Merge tag 'upstream/1.32'
Upstream version 1.32
This commit is contained in:
commit
ac46679343
27
doc/arch.html
Normal file
27
doc/arch.html
Normal file
|
@ -0,0 +1,27 @@
|
|||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>postfwd - basic architecture</title>
|
||||
<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
|
||||
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
|
||||
<meta name="description" content="basic architecture of postfwd a postfix firewall policy daemon">
|
||||
<meta name="author" content="jpk">
|
||||
<meta name="keywords" content="postfwd, postfwd usage, postfwd architecture, postfwd workflow, postfwd manual, postfix, policy, policy delegation, firewall, postfix acl, postfix acls, pfwpolicy, postfw, restrictions, IT-Security, IT-Consulting, Jan, Peter, Kessler">
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<h1>postfwd workflow</h1> <br>
|
||||
<img src="postfwd-ARCH.png">
|
||||
<br><br>
|
||||
<p>
|
||||
<center>
|
||||
<table border="1" color="black" frame="hsides" rules="none" width="100%">
|
||||
<td width="33%" align="left"><small>http://www.postfwd.org/</small>
|
||||
<td width="34%" align="center"><small>2007 - 2009 by <a href="http://www.jpkessler.de/">Jan Peter Kessler</a></small>
|
||||
<td width="33%" align="right"><small>info (AT) postfwd (DOT) org</small>
|
||||
</table>
|
||||
</center>
|
||||
</p>
|
||||
|
||||
</body>
|
||||
|
151
doc/hapolicy.html
Normal file
151
doc/hapolicy.html
Normal file
|
@ -0,0 +1,151 @@
|
|||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml">
|
||||
<head>
|
||||
<title>hapolicy - policy delegation high availability script</title>
|
||||
<link rev="made" href="mailto:root@localhost" />
|
||||
</head>
|
||||
|
||||
<body style="background-color: white">
|
||||
|
||||
<p><a name="__index__"></a></p>
|
||||
<!-- INDEX BEGIN -->
|
||||
|
||||
<ul>
|
||||
|
||||
<li><a href="#name">NAME</a></li>
|
||||
<li><a href="#synopsis">SYNOPSIS</a></li>
|
||||
<li><a href="#description">DESCRIPTION</a></li>
|
||||
<ul>
|
||||
|
||||
<li><a href="#introduction">INTRODUCTION</a></li>
|
||||
<li><a href="#configuration">CONFIGURATION</a></li>
|
||||
<li><a href="#integration">INTEGRATION</a></li>
|
||||
</ul>
|
||||
|
||||
<li><a href="#links">LINKS</a></li>
|
||||
<li><a href="#license">LICENSE</a></li>
|
||||
<li><a href="#author">AUTHOR</a></li>
|
||||
</ul>
|
||||
<!-- INDEX END -->
|
||||
|
||||
<hr />
|
||||
<p>
|
||||
</p>
|
||||
<h1><a name="name">NAME</a></h1>
|
||||
<p>hapolicy - policy delegation high availability script</p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="synopsis">SYNOPSIS</a></h1>
|
||||
<p><strong>hapolicy</strong> [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...]</p>
|
||||
<pre>
|
||||
Services:
|
||||
-s, --service <name>=<address>:<port>[:<prio>:<weight>:<timeout>]</pre>
|
||||
<pre>
|
||||
Options:
|
||||
-d, --default <action> returns <action> if no service was available (default: 'dunno')
|
||||
-l, --logging log requests
|
||||
-v, --verbose increase logging verbosity
|
||||
-L, --stdout log to stdout, for debugging, do NOT use with postfix</pre>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="description">DESCRIPTION</a></h1>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="introduction">INTRODUCTION</a></h2>
|
||||
<p><strong>hapolicy</strong> enables high availability, weighted loadbalancing and a fallback action for postfix policy delegation services. Invoked via postfix spawn it acts as a wrapper that queries
|
||||
other policy servers via tcp connection. The order of the service queries can be influenced by assigning a specific priority and weight to each service. A service is considered 'failing',
|
||||
if the connection is refused or the specified service timeout is reached. If all of the configured policy services were failing, <strong>hapolicy</strong> returns a default action (e.g. dunno) to postfix.</p>
|
||||
<p>With version 1.00 <strong>hapolicy</strong> has less than 200 lines of perl code using only standard perl modules. It does not require any disk access nor configuration files and runs under an unpriviledged
|
||||
user account. This should allow fast and reliable operation.</p>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="configuration">CONFIGURATION</a></h2>
|
||||
<p>A service has the following attributes</p>
|
||||
<pre>
|
||||
"servicename" => {
|
||||
ip => '127.0.0.1', # ip address
|
||||
port => '10040', # tcp port
|
||||
prio => '10', # optional, lower wins
|
||||
weight => '1', # optional, for items with same prio (weighted round-robin), higher is better
|
||||
timeout => '30', # optional, query timeout in seconds
|
||||
},</pre>
|
||||
<p>You may define multiple services at the command line. Which means that</p>
|
||||
<pre>
|
||||
hapolicy -s "grey1=10.0.0.1:10031:10" -s "grey2=10.0.0.2:10031:20"</pre>
|
||||
<p>will always try first service <em>grey1</em> at ip 10.0.0.1 port 10031 and if that service is not available or
|
||||
does not answer within the default of 30 seconds the next service <em>grey2</em> at ip 10.0.0.2 port 10031 will
|
||||
be queried.</p>
|
||||
<p>If you want to load balance connections you may define</p>
|
||||
<pre>
|
||||
hapolicy -s "polw1=10.0.0.1:12525:10:2" -s "polw2=10.0.0.2:12525:10:1"</pre>
|
||||
<p>which queries service <em>polw1</em> at ip 10.0.0.1 twice as much as service <em>polw2</em> at ip 10.0.0.2. Note that this
|
||||
setup also ensures high availability for both services. If <em>polw1</em> is not available or does not answer
|
||||
within the default of 30 seconds <em>polw2</em> will be queried and vice versa. There is no reason to define a service twice.</p>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="integration">INTEGRATION</a></h2>
|
||||
<p>Enter the following at the bottom of your postfix master.cf (usually located at /etc/postfix):</p>
|
||||
<pre>
|
||||
# service description, note the leading blanks at the second line
|
||||
127.0.0.1:10060 inet n n n - 0 spawn
|
||||
user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10</pre>
|
||||
<p>save the file and open postfix main.cf. Modify it as follows:</p>
|
||||
<pre>
|
||||
127.0.0.1:10060_time_limit = 3600</pre>
|
||||
<pre>
|
||||
smtpd_recipient_restrictions =
|
||||
permit_mynetworks,
|
||||
... other authed permits ...
|
||||
reject_unauth_destination,
|
||||
... other restrictions ...
|
||||
check_policy_service inet:127.0.0.1:10060 # <- hapolicy query</pre>
|
||||
<p>Now issue 'postfix reload' at the command line. Of course you can have more enhanced setups
|
||||
using postfix restriction classes. Please see <a href="#links">LINKS</a> for further options.</p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="links">LINKS</a></h1>
|
||||
<p>[1] Postfix SMTP Access Policy Delegation
|
||||
<a href="http://www.postfix.org/SMTPD_POLICY_README.html">http://www.postfix.org/SMTPD_POLICY_README.html</a></p>
|
||||
<p>[2] Postfix Per-Client/User/etc. Access Control
|
||||
<a href="http://www.postfix.org/RESTRICTION_CLASS_README.html">http://www.postfix.org/RESTRICTION_CLASS_README.html</a></p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="license">LICENSE</a></h1>
|
||||
<p>hapolicy is free software and released under BSD license, which basically means
|
||||
that you can do what you want as long as you keep the copyright notice:</p>
|
||||
<p>Copyright (c) 2008, Jan Peter Kessler
|
||||
All rights reserved.</p>
|
||||
<p>Redistribution and use in source and binary forms, with or without modification,
|
||||
are permitted provided that the following conditions are met:</p>
|
||||
<pre>
|
||||
* Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in
|
||||
the documentation and/or other materials provided with the
|
||||
distribution.
|
||||
* Neither the name of the authors nor the names of his contributors
|
||||
may be used to endorse or promote products derived from this
|
||||
software without specific prior written permission.</pre>
|
||||
<p>THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
||||
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT,
|
||||
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
||||
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGE.</p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="author">AUTHOR</a></h1>
|
||||
<p>Jan Peter Kessler <info (AT) postfwd (DOT) org>. Let me know, if you have any suggestions.</p>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
127
doc/hapolicy.txt
Normal file
127
doc/hapolicy.txt
Normal file
|
@ -0,0 +1,127 @@
|
|||
NAME
|
||||
hapolicy - policy delegation high availability script
|
||||
|
||||
SYNOPSIS
|
||||
hapolicy [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...]
|
||||
|
||||
Services:
|
||||
-s, --service <name>=<address>:<port>[:<prio>:<weight>:<timeout>]
|
||||
|
||||
Options:
|
||||
-d, --default <action> returns <action> if no service was available (default: 'dunno')
|
||||
-l, --logging log requests
|
||||
-v, --verbose increase logging verbosity
|
||||
-L, --stdout log to stdout, for debugging, do NOT use with postfix
|
||||
|
||||
DESCRIPTION
|
||||
INTRODUCTION
|
||||
hapolicy enables high availability, weighted loadbalancing and a
|
||||
fallback action for postfix policy delegation services. Invoked via
|
||||
postfix spawn it acts as a wrapper that queries other policy servers via
|
||||
tcp connection. The order of the service queries can be influenced by
|
||||
assigning a specific priority and weight to each service. A service is
|
||||
considered 'failing', if the connection is refused or the specified
|
||||
service timeout is reached. If all of the configured policy services
|
||||
were failing, hapolicy returns a default action (e.g. dunno) to postfix.
|
||||
|
||||
With version 1.00 hapolicy has less than 200 lines of perl code using
|
||||
only standard perl modules. It does not require any disk access nor
|
||||
configuration files and runs under an unpriviledged user account. This
|
||||
should allow fast and reliable operation.
|
||||
|
||||
CONFIGURATION
|
||||
A service has the following attributes
|
||||
|
||||
"servicename" => {
|
||||
ip => '127.0.0.1', # ip address
|
||||
port => '10040', # tcp port
|
||||
prio => '10', # optional, lower wins
|
||||
weight => '1', # optional, for items with same prio (weighted round-robin), higher is better
|
||||
timeout => '30', # optional, query timeout in seconds
|
||||
},
|
||||
|
||||
You may define multiple services at the command line. Which means that
|
||||
|
||||
hapolicy -s "grey1=10.0.0.1:10031:10" -s "grey2=10.0.0.2:10031:20"
|
||||
|
||||
will always try first service *grey1* at ip 10.0.0.1 port 10031 and if
|
||||
that service is not available or does not answer within the default of
|
||||
30 seconds the next service *grey2* at ip 10.0.0.2 port 10031 will be
|
||||
queried.
|
||||
|
||||
If you want to load balance connections you may define
|
||||
|
||||
hapolicy -s "polw1=10.0.0.1:12525:10:2" -s "polw2=10.0.0.2:12525:10:1"
|
||||
|
||||
which queries service *polw1* at ip 10.0.0.1 twice as much as service
|
||||
*polw2* at ip 10.0.0.2. Note that this setup also ensures high
|
||||
availability for both services. If *polw1* is not available or does not
|
||||
answer within the default of 30 seconds *polw2* will be queried and vice
|
||||
versa. There is no reason to define a service twice.
|
||||
|
||||
INTEGRATION
|
||||
Enter the following at the bottom of your postfix master.cf (usually
|
||||
located at /etc/postfix):
|
||||
|
||||
# service description, note the leading blanks at the second line
|
||||
127.0.0.1:10060 inet n n n - 0 spawn
|
||||
user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10
|
||||
|
||||
save the file and open postfix main.cf. Modify it as follows:
|
||||
|
||||
127.0.0.1:10060_time_limit = 3600
|
||||
|
||||
smtpd_recipient_restrictions =
|
||||
permit_mynetworks,
|
||||
... other authed permits ...
|
||||
reject_unauth_destination,
|
||||
... other restrictions ...
|
||||
check_policy_service inet:127.0.0.1:10060 # <- hapolicy query
|
||||
|
||||
Now issue 'postfix reload' at the command line. Of course you can have
|
||||
more enhanced setups using postfix restriction classes. Please see
|
||||
"LINKS" for further options.
|
||||
|
||||
LINKS
|
||||
[1] Postfix SMTP Access Policy Delegation
|
||||
<http://www.postfix.org/SMTPD_POLICY_README.html>
|
||||
|
||||
[2] Postfix Per-Client/User/etc. Access Control
|
||||
<http://www.postfix.org/RESTRICTION_CLASS_README.html>
|
||||
|
||||
LICENSE
|
||||
hapolicy is free software and released under BSD license, which
|
||||
basically means that you can do what you want as long as you keep the
|
||||
copyright notice:
|
||||
|
||||
Copyright (c) 2008, Jan Peter Kessler All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are
|
||||
met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in
|
||||
the documentation and/or other materials provided with the
|
||||
distribution.
|
||||
* Neither the name of the authors nor the names of his contributors
|
||||
may be used to endorse or promote products derived from this
|
||||
software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
|
||||
NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
||||
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
||||
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
||||
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
AUTHOR
|
||||
Jan Peter Kessler <info (AT) postfwd (DOT) org>. Let me know, if you
|
||||
have any suggestions.
|
||||
|
BIN
doc/postfwd-ARCH.png
Normal file
BIN
doc/postfwd-ARCH.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 37 KiB |
|
@ -1,3 +1,90 @@
|
|||
1.32
|
||||
====
|
||||
- feature: new option --save_rates=<file> allows to load and save
|
||||
rate limit counters to disk on program start and termination.
|
||||
this allows rate limit persistence during restarts and reboots
|
||||
(requires perl module 'Storable')
|
||||
- feature: the --debugitem="sender=example\.org$" option
|
||||
allows verbose logging for particular requests
|
||||
- feature: the debug() action allows verbose logging for certain
|
||||
rules:
|
||||
------------------------------------------------------------
|
||||
id=R01
|
||||
client_address=1.1.1.1
|
||||
action=debug(on)
|
||||
id=R02
|
||||
...
|
||||
id=R42
|
||||
action=debug(off)
|
||||
------------------------------------------------------------
|
||||
- feature: nested commands are possible now, e.g.:
|
||||
------------------------------------------------------------
|
||||
# throttle
|
||||
action=rate(client_address/10/60/wait(3))
|
||||
------------------------------------------------------------
|
||||
- feature: new mail(server/helo/from/to/subject/body) action.
|
||||
Please take a look at the manual, especially about
|
||||
it's limitations, before using it!
|
||||
------------------------------------------------------------
|
||||
# alert
|
||||
action=size(recipient_domain/100000000/86400/mail(mailhost/helo/from/to/subject/text))
|
||||
------------------------------------------------------------
|
||||
|
||||
1.31
|
||||
====
|
||||
- feature: single cache items can be wiped using --delcache <item>
|
||||
or --delrate <item> options. use --dumpcache to identify
|
||||
- feature: sasl_username is logged if available
|
||||
(thanks to Bernhard Schmidt)
|
||||
- code: rate limit action is executed, if the first request exceeds the limit
|
||||
- code: exceeded ratecounters will not be kept permanently anymore. this
|
||||
allows further requests to pass, if they are below the limit
|
||||
- code: rate limits are evaluated at ruleset stage now, which leads to
|
||||
much more comprehensible behaviour. due to this change the request
|
||||
cache is now disabled, if rate limits are used. use the
|
||||
--fast_limit_evaluation option to revert to the former mode.
|
||||
|
||||
1.30
|
||||
====
|
||||
- feature: new parser enhancement allows to omit the trailing "\" for multi-line rules,
|
||||
if the following lines are prefixed by whitespace characters:
|
||||
--------------------------------------
|
||||
id=RCPTCOUNT
|
||||
protocol_state == END-OF-MESSAGE
|
||||
client_address != 10.1.1.0/24
|
||||
recipient_count >= 100
|
||||
action=REJECT too many recipients
|
||||
--------------------------------------
|
||||
- feature: new plugin interface (BETA)
|
||||
- feature: Time::HiRes is used if available
|
||||
- feature: new $$ratecount variable for rate() actions
|
||||
- feature: ported --dumpstats and --dumpcache option from postfwd2
|
||||
- bugfix: fixed program usage statistics (--summary)
|
||||
- docs: documentation updates
|
||||
|
||||
1.22
|
||||
=====
|
||||
- feature: new option --keep_rates
|
||||
- feature: queueid is logged when available
|
||||
- bugfix: rate limits using the same item and the same limits
|
||||
did not work correctly (thanks to Yves Blusseau):
|
||||
id=INT01; INT_DOMAIN==1; \
|
||||
action=rate(sender/100/60/450 4.7.1 too much for internal domains)
|
||||
id=EXT01; EXT_DOMAIN==1; \
|
||||
action=rate(sender/100/60/450 4.7.1 too much for external domains)
|
||||
- bugfix: small fix for cleanup of old rate limits
|
||||
- docs: documentation updates and fixes (thanks to Vincent Lefevre)
|
||||
|
||||
1.21
|
||||
=====
|
||||
- feature: postfwd supports multiple rate limits to the same items now.
|
||||
this means that the following will now work as expected:
|
||||
id=R001; recipient_count>=100; action=rate(sender/3/3600/WARN state RED)
|
||||
id=R002; recipient_count>=100; action=rate(sender/2/3600/WARN state YELLOW)
|
||||
id=R003; recipient_count>=100; action=rate(sender/1/3600/WARN state GREEN)
|
||||
- code: ported command-line option --facility from postfwd2
|
||||
- docs: documentation updates and fixes (thanks to Vincent Lefevre)
|
||||
|
||||
1.20
|
||||
=====
|
||||
- code: changed the default umask for the server socket to 0111
|
540
doc/postfwd.html
540
doc/postfwd.html
|
@ -51,54 +51,70 @@
|
|||
<p>postfwd [OPTIONS] [SOURCE1, SOURCE2, ...]</p>
|
||||
<pre>
|
||||
Ruleset: (at least one, multiple use is allowed):
|
||||
-f, --file <file> reads rules from <file>
|
||||
-r, --rule <rule> adds <rule> to config</pre>
|
||||
-f, --file <file> reads rules from <file>
|
||||
-r, --rule <rule> adds <rule> to config</pre>
|
||||
<pre>
|
||||
Scoring:
|
||||
-s, --scores <v>=<r> returns <r> when score exceeds <v></pre>
|
||||
-s, --scores <v>=<r> returns <r> when score exceeds <v></pre>
|
||||
<pre>
|
||||
Control:
|
||||
-d, --daemon run postfwd as daemon
|
||||
-k, --kill stops daemon
|
||||
--reload reloads configuration
|
||||
--dumpstats displays usage statistics
|
||||
--dumpcache displays cache contents
|
||||
--delcache <item> removes an item from the request cache
|
||||
--delrate <item> removes an item from the rate cache</pre>
|
||||
<pre>
|
||||
Networking:
|
||||
-d, --daemon run postfwd as daemon
|
||||
-i, --interface <dev> listen on interface <dev>
|
||||
-p, --port <port> listen on port <port>
|
||||
--proto <proto> socket type (tcp or unix)
|
||||
-u, --user <name> set uid to user <name>
|
||||
-g, --group <name> set gid to group <name>
|
||||
--umask <mask> set umask for file permissions
|
||||
-R, --chroot <path> chroot the daemon to <path>
|
||||
--pidfile <path> create pidfile under <path>
|
||||
-l, --logname <label> label for syslog messages
|
||||
--loglen <int> truncates syslogs after <int> chars</pre>
|
||||
-i, --interface <dev> listen on interface <dev>
|
||||
-p, --port <port> listen on port <port>
|
||||
--proto <proto> socket type (tcp or unix)
|
||||
-u, --user <name> set uid to user <name>
|
||||
-g, --group <name> set gid to group <name>
|
||||
--umask <mask> set umask for file permissions
|
||||
-R, --chroot <path> chroot the daemon to <path>
|
||||
--pidfile <path> create pidfile under <path>
|
||||
--facility <f> syslog facility
|
||||
--socktype <s> syslog socktype
|
||||
-l, --logname <label> label for syslog messages
|
||||
--loglen <int> truncates syslogs after <int> chars</pre>
|
||||
<pre>
|
||||
Caching:
|
||||
-c, --cache <int> sets the request-cache timeout to <int> seconds
|
||||
--cache-no-size ignores size attribute for caching
|
||||
--cache-no-sender ignores sender address in cache
|
||||
--cache-rdomain-only ignores localpart of recipient address in cache
|
||||
--cache-rbl-timeout default rbl timeout, if not specified in ruleset
|
||||
--cache-rbl-default default rbl response pattern to match (regexp)
|
||||
--cacheid <item>, .. list of attributes for request cache identifier
|
||||
--cleanup-requests cleanup interval in seconds for request cache
|
||||
--cleanup-rbls cleanup interval in seconds for rbl cache
|
||||
--cleanup-rates cleanup interval in seconds for rate cache</pre>
|
||||
-c, --cache <int> sets the request-cache timeout to <int> seconds
|
||||
--cache-no-size ignores size attribute for caching
|
||||
--cache-no-sender ignores sender address in cache
|
||||
--cache-rdomain-only ignores localpart of recipient address in cache
|
||||
--cache-rbl-timeout default rbl timeout, if not specified in ruleset
|
||||
--cache-rbl-default default rbl response pattern to match (regexp)
|
||||
--cacheid <item>, .. list of attributes for request cache identifier
|
||||
--cleanup-requests cleanup interval in seconds for request cache
|
||||
--cleanup-rbls cleanup interval in seconds for rbl cache
|
||||
--cleanup-rates cleanup interval in seconds for rate cache</pre>
|
||||
<pre>
|
||||
Optional:
|
||||
-t, --test testing, always returns "dunno"
|
||||
-v, --verbose verbose logging, use twice (-vv) to increase level
|
||||
-S, --summary <int> show some usage statistics every <int> seconds
|
||||
--norulelog disbles rule logging
|
||||
--norulestats disables per rule statistics
|
||||
--noidlestats disables statistics when idle
|
||||
-n, --nodns disable dns
|
||||
--nodnslog disable dns logging
|
||||
--dns_async_txt perform dnsbl A and TXT lookups simultaneously
|
||||
--dns_timeout timeout in seconds for asynchonous dns queries
|
||||
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
|
||||
--dns_timeout_interval interval in seconds for dns timeout maximum counter
|
||||
--dns_max_ns_lookups max names to look up with sender_ns_addrs
|
||||
--dns_max_mx_lookups max names to look up with sender_mx_addrs
|
||||
-I, --instantcfg re-reads rulefiles for every new request
|
||||
--config_timeout <i> parser timeout in seconds</pre>
|
||||
-t, --test testing, always returns "dunno"
|
||||
-v, --verbose verbose logging, use twice (-vv) to increase level
|
||||
-S, --summary <int> show some usage statistics every <int> seconds
|
||||
--norulelog disbles rule logging
|
||||
--norulestats disables per rule statistics
|
||||
--noidlestats disables statistics when idle
|
||||
-n, --nodns disable dns
|
||||
--nodnslog disable dns logging
|
||||
--dns_async_txt perform dnsbl A and TXT lookups simultaneously
|
||||
--dns_timeout timeout in seconds for asynchonous dns queries
|
||||
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
|
||||
--dns_timeout_interval interval in seconds for dns timeout maximum counter
|
||||
--dns_max_ns_lookups max names to look up with sender_ns_addrs
|
||||
--dns_max_mx_lookups max names to look up with sender_mx_addrs
|
||||
-I, --instantcfg re-reads rulefiles for every new request
|
||||
--config_timeout <i> parser timeout in seconds
|
||||
--keep_rates do not clear rate limit counters on reload
|
||||
--save_rates <file> save and load rate limits on disk
|
||||
--fast_limit_evaluation evaluate rate limits before ruleset is parsed</pre>
|
||||
<pre>
|
||||
Plugins:
|
||||
--plugins <file> loads postfwd plugins from file</pre>
|
||||
<pre>
|
||||
Informational (use only at command-line!):
|
||||
-C, --showconfig shows ruleset summary, -v for verbose
|
||||
|
@ -107,9 +123,6 @@
|
|||
-V, --version shows program version
|
||||
-h, --help shows usage
|
||||
-m, --manual shows program manual</pre>
|
||||
<pre>
|
||||
Plugins:
|
||||
--plugins <file> loads plugins from <file></pre>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
|
@ -138,7 +151,7 @@ which should allow straightforward and easy-to-read configurations.</p>
|
|||
<p>A configuration line consists of optional item=value pairs, separated by semicolons
|
||||
(`;`) and the appropriate desired action:</p>
|
||||
<pre>
|
||||
[ <item1>[=><~]=<value>; <item2>[=><~]=<value>; ... ] action=<result></pre>
|
||||
[ <item1>=<value>; <item2>=<value>; ... ] action=<result></pre>
|
||||
<p><em>Example:</em></p>
|
||||
<pre>
|
||||
client_address=192.168.1.1 ; sender==no@bad.local ; action=REJECT</pre>
|
||||
|
@ -167,10 +180,19 @@ or trailing whitespace characters will be ignored. Use '#' to comment your confi
|
|||
appreciate.</p>
|
||||
<p>A ruleset consists of one or multiple rules, which can be loaded from files or passed as command line
|
||||
arguments. Please see the COMMAND LINE section below for more information on this topic.</p>
|
||||
<p>Rules can span multiple lines by adding a trailing backslash ``\'' character:</p>
|
||||
<p>Since postfwd version 1.30 rules spanning span multiple lines can be defined by prefixing the following
|
||||
lines with one or multiple whitespace characters (or '}' for macros):</p>
|
||||
<pre>
|
||||
id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \
|
||||
action=REJECT please use your relay from there</pre>
|
||||
id=RULE001
|
||||
client_address=192.168.1.0/24
|
||||
sender==no@bad.local
|
||||
action=REJECT no access</pre>
|
||||
<p>postfwd versions prior to 1.30 require trailing ';' and '\'-characters:</p>
|
||||
<pre>
|
||||
id=RULE001; \
|
||||
client_address=192.168.1.0/24; \
|
||||
sender==no@bad.local; \
|
||||
action=REJECT no access</pre>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="items">ITEMS</a></h2>
|
||||
|
@ -236,8 +258,14 @@ arguments. Please see the COMMAND LINE section below for more information on thi
|
|||
this enables version based checks in your rulesets
|
||||
(e.g. for migration). works with old versions too,
|
||||
because a non-existing item always returns false:
|
||||
id=R01; version~=1.10; sender_domain==some.org \
|
||||
# version >= 1.10
|
||||
id=R01; version~=1\.[1-9][0-9]; sender_domain==some.org \
|
||||
; action=REJECT sorry no access</pre>
|
||||
<pre>
|
||||
ratecount - only available for rate(), size() and rcpt() actions.
