Merge tag 'upstream/1.10pre8b'

Upstream version 1.10pre8b
2013-11-05 17:32:28 +01:00 · 2013-11-05 17:32:28 +01:00 · a895768a2d
parent f0257c6790 b5012c41b3
commit a895768a2d
9 changed files with 1172 additions and 964 deletions
--- a/bin/postfwd-script.sh
+++ b/bin/postfwd-script.sh
@ -10,6 +10,8 @@ PATH=/bin:/usr/bin:/usr/local/bin
 PFWCMD=/usr/local/postfwd/sbin/postfwd
 # rulesetconfig file
 PFWCFG=/etc/postfix/postfwd.cf
 # pidfile
 PFWPID=/var/tmp/postfwd.pid
 # daemon settings
 PFWUSER=nobody
@ -23,45 +25,32 @@ PFWARG="--shortlog --summary=600 --cache=600 --cache-rbl-timeout=3600 --cleanup-
 ## should be no need to change below
-P1="`basename ${PFWCMD}`"; P2="`basename $0`";
+P1="`basename ${PFWCMD}`"
 PIDS="`ps -aef | grep "${P1}" | grep -v "${P2}" | grep -v grep | awk '{print $2}' | sort -nr`"
 case "$1" in
-	start*)		if [ -n "${PIDS}" ]; then
+	start*)		echo "Starting ${P1}...";
-                                echo "Process called \"${P1}\" already found at PID ${PIDS}. Please use \"${P2} restart\" instead." ;
+			${PFWCMD} ${PFWARG} --daemon --file=${PFWCFG} --interface=${PFWINET} --port=${PFWPORT} --user=${PFWUSER} --group=${PFWGROUP} --pidfile=${PFWPID};
 				false;
                        else
 				echo "Starting ${P1}...";
 				${PFWCMD} ${PFWARG} --daemon --file=${PFWCFG} --interface=${PFWINET} --port=${PFWPORT} --user=${PFWUSER} --group=${PFWGROUP};
 			fi ;
 			;;
-	debug*)		if [ -n "${PIDS}" ]; then
+	debug*)		echo "Starting ${P1} in debug mode...";
-                                echo "Process called \"${P1}\" already found at PID ${PIDS}. Please use \"${P2} restart\" instead." ;
+			${PFWCMD} ${PFWARG} -vv --daemon --file=${PFWCFG} --interface=${PFWINET} --port=${PFWPORT} --user=${PFWUSER} --group=${PFWGROUP} --pidfile=${PFWPID};
-                                false;
+			;;
                        else
                                echo "Starting ${P1} in DEBUG mode...";
                                ${PFWCMD} ${PFWARG} -vv --daemon --file=${PFWCFG} --interface=${PFWINET} --port=${PFWPORT} --user=${PFWUSER} --group=${PFWGROUP};
                        fi ;
                        ;;
-
+	stop*)		if [ -f "${PFWPID}" ]; then
 	stop*)		if [ -z "${PIDS}" ]; then
 				echo "No process called \"${P1}\" found" ;
 				false;
 			else
 				echo "Stopping ${P1}...";
-				for pid in ${PIDS}; do kill ${pid}; done ;
+				kill `cat ${PFWPID}`;
 			else
 				echo "Pidfile \"${PFWPID}\" not found" ;
 				false;
 			fi ;
 			;;
-	reload*)	if [ -z "${PIDS}" ]; then
+	reload*)	if [ -f "${PFWPID}" ]; then
-				echo "No process called \"${P1}\" found" ;
+				echo "Stopping ${P1}...";
-				false;
+				kill -HUP `cat ${PFWPID}`;
 			else
-				echo "Refreshing ${P1}...";
+				echo "Pidfile \"${PFWPID}\" not found" ;
-				for pid in ${PIDS}; do kill -HUP ${pid}; done ;
+				false;
 			fi ;
 			;;
@ -71,7 +60,7 @@ case "$1" in
 			;;
 	*)		echo "Unknown argument \"$1\"" >&2;
-			echo "Usage: ${P2} {start|stop|reload|restart}" >&2;
+			echo "Usage: `basename $0` {start|stop|reload|restart}" >&2;
 			exit 1;;
 esac
 exit $?
--- a/doc/CHANGELOG
+++ b/doc/CHANGELOG
@ -1,12 +1,43 @@
 **************************************************************************************************
-ATTENTION:  requirements changed - as dns queries are now performed asynchronously, postfwd from
+ATTENTION:  requirements changed - postfwd since v1.10pre8 now uses Net::DNS.
-            v1.10pre2 and above needs the perl module Net::DNS::Async! it is available via CPAN
+	    Net::DNS::Async and Net::CIDR::Lite are not required anymore.
            and installed for my tests without any problems on different linux and solaris systems
 NOTE:       please see the docs ('postfwd -m' or 'perldoc postfwd') for more information
 **************************************************************************************************
 1.10pre8b
 ==========
 - bugfix:  fixed two warnings about logging of undefined values in verbose mode
 1.10pre8a
 ==========
 - bugfix:  item plugins have been made available as cache-id items. this fixes a minor issue with
 	   --cache-rdomain-only and version 1.10pre8
 1.10pre8
 =========
 - code:    Net::DNS::Async is no longer used. The parameters --dns_queuesize and
           --dns_retries are still valid but have no function. The option --dns_timeout
           now defaults to 14s and applies to all rules containing dns items.
 - code:    Net::CIDR::Lite is not required any longer.
 - feature: the new variable $$request_hits contains a list of all matching ruleids
 - feature: the new variable $$dnsbltext allows access to txt records of rbls
 - feature: new options --no-rulestats and --nodnslog
 - feature: ttls of the dns responses override --cache-rbl-timeout when bigger, which means
           that you can set the option to 0 if you want to use the ttl of the dns answer.
 - feature: new item "rhsbl_helo" allows to check helo against rhsbls
 - bugfix:  disabled fallback to synchronous dns on timed out rbls, default is now
 	   to disable non responding dnsbls after 11 timeouts for 1200 seconds.
 	   use --dns_timeout_max and --dns_timeout_interval to adjust these settings.
 - bugfix:  days=Wed now means exactly Wednesday. to use a range you may
           still specify days=Wed- days=-Wed and days=Tue-Thu
           this applies to all date and time items
 - code:    --shortlog is now default behaviour (use -v to see more)
 - code:    changed Net::Server behaviour to ignore syslog errors
 1.10pre7c
 ==========
 - note:    1.10pre7c does not contain any code-changes to the postfwd daemon.
