Imported Upstream version 1.16

This commit is contained in:
Jan Wagner 2013-11-05 17:32:50 +01:00
parent 2357dc9ae5
commit a7ab4e32cf
5 changed files with 752 additions and 168 deletions

@ -1,4 +1,4 @@
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
.\"
.\" Standard preamble:
.\" ========================================================================
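Review bot: Only the generator stamp changes in this hunk (Pod::Parser v1.32 becomes v1.14), which shows that the shipped man page is regenerated from the POD by whoever rolls the tarball rather than at package build time. Rebuilding with an older Pod::Parser than the previous release is harmless, but every upstream import will carry this noisy preamble diff; consider building the man page from the POD source during the package build so this line stops churning.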
@ -128,8 +128,8 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "MANUAL1 8"
.TH MANUAL1 8 "2009-06-27" "perl v5.8.8" "User Contributed Perl Documentation"
.IX Title "POSTFWD 1"
.TH POSTFWD 1 "2009-09-03" "perl v5.8.5" "User Contributed Perl Documentation"
.SH "NAME"
postfwd \- postfix firewall daemon
.SH "SYNOPSIS"
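Review bot: The `.TH` line moves the page from section 8 to section 1 (`.TH POSTFWD 1`), yet the NAME line directly below still describes postfwd as the "postfix firewall daemon"; daemons and administration tools conventionally live in section 8, so confirm the section change is intended and that the installed file name (postfwd.8 versus postfwd.1) agrees with it. The rename from MANUAL1 to POSTFWD in both `.IX Title` and `.TH` is correct. The perl version string in `.TH` (v5.8.5) is just the build host's perl and will keep changing on every regeneration.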
@ -175,7 +175,7 @@ postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
\& --cleanup-rates cleanup interval in seconds for rate cache
.Ve
.PP
.Vb 16
.Vb 17
\& Optional:
\& -t, --test testing, always returns "dunno"
\& -v, --verbose verbose logging, use twice (-vv) to increase level
@ -192,6 +192,7 @@ postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
\& --dns_max_ns_lookups max names to look up with sender_ns_addrs
\& --dns_max_mx_lookups max names to look up with sender_mx_addrs
\& -I, --instantcfg re-reads rulefiles for every new request
\& --config_timeout <i> parser timeout in seconds
.Ve
.PP
.Vb 7
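Review bot: `--config_timeout <i>` is the only entry in this option list that shows an argument placeholder; `--dns_max_ns_lookups` and `--dns_max_mx_lookups` just above it also take a number but are listed without one. Either add placeholders there too or drop `<i>` here for consistency. Since the parameter section further down gives the default (3 seconds), stating it in this one-line summary would also save the reader a search, and a half-clause on the effect ("rule is skipped on timeout") would tell the operator why the value matters for REJECT rules.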
@ -261,13 +262,17 @@ is not important. So the following would lead to the same result as the previous
.PP
The way how request items are compared to the ruleset can be influenced in the following way:
.PP
.Vb 7
.Vb 11
\& ====================================================================
\& ITEM==VALUE true if ITEM equals VALUE
\& ITEM>=VALUE true if ITEM >= VALUE
\& ITEM<=VALUE true if ITEM <= VALUE
\& ITEM~=VALUE true if ITEM ~= /^VALUE$/i
\& ITEM=VALUE default behaviour (see ITEMS section)
\& ITEM == VALUE true if ITEM equals VALUE
\& ITEM => VALUE true if ITEM >= VALUE
\& ITEM =< VALUE true if ITEM <= VALUE
\& ITEM =~ VALUE true if ITEM ~= /^VALUE$/i
\& ITEM != VALUE false if ITEM equals VALUE
\& ITEM !> VALUE false if ITEM >= VALUE
\& ITEM !< VALUE false if ITEM <= VALUE
\& ITEM !~ VALUE false if ITEM ~= /^VALUE$/i
\& ITEM = VALUE default behaviour (see ITEMS section)
\& ====================================================================
.Ve
.PP
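Review bot: The table replaces the previously documented spellings `ITEM>=VALUE` and `ITEM<=VALUE` with `ITEM => VALUE` and `ITEM =< VALUE` without saying whether the old forms still parse. If they do, keep them in the table as aliases; if they do not, this is a ruleset-breaking change that needs a changelog entry, and the text should say what happens to a rule whose operator is no longer recognised (in particular whether it falls back to the `ITEM = VALUE` default behaviour). `=>` also reads as "greater or equal" here but is Perl's fat comma, so a one-line warning about the spelling would help. In the description column, `ITEM ~= /^VALUE$/i` for the `=~` and `!~` rows uses `~=`, which is not an operator in this table; write it as "ITEM matches /^VALUE$/i". Finally, `!>` described as "false if ITEM >= VALUE" is correct but forces the reader to invert it; "true if ITEM < VALUE" says the same thing directly, and likewise for `!<`.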
@ -352,19 +357,25 @@ Rules can span multiple lines by adding a trailing backslash \*(L"\e\*(R" charac
\& recipient_domain
.Ve
.PP
.Vb 2
.Vb 4
\& helo_address - postfwd tries to look up the helo_name. use
\& helo_address=!!(0.0.0.0/0) to check for unknown.
\& Please do not use this for positive access control
\& (whitelisting), as it might be forged.
.Ve
.PP
.Vb 2
.Vb 4
\& sender_ns_names, - postfwd tries to look up the names/ip addresses
\& sender_ns_addrs of the nameservers for the sender domain part.
\& Please do not use this for positive access control
\& (whitelisting), as it might be forged.
.Ve
.PP
.Vb 2
.Vb 4
\& sender_mx_names, - postfwd tries to look up the names/ip addresses
\& sender_mx_addrs of the mx records for the sender domain part.
\& Please do not use this for positive access control
\& (whitelisting), as it might be forged.
.Ve
.PP
.Vb 6
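Review bot: Good addition. `helo_address`, `sender_ns_names`/`sender_ns_addrs` and `sender_mx_names`/`sender_mx_addrs` are all derived from names the connecting client supplies (its helo_name and the domain part of its envelope sender), so a whitelist keyed on them is only as trustworthy as what the client chose to send and what DNS returned for it. The caveat "as it might be forged" is right but terse; say what can be forged (the client picks helo_name and the sender domain, and the lookups are driven by those) and that these items remain useful for negative checks such as rejecting when the lookup yields nothing, which is what the `helo_address=!!(0.0.0.0/0)` example already shows. The `.Vb` counts going from 2 to 4 match the two lines added to each block.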
@ -464,6 +475,12 @@ Any item can be negated by preceeding '!!' to it, e.g.:
\& id=TLS001 ; hostname=!!^secure\e.trust\e.local$ ; action=REJECT only secure.trust.local please
.Ve
.PP
or using the right compare operator:
.PP
.Vb 1
\& id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that?
.Ve
.PP
To avoid confusion with regexps or simply for better visibility you can use '!!(...)':
.PP
.Vb 1
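Review bot: The new example `sasl_username !~ /^(bob|alice)$/` wraps the pattern in slashes, whereas the neighbouring example `hostname=!!^secure\e.trust\e.local$` does not, and the operator table says `!~` already matches against `/^VALUE$/i`. If the slashes are accepted as optional delimiters, say so once in the ITEMS or operator section; if they are taken literally, the pattern would have to match a username that begins with "/" and the rule would reject every real user, so verify that the parser strips them before this example ships. Also, "or using the right compare operator" would read better as "or using the corresponding compare operator", since `!~` is one of several valid spellings rather than the only correct one.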
@ -480,6 +497,122 @@ Request attributes can be compared by preceeding '$$' characters, e.g.:
.PP
This is only valid for \s-1PCRE\s0 values (see list above). The comparison will be performed as case insensitive exact match.
Use the '\-vv' option to debug.
.Sh "\s-1FILES\s0"
.IX Subsection "FILES"
Since postfwd1 v1.15 and postfwd2 v0.18 long item lists can be stored in separate files:
.PP
.Vb 1
\& id=R001 ; ccert_fingerprint==file:/etc/postfwd/wl_ccerts ; action=DUNNO
.Ve
.PP
postfwd will read a list of items (one item per line) from /etc/postfwd/wl_ccerts. comments are allowed:
.PP
.Vb 6
\& # client1
\& 11:22:33:44:55:66:77:88:99
\& # client2
\& 22:33:44:55:66:77:88:99:00
\& # client3
\& 33:44:55:66:77:88:99:00:11
.Ve
.PP
To use existing tables in key=value format, you can use:
.PP
.Vb 1
\& id=R001 ; ccert_fingerprint==table:/etc/postfwd/wl_ccerts ; action=DUNNO
.Ve
.PP
This will ignore the right-hand value. Items can be mixed:
.PP
.Vb 3
\& id=R002 ; action=REJECT \e
\& client_name==unknown; \e
\& client_name==file:/etc/postfwd/blacklisted
.Ve
.PP
and for non pcre (comma separated) items:
.PP
.Vb 2
\& id=R003 ; action=REJECT \e
\& client_address==10.1.1.1, file:/etc/postfwd/blacklisted
.Ve
.PP
.Vb 2
\& id=R004 ; action=REJECT \e
\& rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing
.Ve
.PP
You can check your configuration with the \-\-show_config option at the command line:
.PP
.Vb 1
\& # postfwd --showconfig --rule='action=DUNNO; client_address=10.1.0.0/16, file:/etc/postfwd/wl_clients, 192.168.2.1'
.Ve
.PP
should give something like:
.PP
.Vb 1
\& Rule 0: id->"R-0"; action->"DUNNO"; client_address->"=;10.1.0.0/16, =;194.123.86.10, =;186.4.6.12, =;192.168.2.1"
.Ve
.PP
If a file can not be read, it will be ignored:
.PP
.Vb 3
\& # postfwd --showconfig --rule='action=DUNNO; client_address=10.1.0.0/16, file:/etc/postfwd/wl_clients, 192.168.2.1'
\& [LOG warning]: error: file /etc/postfwd/wl_clients not found - file will be ignored ?
\& Rule 0: id->"R-0"; action->"DUNNO"; client_address->"=;10.1.0.0/16, =;192.168.2.1"
.Ve
.PP
File items are evaluated at configuration stage. Therefore postfwd needs to be reloaded if a file has changed.
.PP
If you want to specify a file, that will be reloaded for each request, you can use lfile: and ltable:
.PP
.Vb 1
\& id=R001; client_address=lfile:/etc/postfwd/client_whitelist; action=dunno
.Ve
.PP
This will check the modification time of /etc/postfwd/client_whitelist every time the rule is evaluated and reload it as
necessary. Of course this might increase the system load, so please use it with care.
.PP
The \-\-showconfig option illustrates the difference:
.PP
.Vb 3
\& ## evaluated at configuration stage
\& # postfwd2 --nodaemon -L --rule='client_address=table:/etc/postfwd/clients; action=dunno' -C
\& Rule 0: id->"R-0"; action->"dunno"; client_address->"=;1.1.1.1, =;1.1.1.2, =;1.1.1.3"
.Ve
.PP
.Vb 3
\& ## evaluated for any rulehit
\& # postfwd2 --nodaemon -L --rule='client_address=ltable:/etc/postfwd/clients; action=dunno' -C
\& Rule 0: id->"R-0"; action->"dunno"; client_address->"=;ltable:/etc/postfwd/clients"
.Ve
.PP
Files can refer to other files. The following is valid.
.PP
.Vb 2
\& -- FILE /etc/postfwd/rules.cf --
\& id=R001; client_address=file:/etc/postfwd/clients_master.cf; action=DUNNO
.Ve
.PP
.Vb 4
\& -- FILE /etc/postfwd/clients_master.cf --
\& 192.168.1.0/24
\& file:/etc/postfwd/clients_east.cf
\& file:/etc/postfwd/clients_west.cf
.Ve
.PP
.Vb 2
\& -- FILE /etc/postfwd/clients_east.cf --
\& 192.168.2.0/24
.Ve
.PP
.Vb 2
\& -- FILE /etc/postfwd/clients_west.cf --
\& 192.168.3.0/24
.Ve
.PP
Remind that there is currently no loop detection (/a/file calls /a/file) and that this feature is only available
with postfwd1 v1.15 and postfwd2 v0.18 and higher.
.Sh "\s-1ACTIONS\s0"
.IX Subsection "ACTIONS"
\&\fIGeneral\fR
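Review bot: "If a file can not be read, it will be ignored" (with only a `[LOG warning]` line) is a fail-open default that undermines the very examples given in this section: R002 and R003 build a blacklist from `file:/etc/postfwd/blacklisted`, and if that file is missing or unreadable at reload time the REJECT rule silently shrinks to its inline items. The text should say this plainly, say what `lfile:`/`ltable:` do when the file becomes unreadable between two requests, and ideally offer a strict mode that refuses to start or keeps the last good list instead. Smaller points in the same hunk: the prose introduces the check as `--show_config` but the command actually run is `--showconfig`; the sample log line ends in a stray `?`; "comments are allowed" and "Remind that" should be "Comments are allowed" and "Note that"; three different rules are all labelled `id=R001`; and the mtime-based reload for `lfile:` should advise replacing the file atomically (write to a temporary name, then rename) so a request is never evaluated against a half-written list. The statement that there is no loop detection belongs next to the first `file:` example rather than at the end of the section, since the parser timeout is the only guard against a file that includes itself.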
@ -562,16 +695,27 @@ postfwd actions control the behaviour of the program. Currently you can specify
\& action==size($$client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
.Ve
.PP
.Vb 8
\& rcpt (<item>/<max>/<time>/<action>)
\& this command works similar to the rate() command with the difference, that the rate counter is
\& increased by the request's recipient_count attribute. to do this reliably you should call postfwd
\& from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could
\& check it within the ruleset:
\& # recipient count limit 3 per hour per client
\& id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \e
\& action==rcpt($$client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
.Ve
.PP
.Vb 9
\& ask (<addr>:<port>[:<ignore>])
\& allows to delegate the policy decision to another policy service (e.g. postgrey). the first
\& and the second argument (address and port) are mandatory. a third optional argument may be
\& specified to tell postfwd to ignore certain answers and go on parsing the ruleset:
\& # example1: query postgrey and return it's answer to postfix
\& id=GREY; client_address==10.1.1.1; ask(127.0.0.1:10031)
\& id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031)
\& # example2: query postgrey but ignore it's answer, if it matches 'DUNNO'
\& # and continue parsing postfwd's ruleset
\& id=GREY; client_address==10.1.1.1; ask(127.0.0.1:10031:^dunno$)
\& id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$)
.Ve
.PP
.Vb 3
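Review bot: `ask()` hands the policy decision to another service on `<addr>:<port>`, but the description does not say what postfwd returns when that service is unreachable, times out or answers something it cannot parse; that single detail decides whether a dead postgrey fails open (mail accepted) or closed, so state it together with the timeout used. The correction of the two examples from bare `ask(...)` to `action=ask(...)` is right and matches every other example on the page. For `rcpt()`, "to do this reliably you should call postfwd from smtpd_data_restrictions or smtpd_end_of_data_restrictions" is the key caveat, and the RCPT01 example correctly guards on `state==END_OF_DATA`; adding why (recipient_count is not meaningful before that point) would make the example self-explaining. Typos: "it's answer" should be "its answer" in both example comments. The `.Vb 9` count is correct for the nine lines that remain.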
@ -962,6 +1106,12 @@ These parameters influence the way postfwd is working. Any of them can be combin
\& significantly increase system load.
.Ve
.PP
.Vb 3
\& --config_timeout (default=3)
\& timeout in seconds to parse a single configuration line. if exceeded, the rule will
\& be skipped. this is used to prevent problems due to large files or loops.
.Ve
.PP
\&\fIInformational arguments\fR
.PP
These arguments are for command line usage only. Never ever use them with postfix spawn!
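Review bot: "if exceeded, the rule will be skipped" is fail-open: a REJECT rule whose included file takes longer than 3 seconds to parse (the FILES section above warns that there is no loop detection for `file:` includes) disappears from the loaded ruleset, and nothing here says how loudly that is reported. State the log level of the skip message, say whether a value of 0 disables the timeout, and recommend checking the loaded ruleset with `--showconfig` after any change to included files so a silently dropped rule is caught before it reaches production. The `.Vb 3` count matches the three added lines.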