|
||||
contains the actual limit counter:
|
||||
id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits])
|
||||
id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits])</pre>
|
||||
<p>Besides these you can specify any attribute of the postfix policy delegation protocol.
|
||||
Feel free to combine them the way you need it (have a look at the EXAMPLES section below).</p>
|
||||
<p>Most values can be specified as regular expressions (PCRE). Please see the table below
|
||||
|
@ -287,34 +315,33 @@ for details:</p>
|
|||
encryption_keysize=256 mask = numeric, will match if keysize >= 256
|
||||
...</pre>
|
||||
<p>the current list can be found at <a href="http://www.postfix.org/SMTPD_POLICY_README.html">http://www.postfix.org/SMTPD_POLICY_README.html</a>. Please read carefully about which
|
||||
attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END_OF_DATA level).
|
||||
attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END-OF-MESSAGE level).
|
||||
Pattern matching is performed case insensitive.</p>
|
||||
<p>Multiple use of the same item is allowed and will compared as logical OR, which means that this will work as expected:</p>
|
||||
<pre>
|
||||
id=TRUST001; action=OK; encryption_keysize=64; \
|
||||
ccert_fingerprint=11:22:33:44:55:66:77:88:99; \
|
||||
ccert_fingerprint=22:33:44:55:66:77:88:99:00; \
|
||||
ccert_fingerprint=33:44:55:66:77:88:99:00:11; \
|
||||
id=TRUST001; action=OK; encryption_keysize=64
|
||||
ccert_fingerprint=11:22:33:44:55:66:77:88:99
|
||||
ccert_fingerprint=22:33:44:55:66:77:88:99:00
|
||||
ccert_fingerprint=33:44:55:66:77:88:99:00:11
|
||||
sender=@domain\.local$</pre>
|
||||
<p>client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values:</p>
|
||||
<pre>
|
||||
id=SKIP01; action=dunno; \
|
||||
id=SKIP01; action=dunno
|
||||
client_address=192.168.1.0/24, 172.16.254.23
|
||||
id=SKIP02; action=dunno; \
|
||||
client_address= 10.10.3.32 \
|
||||
10.216.222.0/27</pre>
|
||||
id=SKIP02; action=dunno
|
||||
client_address=10.10.3.32 10.216.222.0/27</pre>
|
||||
<p>The following items currently have to be unique:</p>
|
||||
<pre>
|
||||
id, minimum and maximum values, rblcount and rhsblcount</pre>
|
||||
<p>Any item can be negated by preceeding '!!' to it, e.g.:</p>
|
||||
<pre>
|
||||
id=TLS001 ; hostname=!!^secure\.trust\.local$ ; action=REJECT only secure.trust.local please</pre>
|
||||
id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please</pre>
|
||||
<p>or using the right compare operator:</p>
|
||||
<pre>
|
||||
id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that?</pre>
|
||||
id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please</pre>
|
||||
<p>To avoid confusion with regexps or simply for better visibility you can use '!!(...)':</p>
|
||||
<pre>
|
||||
id=USER01 ; sasl_username=!!( (bob|alice) ) ; action=REJECT who is that?</pre>
|
||||
id=USER01 ; sasl_username = !!( (bob|alice) ) ; action=REJECT who is that?</pre>
|
||||
<p>Request attributes can be compared by preceeding '$$' characters, e.g.:</p>
|
||||
<pre>
|
||||
id=R-003 ; client_name = !! $$helo_name ; action=WARN helo does not match DNS
|
||||
|
@ -322,6 +349,29 @@ Pattern matching is performed case insensitive.</p>
|
|||
id=R-003 ; client_name = !!($$(helo_name)) ; action=WARN helo does not match DNS</pre>
|
||||
<p>This is only valid for PCRE values (see list above). The comparison will be performed as case insensitive exact match.
|
||||
Use the '-vv' option to debug.</p>
|
||||
<p>These special items will be reset for any new rule:</p>
|
||||
<pre>
|
||||
rblcount - contains the number of RBL answers
|
||||
rhsblcount - contains the number of RHSBL answers
|
||||
matches - contains the number of matched items
|
||||
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
|
||||
rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...</pre>
|
||||
<p>These special items will be changed for any matching rule:</p>
|
||||
<pre>
|
||||
request_hits - contains ids of all matching rules</pre>
|
||||
<p>This means that it might be necessary to save them, if you plan to use these values in later rules:</p>
|
||||
<pre>
|
||||
# set vals
|
||||
id=RBL01 ; rhsblcount=all; rblcount=all
|
||||
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
|
||||
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org
|
||||
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
|
||||
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net</pre>
|
||||
<pre>
|
||||
# compare
|
||||
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
|
||||
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]</pre>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="files">FILES</a></h2>
|
||||
|
@ -341,15 +391,15 @@ Use the '-vv' option to debug.</p>
|
|||
id=R001 ; ccert_fingerprint==table:/etc/postfwd/wl_ccerts ; action=DUNNO</pre>
|
||||
<p>This will ignore the right-hand value. Items can be mixed:</p>
|
||||
<pre>
|
||||
id=R002 ; action=REJECT \
|
||||
client_name==unknown; \
|
||||
id=R002 ; action=REJECT
|
||||
client_name==unknown
|
||||
client_name==<a href="file:/etc/postfwd/blacklisted">file:/etc/postfwd/blacklisted</a></pre>
|
||||
<p>and for non pcre (comma separated) items:</p>
|
||||
<pre>
|
||||
id=R003 ; action=REJECT \
|
||||
id=R003 ; action=REJECT
|
||||
client_address==10.1.1.1, <a href="file:/etc/postfwd/blacklisted">file:/etc/postfwd/blacklisted</a></pre>
|
||||
<pre>
|
||||
id=R004 ; action=REJECT \
|
||||
id=R004 ; action=REJECT
|
||||
rbl=myrbl.home.local, zen.spamhaus.org, <a href="file:/etc/postfwd/rbls_changing">file:/etc/postfwd/rbls_changing</a></pre>
|
||||
<p>You can check your configuration with the --show_config option at the command line:</p>
|
||||
<pre>
|
||||
|
@ -447,16 +497,25 @@ rule containing only an action statement:</p>
|
|||
please note that <action> is currently limited to postfix actions (no postfwd actions)!
|
||||
# no more than 3 requests per 5 minutes
|
||||
# from the same "unknown" client
|
||||
id=RATE01 ; client_name==unknown ; \
|
||||
action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)</pre>
|
||||
id=RATE01 ; client_name==unknown
|
||||
action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
|
||||
Please note also that the order of rate limits in your ruleset is important, which means
|
||||
that this:
|
||||
# works as expected
|
||||
id=R001; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded)
|
||||
id=R002; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender)
|
||||
leads to different results than this:
|
||||
# rule R002 never gets executed
|
||||
id=R001; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender)
|
||||
id=R002; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded)</pre>
|
||||
<pre>
|
||||
size (<item>/<max>/<time>/<action>)
|
||||
this command works similar to the rate() command with the difference, that the rate counter is
|
||||
increased by the request's size attribute. to do this reliably you should call postfwd from
|
||||
smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset:
|
||||
# size limit 1.5mb per hour per client
|
||||
id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
|
||||
action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)</pre>
|
||||
id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1
|
||||
action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)</pre>
|
||||
<pre>
|
||||
rcpt (<item>/<max>/<time>/<action>)
|
||||
this command works similar to the rate() command with the difference, that the rate counter is
|
||||
|
@ -464,8 +523,8 @@ rule containing only an action statement:</p>
|
|||
from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could
|
||||
check it within the ruleset:
|
||||
# recipient count limit 3 per hour per client
|
||||
id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
|
||||
action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)</pre>
|
||||
id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1
|
||||
action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)</pre>
|
||||
<pre>
|
||||
ask (<addr>:<port>[:<ignore>])
|
||||
allows to delegate the policy decision to another policy service (e.g. postgrey). the first
|
||||
|
@ -473,9 +532,14 @@ rule containing only an action statement:</p>
|
|||
specified to tell postfwd to ignore certain answers and go on parsing the ruleset:
|
||||
# example1: query postgrey and return it's answer to postfix
|
||||
id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031)
|
||||
# example2: query postgrey but ignore it's answer, if it matches 'DUNNO'
|
||||
# example2: query postgrey but ignore the answer, if it matches 'DUNNO'
|
||||
# and continue parsing postfwd's ruleset
|
||||
id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$)</pre>
|
||||
<pre>
|
||||
mail(server/helo/from/to/subject/body)
|
||||
Very basic mail command, that sends a message with the given arguments. LIMITATIONS:
|
||||
This basically performs a telnet. No authentication or TLS are available. Additionally it does
|
||||
not track notification state and will notify you any time, the corresponding rule hits.</pre>
|
||||
<pre>
|
||||
wait (<delay>)
|
||||
pauses the program execution for <delay> seconds. use this for
|
||||
|
@ -483,7 +547,7 @@ rule containing only an action statement:</p>
|
|||
<pre>
|
||||
note (<string>)
|
||||
just logs the given string and continues parsing the ruleset.
|
||||
if the string is empty, nothing will be logged.</pre>
|
||||
if the string is empty, nothing will be logged (noop).</pre>
|
||||
<pre>
|
||||
quit (<code>)
|
||||
terminates the program with the given exit-code. postfix doesn`t
|
||||
|
@ -491,29 +555,6 @@ rule containing only an action statement:</p>
|
|||
<p>You can reference to request attributes, like</p>
|
||||
<pre>
|
||||
id=R-HELO ; helo_name=^[^\.]+$ ; action=REJECT invalid helo '$$helo_name'</pre>
|
||||
<p>These special attributes will be reset for any new rule:</p>
|
||||
<pre>
|
||||
rblcount - contains the number of RBL answers
|
||||
rhsblcount - contains the number of RHSBL answers
|
||||
matches - contains the number of matched items
|
||||
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
|
||||
rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...</pre>
|
||||
<p>These special attributes will be changed for any matching rule:</p>
|
||||
<pre>
|
||||
request_hits - contains ids of all matching rules</pre>
|
||||
<p>This means that it might be necessary to save them, if you plan to use these values in later rules:</p>
|
||||
<pre>
|
||||
# set vals
|
||||
id=RBL01 ; rhsblcount=all ; rblcount=all ; \
|
||||
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
|
||||
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
|
||||
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
|
||||
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)</pre>
|
||||
<pre>
|
||||
# compare
|
||||
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
|
||||
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]</pre>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="macros_acls">MACROS/ACLS</a></h2>
|
||||
|
@ -536,18 +577,18 @@ First the macros have to be defined as follows:</p>
|
|||
&&GONOW ; &&RBLS ; client_name=[\.-_](adsl|dynamic|ppp|)[\.-_]</pre>
|
||||
<p>Macros can contain macros, too:</p>
|
||||
<pre>
|
||||
# definition (note the trailing "\" characters)
|
||||
&&RBLS { \
|
||||
rbl=zen.spamhaus.org ; \
|
||||
rbl=list.dsbl.org ; \
|
||||
rbl=bl.spamcop.net ; \
|
||||
rbl=dnsbl.sorbs.net ; \
|
||||
rbl=ix.dnsbl.manitu.net ; \
|
||||
# definition
|
||||
&&RBLS{
|
||||
rbl=zen.spamhaus.org
|
||||
rbl=list.dsbl.org
|
||||
rbl=bl.spamcop.net
|
||||
rbl=dnsbl.sorbs.net
|
||||
rbl=ix.dnsbl.manitu.net
|
||||
};
|
||||
&&DYNAMIC { \
|
||||
client_name=^unknown$ ; \
|
||||
client_name=(\d+[\.-_]){4} ; \
|
||||
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
|
||||
&&DYNAMIC{
|
||||
client_name=^unknown$
|
||||
client_name=(\d+[\.-_]){4}
|
||||
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_]
|
||||
};
|
||||
&&GOAWAY { &&RBLS; &&DYNAMIC; };
|
||||
# rules
|
||||
|
@ -556,7 +597,141 @@ First the macros have to be defined as follows:</p>
|
|||
<p>
|
||||
</p>
|
||||
<h2><a name="plugins">PLUGINS</a></h2>
|
||||
<p>Please visit <a href="http://www.postfwd.org/postfwd.plugins">http://www.postfwd.org/postfwd.plugins</a></p>
|
||||
<p><strong>Description</strong></p>
|
||||
<p>The plugin interface allow you to define your own checks and enhance postfwd's
|
||||
functionality. Feel free to share useful things!</p>
|
||||
<p><strong>Warning</strong></p>
|
||||
<p>Note that the plugin interface is still at devel stage. Please test your plugins
|
||||
carefully, because errors may cause postfwd to break! It is also
|
||||
allowed to override attributes or built-in functions, but be sure that you know
|
||||
what you do because some of them are used internally.</p>
|
||||
<p>Please keep security in mind, when you access sensible ressources and never, ever
|
||||
run postfwd as privileged user! Also never trust your input (especially hostnames,
|
||||
and e-mail addresses).</p>
|
||||
<p><strong>ITEMS</strong></p>
|
||||
<p>Item plugins are perl subroutines which integrate additional attributes to requests
|
||||
before they are evaluated against postfwd's ruleset like any other item of the
|
||||
policy delegation protocol. This allows you to create your own checks.</p>
|
||||
<p>plugin-items can not be used selective. these functions will be executed for every
|
||||
request postfwd receives, so keep performance in mind.</p>
|
||||
<pre>
|
||||
SYNOPSIS: %result = postfwd_items_plugin{<name>}(%request)</pre>
|
||||
<p>means that your subroutine, called <name>, has access to a hash called %request,
|
||||
which contains all request attributes, like $request{client_name} and must
|
||||
return a value in the following form:</p>
|
||||
<pre>
|
||||
save: $result{<item>} = <value></pre>
|
||||
<p>this creates the new item <item> containing <value>, which will be integrated in
|
||||
the policy delegation request and therefore may be used in postfwd's ruleset.</p>
|
||||
<pre>
|
||||
# do NOT remove the next line
|
||||
%postfwd_items_plugin = (</pre>
|
||||
<pre>
|
||||
# EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
|
||||
# allows to check postfwd version in ruleset
|
||||
"version" => sub {
|
||||
my(%request) = @_;
|
||||
my(%result) = (
|
||||
"version" => $NAME." ".$VERSION,
|
||||
);
|
||||
return %result;
|
||||
},
|
||||
|
||||
# sender_domain and recipient_domain
|
||||
"address_parts" => sub {
|
||||
my(%request) = @_;
|
||||
my(%result) = ();
|
||||
$request{sender} =~ /@([^@]*)$/;
|
||||
$result{sender_domain} = ($1 || '');
|
||||
$request{recipient} =~ /@([^@]*)$/;
|
||||
$result{recipient_domain} = ($1 || '');
|
||||
return %result;
|
||||
},</pre>
|
||||
<pre>
|
||||
# do NOT remove the next line
|
||||
);</pre>
|
||||
<p><strong>COMPARE</strong></p>
|
||||
<p>Compare plugins allow you to define how your new items should be compared to the ruleset.
|
||||
These are optional. If you don't specify one, the default (== for exact match, =~ for PCRE, ...)
|
||||
will be used.</p>
|
||||
<pre>
|
||||
SYNOPSIS: <item> => sub { return &{$postfwd_compare{<type>}}(@_); },</pre>
|
||||
<pre>
|
||||
# do NOT remove the next line
|
||||
%postfwd_compare_plugin = (</pre>
|
||||
<pre>
|
||||
EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
|
||||
# Simple example
|
||||
# SYNOPSIS: <result> = <item> (return &{$postfwd_compare{<type>}}(@_))
|
||||
"client_address" => sub { return &{$postfwd_compare{cidr}}(@_); },
|
||||
"size" => sub { return &{$postfwd_compare{numeric}}(@_); },
|
||||
"recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); },
|
||||
|
||||
# Complex example
|
||||
# SYNOPSIS: <result> = <item>(<operator>, <ruleset value>, <request value>, <request>)
|
||||
"numeric" => sub {
|
||||
my($cmp,$val,$myitem,%request) = @_;
|
||||
my($myresult) = undef; $myitem ||= "0"; $val ||= "0";
|
||||
if ($cmp eq '==') {
|
||||
$myresult = ($myitem == $val);
|
||||
} elsif ($cmp eq '=<') {
|
||||
$myresult = ($myitem <= $val);
|
||||
} elsif ($cmp eq '=>') {
|
||||
$myresult = ($myitem >= $val);
|
||||
} elsif ($cmp eq '!=') {
|
||||
$myresult = not($myitem == $val);
|
||||
} elsif ($cmp eq '!<') {
|
||||
$myresult = not($myitem <= $val);
|
||||
} elsif ($cmp eq '!>') {
|
||||
$myresult = not($myitem >= $val);
|
||||
} else {
|
||||
$myresult = ($myitem >= $val);
|
||||
};
|
||||
return $myresult;
|
||||
},</pre>
|
||||
<pre>
|
||||
# do NOT remove the next line
|
||||
);</pre>
|
||||
<p><strong>ACTIONS</strong></p>
|
||||
<p>Action plugins allow to define new postfwd actions. By setting the $stop-flag you can decide to
|
||||
continue or to stop parsing the ruleset.</p>
|
||||
<pre>
|
||||
SYNOPSIS: (<stop rule parsing>, <next rule index>, <return action>, <logprefix>, <request>) =
|
||||
<action> (<current rule index>, <current time>, <command name>, <argument>, <logprefix>, <request>)</pre>
|
||||
<pre>
|
||||
# do NOT remove the next line
|
||||
%postfwd_actions_plugin = (</pre>
|
||||
<pre>
|
||||
# EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
|
||||
# note(<logstring>) command
|
||||
"note" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg;
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},
|
||||
|
||||
# skips next <myarg> rules
|
||||
"skip" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
$index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) );
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},
|
||||
|
||||
# dumps current request contents to syslog
|
||||
"dumprequest" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request);
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},</pre>
|
||||
<pre>
|
||||
# do NOT remove the next line
|
||||
);</pre>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="command_line">COMMAND LINE</a></h2>
|
||||
|
@ -571,29 +746,51 @@ that at least one of the following is required for postfwd to work.</p>
|
|||
-r, --rule <rule>
|
||||
Adds <rule> to ruleset. Remember that you might have to quote
|
||||
strings that contain whitespaces or shell characters.</pre>
|
||||
<p><em>Plugins</em></p>
|
||||
<pre>
|
||||
--plugins
|
||||
A file containing plugin routines for postfwd. Please see the
|
||||
PLUGINS section for more information.</pre>
|
||||
<p><em>Scoring</em></p>
|
||||
<pre>
|
||||
-s, --scores <val>=<action>
|
||||
Returns <action> to postfix, when the request's score exceeds <val></pre>
|
||||
<p>Multiple usage is allowed. Just chain your arguments, like:</p>
|
||||
<pre>
|
||||
postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
|
||||
postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> ...
|
||||
or
|
||||
postfwd --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd score too high" ...</pre>
|
||||
<p>In case of multiple scores, the highest match will count. The order of the arguments will be
|
||||
reflected in the postfwd ruleset.</p>
|
||||
<p><em>Networking</em></p>
|
||||
<p>postfwd can be run as daemon so that it listens on the network for incoming requests.
|
||||
The following arguments will control it's behaviour in this case.</p>
|
||||
<p><em>Control</em></p>
|
||||
<pre>
|
||||
-d, --daemon
|
||||
postfwd will run as daemon and listen on the network for incoming
|
||||
queries (default 127.0.0.1:10040).</pre>
|
||||
<pre>
|
||||
-k, --kill
|
||||
Stops a running postfwd daemon.</pre>
|
||||
<pre>
|
||||
--reload
|
||||
Reloads configuration.</pre>
|
||||
<pre>
|
||||
--dumpstats
|
||||
Displays program usage statistics.</pre>
|
||||
<pre>
|
||||
--dumpcache
|
||||
Displays cache contents.</pre>
|
||||
<pre>
|
||||
--delcache <item>
|
||||
Removes an item from the request cache. Use --dumpcache to identify objects.
|
||||
E.g.:
|
||||
# postfwd --dumpcache
|
||||
...
|
||||
%rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1'
|
||||
%rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2'
|
||||
...
|
||||
# postfwd --delrate="sender=gmato@jqvo.org"
|
||||
rate cache item 'sender=gmato@jqvo.org' removed</pre>
|
||||
<pre>
|
||||
--delrate <item>
|
||||
Removes an item from the rate cache. Use --dumpcache to identify objects.</pre>
|
||||
<p><em>Networking</em></p>
|
||||
<p>postfwd can be run as daemon so that it listens on the network for incoming requests.
|
||||
The following arguments will control it's behaviour in this case.</p>
|
||||
<pre>
|
||||
-i, --interface <dev>
|
||||
Bind postfwd to the specified interface (default 127.0.0.1).</pre>
|
||||
|
@ -623,6 +820,13 @@ The following arguments will control it's behaviour in this case.</p>
|
|||
<pre>
|
||||
--pidfile <path>
|
||||
The process id will be saved in the specified file.</pre>
|
||||
<pre>
|
||||
--facility <f>
|
||||
sets the syslog facility, default is 'mail'</pre>
|
||||
<pre>
|
||||
--socktype <s>
|
||||
sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'.
|
||||
Default is to auto-detect this depening on module version and os.</pre>
|
||||
<pre>
|
||||
-l, --logname <label>
|
||||
Labels the syslog messages. Useful when running multiple
|
||||
|
@ -630,6 +834,11 @@ The following arguments will control it's behaviour in this case.</p>
|
|||
<pre>
|
||||
--loglen <int>
|
||||
Truncates any syslog message after <int> characters.</pre>
|
||||
<p><em>Plugins</em></p>
|
||||
<pre>
|
||||
--plugins <file>
|
||||
Loads postfwd plugins from file. Please see <a href="http://postfwd.org/postfwd.plugins">http://postfwd.org/postfwd.plugins</a>
|
||||
or the plugins.postfwd.sample that is available from the tarball for more info.</pre>
|
||||
<p><em>Optional arguments</em></p>
|
||||
<p>These parameters influence the way postfwd is working. Any of them can be combined.</p>
|
||||
<pre>
|
||||
|
@ -754,7 +963,23 @@ The following arguments will control it's behaviour in this case.</p>
|
|||
<pre>
|
||||
--config_timeout (default=3)
|
||||
timeout in seconds to parse a single configuration line. if exceeded, the rule will
|
||||
be skipped. this is used to prevent problems due to large files or loops.</pre>
|
||||
be skipped. this is used to prevent problems due to large files or loops.
|
||||
|
||||
--keep_rates (default=0)
|
||||
With this option set postfwd does not clear the rate limit counters on reload. Please
|
||||
note that you have to restart (not reload) postfwd with this option if you change
|
||||
any rate limit rules.</pre>
|
||||
<pre>
|
||||
--save_rates (default=none)
|
||||
With this option postfwd saves existing rate limit counters to disk and reloads them
|
||||
on program start. This allows persistent rate limits across program restarts or reboots.