@ -177,3 +208,4 @@ NOTE:       please see the docs ('postfwd -m' or 'perldoc postfwd') for more inf
 =====
 - first public beta version
--- a/doc/postfwd.html
+++ b/doc/postfwd.html
@ -1,11 +1,15 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
+<html>
 <head>
 <title>postfwd - postfix firewall daemon</title>
-<link rev="made" href="mailto:root@localhost" />
+<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
 <meta name="description" content="postfwd a postfix firewall policy daemon">
 <meta name="author" content="jpk">
 <meta name="keywords" content="postfwd, postfwd usage, postfwd manual, postfix, policy, policy delegation, firewall, postfix acl, postfix acls, pfwpolicy, postfw, restrictions, IT-Security, IT-Consulting, Jan, Peter, Kessler">
 </head>
-<body style="background-color: white">
+<body>
 <p><a name="__index__"></a></p>
 <!-- INDEX BEGIN -->
@ -22,6 +26,7 @@
 		<li><a href="#items">ITEMS</a></li>
 		<li><a href="#actions">ACTIONS</a></li>
 		<li><a href="#macros_acls">MACROS/ACLS</a></li>
 		<li><a href="#plugins">PLUGINS</a></li>
 		<li><a href="#command_line">COMMAND LINE</a></li>
 		<li><a href="#refresh">REFRESH</a></li>
 		<li><a href="#examples">EXAMPLES</a></li>
@ -62,8 +67,9 @@
        -u, --user &lt;name&gt;           set uid to user &lt;name&gt;
        -g, --group &lt;name&gt;          set gid to group &lt;name&gt;
        -R, --chroot &lt;path&gt;         chroot the daemon to &lt;path&gt;
            --pidfile &lt;path&gt;        create pidfile under &lt;path&gt;
        -l, --logname &lt;label&gt;       label for syslog messages
-            --pidfile &lt;path&gt;        create pidfile under &lt;path&gt;</pre>
+            --loglen &lt;int&gt;          truncates syslogs after &lt;int&gt; chars</pre>
 <pre>
        Caching:
        -c, --cache &lt;int&gt;           sets the request-cache timeout to &lt;int&gt; seconds
@ -80,23 +86,25 @@
        Optional:
        -t, --test                  testing, always returns &quot;dunno&quot;
        -v, --verbose               verbose logging, use twice (-vv) to increase level
            --shortlog              disables logging of some postfwd commands
        -S, --summary &lt;int&gt;         show some usage statistics every &lt;int&gt; seconds
            --no-rulestats          disables per rule statistics
        -n, --nodns                 disable dns
-            --dns_queuesize         sets the queue size for asynchonous dns queries
+            --nodnslog              disable dns logging
            --dns_retries           how many retries for a single asynchonous dns query
            --dns_timeout           timeout in seconds for asynchonous dns queries
            --dns_timeout_max       maximum of dns timeouts until a dnsbl will be deactivated
            --dns_timeout_interval  interval in seconds for dns timeout maximum counter
        -I, --instantcfg            re-reads rulefiles for every new request</pre>
 <pre>
-        Informational (use only at command-line, not with postfix!):
+        Informational (use only at command-line!):
        -C, --showconfig            shows ruleset summary, -v for verbose
        -L, --stdoutlog             redirect syslog messages to stdout
        -P, --perfmon               no syslogging, no stdout
        -V, --version               shows program version
        -h, --help                  shows usage
        -m, --manual                shows program manual</pre>
 <pre>
        Plugins:
            --plugins &lt;file&gt;        loads plugins from &lt;file&gt;</pre>
 <p>
 </p>
 <hr />
@ -161,7 +169,16 @@ arguments. Please see the COMMAND LINE section below for more information on thi
        id                      - a unique rule id, which can be used for log analysis
                                  ids also serve as targets for the &quot;jump&quot; command.</pre>
 <pre>
-        date, time              - a time or date range within the specified rule shall hit</pre>
+        date, time              - a time or date range within the specified rule shall hit
                                  # FORMAT:
                                  # Feb, 29th
                                  date=29.02.2008
                                  # Dec, 24th - 26th
                                  date=24.12.2008-26.12.2008
                                  # from today until Nov, 23rd
                                  date=-23.09.2008
                                  # from April, 1st until today
                                  date=01.04.2008-</pre>
 <pre>
        days, months            - a range of weekdays (Sun-Sat) or months (Jan-Dec)
                                  within the specified rule shall hit</pre>
@ -354,20 +371,25 @@ rule containing only an action statement:</p>
 <pre>
        rblcount        - contains the number of RBL answers
        rhsblcount      - contains the number of RHSBL answers
-        matches         - contains the number of matched items</pre>
+        matches         - contains the number of matched items
-<p>This means that you must save them, if you plan to use these values in later rules:</p>
+        dnsbltext       - contains the dns TXT part of all RBL and RHSBL replies in the form
                          rbltype:rblname:&lt;txt&gt;; rbltype:rblname:&lt;txt&gt;; ...</pre>
 <p>These special attributes will be changed for any matching rule:</p>
 <pre>
        request_hits    - contains ids of all matching rules</pre>
 <p>This means that it might be necessary to save them, if you plan to use these values in later rules:</p>
 <pre>
        # set vals
        id=RBL01 ; rhsblcount=all ; rblcount=all ; \
                rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
                rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
                rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
-                action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)</pre>
+                action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)</pre>
 <pre>
        # compare
-        id=RBL02 ; HIT_rhls&gt;=1 ; HIT_rbls&gt;=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
+        id=RBL02 ; HIT_rhls&gt;=1 ; HIT_rbls&gt;=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
-        id=RBL03 ; HIT_rhls&gt;=2               ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
+        id=RBL03 ; HIT_rhls&gt;=2               ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
-        id=RBL04 ; HIT_rbls&gt;=2               ; action=554 5.7.1 blocked using $$HIT_rbls RBLs</pre>
+        id=RBL04 ; HIT_rbls&gt;=2               ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]</pre>
 <p>
 </p>
 <h2><a name="macros_acls">MACROS/ACLS</a></h2>
@ -409,6 +431,10 @@ First the macros have to be defined as follows:</p>
 <p>Basically macros are simple text substitutions - see the <a href="#parser">PARSER</a> section for more information.</p>
 <p>
 </p>
 <h2><a name="plugins">PLUGINS</a></h2>
 <p>Please visit <a href="http://www.postfwd.org/postfwd.plugins">http://www.postfwd.org/postfwd.plugins</a></p>
 <p>
 </p>
 <h2><a name="command_line">COMMAND LINE</a></h2>
 <p><em>Ruleset</em></p>
 <p>The following arguments are used to specify the source of the postfwd ruleset. This means
@ -421,13 +447,18 @@ that at least one of the following is required for postfwd to work.</p>
        -r, --rule &lt;rule&gt;
        Adds &lt;rule&gt; to ruleset. Remember that you might have to quote
        strings that contain whitespaces or shell characters.</pre>
 <p><em>Plugins</em></p>
 <pre>
        --plugins
        A file containing plugin routines for postfwd. Please see the
        PLUGINS section for more information.</pre>
 <p><em>Scoring</em></p>
 <pre>
        -s, --scores &lt;val&gt;=&lt;action&gt;
        Returns &lt;action&gt; to postfix, when the request's score exceeds &lt;val&gt;</pre>
 <p>Multiple usage is allowed. Just chain your arguments, like:</p>
 <pre>
-        postfwd -r &quot;&lt;item&gt;=&lt;value&gt;;action=&lt;result&gt;&quot; -f &lt;file&gt; -f &lt;file&gt; ...
+        postfwd -r &quot;&lt;item&gt;=&lt;value&gt;;action=&lt;result&gt;&quot; -f &lt;file&gt; -f &lt;file&gt; --plugins &lt;file&gt; ...
          or
        postfwd --scores 4.5=&quot;WARN high score&quot; --scores 5.0=&quot;REJECT postfwd score too high&quot; ...</pre>
 <p>In case of multiple scores, the highest match will count. The order of the arguments will be
@ -455,13 +486,16 @@ The following arguments will control it's behaviour in this case.</p>
        -R, --chroot &lt;path&gt;
        Chroot the process to the specified path.
        Test this before using - you might need some libs there.</pre>
 <pre>
        --pidfile &lt;path&gt;
        The process id will be saved in the specified file.</pre>
 <pre>
        -l, --logname &lt;label&gt;
        Labels the syslog messages. Useful when running multiple
        instances of postfwd.</pre>
 <pre>
-        --pidfile &lt;path&gt;
+        --loglen &lt;int&gt;
-        The process id will be saved in the specified file.</pre>
+        Truncates any syslog message after &lt;int&gt; characters.</pre>
 <p><em>Optional arguments</em></p>
 <p>These parameters influence the way postfwd is working. Any of them can be combined.</p>
 <pre>
@ -535,13 +569,13 @@ The following arguments will control it's behaviour in this case.</p>
        Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Rule ID: R-002   matched: 9351 times
        Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Rule ID: R-003   matched: 3116 times
        ...</pre>
 <pre>
        --no-rulestats
        Disables per rule statistics. Keeps your log clean, if you do not use them.
        This option has no effect without --summary or --verbose set.</pre>
 <pre>
        -L, --stdoutlog
        Redirects all syslog messages to stdout for debugging. Never use this with postfix!</pre>
 <pre>
        --shortlog
        As postfwd now logs all hits for a request, you might find it unecessary to log the
        postfwd actions jump(), set() and score(). You may disable it with this option.</pre>
 <pre>
        -t, --test
        In test mode postfwd always returns &quot;dunno&quot;, but logs according
@ -551,15 +585,10 @@ The following arguments will control it's behaviour in this case.</p>
        Disables all DNS based checks like RBL checks. Rules containing
        such elements will be ignored.</pre>
 <pre>
-        --dns_queuesize   (default: 100)
+        -n, --nodnslog
-        Sets the queue size for asynchonous dns queries. If the query exceeds this value,
+        Disables logging of dns events.</pre>
        postfwd waits for answers of timeouts for previous queries.</pre>
 <pre>
-        --dns_retries     (default: 3)
+        --dns_timeout     (default: 14)
        Sets the retry counter for asynchonous dns queries. This value will apply to
        every single query.</pre>
 <pre>
        --dns_timeout     (default: 7)
        Sets the timeout for asynchonous dns queries in seconds. This value will apply to
        all dns items in a rule.</pre>
 <pre>
@ -723,11 +752,11 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
                ...
        };
        &amp;&amp;MAINTENANCE { \
-                date=15.01.2007  ; \
+                date=15.01.2007 ; \
-                date=15.04.2007  ; \
+                date=15.04.2007 ; \
-                date=15.07.2007  ; \
+                date=15.07.2007 ; \
-                date=15.10.2007  ; \
+                date=15.10.2007 ; \
-                time=03:00:00-04:00:00 ; \
+                time=03:00:00 - 04:00:00 ; \
        };
        # rules
        id=COMBINED    ;  &amp;&amp;RBLS ;  &amp;&amp;DYNAMIC ;  action=REJECT dynamic client and listed on RBL
@ -742,14 +771,11 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
        id=REJECT02 ;  HIT_rbls==1 ;  HIT_dyna==1  ; action=REJECT please see <a href="http://some.org/info?reject=02">http://some.org/info?reject=02</a> for more info
        id=REJECT03 ;  HIT_helo==1 ;  HIT_dyna==1  ; action=REJECT please see <a href="http://some.org/info?reject=03">http://some.org/info?reject=03</a> for more info</pre>
 <pre>
-        # combined with enhanced rbl features
+        ## combined with enhanced rbl features
-        # set vals
+        #
        id=RBL01 ; rhsblcount=all ; rblcount=all ; &amp;&amp;RBLS ; &amp;&amp;RHSBLS ; \
-          action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
+             action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
-        # compare
+        id=RBL02 ; HIT_dnsbls&gt;=2  ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]</pre>
        id=RBL02 ; HIT_rhls&gt;=1 ; HIT_rbls&gt;=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
        id=RBL03 ; HIT_rhls&gt;=2               ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
        id=RBL04 ; HIT_rbls&gt;=2               ; action=554 5.7.1 blocked using $$HIT_rbls RBLs</pre>
 <p>
 </p>
 <h2><a name="parser">PARSER</a></h2>
@ -794,7 +820,7 @@ verbority using use the ``-v'' or ``-vv'' switch. ``-L'' redirects log messages
        id=R001; sender=bob@alice.local; client_address=192.168.1.1; action=dunno</pre>
 <p>Lists will be evaluated in the specified order. This allows to place faster expressions at first:</p>
 <pre>
-        postfwd -vv -L -r &quot;id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT&quot; /root/request.sample</pre>
+        postfwd -vv -L -r &quot;id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT&quot; /some/where/request.sample</pre>
 <p>produces the following</p>
 <pre>
        [LOGS info]: compare rbl: &quot;remotehost.remote.net[68.10.1.7]&quot;  -&gt;  &quot;localrbl.local&quot;
@ -810,7 +836,7 @@ verbority using use the ``-v'' or ``-vv'' switch. ``-L'' redirects log messages
        [LOGS info]: Action: dunno</pre>
 <p>The negation operator !!(&lt;value&gt;) has the highest priority and therefore will be evaluated first. Then variable substitutions are performed:</p>
 <pre>
-        postfwd -vv -L -r &quot;id=TEST; action=REJECT; client_name=!!($$heloname)&quot; /root/request.sample</pre>
+        postfwd -vv -L -r &quot;id=TEST; action=REJECT; client_name=!!($$heloname)&quot; /some/where/request.sample</pre>
 <p>will give</p>
 <pre>
        [LOGS info]: compare client_name:     &quot;unknown&quot;  -&gt;  &quot;!!($$helo_name)&quot;
@ -924,13 +950,14 @@ listening on the specified network settings.</p>
 </p>
 <h2><a name="performance">PERFORMANCE</a></h2>
 <p>Some of these proposals might not match your environment. Please check your requirements and test new options carefully!</p>
-<p>- use caching options
+<pre>
- use the correct match operator ==, &lt;=, &gt;=
+        - use caching options
- use ^ and $ in regular expressions
+        - use the correct match operator ==, &lt;=, &gt;=
- use item lists (faster than single rules)
+        - use ^ and/or $ in regular expressions
- use <code>set()</code> action on repeated item lists
+        - use item lists (faster than single rules)
- use jump action
+        - use set() action on repeated item lists
- use pre-lookup rule for rbl/rhsbls with empty <code>note()</code> action</p>
+        - use jumps and rate limits
        - use a pre-lookup rule for rbl/rhsbls with empty note() action</pre>
 <p>
 </p>
 <h2><a name="see_also">SEE ALSO</a></h2>
@ -969,8 +996,17 @@ POSSIBILITY OF SUCH DAMAGE.</p>
 </p>
 <hr />
 <h1><a name="author">AUTHOR</a></h1>
-<p>Jan&nbsp;Peter&nbsp;Kessler&nbsp;&lt;info&nbsp;(AT)&nbsp;postfwd&nbsp;(DOT)&nbsp;org&gt;. Let me know, if you have any suggestions.</p>
+<p>Jan&nbsp;Peter&nbsp;Kessler&nbsp;&lt;info (AT) postfwd (DOT) org&gt;. Let me know, if you have any suggestions.</p>
 <p><center>
 <table border="1" color="black" frame="hsides" rules="none" width="100%">
  <td width="33%" align="left"><small>http://www.postfwd.org/doc.html</small>
  <td width="34%" align="center"><small>2007 by <a href="http://www.jpkessler.de/">Jan Peter Kessler</a></small>
  <td width="33%" align="right"><small>info (AT) postfwd (DOT) org</small>
 </table>
 </center></p>
 </body>
 </html>
--- a/doc/postfwd.txt
+++ b/doc/postfwd.txt
@ -18,8 +18,9 @@ SYNOPSIS
            -u, --user <name>           set uid to user <name>
            -g, --group <name>          set gid to group <name>
            -R, --chroot <path>         chroot the daemon to <path>
            -l, --logname <label>       label for syslog messages
                --pidfile <path>        create pidfile under <path>
            -l, --logname <label>       label for syslog messages