|
||||
Please note that postfwd needs read and write access to the specified file.</pre>
|
||||
<pre>
|
||||
--fast_limit_evaluation (default=0)
|
||||
Once a ratelimit was set by the ruleset, future requests will be evaluated against it
|
||||
before consulting the ruleset. This mode was the default behaviour until v1.30.
|
||||
With this mode rate limits will be faster, but also eventually set up
|
||||
whitelisting-rules within the ruleset might not work as expected.</pre>
|
||||
<p><em>Informational arguments</em></p>
|
||||
<p>These arguments are for command line usage only. Never ever use them with postfix spawn!</p>
|
||||
<pre>
|
||||
|
@ -812,18 +1037,25 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
|
|||
# 1. 30MB for systems in *.customer1.tld
|
||||
# 2. 20MB for SASL user joejob
|
||||
# 3. 10MB default
|
||||
id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$
|
||||
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
|
||||
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000
|
||||
id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large</pre>
|
||||
id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$
|
||||
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
|
||||
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000
|
||||
id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large</pre>
|
||||
<pre>
|
||||
## Selective Greylisting
|
||||
##
|
||||
## Note that postfwd does not include greylisting. This setup requires a running postgrey service
|
||||
## at port 10031 and the following postfix restriction class in your main.cf:
|
||||
##
|
||||
## smtpd_restriction_classes = check_postgrey, ...
|
||||
## check_postgrey = check_policy_service inet:127.0.0.1:10031
|
||||
#
|
||||
# 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s
|
||||
# 2. Client has no rDNS
|
||||
# 3. Client comes from several dialin domains
|
||||
id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
|
||||
id=GR002; action=greylisting ; client_name=^unknown$
|
||||
id=GR003; action=greylisting ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$</pre>
|
||||
id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
|
||||
id=GR002; action=check_postgrey ; client_name=^unknown$
|
||||
id=GR003; action=check_postgrey ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$</pre>
|
||||
<pre>
|
||||
## Date Time
|
||||
date=24.12.2007-26.12.2007 ; action=450 4.7.1 office closed during christmas
|
||||
|
@ -831,7 +1063,7 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
|
|||
time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim
|
||||
time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim
|
||||
months=-Apr ; action=450 4.7.1 see you in may
|
||||
days=!!Mon-Fri ; action=greylist</pre>
|
||||
days=!!Mon-Fri ; action=check_postgrey</pre>
|
||||
<pre>
|
||||
## Usage of jump
|
||||
# The following allows a message size of 30MB for different
|
||||
|
@ -841,8 +1073,8 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
|
|||
id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:...
|
||||
id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:...
|
||||
id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:...
|
||||
id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
|
||||
id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000</pre>
|
||||
id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
|
||||
id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000</pre>
|
||||
<pre>
|
||||
## Usage of score
|
||||
# The following rejects a mail, if the client
|
||||
|
@ -850,7 +1082,7 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
|
|||
# - is listed in 1 RBL or 1 RHSBL and has no correct rDNS
|
||||
# - other clients without correct rDNS will be greylist-checked
|
||||
# - some whitelists are used to lower the score
|
||||
id=S01 ; score=2.6 ; action=greylisting
|
||||
id=S01 ; score=2.6 ; action=check_postgrey
|
||||
id=S02 ; score=5.0 ; action=REJECT postfwd score too high
|
||||
id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org
|
||||
id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net
|
||||
|
@ -863,10 +1095,10 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
|
|||
# The following temporary rejects requests from "unknown" clients, if they
|
||||
# 1. exceeded 30 requests per hour or
|
||||
# 2. tried to send more than 1.5mb within 10 minutes
|
||||
id=RATE01 ; client_name==unknown ; state==RCPT ; \
|
||||
action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
|
||||
id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \
|
||||
action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)</pre>
|
||||
id=RATE01 ; client_name==unknown ; protocol_state==RCPT
|
||||
action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
|
||||
id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE
|
||||
action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)</pre>
|
||||
<pre>
|
||||
## Macros
|
||||
# definition
|
||||
|
@ -879,34 +1111,34 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
|
|||
<pre>
|
||||
## Groups
|
||||
# definition
|
||||
&&RBLS { \
|
||||
rbl=zen.spamhaus.org ; \
|
||||
rbl=list.dsbl.org ; \
|
||||
rbl=bl.spamcop.net ; \
|
||||
rbl=dnsbl.sorbs.net ; \
|
||||
rbl=ix.dnsbl.manitu.net ; \
|
||||
&&RBLS{
|
||||
rbl=zen.spamhaus.org
|
||||
rbl=list.dsbl.org
|
||||
rbl=bl.spamcop.net
|
||||
rbl=dnsbl.sorbs.net
|
||||
rbl=ix.dnsbl.manitu.net
|
||||
};
|
||||
&&RHSBLS { \
|
||||
&&RHSBLS{
|
||||
...
|
||||
};
|
||||
&&DYNAMIC { \
|
||||
client_name==unknown ; \
|
||||
client_name~=(\d+[\.-_]){4} ; \
|
||||
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
|
||||
&&DYNAMIC{
|
||||
client_name==unknown
|
||||
client_name~=(\d+[\.-_]){4}
|
||||
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_]
|
||||
...
|
||||
};
|
||||
&&BAD_HELO { \
|
||||
helo_name==my.name.tld; \
|
||||
helo_name~=^([^\.]+)$; \
|
||||
helo_name~=\.(local|lan)$; \
|
||||
&&BAD_HELO{
|
||||
helo_name==my.name.tld
|
||||
helo_name~=^([^\.]+)$
|
||||
helo_name~=\.(local|lan)$
|
||||
...
|
||||
};
|
||||
&&MAINTENANCE { \
|
||||
date=15.01.2007 ; \
|
||||
date=15.04.2007 ; \
|
||||
date=15.07.2007 ; \
|
||||
date=15.10.2007 ; \
|
||||
time=03:00:00 - 04:00:00 ; \
|
||||
&&MAINTENANCE{
|
||||
date=15.01.2007
|
||||
date=15.04.2007
|
||||
date=15.07.2007
|
||||
date=15.10.2007
|
||||
time=03:00:00 - 04:00:00
|
||||
};
|
||||
# rules
|
||||
id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL
|
||||
|
@ -923,7 +1155,7 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
|
|||
<pre>
|
||||
## combined with enhanced rbl features
|
||||
#
|
||||
id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \
|
||||
id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS
|
||||
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
|
||||
id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]</pre>
|
||||
<p>
|
||||
|
|
569
doc/postfwd.txt
569
doc/postfwd.txt
|
@ -5,54 +5,70 @@ SYNOPSIS
|
|||
postfwd [OPTIONS] [SOURCE1, SOURCE2, ...]
|
||||
|
||||
Ruleset: (at least one, multiple use is allowed):
|
||||
-f, --file <file> reads rules from <file>
|
||||
-r, --rule <rule> adds <rule> to config
|
||||
-f, --file <file> reads rules from <file>
|
||||
-r, --rule <rule> adds <rule> to config
|
||||
|
||||
Scoring:
|
||||
-s, --scores <v>=<r> returns <r> when score exceeds <v>
|
||||
-s, --scores <v>=<r> returns <r> when score exceeds <v>
|
||||
|
||||
Control:
|
||||
-d, --daemon run postfwd as daemon
|
||||
-k, --kill stops daemon
|
||||
--reload reloads configuration
|
||||
--dumpstats displays usage statistics
|
||||
--dumpcache displays cache contents
|
||||
--delcache <item> removes an item from the request cache
|
||||
--delrate <item> removes an item from the rate cache
|
||||
|
||||
Networking:
|
||||
-d, --daemon run postfwd as daemon
|
||||
-i, --interface <dev> listen on interface <dev>
|
||||
-p, --port <port> listen on port <port>
|
||||
--proto <proto> socket type (tcp or unix)
|
||||
-u, --user <name> set uid to user <name>
|
||||
-g, --group <name> set gid to group <name>
|
||||
--umask <mask> set umask for file permissions
|
||||
-R, --chroot <path> chroot the daemon to <path>
|
||||
--pidfile <path> create pidfile under <path>
|
||||
-l, --logname <label> label for syslog messages
|
||||
--loglen <int> truncates syslogs after <int> chars
|
||||
-i, --interface <dev> listen on interface <dev>
|
||||
-p, --port <port> listen on port <port>
|
||||
--proto <proto> socket type (tcp or unix)
|
||||
-u, --user <name> set uid to user <name>
|
||||
-g, --group <name> set gid to group <name>
|
||||
--umask <mask> set umask for file permissions
|
||||
-R, --chroot <path> chroot the daemon to <path>
|
||||
--pidfile <path> create pidfile under <path>
|
||||
--facility <f> syslog facility
|
||||
--socktype <s> syslog socktype
|
||||
-l, --logname <label> label for syslog messages
|
||||
--loglen <int> truncates syslogs after <int> chars
|
||||
|
||||
Caching:
|
||||
-c, --cache <int> sets the request-cache timeout to <int> seconds
|
||||
--cache-no-size ignores size attribute for caching
|
||||
--cache-no-sender ignores sender address in cache
|
||||
--cache-rdomain-only ignores localpart of recipient address in cache
|
||||
--cache-rbl-timeout default rbl timeout, if not specified in ruleset
|
||||
--cache-rbl-default default rbl response pattern to match (regexp)
|
||||
--cacheid <item>, .. list of attributes for request cache identifier
|
||||
--cleanup-requests cleanup interval in seconds for request cache
|
||||
--cleanup-rbls cleanup interval in seconds for rbl cache
|
||||
--cleanup-rates cleanup interval in seconds for rate cache
|
||||
-c, --cache <int> sets the request-cache timeout to <int> seconds
|
||||
--cache-no-size ignores size attribute for caching
|
||||
--cache-no-sender ignores sender address in cache
|
||||
--cache-rdomain-only ignores localpart of recipient address in cache
|
||||
--cache-rbl-timeout default rbl timeout, if not specified in ruleset
|
||||
--cache-rbl-default default rbl response pattern to match (regexp)
|
||||
--cacheid <item>, .. list of attributes for request cache identifier
|
||||
--cleanup-requests cleanup interval in seconds for request cache
|
||||
--cleanup-rbls cleanup interval in seconds for rbl cache
|
||||
--cleanup-rates cleanup interval in seconds for rate cache
|
||||
|
||||
Optional:
|
||||
-t, --test testing, always returns "dunno"
|
||||
-v, --verbose verbose logging, use twice (-vv) to increase level
|
||||
-S, --summary <int> show some usage statistics every <int> seconds
|
||||
--norulelog disbles rule logging
|
||||
--norulestats disables per rule statistics
|
||||
--noidlestats disables statistics when idle
|
||||
-n, --nodns disable dns
|
||||
--nodnslog disable dns logging
|
||||
--dns_async_txt perform dnsbl A and TXT lookups simultaneously
|
||||
--dns_timeout timeout in seconds for asynchonous dns queries
|
||||
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
|
||||
--dns_timeout_interval interval in seconds for dns timeout maximum counter
|
||||
--dns_max_ns_lookups max names to look up with sender_ns_addrs
|
||||
--dns_max_mx_lookups max names to look up with sender_mx_addrs
|
||||
-I, --instantcfg re-reads rulefiles for every new request
|
||||
--config_timeout <i> parser timeout in seconds
|
||||
-t, --test testing, always returns "dunno"
|
||||
-v, --verbose verbose logging, use twice (-vv) to increase level
|
||||
-S, --summary <int> show some usage statistics every <int> seconds
|
||||
--norulelog disbles rule logging
|
||||
--norulestats disables per rule statistics
|
||||
--noidlestats disables statistics when idle
|
||||
-n, --nodns disable dns
|
||||
--nodnslog disable dns logging
|
||||
--dns_async_txt perform dnsbl A and TXT lookups simultaneously
|
||||
--dns_timeout timeout in seconds for asynchonous dns queries
|
||||
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
|
||||
--dns_timeout_interval interval in seconds for dns timeout maximum counter
|
||||
--dns_max_ns_lookups max names to look up with sender_ns_addrs
|
||||
--dns_max_mx_lookups max names to look up with sender_mx_addrs
|
||||
-I, --instantcfg re-reads rulefiles for every new request
|
||||
--config_timeout <i> parser timeout in seconds
|
||||
--keep_rates do not clear rate limit counters on reload
|
||||
--save_rates <file> save and load rate limits on disk
|
||||
--fast_limit_evaluation evaluate rate limits before ruleset is parsed
|
||||
|
||||
Plugins:
|
||||
--plugins <file> loads postfwd plugins from file
|
||||
|
||||
Informational (use only at command-line!):
|
||||
-C, --showconfig shows ruleset summary, -v for verbose
|
||||
|
@ -62,9 +78,6 @@ SYNOPSIS
|
|||
-h, --help shows usage
|
||||
-m, --manual shows program manual
|
||||
|
||||
Plugins:
|
||||
--plugins <file> loads plugins from <file>
|
||||
|
||||
DESCRIPTION
|
||||
INTRODUCTION
|
||||
postfwd is written to combine complex postfix restrictions in a ruleset
|
||||
|
@ -101,7 +114,7 @@ DESCRIPTION
|
|||
A configuration line consists of optional item=value pairs, separated by
|
||||
semicolons (`;`) and the appropriate desired action:
|
||||
|
||||
[ <item1>[=><~]=<value>; <item2>[=><~]=<value>; ... ] action=<result>
|
||||
[ <item1>=<value>; <item2>=<value>; ... ] action=<result>
|
||||
|
||||
*Example:*
|
||||
|
||||
|
@ -142,11 +155,21 @@ DESCRIPTION
|
|||
files or passed as command line arguments. Please see the COMMAND LINE
|
||||
section below for more information on this topic.
|
||||
|
||||
Rules can span multiple lines by adding a trailing backslash "\"
|
||||
character:
|
||||
Since postfwd version 1.30 rules spanning span multiple lines can be
|
||||
defined by prefixing the following lines with one or multiple whitespace
|
||||
characters (or '}' for macros):
|
||||
|
||||
id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \
|
||||
action=REJECT please use your relay from there
|
||||
id=RULE001
|
||||
client_address=192.168.1.0/24
|
||||
sender==no@bad.local
|
||||
action=REJECT no access
|
||||
|
||||
postfwd versions prior to 1.30 require trailing ';' and '\'-characters:
|
||||
|
||||
id=RULE001; \
|
||||
client_address=192.168.1.0/24; \
|
||||
sender==no@bad.local; \
|
||||
action=REJECT no access
|
||||
|
||||
ITEMS
|
||||
id - a unique rule id, which can be used for log analysis
|
||||
|
@ -210,9 +233,15 @@ DESCRIPTION
|
|||
this enables version based checks in your rulesets
|
||||
(e.g. for migration). works with old versions too,
|
||||
because a non-existing item always returns false:
|
||||
id=R01; version~=1.10; sender_domain==some.org \
|
||||
# version >= 1.10
|
||||
id=R01; version~=1\.[1-9][0-9]; sender_domain==some.org \
|
||||
; action=REJECT sorry no access
|
||||
|
||||
ratecount - only available for rate(), size() and rcpt() actions.
|
||||
contains the actual limit counter:
|
||||
id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits])
|
||||
id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits])
|
||||
|
||||
Besides these you can specify any attribute of the postfix policy
|
||||
delegation protocol. Feel free to combine them the way you need it (have
|
||||
a look at the EXAMPLES section below).
|
||||
|
@ -267,26 +296,25 @@ DESCRIPTION
|
|||
the current list can be found at
|
||||
<http://www.postfix.org/SMTPD_POLICY_README.html>. Please read carefully
|
||||
about which attribute can be used at which level of the smtp transaction
|
||||
(e.g. size will only work reliably at END_OF_DATA level). Pattern
|
||||
(e.g. size will only work reliably at END-OF-MESSAGE level). Pattern
|
||||
matching is performed case insensitive.
|
||||
|
||||
Multiple use of the same item is allowed and will compared as logical
|
||||
OR, which means that this will work as expected:
|
||||
|
||||
id=TRUST001; action=OK; encryption_keysize=64; \
|
||||
ccert_fingerprint=11:22:33:44:55:66:77:88:99; \
|
||||
ccert_fingerprint=22:33:44:55:66:77:88:99:00; \
|
||||
ccert_fingerprint=33:44:55:66:77:88:99:00:11; \
|
||||
id=TRUST001; action=OK; encryption_keysize=64
|
||||
ccert_fingerprint=11:22:33:44:55:66:77:88:99
|
||||
ccert_fingerprint=22:33:44:55:66:77:88:99:00
|
||||
ccert_fingerprint=33:44:55:66:77:88:99:00:11
|
||||
sender=@domain\.local$
|
||||
|
||||
client_address, rbl and rhsbl items may also be specified as
|
||||
whitespace-or-comma-separated values:
|
||||
|
||||
id=SKIP01; action=dunno; \
|
||||
id=SKIP01; action=dunno
|
||||
client_address=192.168.1.0/24, 172.16.254.23
|
||||
id=SKIP02; action=dunno; \
|
||||
client_address= 10.10.3.32 \
|
||||
10.216.222.0/27
|
||||
id=SKIP02; action=dunno
|
||||
client_address=10.10.3.32 10.216.222.0/27
|
||||
|
||||
The following items currently have to be unique:
|
||||
|
||||
|
@ -294,16 +322,16 @@ DESCRIPTION
|
|||
|
||||
Any item can be negated by preceeding '!!' to it, e.g.:
|
||||
|
||||
id=TLS001 ; hostname=!!^secure\.trust\.local$ ; action=REJECT only secure.trust.local please
|
||||
id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please
|
||||
|
||||
or using the right compare operator:
|
||||
|
||||
id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that?
|
||||
id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please
|
||||
|
||||
To avoid confusion with regexps or simply for better visibility you can
|
||||
use '!!(...)':
|
||||
|
||||
id=USER01 ; sasl_username=!!( (bob|alice) ) ; action=REJECT who is that?
|
||||
id=USER01 ; sasl_username = !!( (bob|alice) ) ; action=REJECT who is that?
|
||||
|
||||
Request attributes can be compared by preceeding '$$' characters, e.g.:
|
||||
|
||||
|
@ -315,6 +343,33 @@ DESCRIPTION
|
|||
be performed as case insensitive exact match. Use the '-vv' option to
|
||||
debug.
|
||||
|
||||
These special items will be reset for any new rule:
|
||||
|
||||
rblcount - contains the number of RBL answers
|
||||
rhsblcount - contains the number of RHSBL answers
|
||||
matches - contains the number of matched items
|
||||
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
|
||||
rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
|
||||
|
||||
These special items will be changed for any matching rule:
|
||||
|
||||
request_hits - contains ids of all matching rules
|
||||
|
||||
This means that it might be necessary to save them, if you plan to use
|
||||
these values in later rules:
|
||||
|
||||
# set vals
|
||||
id=RBL01 ; rhsblcount=all; rblcount=all
|
||||
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
|
||||
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org
|
||||
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
|
||||
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
|
||||
|
||||
# compare
|
||||
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
|
||||
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
|
||||
FILES
|
||||
Since postfwd1 v1.15 and postfwd2 v0.18 long item lists can be stored in
|
||||
separate files:
|
||||
|
@ -337,16 +392,16 @@ DESCRIPTION
|
|||
|
||||
This will ignore the right-hand value. Items can be mixed:
|
||||
|
||||
id=R002 ; action=REJECT \
|
||||
client_name==unknown; \
|
||||
id=R002 ; action=REJECT
|
||||
client_name==unknown
|
||||
client_name==file:/etc/postfwd/blacklisted
|
||||
|
||||
and for non pcre (comma separated) items:
|
||||
|
||||
id=R003 ; action=REJECT \
|
||||
id=R003 ; action=REJECT
|
||||
client_address==10.1.1.1, file:/etc/postfwd/blacklisted
|
||||
|
||||
id=R004 ; action=REJECT \
|
||||
id=R004 ; action=REJECT
|
||||
rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing
|
||||
|
||||
You can check your configuration with the --show_config option at the
|
||||
|
@ -468,16 +523,25 @@ DESCRIPTION
|
|||
please note that <action> is currently limited to postfix actions (no postfwd actions)!
|
||||
# no more than 3 requests per 5 minutes
|
||||
# from the same "unknown" client
|
||||
id=RATE01 ; client_name==unknown ; \
|
||||
action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
|
||||
id=RATE01 ; client_name==unknown
|
||||
action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
|
||||
Please note also that the order of rate limits in your ruleset is important, which means
|
||||
that this:
|
||||
# works as expected
|
||||
id=R001; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded)
|
||||
id=R002; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender)
|
||||
leads to different results than this:
|
||||
# rule R002 never gets executed
|
||||
id=R001; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender)
|
||||
id=R002; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded)
|
||||
|
||||
size (<item>/<max>/<time>/<action>)
|
||||
this command works similar to the rate() command with the difference, that the rate counter is
|
||||
increased by the request's size attribute. to do this reliably you should call postfwd from
|
||||
smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset:
|
||||
# size limit 1.5mb per hour per client
|
||||
id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
|
||||
action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
|
||||
id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1
|
||||
action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
|
||||
|
||||
rcpt (<item>/<max>/<time>/<action>)
|
||||
this command works similar to the rate() command with the difference, that the rate counter is
|
||||
|
@ -485,8 +549,8 @@ DESCRIPTION
|
|||
from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could
|
||||
check it within the ruleset:
|
||||
# recipient count limit 3 per hour per client
|
||||
id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
|
||||
action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
|
||||
id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1
|
||||
action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
|
||||
|
||||
ask (<addr>:<port>[:<ignore>])
|
||||
allows to delegate the policy decision to another policy service (e.g. postgrey). the first
|
||||
|
@ -494,17 +558,22 @@ DESCRIPTION
|
|||
specified to tell postfwd to ignore certain answers and go on parsing the ruleset:
|
||||
# example1: query postgrey and return it's answer to postfix
|
||||
id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031)
|
||||
# example2: query postgrey but ignore it's answer, if it matches 'DUNNO'
|
||||
# example2: query postgrey but ignore the answer, if it matches 'DUNNO'
|
||||
# and continue parsing postfwd's ruleset
|
||||
id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$)
|
||||
|
||||
mail(server/helo/from/to/subject/body)
|
||||
Very basic mail command, that sends a message with the given arguments. LIMITATIONS:
|
||||
This basically performs a telnet. No authentication or TLS are available. Additionally it does
|
||||
not track notification state and will notify you any time, the corresponding rule hits.
|
||||
|
||||
wait (<delay>)
|
||||
pauses the program execution for <delay> seconds. use this for
|
||||
delaying or throtteling connections.
|
||||
|
||||
note (<string>)
|
||||
just logs the given string and continues parsing the ruleset.
|
||||
if the string is empty, nothing will be logged.
|
||||
if the string is empty, nothing will be logged (noop).
|
||||
|
||||
quit (<code>)
|
||||
terminates the program with the given exit-code. postfix doesn`t
|
||||
|
@ -514,33 +583,6 @@ DESCRIPTION
|
|||
|
||||
id=R-HELO ; helo_name=^[^\.]+$ ; action=REJECT invalid helo '$$helo_name'
|
||||
|
||||
These special attributes will be reset for any new rule:
|
||||
|
||||
rblcount - contains the number of RBL answers
|
||||
rhsblcount - contains the number of RHSBL answers
|
||||
matches - contains the number of matched items
|
||||
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
|
||||
rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
|
||||
|
||||
These special attributes will be changed for any matching rule:
|
||||
|
||||
request_hits - contains ids of all matching rules
|
||||
|
||||
This means that it might be necessary to save them, if you plan to use
|
||||
these values in later rules:
|
||||
|
||||
# set vals
|
||||
id=RBL01 ; rhsblcount=all ; rblcount=all ; \
|
||||
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
|
||||
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
|
||||
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
|
||||
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
|
||||
|
||||
# compare
|
||||
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
|
||||
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
|
||||
MACROS/ACLS
|
||||
Multiple use of long items or combinations of them may be abbreviated by
|
||||
macros. Those must be prefixed by '&&' (two '&' characters). First the
|
||||
|
@ -565,18 +607,18 @@ DESCRIPTION
|
|||
|
||||
Macros can contain macros, too:
|
||||
|
||||
# definition (note the trailing "\" characters)
|
||||
&&RBLS { \
|
||||
rbl=zen.spamhaus.org ; \
|
||||
rbl=list.dsbl.org ; \
|
||||
rbl=bl.spamcop.net ; \
|
||||
rbl=dnsbl.sorbs.net ; \
|
||||
rbl=ix.dnsbl.manitu.net ; \
|
||||
# definition
|
||||
&&RBLS{
|
||||
rbl=zen.spamhaus.org
|
||||
rbl=list.dsbl.org
|
||||
rbl=bl.spamcop.net
|
||||
rbl=dnsbl.sorbs.net
|
||||
rbl=ix.dnsbl.manitu.net
|
||||
};
|
||||
&&DYNAMIC { \
|
||||
client_name=^unknown$ ; \
|
||||
client_name=(\d+[\.-_]){4} ; \
|
||||
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
|
||||
&&DYNAMIC{
|
||||
client_name=^unknown$
|
||||
client_name=(\d+[\.-_]){4}
|
||||
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_]
|
||||
};
|
||||
&&GOAWAY { &&RBLS; &&DYNAMIC; };
|
||||
# rules
|
||||
|
@ -586,7 +628,156 @@ DESCRIPTION
|
|||
section for more information.