                --loglen <int>          truncates syslogs after <int> chars
            Caching:
            -c, --cache <int>           sets the request-cache timeout to <int> seconds
@ -36,17 +37,16 @@ SYNOPSIS
            Optional:
            -t, --test                  testing, always returns "dunno"
            -v, --verbose               verbose logging, use twice (-vv) to increase level
                --shortlog              disables logging of some postfwd commands
            -S, --summary <int>         show some usage statistics every <int> seconds
                --no-rulestats          disables per rule statistics
            -n, --nodns                 disable dns
-                --dns_queuesize         sets the queue size for asynchonous dns queries
+                --nodnslog              disable dns logging
                --dns_retries           how many retries for a single asynchonous dns query
                --dns_timeout           timeout in seconds for asynchonous dns queries
                --dns_timeout_max       maximum of dns timeouts until a dnsbl will be deactivated
                --dns_timeout_interval  interval in seconds for dns timeout maximum counter
            -I, --instantcfg            re-reads rulefiles for every new request
-            Informational (use only at command-line, not with postfix!):
+            Informational (use only at command-line!):
            -C, --showconfig            shows ruleset summary, -v for verbose
            -L, --stdoutlog             redirect syslog messages to stdout
            -P, --perfmon               no syslogging, no stdout
@ -54,6 +54,9 @@ SYNOPSIS
            -h, --help                  shows usage
            -m, --manual                shows program manual
            Plugins:
                --plugins <file>        loads plugins from <file>
 DESCRIPTION
  INTRODUCTION
    postfwd is written to combine complex postfix restrictions in a ruleset
@ -138,6 +141,15 @@ DESCRIPTION
                                      ids also serve as targets for the "jump" command.
            date, time              - a time or date range within the specified rule shall hit
                                      # FORMAT:
                                      # Feb, 29th
                                      date=29.02.2008
                                      # Dec, 24th - 26th
                                      date=24.12.2008-26.12.2008
                                      # from today until Nov, 23rd
                                      date=-23.09.2008
                                      # from April, 1st until today
                                      date=01.04.2008-
            days, months            - a range of weekdays (Sun-Sat) or months (Jan-Dec)
                                      within the specified rule shall hit
@ -360,21 +372,27 @@ DESCRIPTION
            rblcount        - contains the number of RBL answers
            rhsblcount      - contains the number of RHSBL answers
            matches         - contains the number of matched items
            dnsbltext       - contains the dns TXT part of all RBL and RHSBL replies in the form
                              rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
-    This means that you must save them, if you plan to use these values in
+    These special attributes will be changed for any matching rule:
-    later rules:
+
            request_hits    - contains ids of all matching rules
    This means that it might be necessary to save them, if you plan to use
    these values in later rules:
            # set vals
            id=RBL01 ; rhsblcount=all ; rblcount=all ; \
                    rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
                    rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
                    rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
-                    action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
+                    action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
            # compare
-            id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
+            id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
-            id=RBL03 ; HIT_rhls>=2               ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
+            id=RBL03 ; HIT_rhls>=2               ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
-            id=RBL04 ; HIT_rbls>=2               ; action=554 5.7.1 blocked using $$HIT_rbls RBLs
+            id=RBL04 ; HIT_rbls>=2               ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
  MACROS/ACLS
    Multiple use of long items or combinations of them may be abbreviated by
@ -420,6 +438,9 @@ DESCRIPTION
    Basically macros are simple text substitutions - see the "PARSER"
    section for more information.
  PLUGINS
    Please visit <http://www.postfwd.org/postfwd.plugins>
  COMMAND LINE
    *Ruleset*
@ -435,6 +456,12 @@ DESCRIPTION
            Adds <rule> to ruleset. Remember that you might have to quote
            strings that contain whitespaces or shell characters.
    *Plugins*
            --plugins
            A file containing plugin routines for postfwd. Please see the
            PLUGINS section for more information.
    *Scoring*
            -s, --scores <val>=<action>
@ -442,7 +469,7 @@ DESCRIPTION
    Multiple usage is allowed. Just chain your arguments, like:
-            postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> ...
+            postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
              or
            postfwd --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd score too high" ...
@ -475,12 +502,15 @@ DESCRIPTION
            Chroot the process to the specified path.
            Test this before using - you might need some libs there.
            --pidfile <path>
            The process id will be saved in the specified file.
            -l, --logname <label>
            Labels the syslog messages. Useful when running multiple
            instances of postfwd.
-            --pidfile <path>
+            --loglen <int>
-            The process id will be saved in the specified file.
+            Truncates any syslog message after <int> characters.
    *Optional arguments*
@ -558,13 +588,13 @@ DESCRIPTION
            Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Rule ID: R-003   matched: 3116 times
            ...
            --no-rulestats
            Disables per rule statistics. Keeps your log clean, if you do not use them.
            This option has no effect without --summary or --verbose set.
            -L, --stdoutlog
            Redirects all syslog messages to stdout for debugging. Never use this with postfix!
            --shortlog
            As postfwd now logs all hits for a request, you might find it unecessary to log the
            postfwd actions jump(), set() and score(). You may disable it with this option.
            -t, --test
            In test mode postfwd always returns "dunno", but logs according
            to it`s ruleset. -v will be set automatically with this option.
@ -573,15 +603,10 @@ DESCRIPTION
            Disables all DNS based checks like RBL checks. Rules containing
            such elements will be ignored.
-            --dns_queuesize   (default: 100)
+            -n, --nodnslog
-            Sets the queue size for asynchonous dns queries. If the query exceeds this value,
+            Disables logging of dns events.
            postfwd waits for answers of timeouts for previous queries.
-            --dns_retries     (default: 3)
+            --dns_timeout     (default: 14)
            Sets the retry counter for asynchonous dns queries. This value will apply to
            every single query.
            --dns_timeout     (default: 7)
            Sets the timeout for asynchonous dns queries in seconds. This value will apply to
            all dns items in a rule.
@ -746,11 +771,11 @@ DESCRIPTION
                    ...
            };
            &&MAINTENANCE { \
-                    date=15.01.2007  ; \
+                    date=15.01.2007 ; \
-                    date=15.04.2007  ; \
+                    date=15.04.2007 ; \
-                    date=15.07.2007  ; \
+                    date=15.07.2007 ; \
-                    date=15.10.2007  ; \
+                    date=15.10.2007 ; \
-                    time=03:00:00-04:00:00 ; \
+                    time=03:00:00 - 04:00:00 ; \
            };
            # rules
            id=COMBINED    ;  &&RBLS ;  &&DYNAMIC ;  action=REJECT dynamic client and listed on RBL
@ -765,14 +790,11 @@ DESCRIPTION
            id=REJECT02 ;  HIT_rbls==1 ;  HIT_dyna==1  ; action=REJECT please see http://some.org/info?reject=02 for more info
            id=REJECT03 ;  HIT_helo==1 ;  HIT_dyna==1  ; action=REJECT please see http://some.org/info?reject=03 for more info
-            # combined with enhanced rbl features
+            ## combined with enhanced rbl features
-            # set vals
+            #
            id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \
-              action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
+                 action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
-            # compare
+            id=RBL02 ; HIT_dnsbls>=2  ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]
            id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
            id=RBL03 ; HIT_rhls>=2               ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
            id=RBL04 ; HIT_rbls>=2               ; action=554 5.7.1 blocked using $$HIT_rbls RBLs
  PARSER
    *Configuration*
@ -834,7 +856,7 @@ DESCRIPTION
    Lists will be evaluated in the specified order. This allows to place
    faster expressions at first:
-            postfwd -vv -L -r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /root/request.sample
+            postfwd -vv -L -r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /some/where/request.sample
    produces the following
@ -853,7 +875,7 @@ DESCRIPTION
    The negation operator !!(<value>) has the highest priority and therefore
    will be evaluated first. Then variable substitutions are performed:
-            postfwd -vv -L -r "id=TEST; action=REJECT; client_name=!!($$heloname)" /root/request.sample
+            postfwd -vv -L -r "id=TEST; action=REJECT; client_name=!!($$heloname)" /some/where/request.sample
    will give
@ -1006,10 +1028,13 @@ DESCRIPTION
    Some of these proposals might not match your environment. Please check
    your requirements and test new options carefully!
-    - use caching options - use the correct match operator ==, <=, >= - use
+            - use caching options
-    ^ and $ in regular expressions - use item lists (faster than single
+            - use the correct match operator ==, <=, >=
-    rules) - use set() action on repeated item lists - use jump action - use
+            - use ^ and/or $ in regular expressions
-    pre-lookup rule for rbl/rhsbls with empty note() action
+            - use item lists (faster than single rules)
            - use set() action on repeated item lists
            - use jumps and rate limits
            - use a pre-lookup rule for rbl/rhsbls with empty note() action
  SEE ALSO
    See <http://www.postfix.org/SMTPD_POLICY_README.html> for a description
--- a/etc/postfwd.cf
+++ b/etc/postfwd.cf
@ -1,9 +1,11 @@
-#################################################################################################
+
 ###################################################################################################
 ##
-##   ATTENTION: This example configuration uses features which require postfwd 1.10pre6!
+##   ATTENTION: This example configuration uses features which require at least postfwd 1.10pre6!
 ##              Please see the manual ('postfwd -m') for example syntax for prior versions.
 ##
-#################################################################################################
+###################################################################################################
 ##
@ -12,11 +14,11 @@
 # Maintenance times
 &&MAINTENANCE { \
-        date=15.01.2007  ; \
+        date=15.01.2007 - 15.01.2007 ; \
-        date=15.04.2007  ; \
+        date=15.04.2007 - 15.04.2007 ; \
-        date=15.07.2007  ; \
+        date=15.07.2007 - 15.07.2007 ; \
-        date=15.10.2007  ; \
+        date=15.10.2007 - 15.10.2007 ; \
-        time=03:00:00-04:00:00 ; \
+        time=03:00:00 - 04:00:00 ; \
 };
 # Whitelists
@ -48,6 +50,13 @@
        client_name~=[\.\-]static[[\.\-] ;               \
        client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. ; \
 };
 &&DNSWLS { \
        rbl=list.dnswl.org ;                                             \
        rbl=exemptions.ahbl.org ;                                        \
        rbl=query.bondedsender.org ;                                     \
        rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ;          \
        rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \
 };
 # Spamchecks
 &&BADHELO { \
@ -59,17 +68,15 @@
        client_name~=\d{5} ;     \
        client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-] ; \
 };
-&&RBLS { \
+&&DNSBLS { \
        rbl=zen.spamhaus.org ;     \
        rbl=list.dsbl.org ;        \
        rbl=bl.spamcop.net ;       \
        rbl=dnsbl.sorbs.net ;      \
        rbl=ix.dnsbl.manitu.net ;  \
-};
+        rhsbl=rddn.dnsbl.net.au ;  \
-&&RHSBLS { \
+        rhsbl=rhsbl.ahbl.org ;     \
-        rhsbl=rddn.dnsbl.net.au ; \
+        rhsbl=rhsbl.sorbs.net ;    \
        rhsbl=rhsbl.ahbl.org ; \
        rhsbl=rhsbl.sorbs.net ; \
 };
@ -89,32 +96,38 @@ id=WL_002   ;  &&TRUSTED_HOSTS    ;  action=dunno
 id=WL_003   ;  &&TRUSTED_USERS    ;  action=dunno
 id=WL_004   ;  &&TRUSTED_TLS      ;  action=dunno
-# DNSBL checks
+# DNSWL checks - lookup
-id=RBL_001  ;  &&RHSBLS ; &&RBLS ; \
+id=RWL_001  ;  &&DNSWLS ;  rhsblcount=all ; rblcount=all ; \
-               rhsblcount=all ; rblcount=all ; \
+	action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext)
-               action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
+
-id=RBL_002  ;  HIT_rhls>=1 ; HIT_rbls>=1 ;  action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
+# DNSWL - whitelisting
-id=RBL_003  ;  HIT_rhls>=2               ;  action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
+id=RWL_002  ;  HIT_dnswls>=2 ;  action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text]
-id=RBL_004  ;  HIT_rbls>=2               ;  action=554 5.7.1 blocked using $$HIT_rbls RBLs
+id=RWL_003  ;  HIT_dnswls>=1 ;  action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ;  &&STATIC
-id=RBL_005  ;  HIT_rbls>=1 ; &&DYNAMIC   ;  action=REJECT listed on RBL and $$client_name looks like dynip
+id=RWL_004  ;  HIT_dnswls>=1 ;  action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ;  $$client_name~=$$(sender_domain)$
-id=RBL_006  ;  HIT_rhls>=1 ; &&DYNAMIC   ;  action=REJECT listed on RHSBL and $$client_name looks like dynip
+
-id=RBL_007  ;  HIT_rbls>=1 ; &&BADHELO   ;  action=REJECT listed on RBL and $$helo_name does not match $$client_name
+# DNSBL checks - lookup
-id=RBL_008  ;  HIT_rhls>=1 ; &&BADHELO   ;  action=REJECT listed on RHSBL and $$helo_name does not match $$client_name
+id=RBL_001  ;  &&DNSBLS ;  rhsblcount=all ; rblcount=all ; \
        action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext)
 # DNSBL checks - evaluation
 id=RBL_002  ;  HIT_dnsbls>=2             ;  action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text]
 id=RBL_003  ;  HIT_dnsbls>=1 ; &&DYNAMIC ;  action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text]
 id=RBL_004  ;  HIT_dnsbls>=1 ; &&BADHELO ;  action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text]
 # Rate limits
-id=RATE_001 ;  &&DYNAMIC                 ;  action=rate($$client_address/1/300/450 4.7.1 please do not send more than once per 5 minutes)
+id=RATE_001 ;  HIT_dnsbls>=1; \