|
||||
|
||||
PLUGINS
|
||||
Please visit <http://www.postfwd.org/postfwd.plugins>
|
||||
Description
|
||||
|
||||
The plugin interface allow you to define your own checks and enhance
|
||||
postfwd's functionality. Feel free to share useful things!
|
||||
|
||||
Warning
|
||||
|
||||
Note that the plugin interface is still at devel stage. Please test your
|
||||
plugins carefully, because errors may cause postfwd to break! It is also
|
||||
allowed to override attributes or built-in functions, but be sure that
|
||||
you know what you do because some of them are used internally.
|
||||
|
||||
Please keep security in mind, when you access sensible ressources and
|
||||
never, ever run postfwd as privileged user! Also never trust your input
|
||||
(especially hostnames, and e-mail addresses).
|
||||
|
||||
ITEMS
|
||||
|
||||
Item plugins are perl subroutines which integrate additional attributes
|
||||
to requests before they are evaluated against postfwd's ruleset like any
|
||||
other item of the policy delegation protocol. This allows you to create
|
||||
your own checks.
|
||||
|
||||
plugin-items can not be used selective. these functions will be executed
|
||||
for every request postfwd receives, so keep performance in mind.
|
||||
|
||||
SYNOPSIS: %result = postfwd_items_plugin{<name>}(%request)
|
||||
|
||||
means that your subroutine, called <name>, has access to a hash called
|
||||
%request, which contains all request attributes, like
|
||||
$request{client_name} and must return a value in the following form:
|
||||
|
||||
save: $result{<item>} = <value>
|
||||
|
||||
this creates the new item <item> containing <value>, which will be
|
||||
integrated in the policy delegation request and therefore may be used in
|
||||
postfwd's ruleset.
|
||||
|
||||
# do NOT remove the next line
|
||||
%postfwd_items_plugin = (
|
||||
|
||||
# EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
|
||||
# allows to check postfwd version in ruleset
|
||||
"version" => sub {
|
||||
my(%request) = @_;
|
||||
my(%result) = (
|
||||
"version" => $NAME." ".$VERSION,
|
||||
);
|
||||
return %result;
|
||||
},
|
||||
|
||||
# sender_domain and recipient_domain
|
||||
"address_parts" => sub {
|
||||
my(%request) = @_;
|
||||
my(%result) = ();
|
||||
$request{sender} =~ /@([^@]*)$/;
|
||||
$result{sender_domain} = ($1 || '');
|
||||
$request{recipient} =~ /@([^@]*)$/;
|
||||
$result{recipient_domain} = ($1 || '');
|
||||
return %result;
|
||||
},
|
||||
|
||||
# do NOT remove the next line
|
||||
);
|
||||
|
||||
COMPARE
|
||||
|
||||
Compare plugins allow you to define how your new items should be
|
||||
compared to the ruleset. These are optional. If you don't specify one,
|
||||
the default (== for exact match, =~ for PCRE, ...) will be used.
|
||||
|
||||
SYNOPSIS: <item> => sub { return &{$postfwd_compare{<type>}}(@_); },
|
||||
|
||||
# do NOT remove the next line
|
||||
%postfwd_compare_plugin = (
|
||||
|
||||
EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
|
||||
# Simple example
|
||||
# SYNOPSIS: <result> = <item> (return &{$postfwd_compare{<type>}}(@_))
|
||||
"client_address" => sub { return &{$postfwd_compare{cidr}}(@_); },
|
||||
"size" => sub { return &{$postfwd_compare{numeric}}(@_); },
|
||||
"recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); },
|
||||
|
||||
# Complex example
|
||||
# SYNOPSIS: <result> = <item>(<operator>, <ruleset value>, <request value>, <request>)
|
||||
"numeric" => sub {
|
||||
my($cmp,$val,$myitem,%request) = @_;
|
||||
my($myresult) = undef; $myitem ||= "0"; $val ||= "0";
|
||||
if ($cmp eq '==') {
|
||||
$myresult = ($myitem == $val);
|
||||
} elsif ($cmp eq '=<') {
|
||||
$myresult = ($myitem <= $val);
|
||||
} elsif ($cmp eq '=>') {
|
||||
$myresult = ($myitem >= $val);
|
||||
} elsif ($cmp eq '!=') {
|
||||
$myresult = not($myitem == $val);
|
||||
} elsif ($cmp eq '!<') {
|
||||
$myresult = not($myitem <= $val);
|
||||
} elsif ($cmp eq '!>') {
|
||||
$myresult = not($myitem >= $val);
|
||||
} else {
|
||||
$myresult = ($myitem >= $val);
|
||||
};
|
||||
return $myresult;
|
||||
},
|
||||
|
||||
# do NOT remove the next line
|
||||
);
|
||||
|
||||
ACTIONS
|
||||
|
||||
Action plugins allow to define new postfwd actions. By setting the
|
||||
$stop-flag you can decide to continue or to stop parsing the ruleset.
|
||||
|
||||
SYNOPSIS: (<stop rule parsing>, <next rule index>, <return action>, <logprefix>, <request>) =
|
||||
<action> (<current rule index>, <current time>, <command name>, <argument>, <logprefix>, <request>)
|
||||
|
||||
# do NOT remove the next line
|
||||
%postfwd_actions_plugin = (
|
||||
|
||||
# EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
|
||||
# note(<logstring>) command
|
||||
"note" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg;
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},
|
||||
|
||||
# skips next <myarg> rules
|
||||
"skip" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
$index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) );
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},
|
||||
|
||||
# dumps current request contents to syslog
|
||||
"dumprequest" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request);
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},
|
||||
|
||||
# do NOT remove the next line
|
||||
);
|
||||
|
||||
COMMAND LINE
|
||||
*Ruleset*
|
||||
|
@ -603,12 +794,6 @@ DESCRIPTION
|
|||
Adds <rule> to ruleset. Remember that you might have to quote
|
||||
strings that contain whitespaces or shell characters.
|
||||
|
||||
*Plugins*
|
||||
|
||||
--plugins
|
||||
A file containing plugin routines for postfwd. Please see the
|
||||
PLUGINS section for more information.
|
||||
|
||||
*Scoring*
|
||||
|
||||
-s, --scores <val>=<action>
|
||||
|
@ -616,23 +801,51 @@ DESCRIPTION
|
|||
|
||||
Multiple usage is allowed. Just chain your arguments, like:
|
||||
|
||||
postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
|
||||
postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> ...
|
||||
or
|
||||
postfwd --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd score too high" ...
|
||||
|
||||
In case of multiple scores, the highest match will count. The order of
|
||||
the arguments will be reflected in the postfwd ruleset.
|
||||
|
||||
*Control*
|
||||
|
||||
-d, --daemon
|
||||
postfwd will run as daemon and listen on the network for incoming
|
||||
queries (default 127.0.0.1:10040).
|
||||
|
||||
-k, --kill
|
||||
Stops a running postfwd daemon.
|
||||
|
||||
--reload
|
||||
Reloads configuration.
|
||||
|
||||
--dumpstats
|
||||
Displays program usage statistics.
|
||||
|
||||
--dumpcache
|
||||
Displays cache contents.
|
||||
|
||||
--delcache <item>
|
||||
Removes an item from the request cache. Use --dumpcache to identify objects.
|
||||
E.g.:
|
||||
# postfwd --dumpcache
|
||||
...
|
||||
%rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1'
|
||||
%rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2'
|
||||
...
|
||||
# postfwd --delrate="sender=gmato@jqvo.org"
|
||||
rate cache item 'sender=gmato@jqvo.org' removed
|
||||
|
||||
--delrate <item>
|
||||
Removes an item from the rate cache. Use --dumpcache to identify objects.
|
||||
|
||||
*Networking*
|
||||
|
||||
postfwd can be run as daemon so that it listens on the network for
|
||||
incoming requests. The following arguments will control it's behaviour
|
||||
in this case.
|
||||
|
||||
-d, --daemon
|
||||
postfwd will run as daemon and listen on the network for incoming
|
||||
queries (default 127.0.0.1:10040).
|
||||
|
||||
-i, --interface <dev>
|
||||
Bind postfwd to the specified interface (default 127.0.0.1).
|
||||
|
||||
|
@ -662,6 +875,13 @@ DESCRIPTION
|
|||
--pidfile <path>
|
||||
The process id will be saved in the specified file.
|
||||
|
||||
--facility <f>
|
||||
sets the syslog facility, default is 'mail'
|
||||
|
||||
--socktype <s>
|
||||
sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'.
|
||||
Default is to auto-detect this depening on module version and os.
|
||||
|
||||
-l, --logname <label>
|
||||
Labels the syslog messages. Useful when running multiple
|
||||
instances of postfwd.
|
||||
|
@ -669,6 +889,12 @@ DESCRIPTION
|
|||
--loglen <int>
|
||||
Truncates any syslog message after <int> characters.
|
||||
|
||||
*Plugins*
|
||||
|
||||
--plugins <file>
|
||||
Loads postfwd plugins from file. Please see http://postfwd.org/postfwd.plugins
|
||||
or the plugins.postfwd.sample that is available from the tarball for more info.
|
||||
|
||||
*Optional arguments*
|
||||
|
||||
These parameters influence the way postfwd is working. Any of them can
|
||||
|
@ -797,6 +1023,22 @@ DESCRIPTION
|
|||
timeout in seconds to parse a single configuration line. if exceeded, the rule will
|
||||
be skipped. this is used to prevent problems due to large files or loops.
|
||||
|
||||
--keep_rates (default=0)
|
||||
With this option set postfwd does not clear the rate limit counters on reload. Please
|
||||
note that you have to restart (not reload) postfwd with this option if you change
|
||||
any rate limit rules.
|
||||
|
||||
--save_rates (default=none)
|
||||
With this option postfwd saves existing rate limit counters to disk and reloads them
|
||||
on program start. This allows persistent rate limits across program restarts or reboots.
|
||||
Please note that postfwd needs read and write access to the specified file.
|
||||
|
||||
--fast_limit_evaluation (default=0)
|
||||
Once a ratelimit was set by the ruleset, future requests will be evaluated against it
|
||||
before consulting the ruleset. This mode was the default behaviour until v1.30.
|
||||
With this mode rate limits will be faster, but also eventually set up
|
||||
whitelisting-rules within the ruleset might not work as expected.
|
||||
|
||||
*Informational arguments*
|
||||
|
||||
These arguments are for command line usage only. Never ever use them
|
||||
|
@ -854,18 +1096,25 @@ DESCRIPTION
|
|||
# 1. 30MB for systems in *.customer1.tld
|
||||
# 2. 20MB for SASL user joejob
|
||||
# 3. 10MB default
|
||||
id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$
|
||||
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
|
||||
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000
|
||||
id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large
|
||||
id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$
|
||||
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
|
||||
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000
|
||||
id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large
|
||||
|
||||
## Selective Greylisting
|
||||
##
|
||||
## Note that postfwd does not include greylisting. This setup requires a running postgrey service
|
||||
## at port 10031 and the following postfix restriction class in your main.cf:
|
||||
##
|
||||
## smtpd_restriction_classes = check_postgrey, ...
|
||||
## check_postgrey = check_policy_service inet:127.0.0.1:10031
|
||||
#
|
||||
# 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s
|
||||
# 2. Client has no rDNS
|
||||
# 3. Client comes from several dialin domains
|
||||
id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
|
||||
id=GR002; action=greylisting ; client_name=^unknown$
|
||||
id=GR003; action=greylisting ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$
|
||||
id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
|
||||
id=GR002; action=check_postgrey ; client_name=^unknown$
|
||||
id=GR003; action=check_postgrey ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$
|
||||
|
||||
## Date Time
|
||||
date=24.12.2007-26.12.2007 ; action=450 4.7.1 office closed during christmas
|
||||
|
@ -873,7 +1122,7 @@ DESCRIPTION
|
|||
time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim
|
||||
time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim
|
||||
months=-Apr ; action=450 4.7.1 see you in may
|
||||
days=!!Mon-Fri ; action=greylist
|
||||
days=!!Mon-Fri ; action=check_postgrey
|
||||
|
||||
## Usage of jump
|
||||
# The following allows a message size of 30MB for different
|
||||
|
@ -883,8 +1132,8 @@ DESCRIPTION
|
|||
id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:...
|
||||
id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:...
|
||||
id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:...
|
||||
id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
|
||||
id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000
|
||||
id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
|
||||
id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000
|
||||
|
||||
## Usage of score
|
||||
# The following rejects a mail, if the client
|
||||
|
@ -892,7 +1141,7 @@ DESCRIPTION
|
|||
# - is listed in 1 RBL or 1 RHSBL and has no correct rDNS
|
||||
# - other clients without correct rDNS will be greylist-checked
|
||||
# - some whitelists are used to lower the score
|
||||
id=S01 ; score=2.6 ; action=greylisting
|
||||
id=S01 ; score=2.6 ; action=check_postgrey
|
||||
id=S02 ; score=5.0 ; action=REJECT postfwd score too high
|
||||
id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org
|
||||
id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net
|
||||
|
@ -905,10 +1154,10 @@ DESCRIPTION
|
|||
# The following temporary rejects requests from "unknown" clients, if they
|
||||
# 1. exceeded 30 requests per hour or
|
||||
# 2. tried to send more than 1.5mb within 10 minutes
|
||||
id=RATE01 ; client_name==unknown ; state==RCPT ; \
|
||||
action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
|
||||
id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \
|
||||
action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
|
||||
id=RATE01 ; client_name==unknown ; protocol_state==RCPT
|
||||
action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
|
||||
id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE
|
||||
action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
|
||||
|
||||
## Macros
|
||||
# definition
|
||||
|
@ -921,34 +1170,34 @@ DESCRIPTION
|
|||
|
||||
## Groups
|
||||
# definition
|
||||
&&RBLS { \
|
||||
rbl=zen.spamhaus.org ; \
|
||||
rbl=list.dsbl.org ; \
|
||||
rbl=bl.spamcop.net ; \
|
||||
rbl=dnsbl.sorbs.net ; \
|
||||
rbl=ix.dnsbl.manitu.net ; \
|
||||
&&RBLS{
|
||||
rbl=zen.spamhaus.org
|
||||
rbl=list.dsbl.org
|
||||
rbl=bl.spamcop.net
|
||||
rbl=dnsbl.sorbs.net
|
||||
rbl=ix.dnsbl.manitu.net
|
||||
};
|
||||
&&RHSBLS { \
|
||||
&&RHSBLS{
|
||||
...
|
||||
};
|
||||
&&DYNAMIC { \
|
||||
client_name==unknown ; \
|
||||
client_name~=(\d+[\.-_]){4} ; \
|
||||
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
|
||||
&&DYNAMIC{
|
||||
client_name==unknown
|
||||
client_name~=(\d+[\.-_]){4}
|
||||
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_]
|
||||
...
|
||||
};
|
||||
&&BAD_HELO { \
|
||||
helo_name==my.name.tld; \
|
||||
helo_name~=^([^\.]+)$; \
|
||||
helo_name~=\.(local|lan)$; \
|
||||
&&BAD_HELO{
|
||||
helo_name==my.name.tld
|
||||
helo_name~=^([^\.]+)$
|
||||
helo_name~=\.(local|lan)$
|
||||
...
|
||||
};
|
||||
&&MAINTENANCE { \
|
||||
date=15.01.2007 ; \
|
||||
date=15.04.2007 ; \
|
||||
date=15.07.2007 ; \
|
||||
date=15.10.2007 ; \
|
||||
time=03:00:00 - 04:00:00 ; \
|
||||
&&MAINTENANCE{
|
||||
date=15.01.2007
|
||||
date=15.04.2007
|
||||
date=15.07.2007
|
||||
date=15.10.2007
|
||||
time=03:00:00 - 04:00:00
|
||||
};
|
||||
# rules
|
||||
id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL
|
||||
|
@ -965,7 +1214,7 @@ DESCRIPTION
|
|||
|
||||
## combined with enhanced rbl features
|
||||
#
|
||||
id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \
|
||||
id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS
|
||||
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
|
||||
id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]
|
||||
|
||||
|
|
99
doc/postfwd2-chroot.html
Normal file
99
doc/postfwd2-chroot.html
Normal file
|
@ -0,0 +1,99 @@
|
|||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<title>postfwd2 - chroot setup</title>
|
||||
<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
|
||||
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
|
||||
<meta name="description" content="postfwd version differences">
|
||||
<meta name="author" content="jpk">
|
||||
<meta name="keywords" content="postfwd, postfwd 2 chroot, postfwd usage, postfwd manual, postfix, policy, policy delegation, firewall, postfix acl, postfix acls, pfwpolicy, postfw, restrictions, IT-Security, IT-Consulting, Jan, Peter, Kessler">
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<p>
|
||||
<h1>postfwd2 - chroot setup</h1><br>
|
||||
If you care about security and want to run postfwd2 within a chroot environment you have to setup it up before. This document will give you an idea about what has to be prepared.
|
||||
|
||||
<p><pre>
|
||||
How to create a minimal chroot environment for postfwd2
|
||||
=======================================================
|
||||
|
||||
Tested with SLES 11 x86_64, customize this to suit your specific system.
|
||||
For example, on SLES 10 x86_64, use perl version 5.8.8 instead of 5.10.0
|
||||
and glibc version 2.4 instead of 2.11.1.
|
||||
|
||||
cd $CHROOTDIR
|
||||
for dir in tmp dev var var/tmp etc lib64 usr usr/lib usr/lib/perl5 \
|
||||
usr/lib/perl5/site_perl \
|
||||
usr/lib/perl5/site_perl/5.10.0 \
|
||||
usr/lib/perl5/site_perl/5.10.0/Net \
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server \
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto ; do
|
||||
mkdir $dir
|
||||
chmod --reference /$dir $dir
|
||||
chown --reference /$dir $dir
|
||||
done
|
||||
for file in dev/null etc/protocols etc/localtime etc/resolv.conf \
|
||||
lib64/libnss_files-2.11.1.so lib64/libnss_files.so.2 \
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/TCP.pm \
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/UNIX.pm ; do
|
||||
cp -p /$file $file
|
||||
done
|
||||
grep nobody /etc/passwd > etc/passwd
|
||||
grep nobody /etc/group > etc/group
|
||||
echo -e 'passwd: files\ngroup: files\nprotocols: files' > etc/nsswitch.conf
|
||||
|
||||
=> Configure your syslog daemon to listen to $CHROOTDIR/dev/log:
|
||||
echo 'SYSLOGD_ADDITIONAL_SOCKET_POSTFWD="$CHROOTDIR/dev/log"' \
|
||||
>> /etc/sysconfig/syslog
|
||||
/etc/init.d/syslog restart
|
||||
|
||||
=> Place your postfwd configuration in $CHROOTDIR:
|
||||
cp $POSTFWDCONF $CHROOTDIR/etc/postfwd.conf
|
||||
|
||||
=> Start postfwd2:
|
||||
/usr/local/sbin/postfwd2 --file=/etc/postfwd.conf --chroot=$CHROOTDIR
|
||||
|
||||
|
||||
List of directories
|
||||
===================
|
||||
|
||||
tmp
|
||||
lib64
|
||||
dev
|
||||
var
|
||||
var/tmp
|
||||
etc
|
||||
usr
|
||||
usr/lib
|
||||
usr/lib/perl5
|
||||
usr/lib/perl5/site_perl
|
||||
usr/lib/perl5/site_perl/5.10.0
|
||||
usr/lib/perl5/site_perl/5.10.0/Net
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto
|
||||
|
||||
|
||||
List of files
|
||||
=============
|
||||
|
||||
lib64/libnss_files.so.2
|
||||
lib64/libnss_files-2.11.1.so
|
||||
dev/null
|
||||
dev/log
|
||||
etc/localtime
|
||||
etc/protocols
|
||||
etc/postfwd.conf
|
||||
etc/nsswitch.conf
|
||||
etc/passwd
|
||||
etc/resolv.conf
|
||||
etc/group
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/UNIX.pm
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/TCP.pm
|
||||
</pre></p>
|
||||
|
||||
Thanks to Lukas Wunner for providing this howto and the patch for postfwd2!
|
||||
|
||||
</body>
|
||||
</html>
|
82
doc/postfwd2-chroot.txt
Normal file
82
doc/postfwd2-chroot.txt
Normal file
|
@ -0,0 +1,82 @@
|
|||
postfwd2 - chroot setup
|
||||
=======================
|
||||
If you care about security and want to run postfwd2 within a chroot environment you have to setup it up before. This document will give you an idea about what has to be prepared.
|
||||
|
||||
How to create a minimal chroot environment for postfwd2
|
||||
=======================================================
|
||||
|
||||
Tested with SLES 11 x86_64, customize this to suit your specific system.
|
||||
For example, on SLES 10 x86_64, use perl version 5.8.8 instead of 5.10.0
|
||||
and glibc version 2.4 instead of 2.11.1.
|
||||
|
||||
cd $CHROOTDIR
|
||||
for dir in tmp dev var var/tmp etc lib64 usr usr/lib usr/lib/perl5 \
|
||||
usr/lib/perl5/site_perl \
|
||||
usr/lib/perl5/site_perl/5.10.0 \
|
||||
usr/lib/perl5/site_perl/5.10.0/Net \
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server \
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto ; do
|
||||
mkdir $dir
|
||||
chmod --reference /$dir $dir
|
||||
chown --reference /$dir $dir
|
||||
done
|
||||
for file in dev/null etc/protocols etc/localtime etc/resolv.conf \
|
||||
lib64/libnss_files-2.11.1.so lib64/libnss_files.so.2 \
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/TCP.pm \
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/UNIX.pm ; do
|
||||
cp -p /$file $file
|
||||
done
|
||||
grep nobody /etc/passwd > etc/passwd
|
||||
grep nobody /etc/group > etc/group
|
||||
echo -e 'passwd: files\ngroup: files\nprotocols: files' > etc/nsswitch.conf
|
||||
|
||||
=> Configure your syslog daemon to listen to $CHROOTDIR/dev/log:
|
||||
echo 'SYSLOGD_ADDITIONAL_SOCKET_POSTFWD="$CHROOTDIR/dev/log"' \
|
||||
>> /etc/sysconfig/syslog
|
||||
/etc/init.d/syslog restart
|
||||
|
||||
=> Place your postfwd configuration in $CHROOTDIR:
|
||||
cp $POSTFWDCONF $CHROOTDIR/etc/postfwd.conf
|
||||
|
||||
=> Start postfwd2:
|
||||
/usr/local/sbin/postfwd2 --file=/etc/postfwd.conf --chroot=$CHROOTDIR
|
||||
|
||||
|
||||
List of directories
|
||||
===================
|
||||
|
||||
tmp
|
||||
lib64
|
||||
dev
|
||||
var
|
||||
var/tmp
|
||||
etc
|
||||
usr
|
||||
usr/lib
|
||||
usr/lib/perl5
|
||||
usr/lib/perl5/site_perl
|
||||
usr/lib/perl5/site_perl/5.10.0
|
||||
usr/lib/perl5/site_perl/5.10.0/Net
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto
|
||||
|
||||
|
||||
List of files
|
||||
=============
|
||||
|
||||
lib64/libnss_files.so.2
|
||||
lib64/libnss_files-2.11.1.so
|
||||
dev/null
|
||||
dev/log
|
||||
etc/localtime
|
||||
etc/protocols
|
||||
etc/postfwd.conf
|
||||
etc/nsswitch.conf
|
||||
etc/passwd
|
||||
etc/resolv.conf
|
||||
etc/group
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/UNIX.pm
|
||||
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/TCP.pm
|
||||
|
||||
Thanks to Lukas Wunner for providing this howto and the patch for postfwd2!
|
||||
|
|
@ -1,3 +1,78 @@
|
|||
postfwd2 1.32
|
||||
=============
|
||||
- feature: new option --save_rates=<file> allows to load and save
|
||||
rate limit counters to disk on program start and termination.
|
||||
this allows rate limit persistence during restarts and reboots
|
||||
(requires perl module 'Storable')
|
||||
- feature: the --debugitem="sender=example\.org$" option
|
||||
allows verbose logging for particular requests
|
||||
- feature: the debug() action allows verbose logging for certain
|
||||
rules:
|
||||
------------------------------------------------------------
|
||||
id=R01
|
||||
client_address=1.1.1.1
|
||||
action=debug(on)
|
||||
id=R02
|
||||
...
|
||||
id=R42
|
||||
action=debug(off)
|
||||
------------------------------------------------------------
|
||||
- feature: nested commands are possible now, e.g.:
|
||||
------------------------------------------------------------
|
||||
# throttle
|
||||
action=rate(client_address/10/60/wait(3))
|
||||
------------------------------------------------------------
|
||||
- feature: new mail(server/helo/from/to/subject/body) action.
|
||||
Please take a look at the manual, especially about
|
||||
it's limitations, before using it!
|
||||
------------------------------------------------------------
|
||||
# alert
|
||||
action=size(recipient_domain/100000000/86400/mail(mailhost/helo/from/to/subject/text))
|
||||
------------------------------------------------------------
|
||||
- feature: --chroot option works now (patch by Lukas Wunner).
|
||||
Look for his notes at http://postfwd.org/postfwd2-chroot.html
|
||||
on how to set up the required chroot environment.
|
||||
|
||||
postfwd2 1.31
|
||||
=============
|
||||
- feature: single cache items can be wiped using --delcache <item>
|
||||
or --delrate <item> options. use --dumpcache to identify
|
||||
- feature: sasl_username is logged if available
|
||||
(thanks to Bernhard Schmidt)
|
||||
- code: rate limit action is executed, if the first request exceeds the limit
|
||||
- code: exceeded ratecounters will not be kept permanently anymore. this
|
||||
allows further requests to pass, if they are below the limit
|
||||
- code: rate limits are evaluated at ruleset stage now, which leads to
|
||||
much more comprehensible behaviour. due to this change the request
|
||||
cache is now disabled, if rate limits are used. use the
|
||||
--fast_limit_evaluation option to return to the former mode.
|
||||
|
||||
postfwd2 1.30
|
||||
=============
|
||||
- feature: new parser enhancement allows to omit the trailing "\" for multi-line rules,
|
||||
if the following lines are prefixed by whitespace characters:
|
||||
--------------------------------------
|
||||
id=RCPTCOUNT
|
||||
protocol_state == END-OF-MESSAGE
|
||||
client_address != 10.1.1.0/24
|
||||
recipient_count >= 100
|
||||
action=REJECT too many recipients
|
||||
--------------------------------------
|
||||
- feature: new plugin interface (BETA)
|
||||
- feature: Time::HiRes is used if available
|
||||
- feature: multiple rate limits for the same items are supported now
|
||||
- feature: new $$ratecount variable for rate() actions
|
||||
- feature: new option --keep_rates
|
||||
- code: new --debug class 'cleanup'
|
||||
- docs: documentation updates
|
||||
|
||||
postfwd2 1.22
|
||||
=============
|
||||
- general: adapted postfwd1 versioning scheme
|
||||
- feature: queueid is logged when available
|
||||
- bugfix: rate limits did not work correctly (thanks to Yves Blusseau)
|
||||
- docs: documentation updates and fixes (thanks to Vincent Lefevre)
|
||||
|
||||
postfwd2 1.00
|
||||
=============
|
||||
- code: changed the default umask for the server socket to 0111
|
|
@ -85,7 +85,7 @@
|
|||
--cache-no-size skip size for cache-id
|
||||
--no_parent_request_cache disable parent request cache
|
||||
--no_parent_rate_cache disable parent rate cache
|
||||
--no_parent_dns_cache disable parent dns cache
|
||||
--no_parent_dns_cache disable parent dns cache (default)
|
||||
--no_parent_cache disable all parent caches</pre>
|
||||
<pre>
|
||||
Rates:
|
||||
|
@ -99,7 +99,10 @@
|
|||
--failures <f> max respawn failure counter
|
||||
--daemons <list> list of daemons to start
|
||||
--dumpcache show cache contents
|
||||
--dumpstats show statistics</pre>
|
||||
--dumpstats show statistics
|
||||
-R, --chroot <path> chroot to <path> before start
|
||||
--delcache <item> removes an item from the request cache
|
||||
--delrate <item> removes an item from the rate cache</pre>
|
||||
<pre>
|
||||
DNS:
|
||||
-n, --nodns skip any dns based test
|
||||
|
@ -119,11 +122,18 @@
|
|||
--noidlestats disables statistics when idle
|
||||
--norulestats disables per rule statistics
|
||||
-I, --instantcfg reloads ruleset on every new request
|
||||
--config_timeout <i> parser timeout in seconds</pre>
|
||||
--config_timeout <i> parser timeout in seconds
|
||||
--keep_rates do not clear rate limit counters on reload
|
||||
--save_rates <file> save and load rate limits on disk
|
||||
--fast_limit_evaluation evaluate rate limits before ruleset is parsed</pre>
|
||||
<pre>
|
||||
Plugins:
|
||||
--plugins <file> loads postfwd plugins from file</pre>
|
||||
<pre>
|
||||
Logging:
|
||||
-l, --logname <label> label for syslog messages
|
||||
--facility <s> use syslog facility <s>
|
||||
--socktype <s> use syslog socktype <s>
|
||||
--nodnslog do not log dns results
|
||||
--anydnslog log any dns (even cached) results
|
||||
--norulelog do not log rule actions
|
||||
|
@ -170,7 +180,7 @@ which should allow straightforward and easy-to-read configurations.</p>
|
|||
<p>A configuration line consists of optional item=value pairs, separated by semicolons
|
||||
(`;`) and the appropriate desired action:</p>
|
||||
<pre>
|
||||
[ <item1>[=><~]=<value>; <item2>[=><~]=<value>; ... ] action=<result></pre>
|
||||
[ <item1>=<value>; <item2>=<value>; ... ] action=<result></pre>
|
||||
<p><em>Example:</em></p>
|
||||
<pre>
|
||||
client_address=192.168.1.1 ; sender==no@bad.local ; action=REJECT</pre>
|
||||
|
@ -199,10 +209,19 @@ or trailing whitespace characters will be ignored. Use '#' to comment your confi
|
|||
appreciate.</p>
|
||||
<p>A ruleset consists of one or multiple rules, which can be loaded from files or passed as command line
|
||||
arguments. Please see the COMMAND LINE section below for more information on this topic.</p>
|
||||
<p>Rules can span multiple lines by adding a trailing backslash ``\'' character:</p>
|
||||
<p>Since postfwd version 1.30 rules spanning span multiple lines can be defined by prefixing the following
|
||||
lines with one or multiple whitespace characters (or '}' for macros):</p>
|
||||
<pre>
|
||||
id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \
|
||||
action=REJECT please use your relay from there</pre>
|
||||
id=RULE001
|
||||
client_address=192.168.1.0/24
|
||||
sender==no@bad.local
|
||||
action=REJECT no access</pre>
|
||||
<p>postfwd versions prior to 1.30 require trailing ';' and '\'-characters:</p>
|
||||
<pre>
|
||||
id=RULE001; \
|
||||
client_address=192.168.1.0/24; \
|
||||
sender==no@bad.local; \
|
||||
action=REJECT no access</pre>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="items">ITEMS</a></h2>
|
||||
|
@ -268,8 +287,14 @@ arguments. Please see the COMMAND LINE section below for more information on thi
|
|||
this enables version based checks in your rulesets
|
||||
(e.g. for migration). works with old versions too,
|
||||
because a non-existing item always returns false:
|
||||
id=R01; version~=1.10; sender_domain==some.org \
|
||||
# version >= 1.10
|
||||
id=R01; version~=1\.[1-9][0-9]; sender_domain==some.org \
|
||||
; action=REJECT sorry no access</pre>
|
||||
<pre>
|
||||
ratecount - only available for rate(), size() and rcpt() actions.
|
||||
contains the actual limit counter:
|
||||
id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits])
|
||||
id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits])</pre>
|
||||
<p>Besides these you can specify any attribute of the postfix policy delegation protocol.
|
||||
Feel free to combine them the way you need it (have a look at the EXAMPLES section below).</p>
|
||||
<p>Most values can be specified as regular expressions (PCRE). Please see the table below
|
||||
|
@ -319,34 +344,33 @@ for details:</p>
|
|||
encryption_keysize=256 mask = numeric, will match if keysize >= 256
|
||||
...</pre>
|
||||
<p>the current list can be found at <a href="http://www.postfix.org/SMTPD_POLICY_README.html">http://www.postfix.org/SMTPD_POLICY_README.html</a>. Please read carefully about which
|
||||
attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END_OF_DATA level).
|
||||
attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END-OF-MESSAGE level).
|
||||
Pattern matching is performed case insensitive.</p>
|
||||
<p>Multiple use of the same item is allowed and will compared as logical OR, which means that this will work as expected:</p>
|
||||
<pre>
|
||||
id=TRUST001; action=OK; encryption_keysize=64; \
|
||||
ccert_fingerprint=11:22:33:44:55:66:77:88:99; \
|
||||
ccert_fingerprint=22:33:44:55:66:77:88:99:00; \
|
||||
ccert_fingerprint=33:44:55:66:77:88:99:00:11; \
|
||||
id=TRUST001; action=OK; encryption_keysize=64
|
||||
ccert_fingerprint=11:22:33:44:55:66:77:88:99
|
||||
ccert_fingerprint=22:33:44:55:66:77:88:99:00
|
||||
ccert_fingerprint=33:44:55:66:77:88:99:00:11
|
||||
sender=@domain\.local$</pre>
|
||||
<p>client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values:</p>
|
||||
<pre>
|
||||
id=SKIP01; action=dunno; \
|
||||
id=SKIP01; action=dunno
|
||||
client_address=192.168.1.0/24, 172.16.254.23
|
||||
id=SKIP02; action=dunno; \
|
||||
client_address= 10.10.3.32 \
|
||||
10.216.222.0/27</pre>
|
||||
id=SKIP02; action=dunno
|
||||
client_address= 10.10.3.32 10.216.222.0/27</pre>
|
||||
<p>The following items must be unique:</p>
|
||||
<pre>
|
||||
id, minimum and maximum values, rblcount and rhsblcount</pre>
|
||||
<p>Any item can be negated by preceeding '!!' to it, e.g.:</p>
|
||||
<pre>
|
||||
id=TLS001 ; hostname=!!^secure\.trust\.local$ ; action=REJECT only secure.trust.local please</pre>
|
||||
id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please</pre>
|
||||
<p>or using the right compare operator:</p>
|
||||
<pre>
|
||||
id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that?</pre>
|
||||
id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please</pre>
|
||||
<p>To avoid confusion with regexps or simply for better visibility you can use '!!(...)':</p>
|
||||
<pre>
|
||||
id=USER01 ; sasl_username=!!( /^(bob|alice)$/ ) ; action=REJECT who is that?</pre>
|
||||
id=USER01 ; sasl_username =~ !!( /^(bob|alice)$/ ) ; action=REJECT who is that?</pre>
|
||||
<p>Request attributes can be compared by preceeding '$$' characters, e.g.:</p>
|
||||
<pre>
|
||||
id=R-003 ; client_name = !! $$helo_name ; action=WARN helo does not match DNS
|
||||
|
@ -354,6 +378,29 @@ Pattern matching is performed case insensitive.</p>
|
|||
id=R-003 ; client_name = !!($$(helo_name)) ; action=WARN helo does not match DNS</pre>
|
||||
<p>This is only valid for PCRE values (see list above). The comparison will be performed as case insensitive exact match.
|
||||
Use the '-vv' option to debug.</p>
|
||||
<p>These special items will be reset for any new rule:</p>
|
||||
<pre>
|
||||
rblcount - contains the number of RBL answers
|
||||
rhsblcount - contains the number of RHSBL answers
|
||||
matches - contains the number of matched items
|
||||
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
|
||||
rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...</pre>
|
||||
<p>These special items will be changed for any matching rule:</p>
|
||||
<pre>
|
||||
request_hits - contains ids of all matching rules</pre>
|
||||
<p>This means that it might be necessary to save them, if you plan to use these values in later rules:</p>
|
||||
<pre>
|
||||
# set vals
|
||||
id=RBL01 ; rhsblcount=all; rblcount=all
|
||||
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
|
||||
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org
|
||||
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
|
||||
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net</pre>
|
||||
<pre>
|
||||
# compare
|
||||
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
|
||||
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]</pre>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="files">FILES</a></h2>
|
||||
|
@ -373,15 +420,15 @@ Use the '-vv' option to debug.</p>
|
|||
id=R001 ; ccert_fingerprint==table:/etc/postfwd/wl_ccerts ; action=DUNNO</pre>
|
||||
<p>This will ignore the right-hand value. Items can be mixed:</p>
|
||||
<pre>
|
||||
id=R002 ; action=REJECT \
|
||||
client_name==unknown; \
|
||||
id=R002 ; action=REJECT
|
||||
client_name==unknown
|
||||
client_name==<a href="file:/etc/postfwd/blacklisted">file:/etc/postfwd/blacklisted</a></pre>
|
||||
<p>and for non pcre (comma separated) items:</p>
|
||||
<pre>
|
||||
id=R003 ; action=REJECT \
|
||||
id=R003 ; action=REJECT
|
||||
client_address==10.1.1.1, <a href="file:/etc/postfwd/blacklisted">file:/etc/postfwd/blacklisted</a></pre>
|
||||
<pre>
|
||||
id=R004 ; action=REJECT \
|
||||
id=R004 ; action=REJECT
|
||||
rbl=myrbl.home.local, zen.spamhaus.org, <a href="file:/etc/postfwd/rbls_changing">file:/etc/postfwd/rbls_changing</a></pre>
|
||||
<p>You can check your configuration with the --show_config option at the command line:</p>
|
||||
<pre>
|
||||
|
@ -479,16 +526,16 @@ rule containing only an action statement:</p>
|
|||
please note that <action> is currently limited to postfix actions (no postfwd actions)!
|
||||
# no more than 3 requests per 5 minutes
|
||||
# from the same "unknown" client
|
||||
id=RATE01 ; client_name==unknown ; \
|
||||
action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)</pre>
|
||||
id=RATE01 ; client_name==unknown
|
||||
action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)</pre>
|
||||
<pre>
|
||||
size (<item>/<max>/<time>/<action>)
|
||||
this command works similar to the rate() command with the difference, that the rate counter is
|
||||
increased by the request's size attribute. to do this reliably you should call postfwd2 from
|
||||
smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset:
|
||||
# size limit 1.5mb per hour per client
|
||||
id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
|
||||
action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)</pre>
|
||||
id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1)
|
||||
action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)</pre>
|
||||
<pre>
|
||||
rcpt (<item>/<max>/<time>/<action>)
|
||||
this command works similar to the rate() command with the difference, that the rate counter is
|
||||
|
@ -496,8 +543,8 @@ rule containing only an action statement:</p>
|
|||
from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could
|
||||
check it within the ruleset:
|
||||
# recipient count limit 3 per hour per client
|
||||
id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
|
||||
action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)</pre>
|
||||
id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1)
|
||||
action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)</pre>
|
||||
<pre>
|
||||
ask (<addr>:<port>[:<ignore>])
|
||||
allows to delegate the policy decision to another policy service (e.g. postgrey). the first
|
||||
|
@ -508,6 +555,11 @@ rule containing only an action statement:</p>
|
|||
# example2: query postgrey but ignore it's answer, if it matches 'DUNNO'
|
||||
# and continue parsing postfwd's ruleset
|
||||
id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$)</pre>
|
||||
<pre>
|
||||
mail(server/helo/from/to/subject/body)
|
||||
Very basic mail command, that sends a message with the given arguments. LIMITATIONS:
|
||||
This basically performs a telnet. No authentication or TLS are available. Additionally it does
|
||||
not track notification state and will notify you any time, the corresponding rule hits.</pre>
|
||||
<pre>
|
||||
wait (<delay>)
|
||||
pauses the program execution for <delay> seconds. use this for
|
||||
|
@ -515,7 +567,7 @@ rule containing only an action statement:</p>
|
|||
<pre>
|
||||
note (<string>)
|
||||
just logs the given string and continues parsing the ruleset.
|
||||
if the string is empty, nothing will be logged.</pre>
|
||||
if the string is empty, nothing will be logged (noop).</pre>
|
||||
<pre>
|
||||
quit (<code>)
|
||||
terminates the program with the given exit-code. postfix doesn`t
|
||||
|
@ -523,29 +575,6 @@ rule containing only an action statement:</p>
|
|||
<p>You can reference to request attributes, like</p>
|
||||
<pre>
|
||||
id=R-HELO ; helo_name=^[^\.]+$ ; action=REJECT invalid helo '$$helo_name'</pre>
|
||||
<p>These special attributes will be reset for any new rule:</p>
|
||||
<pre>
|
||||
rblcount - contains the number of RBL answers
|
||||
rhsblcount - contains the number of RHSBL answers
|
||||
matches - contains the number of matched items
|
||||
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
|
||||
rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...</pre>
|
||||
<p>These special attributes will be changed for any matching rule:</p>
|
||||
<pre>
|
||||
request_hits - contains ids of all matching rules</pre>
|
||||
<p>This means that it might be necessary to save them, if you plan to use these values in later rules:</p>
|
||||
<pre>
|
||||
# set vals
|
||||
id=RBL01 ; rhsblcount=all ; rblcount=all ; \
|
||||
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
|
||||
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
|
||||
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
|
||||
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)</pre>
|
||||
<pre>
|
||||
# compare
|
||||
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
|
||||
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]</pre>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="macros_acls">MACROS/ACLS</a></h2>
|
||||
|
@ -568,18 +597,18 @@ First the macros have to be defined as follows:</p>
|
|||
&&GONOW ; &&RBLS ; client_name=[\.-_](adsl|dynamic|ppp|)[\.-_]</pre>
|
||||
<p>Macros can contain macros, too:</p>
|
||||
<pre>
|
||||
# definition (note the trailing "\" characters)
|
||||
&&RBLS { \
|
||||
rbl=zen.spamhaus.org ; \
|
||||
rbl=list.dsbl.org ; \
|
||||
rbl=bl.spamcop.net ; \
|
||||
rbl=dnsbl.sorbs.net ; \
|
||||
rbl=ix.dnsbl.manitu.net ; \
|
||||
# definition
|
||||
&&RBLS{
|
||||
rbl=zen.spamhaus.org
|
||||
rbl=list.dsbl.org
|
||||
rbl=bl.spamcop.net
|
||||
rbl=dnsbl.sorbs.net
|
||||
rbl=ix.dnsbl.manitu.net
|
||||
};
|
||||
&&DYNAMIC { \
|
||||
client_name=^unknown$ ; \
|
||||
client_name=(\d+[\.-_]){4} ; \
|
||||
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
|
||||
&&DYNAMIC{
|
||||
client_name=^unknown$
|
||||
client_name=(\d+[\.-_]){4}
|
||||
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_]
|
||||
};
|
||||
&&GOAWAY { &&RBLS; &&DYNAMIC; };
|
||||
# rules
|
||||
|
@ -588,7 +617,141 @@ First the macros have to be defined as follows:</p>
|
|||
<p>
|
||||
</p>
|
||||
<h2><a name="plugins">PLUGINS</a></h2>
|
||||
<p>Please visit <a href="http://www.postfwd.org/postfwd.plugins">http://www.postfwd.org/postfwd.plugins</a></p>
|
||||
<p><strong>Description</strong></p>
|
||||
<p>The plugin interface allow you to define your own checks and enhance postfwd's
|
||||
functionality. Feel free to share useful things!</p>
|
||||
<p><strong>Warning</strong></p>
|
||||
<p>Note that the plugin interface is still at devel stage. Please test your plugins
|
||||
carefully, because errors may cause postfwd to break! It is also
|
||||
allowed to override attributes or built-in functions, but be sure that you know
|
||||
what you do because some of them are used internally.</p>
|
||||
<p>Please keep security in mind, when you access sensible ressources and never, ever
|
||||
run postfwd as privileged user! Also never trust your input (especially hostnames,
|
||||
and e-mail addresses).</p>
|
||||
<p><strong>ITEMS</strong></p>
|
||||
<p>Item plugins are perl subroutines which integrate additional attributes to requests
|
||||
before they are evaluated against postfwd's ruleset like any other item of the
|
||||
policy delegation protocol. This allows you to create your own checks.</p>
|
||||
<p>plugin-items can not be used selective. these functions will be executed for every
|
||||
request postfwd receives, so keep performance in mind.</p>
|
||||
<pre>
|
||||
SYNOPSIS: %result = postfwd_items_plugin{<name>}(%request)</pre>
|
||||
<p>means that your subroutine, called <name>, has access to a hash called %request,
|
||||
which contains all request attributes, like $request{client_name} and must
|
||||
return a value in the following form:</p>
|
||||
<pre>
|
||||
save: $result{<item>} = <value></pre>
|
||||
<p>this creates the new item <item> containing <value>, which will be integrated in
|
||||
the policy delegation request and therefore may be used in postfwd's ruleset.</p>
|
||||
<pre>
|
||||
# do NOT remove the next line
|
||||
%postfwd_items_plugin = (</pre>
|
||||
<pre>
|
||||
# EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
|
||||
# allows to check postfwd version in ruleset
|
||||
"version" => sub {
|
||||
my(%request) = @_;
|
||||
my(%result) = (
|
||||
"version" => $NAME." ".$VERSION,
|
||||
);
|
||||
return %result;
|
||||
},
|
||||
|
||||
# sender_domain and recipient_domain
|
||||
"address_parts" => sub {
|
||||
my(%request) = @_;
|
||||
my(%result) = ();
|
||||
$request{sender} =~ /@([^@]*)$/;
|
||||
$result{sender_domain} = ($1 || '');
|
||||
$request{recipient} =~ /@([^@]*)$/;
|
||||
$result{recipient_domain} = ($1 || '');
|
||||
return %result;
|
||||
},</pre>
|
||||
<pre>
|
||||
# do NOT remove the next line
|
||||
);</pre>
|
||||
<p><strong>COMPARE</strong></p>
|
||||
<p>Compare plugins allow you to define how your new items should be compared to the ruleset.
|
||||
These are optional. If you don't specify one, the default (== for exact match, =~ for PCRE, ...)
|
||||
will be used.</p>
|
||||
<pre>
|
||||
SYNOPSIS: <item> => sub { return &{$postfwd_compare{<type>}}(@_); },</pre>
|
||||
<pre>
|
||||
# do NOT remove the next line
|
||||
%postfwd_compare_plugin = (</pre>
|
||||
<pre>
|
||||
EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
|
||||
# Simple example
|
||||
# SYNOPSIS: <result> = <item> (return &{$postfwd_compare{<type>}}(@_))
|
||||
"client_address" => sub { return &{$postfwd_compare{cidr}}(@_); },
|
||||
"size" => sub { return &{$postfwd_compare{numeric}}(@_); },
|
||||
"recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); },
|
||||
|
||||
# Complex example
|
||||
# SYNOPSIS: <result> = <item>(<operator>, <ruleset value>, <request value>, <request>)
|
||||
"numeric" => sub {
|
||||
my($cmp,$val,$myitem,%request) = @_;
|
||||
my($myresult) = undef; $myitem ||= "0"; $val ||= "0";
|
||||
if ($cmp eq '==') {
|
||||
$myresult = ($myitem == $val);
|
||||
} elsif ($cmp eq '=<') {
|
||||
$myresult = ($myitem <= $val);
|
||||
} elsif ($cmp eq '=>') {
|
||||
$myresult = ($myitem >= $val);
|
||||
} elsif ($cmp eq '!=') {
|
||||
$myresult = not($myitem == $val);
|
||||
} elsif ($cmp eq '!<') {
|
||||
$myresult = not($myitem <= $val);
|
||||
} elsif ($cmp eq '!>') {
|
||||
$myresult = not($myitem >= $val);
|
||||
} else {
|
||||
$myresult = ($myitem >= $val);
|
||||
};
|
||||
return $myresult;
|
||||
},</pre>
|
||||
<pre>
|
||||
# do NOT remove the next line
|
||||
);</pre>
|
||||
<p><strong>ACTIONS</strong></p>
|
||||
<p>Action plugins allow to define new postfwd actions. By setting the $stop-flag you can decide to
|
||||
continue or to stop parsing the ruleset.</p>
|
||||
<pre>
|
||||
SYNOPSIS: (<stop rule parsing>, <next rule index>, <return action>, <logprefix>, <request>) =
|
||||
<action> (<current rule index>, <current time>, <command name>, <argument>, <logprefix>, <request>)</pre>
|
||||
<pre>
|
||||
# do NOT remove the next line
|
||||
%postfwd_actions_plugin = (</pre>
|
||||
<pre>
|
||||
# EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
|
||||
# note(<logstring>) command
|
||||
"note" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg;
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},
|
||||
|
||||
# skips next <myarg> rules
|
||||
"skip" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
$index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) );
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},
|
||||
|
||||
# dumps current request contents to syslog
|
||||
"dumprequest" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request);
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},</pre>
|
||||
<pre>
|
||||
# do NOT remove the next line
|
||||
);</pre>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="command_line">COMMAND LINE</a></h2>
|
||||
|
@ -603,18 +766,13 @@ that at least one of the following is required for postfwd2 to work.</p>
|
|||
-r, --rule <rule>
|
||||
Adds <rule> to ruleset. Remember that you might have to quote
|
||||
strings that contain whitespaces or shell characters.</pre>
|
||||
<p><em>Plugins</em></p>
|
||||
<pre>
|
||||
--plugins
|
||||
A file containing plugin routines for postfwd. Please see the
|
||||
PLUGINS section for more information.</pre>
|
||||
<p><em>Scoring</em></p>
|
||||
<pre>
|
||||
-s, --scores <val>=<action>
|
||||
Returns <action> to postfix, when the request's score exceeds <val></pre>
|
||||
<p>Multiple usage is allowed. Just chain your arguments, like:</p>
|
||||
<pre>
|
||||
postfwd2 -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
|
||||
postfwd2 -r "<item>=<value>;action=<result>" -f <file> -f <file> ...