-id=RATE_002 ;  HIT_rhls>=1               ;  action=rate($$client_address/1/300/450 4.7.1 please do not send more than once per 5 minutes)
+	action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
-id=RATE_003 ;  HIT_rbls>=1               ;  action=rate($$client_address/1/300/450 4.7.1 please do not send more than once per 5 minutes)
+id=RATE_002 ;  &&DYNAMIC ; \
-id=RATE_004 ; sasl_username==boss        ;  action=size($$sasl_username/30000000/300/450 4.7.1 please do not send more than 30mb within 5 minutes)
+	action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
 id=RATE_005 ; sasl_username~=\w          ;  action=size($$sasl_username/10000000/300/450 4.7.1 please do not send more than 10mb within 5 minutes)
 # Selective greylisting
-id=GREY_001 ;  action=dunno              ;  &&STATIC
+id=GREY_001 ;  action=dunno        ;  &&STATIC
-id=GREY_002 ;  action=dunno              ;  $$client_name~=$$(sender_domain)$
+id=GREY_002 ;  action=dunno        ;  $$client_name~=$$(sender_domain)$
-id=GREY_003 ;  action=greylisting        ;  &&DYNAMIC
+id=GREY_003 ;  action=dunno        ;  HIT_dnswls>=1
-id=GREY_004 ;  action=greylisting        ;  HIT_rhls>=1
+id=GREY_004 ;  action=greylisting  ;  &&DYNAMIC
-id=GREY_005 ;  action=greylisting        ;  HIT_rbls>=1
+id=GREY_005 ;  action=greylisting  ;  HIT_dnsbls>=1
-# greylisting should be safe during out-of-office times
+
-id=GREY_006 ;  action=greylisting        ;  days=Sat-Sun
+# Greylisting should be safe during out-of-office times
-id=GREY_007 ;  action=greylisting        ;  days=Mon-Fri ; time=!!06:00:00-20:00:00
+id=GREY_006 ;  action=greylisting  ;  days=Sat-Sun
 id=GREY_007 ;  action=greylisting  ;  days=Mon-Fri ; time=!!06:00:00-20:00:00
--- a/man/man8/postfwd.8
+++ b/man/man8/postfwd.8
@ -129,7 +129,7 @@
 .\" ========================================================================
 .\"
 .IX Title "POSTFWD 8"
-.TH POSTFWD 8 "2008-05-12" "perl v5.8.5" "User Contributed Perl Documentation"
+.TH POSTFWD 8 "2008-09-14" "perl v5.8.5" "User Contributed Perl Documentation"
 .SH "NAME"
 postfwd \- postfix firewall daemon
 .SH "SYNOPSIS"
@ -147,7 +147,7 @@ postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
 \&        -s, --scores <v>=<r>        returns <r> when score exceeds <v>
 .Ve
 .PP
-.Vb 9
+.Vb 10
 \&        Networking:
 \&        -d, --daemon                run postfwd as daemon
 \&        -i, --interface <dev>       listen on interface <dev>
@ -155,8 +155,9 @@ postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
 \&        -u, --user <name>           set uid to user <name>
 \&        -g, --group <name>          set gid to group <name>
 \&        -R, --chroot <path>         chroot the daemon to <path>
 \&        -l, --logname <label>       label for syslog messages
 \&            --pidfile <path>        create pidfile under <path>
 \&        -l, --logname <label>       label for syslog messages
 \&            --loglen <int>          truncates syslogs after <int> chars
 .Ve
 .PP
 .Vb 11
@ -173,15 +174,14 @@ postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
 \&            --cleanup-rates         cleanup interval in seconds for rate cache
 .Ve
 .PP
-.Vb 12
+.Vb 11
 \&        Optional:
 \&        -t, --test                  testing, always returns "dunno"
 \&        -v, --verbose               verbose logging, use twice (-vv) to increase level
 \&            --shortlog              disables logging of some postfwd commands
 \&        -S, --summary <int>         show some usage statistics every <int> seconds
 \&            --no-rulestats          disables per rule statistics
 \&        -n, --nodns                 disable dns
-\&            --dns_queuesize         sets the queue size for asynchonous dns queries
+\&            --nodnslog              disable dns logging
 \&            --dns_retries           how many retries for a single asynchonous dns query
 \&            --dns_timeout           timeout in seconds for asynchonous dns queries
 \&            --dns_timeout_max       maximum of dns timeouts until a dnsbl will be deactivated
 \&            --dns_timeout_interval  interval in seconds for dns timeout maximum counter
@ -189,7 +189,7 @@ postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
 .Ve
 .PP
 .Vb 7
-\&        Informational (use only at command-line, not with postfix!):
+\&        Informational (use only at command-line!):
 \&        -C, --showconfig            shows ruleset summary, -v for verbose
 \&        -L, --stdoutlog             redirect syslog messages to stdout
 \&        -P, --perfmon               no syslogging, no stdout
@ -197,6 +197,11 @@ postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
 \&        -h, --help                  shows usage
 \&        -m, --manual                shows program manual
 .Ve
 .PP
 .Vb 2
 \&        Plugins:
 \&            --plugins <file>        loads plugins from <file>
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 .Sh "\s-1INTRODUCTION\s0"
@ -286,8 +291,17 @@ Rules can span multiple lines by adding a trailing backslash \*(L"\e\*(R" charac
 \&                                  ids also serve as targets for the "jump" command.
 .Ve
 .PP
-.Vb 1
+.Vb 10
 \&        date, time              - a time or date range within the specified rule shall hit
 \&                                  # FORMAT:
 \&                                  # Feb, 29th
 \&                                  date=29.02.2008
 \&                                  # Dec, 24th - 26th
 \&                                  date=24.12.2008-26.12.2008
 \&                                  # from today until Nov, 23rd
 \&                                  date=-23.09.2008
 \&                                  # from April, 1st until today
 \&                                  date=01.04.2008-
 .Ve
 .PP
 .Vb 2
@ -548,13 +562,21 @@ You can reference to request attributes, like
 .PP
 These special attributes will be reset for any new rule:
 .PP
-.Vb 3
+.Vb 5
 \&        rblcount        - contains the number of RBL answers
 \&        rhsblcount      - contains the number of RHSBL answers
 \&        matches         - contains the number of matched items
 \&        dnsbltext       - contains the dns TXT part of all RBL and RHSBL replies in the form
 \&                          rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
 .Ve
 .PP
-This means that you must save them, if you plan to use these values in later rules:
+These special attributes will be changed for any matching rule:
 .PP
 .Vb 1
 \&        request_hits    - contains ids of all matching rules
 .Ve
 .PP
 This means that it might be necessary to save them, if you plan to use these values in later rules:
 .PP
 .Vb 6
 \&        # set vals
@ -562,14 +584,14 @@ This means that you must save them, if you plan to use these values in later rul
 \&                rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \e
 \&                rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \e
 \&                rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \e
-\&                action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
+\&                action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
 .Ve
 .PP
 .Vb 4
 \&        # compare
-\&        id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
+\&        id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
-\&        id=RBL03 ; HIT_rhls>=2               ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
+\&        id=RBL03 ; HIT_rhls>=2               ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
-\&        id=RBL04 ; HIT_rbls>=2               ; action=554 5.7.1 blocked using $$HIT_rbls RBLs
+\&        id=RBL04 ; HIT_rbls>=2               ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
 .Ve
 .Sh "\s-1MACROS/ACLS\s0"
 .IX Subsection "MACROS/ACLS"
@ -621,6 +643,9 @@ Macros can contain macros, too:
 .Ve
 .PP
 Basically macros are simple text substitutions \- see the \*(L"\s-1PARSER\s0\*(R" section for more information.