|
||||
or
|
||||
postfwd2 --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd2 score too high" ...</pre>
|
||||
<p>In case of multiple scores, the highest match will count. The order of the arguments will be
|
||||
|
@ -625,13 +783,13 @@ The following arguments will control it's behaviour in this case.</p>
|
|||
<pre>
|
||||
-d, --daemon
|
||||
postfwd2 will run as daemon and listen on the network for incoming
|
||||
queries (default 127.0.0.1:10040).</pre>
|
||||
queries (default 127.0.0.1:10045).</pre>
|
||||
<pre>
|
||||
-i, --interface <dev>
|
||||
Bind postfwd2 to the specified interface (default 127.0.0.1).</pre>
|
||||
<pre>
|
||||
-p, --port <port>
|
||||
postfwd2 listens on the specified port (default tcp/10040).</pre>
|
||||
postfwd2 listens on the specified port (default tcp/10045).</pre>
|
||||
<pre>
|
||||
--proto <type>
|
||||
The protocol type for postfwd's socket. Currently you may use 'tcp' or 'unix' here.
|
||||
|
@ -657,10 +815,17 @@ The following arguments will control it's behaviour in this case.</p>
|
|||
<pre>
|
||||
-R, --chroot <path>
|
||||
Chroot the process to the specified path.
|
||||
Test this before using - you might need some libs there.</pre>
|
||||
Please look at <a href="http://postfwd.org/postfwd2-chroot.html">http://postfwd.org/postfwd2-chroot.html</a> before use!</pre>
|
||||
<pre>
|
||||
--pidfile <path>
|
||||
The process id will be saved in the specified file.</pre>
|
||||
<pre>
|
||||
--facility <f>
|
||||
sets the syslog facility, default is 'mail'</pre>
|
||||
<pre>
|
||||
--socktype <s>
|
||||
sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'.
|
||||
Default is to auto-detect this depening on module version and os.</pre>
|
||||
<pre>
|
||||
-l, --logname <label>
|
||||
Labels the syslog messages. Useful when running multiple
|
||||
|
@ -668,6 +833,11 @@ The following arguments will control it's behaviour in this case.</p>
|
|||
<pre>
|
||||
--loglen <int>
|
||||
Truncates any syslog message after <int> characters.</pre>
|
||||
<p><em>Plugins</em></p>
|
||||
<pre>
|
||||
--plugins <file>
|
||||
Loads postfwd plugins from file. Please see <a href="http://postfwd.org/postfwd.plugins">http://postfwd.org/postfwd.plugins</a>
|
||||
or the plugins.postfwd.sample that is available from the tarball for more info.</pre>
|
||||
<p><em>Optional arguments</em></p>
|
||||
<p>These parameters influence the way postfwd2 is working. Any of them can be combined.</p>
|
||||
<pre>
|
||||
|
@ -794,7 +964,22 @@ The following arguments will control it's behaviour in this case.</p>
|
|||
timeout in seconds to parse a single configuration line. if exceeded, the rule will
|
||||
be skipped. this is used to prevent problems due to large files or loops.
|
||||
|
||||
I<Informational arguments></pre>
|
||||
--keep_rates (default=0)
|
||||
With this option set postfwd2 does not clear the rate limit counters on reload. Please
|
||||
note that you have to restart (not reload) postfwd with this option if you change
|
||||
any rate limit rules.</pre>
|
||||
<pre>
|
||||
--save_rates (default=none)
|
||||
With this option postfwd saves existing rate limit counters to disk and reloads them
|
||||
on program start. This allows persistent rate limits across program restarts or reboots.
|
||||
Please note that postfwd needs read and write access to the specified file.</pre>
|
||||
<pre>
|
||||
--fast_limit_evaluation (default=0)
|
||||
Once a ratelimit was set by the ruleset, future requests will be evaluated against it
|
||||
before consulting the ruleset. This mode was the default behaviour until v1.30.
|
||||
With this mode rate limits will be faster, but also eventually set up
|
||||
whitelisting-rules within the ruleset might not work as expected.</pre>
|
||||
<p><em>Informational arguments</em></p>
|
||||
<p>These arguments are for command line usage only. Never ever use them with postfix!</p>
|
||||
<pre>
|
||||
-C, --showconfig
|
||||
|
@ -815,6 +1000,26 @@ I<Informational arguments></pre>
|
|||
-P, --perfmon
|
||||
This option turns of any syslogging and output. It is included
|
||||
for performance testing.</pre>
|
||||
<pre>
|
||||
--dumpstats
|
||||
Displays program usage statistics.</pre>
|
||||
<pre>
|
||||
--dumpcache
|
||||
Displays cache contents.</pre>
|
||||
<pre>
|
||||
--delcache <item>
|
||||
Removes an item from the request cache. Use --dumpcache to identify objects.
|
||||
E.g.:
|
||||
# postfwd --dumpcache
|
||||
...
|
||||
%rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1'
|
||||
%rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2'
|
||||
...
|
||||
# postfwd --delrate="sender=gmato@jqvo.org"
|
||||
rate cache item 'sender=gmato@jqvo.org' removed</pre>
|
||||
<pre>
|
||||
--delrate <item>
|
||||
Removes an item from the rate cache. Use --dumpcache to identify objects.</pre>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="refresh">REFRESH</a></h2>
|
||||
|
@ -854,18 +1059,25 @@ the '-I' switch to have your configuration refreshed for every request postfwd2
|
|||
# 1. 30MB for systems in *.customer1.tld
|
||||
# 2. 20MB for SASL user joejob
|
||||
# 3. 10MB default
|
||||
id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$
|
||||
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
|
||||
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000
|
||||
id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large</pre>
|
||||
id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$
|
||||
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
|
||||
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000
|
||||
id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large</pre>
|
||||
<pre>
|
||||
## Selective Greylisting
|
||||
##
|
||||
## Note that postfwd does not include greylisting. This setup requires a running postgrey service
|
||||
## at port 10031 and the following postfix restriction class in your main.cf:
|
||||
##
|
||||
## smtpd_restriction_classes = check_postgrey, ...
|
||||
## check_postgrey = check_policy_service inet:127.0.0.1:10031
|
||||
#
|
||||
# 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s
|
||||
# 2. Client has no rDNS
|
||||
# 3. Client comes from several dialin domains
|
||||
id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
|
||||
id=GR002; action=greylisting ; client_name=^unknown$
|
||||
id=GR003; action=greylisting ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$</pre>
|
||||
id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
|
||||
id=GR002; action=check_postgrey ; client_name=^unknown$
|
||||
id=GR003; action=check_postgrey ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$</pre>
|
||||
<pre>
|
||||
## Date Time
|
||||
date=24.12.2007-26.12.2007 ; action=450 4.7.1 office closed during christmas
|
||||
|
@ -873,7 +1085,7 @@ the '-I' switch to have your configuration refreshed for every request postfwd2
|
|||
time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim
|
||||
time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim
|
||||
months=-Apr ; action=450 4.7.1 see you in may
|
||||
days=!!Mon-Fri ; action=greylist</pre>
|
||||
days=!!Mon-Fri ; action=check_postgrey</pre>
|
||||
<pre>
|
||||
## Usage of jump
|
||||
# The following allows a message size of 30MB for different
|
||||
|
@ -883,8 +1095,8 @@ the '-I' switch to have your configuration refreshed for every request postfwd2
|
|||
id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:...
|
||||
id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:...
|
||||
id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:...
|
||||
id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
|
||||
id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000</pre>
|
||||
id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
|
||||
id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000</pre>
|
||||
<pre>
|
||||
## Usage of score
|
||||
# The following rejects a mail, if the client
|
||||
|
@ -892,8 +1104,8 @@ the '-I' switch to have your configuration refreshed for every request postfwd2
|
|||
# - is listed in 1 RBL or 1 RHSBL and has no correct rDNS
|
||||
# - other clients without correct rDNS will be greylist-checked
|
||||
# - some whitelists are used to lower the score
|
||||
id=S01 ; score=2.6 ; action=greylisting
|
||||
id=S02 ; score=5.0 ; action=REJECT postfwd2 score too high
|
||||
id=S01 ; score=2.6 ; action=check_postgrey
|
||||
id=S02 ; score=5.0 ; action=REJECT postfwd score too high
|
||||
id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org
|
||||
id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net
|
||||
id=R02 ; action=score(2.5) ; rhsbl=rhsbl.ahbl.org, rhsbl.sorbs.net
|
||||
|
@ -905,10 +1117,10 @@ the '-I' switch to have your configuration refreshed for every request postfwd2
|
|||
# The following temporary rejects requests from "unknown" clients, if they
|
||||
# 1. exceeded 30 requests per hour or
|
||||
# 2. tried to send more than 1.5mb within 10 minutes
|
||||
id=RATE01 ; client_name==unknown ; state==RCPT ; \
|
||||
action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
|
||||
id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \
|
||||
action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)</pre>
|
||||
id=RATE01 ; client_name==unknown ; protocol_state==RCPT
|
||||
action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
|
||||
id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE
|
||||
action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)</pre>
|
||||
<pre>
|
||||
## Macros
|
||||
# definition
|
||||
|
@ -921,34 +1133,34 @@ the '-I' switch to have your configuration refreshed for every request postfwd2
|
|||
<pre>
|
||||
## Groups
|
||||
# definition
|
||||
&&RBLS { \
|
||||
rbl=zen.spamhaus.org ; \
|
||||
rbl=list.dsbl.org ; \
|
||||
rbl=bl.spamcop.net ; \
|
||||
rbl=dnsbl.sorbs.net ; \
|
||||
rbl=ix.dnsbl.manitu.net ; \
|
||||
&&RBLS{
|
||||
rbl=zen.spamhaus.org
|
||||
rbl=list.dsbl.org
|
||||
rbl=bl.spamcop.net
|
||||
rbl=dnsbl.sorbs.net
|
||||
rbl=ix.dnsbl.manitu.net
|
||||
};
|
||||
&&RHSBLS { \
|
||||
&&RHSBLS{
|
||||
...
|
||||
};
|
||||
&&DYNAMIC { \
|
||||
client_name==unknown ; \
|
||||
client_name~=(\d+[\.-_]){4} ; \
|
||||
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
|
||||
&&DYNAMIC{
|
||||
client_name==unknown
|
||||
client_name~=(\d+[\.-_]){4}
|
||||
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_]
|
||||
...
|
||||
};
|
||||
&&BAD_HELO { \
|
||||
helo_name==my.name.tld; \
|
||||
helo_name~=^([^\.]+)$; \
|
||||
helo_name~=\.(local|lan)$; \
|
||||
&&BAD_HELO{
|
||||
helo_name==my.name.tld
|
||||
helo_name~=^([^\.]+)$
|
||||
helo_name~=\.(local|lan)$
|
||||
...
|
||||
};
|
||||
&&MAINTENANCE { \
|
||||
date=15.01.2007 ; \
|
||||
date=15.04.2007 ; \
|
||||
date=15.07.2007 ; \
|
||||
date=15.10.2007 ; \
|
||||
time=03:00:00 - 04:00:00 ; \
|
||||
&&MAINTENANCE{
|
||||
date=15.01.2007
|
||||
date=15.04.2007
|
||||
date=15.07.2007
|
||||
date=15.10.2007
|
||||
time=03:00:00 - 04:00:00
|
||||
};
|
||||
# rules
|
||||
id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL
|
||||
|
@ -965,7 +1177,7 @@ the '-I' switch to have your configuration refreshed for every request postfwd2
|
|||
<pre>
|
||||
## combined with enhanced rbl features
|
||||
#
|
||||
id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \
|
||||
id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS
|
||||
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
|
||||
id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]</pre>
|
||||
<p>
|
||||
|
@ -1068,21 +1280,21 @@ place a last catch-all rule to change that behaviour:</p>
|
|||
postfwd2 will spawn multiple child processes which communicate with a parent cache. This is
|
||||
the prefered way to use postfwd2 in high volume environments. Start postfwd2 with the following parameters:</p>
|
||||
<pre>
|
||||
postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10040 -u nobody -g nobody -S</pre>
|
||||
postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10045 -u nobody -g nobody -S</pre>
|
||||
<p>For efficient caching you should check if you can use the options --cacheid, --cache-rdomain-only,
|
||||
--cache-no-sender and --cache-no-size.</p>
|
||||
<p>Now check your syslogs (default facility ``mail'') for a line like:</p>
|
||||
<pre>
|
||||
Aug 9 23:00:24 mail postfwd[5158]: postfwd2 n.nn ready for input</pre>
|
||||
<p>and use `netstat -an|grep 10040` to check for something like</p>
|
||||
<p>and use `netstat -an|grep 10045` to check for something like</p>
|
||||
<pre>
|
||||
tcp 0 0 127.0.0.1:10040 0.0.0.0:* LISTEN</pre>
|
||||
tcp 0 0 127.0.0.1:10045 0.0.0.0:* LISTEN</pre>
|
||||
<p>If everything works, open your postfix main.cf and insert the following</p>
|
||||
<pre>
|
||||
127.0.0.1:10040_time_limit = 3600 <--- integration
|
||||
127.0.0.1:10045_time_limit = 3600 <--- integration
|
||||
smtpd_recipient_restrictions = permit_mynetworks <--- recommended
|
||||
reject_unauth_destination <--- recommended
|
||||
check_policy_service inet:127.0.0.1:10040 <--- integration</pre>
|
||||
check_policy_service inet:127.0.0.1:10045 <--- integration</pre>
|
||||
<p>Reload your configuration with `postfix reload` and watch your logs. In it works you should see
|
||||
lines like the following in your mail log:</p>
|
||||
<pre>
|
||||
|
@ -1098,9 +1310,9 @@ tables. First create a file /etc/postfix/policy containing:</p>
|
|||
<pre>
|
||||
# Restriction Classes
|
||||
smtpd_restriction_classes = postfwdcheck, <some more>... <--- integration
|
||||
postfwdcheck = check_policy_service inet:127.0.0.1:10040 <--- integration</pre>
|
||||
postfwdcheck = check_policy_service inet:127.0.0.1:10045 <--- integration</pre>
|
||||
<pre>
|
||||
127.0.0.1:10040_time_limit = 3600 <--- integration
|
||||
127.0.0.1:10045_time_limit = 3600 <--- integration
|
||||
smtpd_recipient_restrictions = permit_mynetworks, <--- recommended
|
||||
reject_unauth_destination, <--- recommended
|
||||
... <--- optional
|
||||
|
@ -1122,7 +1334,7 @@ Simply change it to meet your requirements and use</p>
|
|||
action=<whateveryouconfigured></pre>
|
||||
<p>For network tests I use netcat:</p>
|
||||
<pre>
|
||||
nc 127.0.0.1 10040 <request.sample</pre>
|
||||
nc 127.0.0.1 10045 <request.sample</pre>
|
||||
<p>to send a request to postfwd. If you receive nothing, make sure that postfwd2 is running and
|
||||
listening on the specified network settings.</p>
|
||||
<p>
|
||||
|
|
479
doc/postfwd2.txt
479
doc/postfwd2.txt
|
@ -38,7 +38,7 @@ SYNOPSIS
|
|||
--cache-no-size skip size for cache-id
|
||||
--no_parent_request_cache disable parent request cache
|
||||
--no_parent_rate_cache disable parent rate cache
|
||||
--no_parent_dns_cache disable parent dns cache
|
||||
--no_parent_dns_cache disable parent dns cache (default)
|
||||
--no_parent_cache disable all parent caches
|
||||
|
||||
Rates:
|
||||
|
@ -53,6 +53,9 @@ SYNOPSIS
|
|||
--daemons <list> list of daemons to start
|
||||
--dumpcache show cache contents
|
||||
--dumpstats show statistics
|
||||
-R, --chroot <path> chroot to <path> before start
|
||||
--delcache <item> removes an item from the request cache
|
||||
--delrate <item> removes an item from the rate cache
|
||||
|
||||
DNS:
|
||||
-n, --nodns skip any dns based test
|
||||
|
@ -73,10 +76,17 @@ SYNOPSIS
|
|||
--norulestats disables per rule statistics
|
||||
-I, --instantcfg reloads ruleset on every new request
|
||||
--config_timeout <i> parser timeout in seconds
|
||||
--keep_rates do not clear rate limit counters on reload
|
||||
--save_rates <file> save and load rate limits on disk
|
||||
--fast_limit_evaluation evaluate rate limits before ruleset is parsed
|
||||
|
||||
Plugins:
|
||||
--plugins <file> loads postfwd plugins from file
|
||||
|
||||
Logging:
|
||||
-l, --logname <label> label for syslog messages
|
||||
--facility <s> use syslog facility <s>
|
||||
--socktype <s> use syslog socktype <s>
|
||||
--nodnslog do not log dns results
|
||||
--anydnslog log any dns (even cached) results
|
||||
--norulelog do not log rule actions
|
||||
|
@ -132,7 +142,7 @@ DESCRIPTION
|
|||
A configuration line consists of optional item=value pairs, separated by
|
||||
semicolons (`;`) and the appropriate desired action:
|
||||
|
||||
[ <item1>[=><~]=<value>; <item2>[=><~]=<value>; ... ] action=<result>
|
||||
[ <item1>=<value>; <item2>=<value>; ... ] action=<result>
|
||||
|
||||
*Example:*
|
||||
|
||||
|
@ -173,11 +183,21 @@ DESCRIPTION
|
|||
files or passed as command line arguments. Please see the COMMAND LINE
|
||||
section below for more information on this topic.
|
||||
|
||||
Rules can span multiple lines by adding a trailing backslash "\"
|
||||
character:
|
||||
Since postfwd version 1.30 rules spanning span multiple lines can be
|
||||
defined by prefixing the following lines with one or multiple whitespace
|
||||
characters (or '}' for macros):
|
||||
|
||||
id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \
|
||||
action=REJECT please use your relay from there
|
||||
id=RULE001
|
||||
client_address=192.168.1.0/24
|
||||
sender==no@bad.local
|
||||
action=REJECT no access
|
||||
|
||||
postfwd versions prior to 1.30 require trailing ';' and '\'-characters:
|
||||
|
||||
id=RULE001; \
|
||||
client_address=192.168.1.0/24; \
|
||||
sender==no@bad.local; \
|
||||
action=REJECT no access
|
||||
|
||||
ITEMS
|
||||
id - a unique rule id, which can be used for log analysis
|
||||
|
@ -241,9 +261,15 @@ DESCRIPTION
|
|||
this enables version based checks in your rulesets
|
||||
(e.g. for migration). works with old versions too,
|
||||
because a non-existing item always returns false:
|
||||
id=R01; version~=1.10; sender_domain==some.org \
|
||||
# version >= 1.10
|
||||
id=R01; version~=1\.[1-9][0-9]; sender_domain==some.org \
|
||||
; action=REJECT sorry no access
|
||||
|
||||
ratecount - only available for rate(), size() and rcpt() actions.
|
||||
contains the actual limit counter:
|
||||
id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits])
|
||||
id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits])
|
||||
|
||||
Besides these you can specify any attribute of the postfix policy
|
||||
delegation protocol. Feel free to combine them the way you need it (have
|
||||
a look at the EXAMPLES section below).
|
||||
|
@ -298,26 +324,25 @@ DESCRIPTION
|
|||
the current list can be found at
|
||||
<http://www.postfix.org/SMTPD_POLICY_README.html>. Please read carefully
|
||||
about which attribute can be used at which level of the smtp transaction
|
||||
(e.g. size will only work reliably at END_OF_DATA level). Pattern
|
||||
(e.g. size will only work reliably at END-OF-MESSAGE level). Pattern
|
||||
matching is performed case insensitive.
|
||||
|
||||
Multiple use of the same item is allowed and will compared as logical
|
||||
OR, which means that this will work as expected:
|
||||
|
||||
id=TRUST001; action=OK; encryption_keysize=64; \
|
||||
ccert_fingerprint=11:22:33:44:55:66:77:88:99; \
|
||||
ccert_fingerprint=22:33:44:55:66:77:88:99:00; \
|
||||
ccert_fingerprint=33:44:55:66:77:88:99:00:11; \
|
||||
id=TRUST001; action=OK; encryption_keysize=64
|
||||
ccert_fingerprint=11:22:33:44:55:66:77:88:99
|
||||
ccert_fingerprint=22:33:44:55:66:77:88:99:00
|
||||
ccert_fingerprint=33:44:55:66:77:88:99:00:11
|
||||
sender=@domain\.local$
|
||||
|
||||
client_address, rbl and rhsbl items may also be specified as
|
||||
whitespace-or-comma-separated values:
|
||||
|
||||
id=SKIP01; action=dunno; \
|
||||
id=SKIP01; action=dunno
|
||||
client_address=192.168.1.0/24, 172.16.254.23
|
||||
id=SKIP02; action=dunno; \
|
||||
client_address= 10.10.3.32 \
|
||||
10.216.222.0/27
|
||||
id=SKIP02; action=dunno
|
||||
client_address= 10.10.3.32 10.216.222.0/27
|
||||
|
||||
The following items must be unique:
|
||||
|
||||
|
@ -325,16 +350,16 @@ DESCRIPTION
|
|||
|
||||
Any item can be negated by preceeding '!!' to it, e.g.:
|
||||
|
||||
id=TLS001 ; hostname=!!^secure\.trust\.local$ ; action=REJECT only secure.trust.local please
|
||||
id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please
|
||||
|
||||
or using the right compare operator:
|
||||
|
||||
id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that?
|
||||
id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please
|
||||
|
||||
To avoid confusion with regexps or simply for better visibility you can
|
||||
use '!!(...)':
|
||||
|
||||
id=USER01 ; sasl_username=!!( /^(bob|alice)$/ ) ; action=REJECT who is that?
|
||||
id=USER01 ; sasl_username =~ !!( /^(bob|alice)$/ ) ; action=REJECT who is that?
|
||||
|
||||
Request attributes can be compared by preceeding '$$' characters, e.g.:
|
||||
|
||||
|
@ -346,6 +371,33 @@ DESCRIPTION
|
|||
be performed as case insensitive exact match. Use the '-vv' option to
|
||||
debug.
|
||||
|
||||
These special items will be reset for any new rule:
|
||||
|
||||
rblcount - contains the number of RBL answers
|
||||
rhsblcount - contains the number of RHSBL answers
|
||||
matches - contains the number of matched items
|
||||
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
|
||||
rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
|
||||
|
||||
These special items will be changed for any matching rule:
|
||||
|
||||
request_hits - contains ids of all matching rules
|
||||
|
||||
This means that it might be necessary to save them, if you plan to use
|
||||
these values in later rules:
|
||||
|
||||
# set vals
|
||||
id=RBL01 ; rhsblcount=all; rblcount=all
|
||||
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
|
||||
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org
|
||||
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
|
||||
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
|
||||
|
||||
# compare
|
||||
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
|
||||
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
|
||||
FILES
|
||||
Since postfwd1 v1.15 and postfwd2 v0.18 long item lists can be stored in
|
||||
separate files:
|
||||
|
@ -368,16 +420,16 @@ DESCRIPTION
|
|||
|
||||
This will ignore the right-hand value. Items can be mixed:
|
||||
|
||||
id=R002 ; action=REJECT \
|
||||
client_name==unknown; \
|
||||
id=R002 ; action=REJECT
|
||||
client_name==unknown
|
||||
client_name==file:/etc/postfwd/blacklisted
|
||||
|
||||
and for non pcre (comma separated) items:
|
||||
|
||||
id=R003 ; action=REJECT \
|
||||
id=R003 ; action=REJECT
|
||||
client_address==10.1.1.1, file:/etc/postfwd/blacklisted
|
||||
|
||||
id=R004 ; action=REJECT \
|
||||
id=R004 ; action=REJECT
|
||||
rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing
|
||||
|
||||
You can check your configuration with the --show_config option at the
|
||||
|
@ -499,16 +551,16 @@ DESCRIPTION
|
|||
please note that <action> is currently limited to postfix actions (no postfwd actions)!
|
||||
# no more than 3 requests per 5 minutes
|
||||
# from the same "unknown" client
|
||||
id=RATE01 ; client_name==unknown ; \
|
||||
action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
|
||||
id=RATE01 ; client_name==unknown
|
||||
action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
|
||||
|
||||
size (<item>/<max>/<time>/<action>)
|
||||
this command works similar to the rate() command with the difference, that the rate counter is
|
||||
increased by the request's size attribute. to do this reliably you should call postfwd2 from
|
||||
smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset:
|
||||
# size limit 1.5mb per hour per client
|
||||
id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
|
||||
action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
|
||||
id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1)
|
||||
action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
|
||||
|
||||
rcpt (<item>/<max>/<time>/<action>)
|
||||
this command works similar to the rate() command with the difference, that the rate counter is
|
||||
|
@ -516,8 +568,8 @@ DESCRIPTION
|
|||
from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could
|
||||
check it within the ruleset:
|
||||
# recipient count limit 3 per hour per client
|
||||
id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
|
||||
action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
|
||||
id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1)
|
||||
action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
|
||||
|
||||
ask (<addr>:<port>[:<ignore>])
|
||||
allows to delegate the policy decision to another policy service (e.g. postgrey). the first
|
||||
|
@ -529,13 +581,18 @@ DESCRIPTION
|
|||
# and continue parsing postfwd's ruleset
|
||||
id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$)
|
||||
|
||||
mail(server/helo/from/to/subject/body)
|
||||
Very basic mail command, that sends a message with the given arguments. LIMITATIONS:
|
||||
This basically performs a telnet. No authentication or TLS are available. Additionally it does
|
||||
not track notification state and will notify you any time, the corresponding rule hits.
|
||||
|
||||
wait (<delay>)
|
||||
pauses the program execution for <delay> seconds. use this for
|
||||
delaying or throtteling connections.
|
||||
|
||||
note (<string>)
|
||||
just logs the given string and continues parsing the ruleset.
|
||||
if the string is empty, nothing will be logged.
|
||||
if the string is empty, nothing will be logged (noop).
|
||||
|
||||
quit (<code>)
|
||||
terminates the program with the given exit-code. postfix doesn`t
|
||||
|
@ -545,33 +602,6 @@ DESCRIPTION
|
|||
|
||||
id=R-HELO ; helo_name=^[^\.]+$ ; action=REJECT invalid helo '$$helo_name'
|
||||
|
||||
These special attributes will be reset for any new rule:
|
||||
|
||||
rblcount - contains the number of RBL answers
|
||||
rhsblcount - contains the number of RHSBL answers
|
||||
matches - contains the number of matched items
|
||||
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
|
||||
rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
|
||||
|
||||
These special attributes will be changed for any matching rule:
|
||||
|
||||
request_hits - contains ids of all matching rules
|
||||
|
||||
This means that it might be necessary to save them, if you plan to use
|
||||
these values in later rules:
|
||||
|
||||
# set vals
|
||||
id=RBL01 ; rhsblcount=all ; rblcount=all ; \
|
||||
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
|
||||
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
|
||||
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
|
||||
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
|
||||
|
||||
# compare
|
||||
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
|
||||
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
|
||||
MACROS/ACLS
|
||||
Multiple use of long items or combinations of them may be abbreviated by
|
||||
macros. Those must be prefixed by '&&' (two '&' characters). First the
|
||||
|
@ -596,18 +626,18 @@ DESCRIPTION
|
|||
|
||||
Macros can contain macros, too:
|
||||
|
||||
# definition (note the trailing "\" characters)
|
||||
&&RBLS { \
|
||||
rbl=zen.spamhaus.org ; \
|
||||
rbl=list.dsbl.org ; \
|
||||
rbl=bl.spamcop.net ; \
|
||||
rbl=dnsbl.sorbs.net ; \
|
||||
rbl=ix.dnsbl.manitu.net ; \
|
||||
# definition
|
||||
&&RBLS{
|
||||
rbl=zen.spamhaus.org
|
||||
rbl=list.dsbl.org
|
||||
rbl=bl.spamcop.net
|
||||
rbl=dnsbl.sorbs.net
|
||||
rbl=ix.dnsbl.manitu.net
|
||||
};
|
||||
&&DYNAMIC { \
|
||||
client_name=^unknown$ ; \
|
||||
client_name=(\d+[\.-_]){4} ; \
|
||||
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
|
||||
&&DYNAMIC{
|
||||
client_name=^unknown$
|
||||
client_name=(\d+[\.-_]){4}
|
||||
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_]
|
||||
};
|
||||
&&GOAWAY { &&RBLS; &&DYNAMIC; };
|
||||
# rules
|
||||
|
@ -617,7 +647,156 @@ DESCRIPTION
|
|||
section for more information.
|
||||
|
||||
PLUGINS
|
||||
Please visit <http://www.postfwd.org/postfwd.plugins>
|
||||
Description
|
||||
|
||||
The plugin interface allow you to define your own checks and enhance
|
||||
postfwd's functionality. Feel free to share useful things!
|
||||
|
||||
Warning
|
||||
|
||||
Note that the plugin interface is still at devel stage. Please test your
|
||||
plugins carefully, because errors may cause postfwd to break! It is also
|
||||
allowed to override attributes or built-in functions, but be sure that
|
||||
you know what you do because some of them are used internally.
|
||||
|
||||
Please keep security in mind, when you access sensible ressources and
|
||||
never, ever run postfwd as privileged user! Also never trust your input
|
||||
(especially hostnames, and e-mail addresses).
|
||||
|
||||
ITEMS
|
||||
|
||||
Item plugins are perl subroutines which integrate additional attributes
|
||||
to requests before they are evaluated against postfwd's ruleset like any
|
||||
other item of the policy delegation protocol. This allows you to create
|
||||
your own checks.
|
||||
|
||||
plugin-items can not be used selective. these functions will be executed
|
||||
for every request postfwd receives, so keep performance in mind.
|
||||
|
||||
SYNOPSIS: %result = postfwd_items_plugin{<name>}(%request)
|
||||
|
||||
means that your subroutine, called <name>, has access to a hash called
|
||||
%request, which contains all request attributes, like
|
||||
$request{client_name} and must return a value in the following form:
|
||||
|
||||
save: $result{<item>} = <value>
|
||||
|
||||
this creates the new item <item> containing <value>, which will be
|
||||
integrated in the policy delegation request and therefore may be used in
|
||||
postfwd's ruleset.
|
||||
|
||||
# do NOT remove the next line
|
||||
%postfwd_items_plugin = (
|
||||
|
||||
# EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
|
||||
# allows to check postfwd version in ruleset
|
||||
"version" => sub {
|
||||
my(%request) = @_;
|
||||
my(%result) = (
|
||||
"version" => $NAME." ".$VERSION,
|
||||
);
|
||||
return %result;
|
||||
},
|
||||
|
||||
# sender_domain and recipient_domain
|
||||
"address_parts" => sub {
|
||||
my(%request) = @_;
|
||||
my(%result) = ();
|
||||
$request{sender} =~ /@([^@]*)$/;
|
||||
$result{sender_domain} = ($1 || '');
|
||||
$request{recipient} =~ /@([^@]*)$/;
|
||||
$result{recipient_domain} = ($1 || '');
|
||||
return %result;
|
||||
},
|
||||
|
||||
# do NOT remove the next line
|
||||
);
|
||||
|
||||
COMPARE
|
||||
|
||||
Compare plugins allow you to define how your new items should be
|
||||
compared to the ruleset. These are optional. If you don't specify one,
|
||||
the default (== for exact match, =~ for PCRE, ...) will be used.
|
||||
|
||||
SYNOPSIS: <item> => sub { return &{$postfwd_compare{<type>}}(@_); },
|
||||
|
||||
# do NOT remove the next line
|
||||
%postfwd_compare_plugin = (
|
||||
|
||||
EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
|
||||
# Simple example
|
||||
# SYNOPSIS: <result> = <item> (return &{$postfwd_compare{<type>}}(@_))
|
||||
"client_address" => sub { return &{$postfwd_compare{cidr}}(@_); },
|
||||
"size" => sub { return &{$postfwd_compare{numeric}}(@_); },
|
||||
"recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); },
|
||||
|
||||
# Complex example
|
||||
# SYNOPSIS: <result> = <item>(<operator>, <ruleset value>, <request value>, <request>)
|
||||
"numeric" => sub {
|
||||
my($cmp,$val,$myitem,%request) = @_;
|
||||
my($myresult) = undef; $myitem ||= "0"; $val ||= "0";
|
||||
if ($cmp eq '==') {
|
||||
$myresult = ($myitem == $val);
|
||||
} elsif ($cmp eq '=<') {
|
||||
$myresult = ($myitem <= $val);
|
||||
} elsif ($cmp eq '=>') {
|
||||
$myresult = ($myitem >= $val);
|
||||
} elsif ($cmp eq '!=') {
|
||||
$myresult = not($myitem == $val);
|
||||
} elsif ($cmp eq '!<') {
|
||||
$myresult = not($myitem <= $val);
|
||||
} elsif ($cmp eq '!>') {
|
||||
$myresult = not($myitem >= $val);
|
||||
} else {
|
||||
$myresult = ($myitem >= $val);
|
||||
};
|
||||
return $myresult;
|
||||
},
|
||||
|
||||
# do NOT remove the next line
|
||||
);
|
||||
|
||||
ACTIONS
|
||||
|
||||
Action plugins allow to define new postfwd actions. By setting the
|
||||
$stop-flag you can decide to continue or to stop parsing the ruleset.
|
||||
|
||||
SYNOPSIS: (<stop rule parsing>, <next rule index>, <return action>, <logprefix>, <request>) =
|
||||
<action> (<current rule index>, <current time>, <command name>, <argument>, <logprefix>, <request>)
|
||||
|
||||
# do NOT remove the next line
|
||||
%postfwd_actions_plugin = (
|
||||
|
||||
# EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
|
||||
# note(<logstring>) command
|
||||
"note" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg;
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},
|
||||
|
||||
# skips next <myarg> rules
|
||||
"skip" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
$index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) );
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},
|
||||
|
||||
# dumps current request contents to syslog
|
||||
"dumprequest" => sub {
|
||||
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
my($myaction) = $default_action; my($stop) = 0;
|
||||
map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request);
|
||||
return ($stop,$index,$myaction,$myline,%request);
|
||||
},
|
||||
|
||||
# do NOT remove the next line
|
||||
);
|
||||
|
||||
COMMAND LINE
|
||||
*Ruleset*
|
||||
|
@ -634,12 +813,6 @@ DESCRIPTION
|
|||
Adds <rule> to ruleset. Remember that you might have to quote
|
||||
strings that contain whitespaces or shell characters.
|
||||
|
||||
*Plugins*
|
||||
|
||||
--plugins
|
||||
A file containing plugin routines for postfwd. Please see the
|
||||
PLUGINS section for more information.
|
||||
|
||||
*Scoring*
|
||||
|
||||
-s, --scores <val>=<action>
|
||||
|
@ -647,7 +820,7 @@ DESCRIPTION
|
|||
|
||||
Multiple usage is allowed. Just chain your arguments, like:
|
||||
|
||||
postfwd2 -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
|
||||
postfwd2 -r "<item>=<value>;action=<result>" -f <file> -f <file> ...
|
||||
or
|
||||
postfwd2 --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd2 score too high" ...
|
||||
|
||||
|
@ -662,13 +835,13 @@ DESCRIPTION
|
|||
|
||||
-d, --daemon
|
||||
postfwd2 will run as daemon and listen on the network for incoming
|
||||
queries (default 127.0.0.1:10040).
|
||||
queries (default 127.0.0.1:10045).
|
||||
|
||||
-i, --interface <dev>
|
||||
Bind postfwd2 to the specified interface (default 127.0.0.1).
|
||||
|
||||
-p, --port <port>
|
||||
postfwd2 listens on the specified port (default tcp/10040).
|
||||
postfwd2 listens on the specified port (default tcp/10045).
|
||||
|
||||
--proto <type>
|
||||
The protocol type for postfwd's socket. Currently you may use 'tcp' or 'unix' here.
|
||||
|
@ -694,11 +867,18 @@ DESCRIPTION
|
|||
|
||||
-R, --chroot <path>
|
||||
Chroot the process to the specified path.
|
||||
Test this before using - you might need some libs there.
|
||||
Please look at http://postfwd.org/postfwd2-chroot.html before use!
|
||||
|
||||
--pidfile <path>
|
||||
The process id will be saved in the specified file.
|
||||
|
||||
--facility <f>
|
||||
sets the syslog facility, default is 'mail'
|
||||
|
||||
--socktype <s>
|
||||
sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'.
|
||||
Default is to auto-detect this depening on module version and os.
|
||||
|
||||
-l, --logname <label>
|
||||
Labels the syslog messages. Useful when running multiple
|
||||
instances of postfwd.
|
||||
|
@ -706,6 +886,12 @@ DESCRIPTION
|
|||
--loglen <int>
|
||||
Truncates any syslog message after <int> characters.
|
||||
|
||||
*Plugins*
|
||||
|
||||
--plugins <file>
|
||||
Loads postfwd plugins from file. Please see http://postfwd.org/postfwd.plugins
|
||||
or the plugins.postfwd.sample that is available from the tarball for more info.
|
||||
|
||||
*Optional arguments*
|
||||
|
||||
These parameters influence the way postfwd2 is working. Any of them can
|
||||
|
@ -834,6 +1020,22 @@ DESCRIPTION
|
|||
timeout in seconds to parse a single configuration line. if exceeded, the rule will
|
||||
be skipped. this is used to prevent problems due to large files or loops.
|
||||
|
||||
--keep_rates (default=0)
|
||||
With this option set postfwd2 does not clear the rate limit counters on reload. Please
|
||||
note that you have to restart (not reload) postfwd with this option if you change
|
||||
any rate limit rules.
|
||||
|
||||
--save_rates (default=none)
|
||||
With this option postfwd saves existing rate limit counters to disk and reloads them
|
||||
on program start. This allows persistent rate limits across program restarts or reboots.
|
||||
Please note that postfwd needs read and write access to the specified file.
|
||||
|
||||
--fast_limit_evaluation (default=0)
|
||||
Once a ratelimit was set by the ruleset, future requests will be evaluated against it
|
||||
before consulting the ruleset. This mode was the default behaviour until v1.30.
|
||||
With this mode rate limits will be faster, but also eventually set up
|
||||
whitelisting-rules within the ruleset might not work as expected.
|
||||
|
||||
*Informational arguments*
|
||||
|
||||
These arguments are for command line usage only. Never ever use them
|
||||
|
@ -858,6 +1060,26 @@ DESCRIPTION
|
|||
This option turns of any syslogging and output. It is included
|
||||
for performance testing.
|
||||
|
||||
--dumpstats
|
||||
Displays program usage statistics.
|
||||
|
||||
--dumpcache
|
||||
Displays cache contents.
|
||||
|
||||
--delcache <item>
|
||||
Removes an item from the request cache. Use --dumpcache to identify objects.
|
||||
E.g.:
|
||||
# postfwd --dumpcache
|
||||
...
|
||||
%rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1'
|
||||
%rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2'
|
||||
...
|
||||
# postfwd --delrate="sender=gmato@jqvo.org"
|
||||
rate cache item 'sender=gmato@jqvo.org' removed
|
||||
|
||||
--delrate <item>
|
||||
Removes an item from the rate cache. Use --dumpcache to identify objects.
|
||||
|
||||
REFRESH
|
||||
In daemon mode postfwd2 reloads it's ruleset after receiving a HUP
|
||||
signal. Please see the description of the '-I' switch to have your
|
||||
|
@ -894,18 +1116,25 @@ DESCRIPTION
|
|||
# 1. 30MB for systems in *.customer1.tld
|
||||
# 2. 20MB for SASL user joejob
|
||||
# 3. 10MB default
|
||||
id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$
|
||||
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
|
||||
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000
|
||||
id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large
|
||||
id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$
|
||||
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
|
||||
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000
|
||||
id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large
|
||||
|
||||
## Selective Greylisting
|
||||
##
|
||||
## Note that postfwd does not include greylisting. This setup requires a running postgrey service
|
||||
## at port 10031 and the following postfix restriction class in your main.cf:
|
||||
##
|
||||
## smtpd_restriction_classes = check_postgrey, ...
|
||||
## check_postgrey = check_policy_service inet:127.0.0.1:10031
|
||||
#
|
||||
# 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s
|
||||
# 2. Client has no rDNS
|
||||
# 3. Client comes from several dialin domains
|
||||
id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
|
||||
id=GR002; action=greylisting ; client_name=^unknown$
|
||||
id=GR003; action=greylisting ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$
|
||||
id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
|
||||
id=GR002; action=check_postgrey ; client_name=^unknown$
|
||||
id=GR003; action=check_postgrey ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$
|
||||
|
||||
## Date Time
|
||||
date=24.12.2007-26.12.2007 ; action=450 4.7.1 office closed during christmas
|
||||
|
@ -913,7 +1142,7 @@ DESCRIPTION
|
|||
time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim
|
||||
time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim
|
||||
months=-Apr ; action=450 4.7.1 see you in may
|
||||
days=!!Mon-Fri ; action=greylist
|
||||
days=!!Mon-Fri ; action=check_postgrey
|
||||
|
||||
## Usage of jump
|
||||
# The following allows a message size of 30MB for different
|
||||
|
@ -923,8 +1152,8 @@ DESCRIPTION
|
|||
id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:...
|
||||
id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:...
|
||||
id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:...
|
||||
id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
|
||||
id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000
|
||||
id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
|
||||
id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000
|
||||
|
||||
## Usage of score
|
||||
# The following rejects a mail, if the client
|
||||
|
@ -932,8 +1161,8 @@ DESCRIPTION
|
|||
# - is listed in 1 RBL or 1 RHSBL and has no correct rDNS
|
||||
# - other clients without correct rDNS will be greylist-checked
|
||||
# - some whitelists are used to lower the score
|
||||
id=S01 ; score=2.6 ; action=greylisting
|
||||
id=S02 ; score=5.0 ; action=REJECT postfwd2 score too high
|
||||
id=S01 ; score=2.6 ; action=check_postgrey
|
||||
id=S02 ; score=5.0 ; action=REJECT postfwd score too high
|
||||
id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org
|
||||
id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net
|
||||
id=R02 ; action=score(2.5) ; rhsbl=rhsbl.ahbl.org, rhsbl.sorbs.net
|
||||
|
@ -945,10 +1174,10 @@ DESCRIPTION
|
|||
# The following temporary rejects requests from "unknown" clients, if they
|
||||
# 1. exceeded 30 requests per hour or
|
||||
# 2. tried to send more than 1.5mb within 10 minutes
|
||||
id=RATE01 ; client_name==unknown ; state==RCPT ; \
|
||||
action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
|
||||
id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \
|
||||
action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
|
||||
id=RATE01 ; client_name==unknown ; protocol_state==RCPT
|
||||
action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
|
||||
id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE
|
||||
action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
|
||||
|
||||
## Macros
|
||||
# definition
|
||||
|
@ -961,34 +1190,34 @@ DESCRIPTION
|
|||
|
||||
## Groups
|
||||
# definition
|
||||
&&RBLS { \
|
||||
rbl=zen.spamhaus.org ; \
|
||||
rbl=list.dsbl.org ; \
|
||||
rbl=bl.spamcop.net ; \
|
||||
rbl=dnsbl.sorbs.net ; \
|
||||
rbl=ix.dnsbl.manitu.net ; \
|
||||
&&RBLS{
|
||||
rbl=zen.spamhaus.org
|
||||
rbl=list.dsbl.org
|
||||
rbl=bl.spamcop.net
|
||||
rbl=dnsbl.sorbs.net
|
||||
rbl=ix.dnsbl.manitu.net
|
||||
};
|
||||
&&RHSBLS { \
|
||||
&&RHSBLS{
|
||||
...
|
||||
};
|
||||
&&DYNAMIC { \
|
||||
client_name==unknown ; \
|
||||
client_name~=(\d+[\.-_]){4} ; \
|
||||
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
|
||||
&&DYNAMIC{
|
||||
client_name==unknown
|
||||
client_name~=(\d+[\.-_]){4}
|
||||
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_]
|
||||
...
|
||||
};
|
||||
&&BAD_HELO { \
|
||||
helo_name==my.name.tld; \
|
||||
helo_name~=^([^\.]+)$; \
|
||||
helo_name~=\.(local|lan)$; \
|
||||
&&BAD_HELO{
|
||||
helo_name==my.name.tld
|
||||
helo_name~=^([^\.]+)$
|
||||
helo_name~=\.(local|lan)$
|
||||
...
|
||||
};
|
||||
&&MAINTENANCE { \
|
||||
date=15.01.2007 ; \
|
||||
date=15.04.2007 ; \
|
||||
date=15.07.2007 ; \
|
||||
date=15.10.2007 ; \
|
||||
time=03:00:00 - 04:00:00 ; \
|
||||
&&MAINTENANCE{
|
||||
date=15.01.2007
|
||||
date=15.04.2007
|
||||
date=15.07.2007
|
||||
date=15.10.2007
|
||||
time=03:00:00 - 04:00:00
|
||||
};
|
||||
# rules
|
||||
id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL
|
||||
|
@ -1005,7 +1234,7 @@ DESCRIPTION
|
|||
|
||||
## combined with enhanced rbl features
|
||||
#
|
||||
id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \
|
||||
id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS
|
||||
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
|
||||
id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]
|
||||
|
||||
|
@ -1144,7 +1373,7 @@ DESCRIPTION
|
|||
postfwd2 in high volume environments. Start postfwd2 with the following
|
||||
parameters:
|
||||
|
||||
postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10040 -u nobody -g nobody -S
|
||||
postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10045 -u nobody -g nobody -S
|
||||
|
||||
For efficient caching you should check if you can use the options
|
||||
--cacheid, --cache-rdomain-only, --cache-no-sender and --cache-no-size.
|
||||
|
@ -1153,16 +1382,16 @@ DESCRIPTION
|
|||
|
||||
Aug 9 23:00:24 mail postfwd[5158]: postfwd2 n.nn ready for input
|
||||
|
||||
and use `netstat -an|grep 10040` to check for something like
|
||||
and use `netstat -an|grep 10045` to check for something like
|
||||
|
||||
tcp 0 0 127.0.0.1:10040 0.0.0.0:* LISTEN
|
||||
tcp 0 0 127.0.0.1:10045 0.0.0.0:* LISTEN
|
||||
|
||||
If everything works, open your postfix main.cf and insert the following
|
||||
|
||||
127.0.0.1:10040_time_limit = 3600 <--- integration
|
||||
127.0.0.1:10045_time_limit = 3600 <--- integration
|
||||
smtpd_recipient_restrictions = permit_mynetworks <--- recommended
|
||||
reject_unauth_destination <--- recommended
|
||||
check_policy_service inet:127.0.0.1:10040 <--- integration
|
||||
check_policy_service inet:127.0.0.1:10045 <--- integration
|
||||
|
||||
Reload your configuration with `postfix reload` and watch your logs. In
|
||||
it works you should see lines like the following in your mail log:
|
||||
|
@ -1183,9 +1412,9 @@ DESCRIPTION
|
|||
|
||||
# Restriction Classes
|
||||
smtpd_restriction_classes = postfwdcheck, <some more>... <--- integration
|
||||
postfwdcheck = check_policy_service inet:127.0.0.1:10040 <--- integration
|
||||
postfwdcheck = check_policy_service inet:127.0.0.1:10045 <--- integration
|
||||
|
||||
127.0.0.1:10040_time_limit = 3600 <--- integration
|
||||
127.0.0.1:10045_time_limit = 3600 <--- integration
|
||||
smtpd_recipient_restrictions = permit_mynetworks, <--- recommended
|
||||
reject_unauth_destination, <--- recommended
|
||||
... <--- optional
|
||||
|
@ -1211,7 +1440,7 @@ DESCRIPTION
|
|||
|
||||
For network tests I use netcat:
|
||||
|
||||
nc 127.0.0.1 10040 <request.sample
|
||||
nc 127.0.0.1 10045 <request.sample
|
||||
|
||||
to send a request to postfwd. If you receive nothing, make sure that
|
||||
postfwd2 is running and listening on the specified network settings.
|
||||
|
|
113
doc/quick.html
Normal file
113
doc/quick.html
Normal file
|
@ -0,0 +1,113 @@
|
|||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>postfwd - quickstart guide</title>
|
||||
<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
|
||||
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
|
||||
<meta name="description" content="quickstart guid for postfwd a postfix firewall policy daemon">
|
||||
<meta name="author" content="jpk">
|
||||
<meta name="keywords" content="postfwd, postfwd usage, postfwd manual, postfwd quickstart, postfwd step-by-step, postfix, policy, policy delegation, firewall, postfix acl, postfix acls, pfwpolicy, postfw, restrictions, IT-Security, IT-Consulting, Jan, Peter, Kessler">
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<h1>postfwd quickstart guide</h1>
|
||||
<br>To use postfwd you have to perform the following steps:
|
||||
<br><br>
|
||||
<ol>
|
||||
<li><a href="#step1">Get postfwd or postfwd2
|
||||
<li><a href="#step2">Create your own postfwd ruleset
|
||||
<li><a href="#step3"><i>Optional: </i>Create a dedicated user/group for postfwd
|
||||
<li><a href="#step4">Launch postfwd
|
||||
<li><a href="#step5">Tell postfix to use postfwd
|
||||
<li><a href="#step6">Finished! How to go on?
|
||||
</ol>
|
||||
|
||||
<br><ol>
|
||||
<a name="step1"><li><strong>Get postfwd or postfwd2</strong></a>
|
||||
<br>You may skip this step, if your operating system distribution contains a version of postfwd, but it is recommended to use a recent version from <a href="index.html">postfwd.org</a>. It is also recommended to use recent versions of the perl modules Net::DNS and Net::Server (see <a href="index.html#REQUIRED">required perl modules</a> for more information).