 .Sh "\s-1PLUGINS\s0"
 .IX Subsection "PLUGINS"
 Please visit <http://www.postfwd.org/postfwd.plugins>
 .Sh "\s-1COMMAND\s0 \s-1LINE\s0"
 .IX Subsection "COMMAND LINE"
 \&\fIRuleset\fR
@ -640,6 +665,14 @@ that at least one of the following is required for postfwd to work.
 \&        strings that contain whitespaces or shell characters.
 .Ve
 .PP
 \&\fIPlugins\fR
 .PP
 .Vb 3
 \&        --plugins
 \&        A file containing plugin routines for postfwd. Please see the
 \&        PLUGINS section for more information.
 .Ve
 .PP
 \&\fIScoring\fR
 .PP
 .Vb 2
@ -650,7 +683,7 @@ that at least one of the following is required for postfwd to work.
 Multiple usage is allowed. Just chain your arguments, like:
 .PP
 .Vb 3
-\&        postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> ...
+\&        postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
 \&          or
 \&        postfwd --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd score too high" ...
 .Ve
@ -695,6 +728,11 @@ The following arguments will control it's behaviour in this case.
 \&        Test this before using - you might need some libs there.
 .Ve
 .PP
 .Vb 2
 \&        --pidfile <path>
 \&        The process id will be saved in the specified file.
 .Ve
 .PP
 .Vb 3
 \&        -l, --logname <label>
 \&        Labels the syslog messages. Useful when running multiple
@ -702,8 +740,8 @@ The following arguments will control it's behaviour in this case.
 .Ve
 .PP
 .Vb 2
-\&        --pidfile <path>
+\&        --loglen <int>
-\&        The process id will be saved in the specified file.
+\&        Truncates any syslog message after <int> characters.
 .Ve
 .PP
 \&\fIOptional arguments\fR
@ -807,18 +845,18 @@ These parameters influence the way postfwd is working. Any of them can be combin
 \&        ...
 .Ve
 .PP
 .Vb 3
 \&        --no-rulestats
 \&        Disables per rule statistics. Keeps your log clean, if you do not use them.
 \&        This option has no effect without --summary or --verbose set.
 .Ve
 .PP
 .Vb 2
 \&        -L, --stdoutlog
 \&        Redirects all syslog messages to stdout for debugging. Never use this with postfix!
 .Ve
 .PP
 .Vb 3
 \&        --shortlog
 \&        As postfwd now logs all hits for a request, you might find it unecessary to log the
 \&        postfwd actions jump(), set() and score(). You may disable it with this option.
 .Ve
 .PP
 .Vb 3
 \&        -t, --test
 \&        In test mode postfwd always returns "dunno", but logs according
 \&        to it`s ruleset. -v will be set automatically with this option.
@ -830,20 +868,13 @@ These parameters influence the way postfwd is working. Any of them can be combin
 \&        such elements will be ignored.
 .Ve
 .PP
-.Vb 3
+.Vb 2
-\&        --dns_queuesize   (default: 100)
+\&        -n, --nodnslog
-\&        Sets the queue size for asynchonous dns queries. If the query exceeds this value,
+\&        Disables logging of dns events.
 \&        postfwd waits for answers of timeouts for previous queries.
 .Ve
 .PP
 .Vb 3
-\&        --dns_retries     (default: 3)
+\&        --dns_timeout     (default: 14)
 \&        Sets the retry counter for asynchonous dns queries. This value will apply to
 \&        every single query.
 .Ve
 .PP
 .Vb 3
 \&        --dns_timeout     (default: 7)
 \&        Sets the timeout for asynchonous dns queries in seconds. This value will apply to
 \&        all dns items in a rule.
 .Ve
@ -1044,11 +1075,11 @@ the '\-I' switch to have your configuration refreshed for every request postfwd
 \&                ...
 \&        };
 \&        &&MAINTENANCE { \e
-\&                date=15.01.2007  ; \e
+\&                date=15.01.2007 ; \e
-\&                date=15.04.2007  ; \e
+\&                date=15.04.2007 ; \e
-\&                date=15.07.2007  ; \e
+\&                date=15.07.2007 ; \e
-\&                date=15.10.2007  ; \e
+\&                date=15.10.2007 ; \e
-\&                time=03:00:00-04:00:00 ; \e
+\&                time=03:00:00 - 04:00:00 ; \e
 \&        };
 \&        # rules
 \&        id=COMBINED    ;  &&RBLS ;  &&DYNAMIC ;  action=REJECT dynamic client and listed on RBL
@ -1066,15 +1097,12 @@ the '\-I' switch to have your configuration refreshed for every request postfwd
 \&        id=REJECT03 ;  HIT_helo==1 ;  HIT_dyna==1  ; action=REJECT please see http://some.org/info?reject=03 for more info
 .Ve
 .PP
-.Vb 8
+.Vb 5
-\&        # combined with enhanced rbl features
+\&        ## combined with enhanced rbl features
-\&        # set vals
+\&        #
 \&        id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \e
-\&          action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
+\&             action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
-\&        # compare
+\&        id=RBL02 ; HIT_dnsbls>=2  ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]
 \&        id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
 \&        id=RBL03 ; HIT_rhls>=2               ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
 \&        id=RBL04 ; HIT_rbls>=2               ; action=554 5.7.1 blocked using $$HIT_rbls RBLs
 .Ve
 .Sh "\s-1PARSER\s0"
 .IX Subsection "PARSER"
@ -1147,7 +1175,7 @@ equals to
 Lists will be evaluated in the specified order. This allows to place faster expressions at first:
 .PP
 .Vb 1
-\&        postfwd -vv -L -r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /root/request.sample
+\&        postfwd -vv -L -r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /some/where/request.sample
 .Ve
 .PP
 produces the following
@ -1169,7 +1197,7 @@ produces the following
 The negation operator !!(<value>) has the highest priority and therefore will be evaluated first. Then variable substitutions are performed:
 .PP
 .Vb 1
-\&        postfwd -vv -L -r "id=TEST; action=REJECT; client_name=!!($$heloname)" /root/request.sample
+\&        postfwd -vv -L -r "id=TEST; action=REJECT; client_name=!!($$heloname)" /some/where/request.sample
 .Ve
 .PP
 will give
@ -1340,13 +1368,15 @@ listening on the specified network settings.
 .IX Subsection "PERFORMANCE"
 Some of these proposals might not match your environment. Please check your requirements and test new options carefully!
 .PP
-\&\- use caching options
+.Vb 7
-\&\- use the correct match operator ==, <=, >=
+\&        - use caching options
-\&\- use ^ and $ in regular expressions
+\&        - use the correct match operator ==, <=, >=
-\&\- use item lists (faster than single rules)
+\&        - use ^ and/or $ in regular expressions
-\&\- use \fIset()\fR action on repeated item lists
+\&        - use item lists (faster than single rules)
-\&\- use jump action
+\&        - use set() action on repeated item lists
-\&\- use pre-lookup rule for rbl/rhsbls with empty \fInote()\fR action
+\&        - use jumps and rate limits
 \&        - use a pre-lookup rule for rbl/rhsbls with empty note() action
 .Ve
 .Sh "\s-1SEE\s0 \s-1ALSO\s0"
 .IX Subsection "SEE ALSO"
 See <http://www.postfix.org/SMTPD_POLICY_README.html> for a description
--- a/sbin/postfwd
+++ b/sbin/postfwd
--- a/tools/README.txt
+++ b/tools/README.txt
@ -3,9 +3,6 @@ Directory contents:
 -	lograte.sh [OPTIONS] <logfile>
 	generates per minute stats for generic syslog files
 -	postfwd-rblcheck.pl <hostname or ip> [<hostname or ip> ...]
 	queries a bunch of dnsbls for the given host(s)
 -	request.sample
 	a sample policy delegation request. you may test your postfwd config with
 	  postfwd -f <configfile> request.sample
--- a/tools/postfwd-rblcheck.pl
+++ b/tools/postfwd-rblcheck.pl
@ -1,174 +0,0 @@
 #!/usr/bin/perl -T -w
 #
 # Tool to query a bunch of dnsbls. Usage:
 #
 #	postfwd-rblcheck.pl <hostname or ip> [<hostname or ip> ...]
 #
 # by JPK
 use Net::DNS::Async;
 use strict;
 # length of screen
 my $mylen = 79;
 # RBLs (ip based)
 my @rbls = qw(
        query.bondedsender.org
        exemptions.ahbl.org
        spf.trusted-forwarder.org
        list.dnswl.org
        zz.countries.nerd.dk
        zen.spamhaus.org
        bl.spamcop.net
        list.dsbl.org
        multihop.dsbl.org
        unconfirmed.dsbl.org
        combined.njabl.org
        dnsbl.sorbs.net
        dnsbl.ahbl.org
        ix.dnsbl.manitu.net
        dnsbl-1.uceprotect.net
        dnsbl-2.uceprotect.net
        dnsbl-3.uceprotect.net
        ips.backscatterer.org
        sorbs.dnsbl.net.au
        korea.services.net
        blackholes.five-ten-sg.com
        cbl.anti-spam.org.cn
        cblplus.anti-spam.org.cn
        cblless.anti-spam.org.cn
        bogons.cymru.com
        dynamic.tqmrbl.com
        relays.tqmrbl.com
        clients.tqmrbl.com
 	hostkarma.junkemailfilter.com
 );
 # RHSBLs (domain based)
 my @rhsbls = qw(
 	rhsbl.sorbs.net
 	rhsbl.ahbl.org
 	multi.surbl.org
 	dsn.rfc-ignorant.org
 	abuse.rfc-ignorant.org
 	whois.rfc-ignorant.org
 	bogusmx.rfc-ignorant.org
 	blackhole.securitysage.com
 	ex.dnsbl.org
 	rddn.dnsbl.net.au
 	block.rhs.mailpolice.com
 	dynamic.rhs.mailpolice.com
 	dnsbl.cyberlogic.net
 	hostkarma.junkemailfilter.com
 );
 # async dns object
 my $DNS = new Net::DNS::Async ( QueueSize => 100, Retries => 3, Timeout => 20 );
 our %RBLres = ();
 # async dns callback method
 sub callback {
    my $myresponse = shift;
    my $query = ''; my $result = '';
 	# get query
 	if ( defined $myresponse ) {
 		foreach ($myresponse->question) {
       		 	next unless (($_->qtype eq 'A') or ($_->qtype eq 'TXT'));
 			$query = $_->qname;
 		};
 		# get answer and fill result hash
 		if ( defined $query ) {
 			foreach ($myresponse->answer) {
 				if ($_->type eq 'A') {
 					$result = $_->address;
 			        	$query ||= ''; $result ||= '';
 					$RBLres{$query}{result} = $result;
 					$RBLres{$query}{end} = time;
 				} elsif ($_->type eq 'TXT') {
 					$RBLres{$query}{text} = join(" ", $_->char_str_list());
 					$RBLres{$query}{end} = time;
 				};
 			};
 		};
 	};
 };
 # main, parse argument list
 foreach (@ARGV) {
    my $query = $_;
    my $now = time;
    my @lookups = ();
    my $name  = my $addr = my $res = 'unknown';
    my $rblcount = my $rhlcount = 0;
 	# clear result hash
 	%RBLres = ();
 	# lookup hostname or ip address, remove localpart if email address
 	if ($query =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/) {
 		$addr = $query;
 		$name = $res
 			if ( defined($res = gethostbyaddr (pack ('C4', (split /\./, $addr)), 2)) );
 	} else {
 		$name = ($query =~ /@([^@]+)$/) ? $1 : $query;
 		$addr = ( join ".", (unpack ('C4', $res)) )
 			if ( defined ($res = gethostbyname ($name.".")) );
 	};
 	# header
 	print "\n", "=" x $mylen, "\n";
 	print "QUERY: ", $query, "  NAME: ", $name, "  ADDR: ", $addr, "\n";
 	# prepare rbl lookups
 	unless ($addr eq 'unknown') {
 		$addr = join ".", reverse split /\./, $addr;
 		foreach my $rbl (@rbls) {
 			$RBLres{$addr.".".$rbl}{query} = $rbl;
 			$RBLres{$addr.".".$rbl}{type}  = 'RBL';
 			$RBLres{$addr.".".$rbl}{start} = time;
 			push @lookups, $addr.".".$rbl;
 			#print "query ", $RBLres{$addr.".".$rbl}{query}, " for ", $addr.".".$rbl, "\n";
 		};
 	};
 	# prepare rhsbl lookups
 	unless ($name eq 'unknown') {
 		foreach my $rhsbl (@rhsbls) {
 			$RBLres{$name.".".$rhsbl}{query} = $rhsbl;
 			$RBLres{$name.".".$rhsbl}{type}  = 'RHSBL';
 			$RBLres{$name.".".$rhsbl}{start} = time;
 			push @lookups, $name.".".$rhsbl;
 			#print "name ", $RBLres{$name.".".$rhsbl}{query}, " for ", $name.".".$rhsbl, "\n";
 		};
 	};
 	# perform lookups
 	map { $DNS->add (\&callback, $_) } @lookups; 
 	map { $DNS->add (\&callback, $_, 'TXT') } @lookups; 
 	$DNS->await();
 	# evaluate results
 	foreach $query (sort keys %RBLres) {
 		if ($query and (defined $RBLres{$query}{result})) {
 			print "  ", "-" x ($mylen - 4), "\n";
 			printf "  listed on %s:%s, result: %s, time: %ds\n  %s\n",
 				$RBLres{$query}{type},
 				$RBLres{$query}{query}, $RBLres{$query}{result},
 				($RBLres{$query}{end} - $RBLres{$query}{start}),
 				((defined $RBLres{$query}{text}) ? "\"".$RBLres{$query}{text}."\"" : '<undef>');
 			$rblcount++ if $RBLres{$query}{type} eq 'RBL';
 			$rhlcount++ if $RBLres{$query}{type} eq 'RHSBL';
 		};
 	};
 	# footer
 	print "  ", "-" x ($mylen - 4), "\n";
 	printf "%d of %d RBLs, ", $rblcount, $#rbls if ($rblcount > 0);
 	printf "%d of %d RHSBLs, ", $rhlcount, $#rhsbls if ($rhlcount > 0);
 	printf "Finished after %d seconds\n", (time - $now);
 	print "=" x $mylen, "\n\n";
 };