|
||||
|
||||
<br><br><br><a name="step2"><li><strong>Create your own postfwd ruleset</strong></a>
|
||||
<br>postfwd is not a dedicated antispam tool (although it may be used as such). Instead of that it is basically a restriction language for postfix which allows to place complex policy expressions into a simple ruleset. For reasonable operation you have to create your own ruleset, like:
|
||||
|
||||
<p><pre>
|
||||
# reject @domain.local if request comes from outside 10.0.0.0/8 network
|
||||
id=RULE-01 ; sender_domain=domain.local ; client_address=!!(10.0.0.0/8) ; action=REJECT not allowed
|
||||
|
||||
# reject if sender equals recipient
|
||||
id=RULE-02 ; sender==$$recipient ; action=REJECT not allowed
|
||||
|
||||
# check some rbls and reject, if listed on >= 2 of them
|
||||
id=RULE-03 ; rbl=zen.spamhaus.org,bl.spamcop.net,ix.dnsbl.manitu.net ; rblcount>=2 ; action=REJECT not allowed </tt></pre>
|
||||
|
||||
Now save these rules to a file (e.g. /etc/postfwd.cf). Please note that these are just very basic examples. Please read the <a href="doc.html#configuration">documentation</a> for more information on postfwd's capabilities. To check your ruleset you should use the "-C" command line option. This displays postfwd's view of your ruleset, like:
|
||||
|
||||
<p><pre>
|
||||
# postfwd -f /etc/postfwd.cf -C
|
||||
Rule 0: id->"RULE-01"; action->"REJECT not allowed"; sender_domain->"=;domain.local"; client_address->"=;!!(10.0.0.0/8)"
|
||||
Rule 1: id->"RULE-02"; action->"REJECT not allowed"; sender->"==;$$recipient"
|
||||
Rule 2: id->"RULE-03"; action->"REJECT not allowed"; rblcount->"2"; rbl->"=;zen.spamhaus.org, =;bl.spamcop.net, =;ix.dnsbl.manitu.net" </tt></pre>
|
||||
|
||||
If you just want to see that anything works a single rule like "id=DEFAULT; action=dunno" is fine, too.
|
||||
|
||||
<br><br><br><a name="step3"><li><strong><i>Optional: </i>Create a dedicated user/group for postfwd </strong></a>
|
||||
<br>By default postfwd will try to use user 'nobody' and group 'nobody'. So it should be safe to skip this step in most environments. If you run a system that is exposed to dangerous networks and feel paranoid you may want to create a dedicated user and group for the postfwd process. On unix systems enter:
|
||||
|
||||
<p><pre>
|
||||
# groupadd postfwd
|
||||
# useradd -g postfwd -d /var/empty -s /bin/false -c "postfwd daemon user" postfwd
|
||||
# passwd -l postfwd </tt></pre>
|
||||
|
||||
<br><a name="step4"><li><strong>Launch postfwd</strong></a>
|
||||
<br>Start postfwd with your ruleset. Leave out the --user and --group options, if you have skipped step 3 and want to run postfwd as nobody/nobody.
|
||||
|
||||
<p><pre>
|
||||
# postfwd --daemon -f /etc/postfwd.cf -u postfwd -g postfwd </tt></pre>
|
||||
|
||||
Now watch your logs (default facility: mail) for lines like:
|
||||
|
||||
<p><pre>
|
||||
Jun 8 12:14:33 jupiter postfwd[20270]: postfwd 1.11 starting
|
||||
Jun 8 12:14:33 jupiter postfwd[20271]: Process Backgrounded
|
||||
Jun 8 12:14:33 jupiter postfwd[20271]: 2009/06/08-12:14:33 postfwd (type Net::Server::Multiplex) starting! pid(20271)
|
||||
Jun 8 12:14:33 jupiter postfwd[20271]: Binding to TCP port 10040 on host 127.0.0.1
|
||||
Jun 8 12:14:33 jupiter postfwd[20271]: Setting gid to "1003 1003"
|
||||
Jun 8 12:14:33 jupiter postfwd[20271]: Setting uid to "1010"
|
||||
Jun 8 12:14:33 jupiter postfwd[20271]: postfwd 1.11 ready for input </tt></pre>
|
||||
|
||||
To control further daemon operations the commands `postfwd --kill` and `postfwd --reload` may be used. Please see `postfwd -h` and the <a href="doc.html#command_line">documentation</a> for more information.
|
||||
|
||||
<br><br><br><a name="step5"><li><strong>Tell postfix to use postfwd</strong></a>
|
||||
<br>Open your main.cf (usually located at /etc/postfix) and find or add a line starting with:
|
||||
|
||||
<p><pre>
|
||||
smtpd_recipient_restrictions = ... </pre></p>
|
||||
|
||||
To place the postfwd check here, modify this as follows:
|
||||
|
||||
<p><pre>
|
||||
# note the leading whitespaces from the 2nd line!
|
||||
smtpd_recipient_restrictions = permit_mynetworks, # recommended
|
||||
..., # optional
|
||||
reject_unauth_destination, # recommended
|
||||
check_policy_service inet:127.0.0.1:10040, # **postfwd integration**
|
||||
... # optional </tt></pre>
|
||||
|
||||
Please note that for some checks (like the 'size' attribute) postfwd has to be integrated at another level of the smtp transaction (smtpd_end_of_data_restrictions). More information on that can be found in the <a href="http://www.postfix.org/SMTPD_POLICY_README.html#protocol">postfix documentation</a>.
|
||||
|
||||
<br><br><br><a name="step6"><li><strong>Finished! How to go on?</strong></a>
|
||||
<br>A good point to start is postfwd's manual. You should be able to view it using the `postfwd -m` command or visit the <a href="doc.html">documentation page</a>. There are also some configuration examples on the <a href="index.html">webpage</a>. Another very useful source of information is the <a href="http://www.postfix.org/SMTPD_POLICY_README.html">Postfix SMTP Access Policy Delegation</a> documentation.
|
||||
<br>
|
||||
</ol>
|
||||
|
||||
<p>
|
||||
<center>
|
||||
<table border="1" color="black" frame="hsides" rules="none" width="100%">
|
||||
<td width="33%" align="left"><small>http://www.postfwd.org/</small>
|
||||
<td width="34%" align="center"><small>2007 - 2009 by <a href="http://www.jpkessler.de/">Jan Peter Kessler</a></small>
|
||||
<td width="33%" align="right"><small>info (AT) postfwd (DOT) org</small>
|
||||
</table>
|
||||
</center>
|
||||
</p>
|
||||
|
||||
</body>
|
||||
|
82
doc/versions.html
Normal file
82
doc/versions.html
Normal file
|
@ -0,0 +1,82 @@
|
|||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<title>postfwd - version differences</title>
|
||||
<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
|
||||
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
|
||||
<meta name="description" content="postfwd version differences">
|
||||
<meta name="author" content="jpk">
|
||||
<meta name="keywords" content="postfwd, postfwd version differences, postfwd usage, postfwd manual, postfix, policy, policy delegation, firewall, postfix acl, postfix acls, pfwpolicy, postfw, restrictions, IT-Security, IT-Consulting, Jan, Peter, Kessler">
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<p>
|
||||
<h1>postfwd1 vs postfwd2</h1><br>
|
||||
As you might have noticed, there are two different versions of postfwd available - postfwd(1) and postfwd2.
|
||||
Which version fits best for you depends on your setup. Both versions use the same ruleset parser*. They also share the basic command line arguments (use both with --help for details). This allows to switch easily between them.
|
||||
<br><br>
|
||||
The following table might help you to decide which version to use. Basically you should stick with postfwd1 for the moment unless you encounter performance issues with dns based checks or very complex rulesets with thousands
|
||||
of checks. Please note that, due to implementation, rate limits are handled faster by postfwd1 at the moment. If performance really matters and you use a complex ruleset with rate limits and lots of dns based checks you should consider
|
||||
running two instances at different ports/sockets: postfwd1 for the rate limits and postfwd2 for the rest.
|
||||
<br><br>
|
||||
|
||||
</p>
|
||||
<table border=1 cellpadding="20">
|
||||
<tr>
|
||||
<th align="right">Version
|
||||
<th align="center">postfwd1
|
||||
<th align="center">postfwd2
|
||||
<tr>
|
||||
<td align="left" valign="top">
|
||||
<ul>Specs</ul>
|
||||
<td align="left" valign="top">
|
||||
<ul>
|
||||
<li>Single process (Multiplexer)
|
||||
<li>Default port: tcp/10040
|
||||
<li>Small memory footprint
|
||||
</ul>
|
||||
<td align="left" valign="top">
|
||||
<ul>
|
||||
<li>Multiple processes (Preforker)
|
||||
<li>Default port: tcp/10045
|
||||
<li>Scales with multiple cpus/cores
|
||||
<li>Builtin watchdog function
|
||||
<li>Debug classes
|
||||
</ul>
|
||||
<tr>
|
||||
<td align="left" valign="top">
|
||||
<ul>Usage</ul>
|
||||
<td align="left" valign="top">
|
||||
<ul>
|
||||
<li>Fits for most setups
|
||||
<li>Any single core system
|
||||
<li><i>Rate-limit-only</i> rulesets
|
||||
</ul>
|
||||
<td align="left" valign="top">
|
||||
<ul>
|
||||
<li>High throughput setups with lots of requests per second and
|
||||
<br>
|
||||
<ul>
|
||||
<li>rulesets that use a lot of dnsbl lookups
|
||||
<li>really huge rulesets containing tons of checks
|
||||
</ul>
|
||||
</ul>
|
||||
<tr>
|
||||
<td align="left" valign="top">
|
||||
<ul>*Issues</ul>
|
||||
<td align="left" valign="top">
|
||||
<td align="left" valign="top">
|
||||
<ul>
|
||||
<li>postfwd2 versions below 1.30 do not support multiple rate limits for the same item:
|
||||
<pre>
|
||||
# reject on 300+ connections/hour, warn at 200+
|
||||
id=R01; client_address=1.2.3.4; action=rate(client_address/300/3600/REJECT state RED)
|
||||
id=R02; client_address=1.2.3.4; action=rate(client_address/200/3600/WARN state YELLOW)
|
||||
</pre>
|
||||
</ul>
|
||||
</table>
|
||||
</p>
|
||||
|
||||
</body>
|
||||
</html>
|
135
etc/postfwd-old.cf.sample
Normal file
135
etc/postfwd-old.cf.sample
Normal file
|
@ -0,0 +1,135 @@
|
|||
|
||||
|
||||
###################################################################################################
|
||||
##
|
||||
## ATTENTION: This example configuration uses features which require at least postfwd 1.10pre8!
|
||||
## Please see the manual ('postfwd -m') for example syntax for prior versions.
|
||||
##
|
||||
## WARNING: Only provided to show some capabilities of postfwd. Do NOT use this without
|
||||
## modifications to suit your environment!
|
||||
##
|
||||
###################################################################################################
|
||||
|
||||
|
||||
##
|
||||
## Definitions
|
||||
##
|
||||
|
||||
# Maintenance times
|
||||
&&MAINTENANCE { \
|
||||
date=15.01.2007 ; \
|
||||
date=15.04.2007 ; \
|
||||
date=15.10.2007 - 17.10.2007 ; \
|
||||
time=03:00:00 - 04:00:00 ; \
|
||||
};
|
||||
|
||||
# Whitelists
|
||||
&&TRUSTED_NETS { \
|
||||
client_address=192.168.1.0/22 ; \
|
||||
client_address=172.16.128.32/27 ; \
|
||||
};
|
||||
&&TRUSTED_HOSTS { \
|
||||
client_name~=\.domain1\.net$ ; \
|
||||
client_name~=\.domain2\.de$ ; \
|
||||
};
|
||||
&&TRUSTED_USERS { \
|
||||
sasl_username==bob ; \
|
||||
sasl_username==alice ; \
|
||||
};
|
||||
&&TRUSTED_TLS { \
|
||||
ccert_fingerprint==11:22:33:44:55:66:AA:BB:CC:DD:EE:FF ; \
|
||||
ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66 ; \
|
||||
encryption_keysize>=64 ; \
|
||||
};
|
||||
&&FREEMAIL { \
|
||||
client_name~=\.gmx\.net$ ; \
|
||||
client_name~=\.web\.de$ ; \
|
||||
client_name~=\.(aol|yahoo|h(ush|ot)mail)\.com$ ; \
|
||||
};
|
||||
&&STATIC { \
|
||||
# contains freemailers
|
||||
&&FREEMAIL ; \
|
||||
client_name~=[\.\-]static[[\.\-] ; \
|
||||
client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. ; \
|
||||
};
|
||||
&&DNSWLS { \
|
||||
rbl=list.dnswl.org ; \
|
||||
rbl=exemptions.ahbl.org ; \
|
||||
rbl=query.bondedsender.org ; \
|
||||
rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \
|
||||
rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \
|
||||
};
|
||||
|
||||
# Spamchecks
|
||||
&&BADHELO { \
|
||||
client_name==!!($$(helo_name)) ; \
|
||||
};
|
||||
&&DYNAMIC { \
|
||||
client_name==unknown ; \
|
||||
client_name~=(\-.+){4} ; \
|
||||
client_name~=\d{5} ; \
|
||||
client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-] ; \
|
||||
};
|
||||
&&DNSBLS { \
|
||||
rbl=zen.spamhaus.org ; \
|
||||
rbl=list.dsbl.org ; \
|
||||
rbl=bl.spamcop.net ; \
|
||||
rbl=dnsbl.sorbs.net ; \
|
||||
rbl=ix.dnsbl.manitu.net ; \
|
||||
rhsbl=rddn.dnsbl.net.au ; \
|
||||
rhsbl=rhsbl.ahbl.org ; \
|
||||
rhsbl=rhsbl.sorbs.net ; \
|
||||
};
|
||||
|
||||
|
||||
##
|
||||
## Ruleset
|
||||
##
|
||||
|
||||
# temporary reject and drop connection during maintenance window
|
||||
id=M_001 ; &&MAINTENANCE ; action=421 maintenance - please try again later
|
||||
|
||||
# stress-friendly behaviour (will not match on postfix version pre 2.5)
|
||||
id=STRESS ; stress==yes ; action=dunno
|
||||
|
||||
# Whitelists
|
||||
id=WL_001 ; &&TRUSTED_NETS ; action=dunno
|
||||
id=WL_002 ; &&TRUSTED_HOSTS ; action=dunno
|
||||
id=WL_003 ; &&TRUSTED_USERS ; action=dunno
|
||||
id=WL_004 ; &&TRUSTED_TLS ; action=dunno
|
||||
|
||||
# DNSWL checks - lookup
|
||||
id=RWL_001 ; &&DNSWLS ; rhsblcount=all ; rblcount=all ; \
|
||||
action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext)
|
||||
|
||||
# DNSWL - whitelisting
|
||||
id=RWL_002 ; HIT_dnswls>=2 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text]
|
||||
id=RWL_003 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; &&STATIC
|
||||
id=RWL_004 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; $$client_name~=$$(sender_domain)$
|
||||
|
||||
# DNSBL checks - lookup
|
||||
id=RBL_001 ; &&DNSBLS ; rhsblcount=all ; rblcount=all ; \
|
||||
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext)
|
||||
|
||||
# DNSBL checks - evaluation
|
||||
id=RBL_002 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text]
|
||||
id=RBL_003 ; HIT_dnsbls>=1 ; &&DYNAMIC ; action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text]
|
||||
id=RBL_004 ; HIT_dnsbls>=1 ; &&BADHELO ; action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text]
|
||||
|
||||
# Rate limits
|
||||
id=RATE_001 ; HIT_dnsbls>=1; \
|
||||
action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
|
||||
id=RATE_002 ; &&DYNAMIC ; \
|
||||
action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
|
||||
|
||||
# Selective greylisting
|
||||
id=GREY_001 ; action=dunno ; &&STATIC
|
||||
id=GREY_002 ; action=dunno ; $$client_name~=$$(sender_domain)$
|
||||
id=GREY_003 ; action=dunno ; HIT_dnswls>=1
|
||||
id=GREY_004 ; action=greylisting ; &&DYNAMIC
|
||||
id=GREY_005 ; action=greylisting ; HIT_dnsbls>=1
|
||||
|
||||
# Greylisting should be safe during out-of-office times
|
||||
id=GREY_006 ; action=greylisting ; days=Sat-Sun
|
||||
id=GREY_007 ; action=greylisting ; days=Mon-Fri ; time=!!06:00:00-20:00:00
|
||||
|
|
@ -2,8 +2,11 @@
|
|||
|
||||
###################################################################################################
|
||||
##
|
||||
## ATTENTION: Do NOT use this configuration without your own customizations!
|
||||
## Please see the manual ('postfwd -m') for more information.
|
||||
## ATTENTION: This example configuration uses features which require at least postfwd 1.30!
|
||||
## Please see the manual ('postfwd -m') for example syntax for prior versions.
|
||||
##
|
||||
## WARNING: Only provided to show some capabilities of postfwd. Do NOT use this without
|
||||
## modifications to suit your environment!
|
||||
##
|
||||
###################################################################################################
|
||||
|
||||
|
@ -12,77 +15,71 @@
|
|||
## Definitions
|
||||
##
|
||||
|
||||
# Greylisting with postgrey @ 127.0.0.1:10031
|
||||
&&GREYLIST { \
|
||||
action=ask(127.0.0.1:10031); \
|
||||
};
|
||||
|
||||
# Maintenance times
|
||||
&&MAINTENANCE { \
|
||||
date=15.01.2007 - 15.01.2007 ; \
|
||||
date=15.04.2007 - 15.04.2007 ; \
|
||||
date=15.07.2007 - 15.07.2007 ; \
|
||||
date=15.10.2007 - 15.10.2007 ; \
|
||||
time=03:00:00 - 04:00:00 ; \
|
||||
};
|
||||
&&MAINTENANCE {
|
||||
date=15.01.2007
|
||||
date=15.10.2007 - 17.10.2007
|
||||
days=Sat-Sun
|
||||
time=03:00:00 - 04:00:00
|
||||
}
|
||||
|
||||
# Whitelists
|
||||
&&TRUSTED_NETS { \
|
||||
client_address=192.168.1.0/22 ; \
|
||||
client_address=172.16.128.32/27 ; \
|
||||
};
|
||||
&&TRUSTED_HOSTS { \
|
||||
client_name~=\.domain1\.net$ ; \
|
||||
client_name~=\.domain2\.de$ ; \
|
||||
};
|
||||
&&TRUSTED_USERS { \
|
||||
sasl_username==bob ; \
|
||||
sasl_username==alice ; \
|
||||
};
|
||||
&&TRUSTED_TLS { \
|
||||
ccert_fingerprint==11:22:33:44:55:66:AA:BB:CC:DD:EE:FF ; \
|
||||
ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66 ; \
|
||||
encryption_keysize>=64 ; \
|
||||
};
|
||||
&&FREEMAIL { \
|
||||
client_name~=\.gmx\.net$ ; \
|
||||
client_name~=\.web\.de$ ; \
|
||||
client_name~=\.(aol|yahoo|h(ush|ot)mail)\.com$ ; \
|
||||
};
|
||||
&&STATIC { \
|
||||
&&TRUSTED_NETS {
|
||||
client_address=192.168.1.0/22
|
||||
client_address=172.16.128.32/27
|
||||
}
|
||||
&&TRUSTED_HOSTS {
|
||||
client_name~=\.domain1\.net$
|
||||
client_name~=\.domain2\.de$
|
||||
}
|
||||
&&TRUSTED_USERS {
|
||||
sasl_username==bob
|
||||
sasl_username==alice
|
||||
}
|
||||
&&TRUSTED_TLS {
|
||||
ccert_fingerprint==11:22:33:44:55:66:AA:BB:CC:DD:EE:FF
|
||||
ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66
|
||||
encryption_keysize>=64
|
||||
}
|
||||
&&FREEMAIL {
|
||||
client_name~=\.gmx\.net$
|
||||
client_name~=\.web\.de$
|
||||
client_name~=\.(aol|yahoo|h(ush|ot)mail)\.com$
|
||||
}
|
||||
&&STATIC {
|
||||
# contains freemailers
|
||||
&&FREEMAIL ; \
|
||||
client_name~=[\.\-]static[[\.\-] ; \
|
||||
client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. ; \
|
||||
};
|
||||
&&DNSWLS { \
|
||||
rbl=list.dnswl.org ; \
|
||||
rbl=exemptions.ahbl.org ; \
|
||||
rbl=query.bondedsender.org ; \
|
||||
rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \
|
||||
rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \
|
||||
};
|
||||
&&FREEMAIL
|
||||
client_name~=[\.\-]static[[\.\-]
|
||||
client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\.
|
||||
}
|
||||
&&DNSWLS {
|
||||
rbl=list.dnswl.org
|
||||
rbl=exemptions.ahbl.org
|
||||
rbl=query.bondedsender.org
|
||||
rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600
|
||||
rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600
|
||||
}
|
||||
|
||||
# Spamchecks
|
||||
&&BADHELO { \
|
||||
client_name==!!($$(helo_name)) ; \
|
||||
};
|
||||
&&DYNAMIC { \
|
||||
client_name==unknown ; \
|
||||
client_name~=(\-.+){4} ; \
|
||||
client_name~=\d{5} ; \
|
||||
client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-] ; \
|
||||
};
|
||||
&&DNSBLS { \
|
||||
rbl=zen.spamhaus.org ; \
|
||||
rbl=list.dsbl.org ; \
|
||||
rbl=bl.spamcop.net ; \
|
||||
rbl=dnsbl.sorbs.net ; \
|
||||
rbl=ix.dnsbl.manitu.net ; \
|
||||
rhsbl=rddn.dnsbl.net.au ; \
|
||||
rhsbl=rhsbl.ahbl.org ; \
|
||||
rhsbl=rhsbl.sorbs.net ; \
|
||||
};
|
||||
&&BADHELO {
|
||||
client_name==!!($$(helo_name))
|
||||
}
|
||||
&&DYNAMIC {
|
||||
client_name==unknown
|
||||
client_name~=(\-.+){4}
|
||||
client_name~=\d{5}
|
||||
client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-]
|
||||
}
|
||||
&&DNSBLS {
|
||||
rbl=zen.spamhaus.org
|
||||
rbl=list.dsbl.org
|
||||
rbl=bl.spamcop.net
|
||||
rbl=dnsbl.sorbs.net
|
||||
rbl=ix.dnsbl.manitu.net
|
||||
rhsbl=rddn.dnsbl.net.au
|
||||
rhsbl=rhsbl.ahbl.org
|
||||
rhsbl=rhsbl.sorbs.net
|
||||
}
|
||||
|
||||
|
||||
##
|
||||
|
@ -90,49 +87,96 @@
|
|||
##
|
||||
|
||||
# temporary reject and drop connection during maintenance window
|
||||
id=M_001 ; &&MAINTENANCE ; action=421 maintenance - please try again later
|
||||
id=M_001
|
||||
&&MAINTENANCE
|
||||
action=421 maintenance - please try again later
|
||||
|
||||
# stress-friendly behaviour (will not match on postfix version pre 2.5)
|
||||
id=STRESS ; stress==yes ; action=dunno
|
||||
id=STRESS
|
||||
stress==yes
|
||||
action=dunno
|
||||
|
||||
# Whitelists
|
||||
id=WL_001 ; &&TRUSTED_NETS ; action=dunno
|
||||
id=WL_002 ; &&TRUSTED_HOSTS ; action=dunno
|
||||
id=WL_003 ; &&TRUSTED_USERS ; action=dunno
|
||||
id=WL_004 ; &&TRUSTED_TLS ; action=dunno
|
||||
id=WL_001
|
||||
&&TRUSTED_NETS
|
||||
action=dunno
|
||||
id=WL_002
|
||||
&&TRUSTED_HOSTS
|
||||
action=dunno
|
||||
id=WL_003
|
||||
&&TRUSTED_USERS
|
||||
action=dunno
|
||||
id=WL_004
|
||||
&&TRUSTED_TLS
|
||||
action=dunno
|
||||
|
||||
# DNSWL checks - lookup
|
||||
id=RWL_001 ; &&DNSWLS ; rhsblcount=all ; rblcount=all ; \
|
||||
id=RWL_001
|
||||
&&DNSWLS
|
||||
rhsblcount=all ; rblcount=all
|
||||
action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext)
|
||||
|
||||
# DNSWL - whitelisting
|
||||
id=RWL_002 ; HIT_dnswls>=2 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text]
|
||||
id=RWL_003 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; &&STATIC
|
||||
id=RWL_004 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; $$client_name~=$$(sender_domain)$
|
||||
id=RWL_002
|
||||
HIT_dnswls>=2
|
||||
action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text]
|
||||
id=RWL_003
|
||||
HIT_dnswls>=1
|
||||
action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; &&STATIC
|
||||
id=RWL_004
|
||||
HIT_dnswls>=1
|
||||
action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; $$client_name~=$$(sender_domain)$
|
||||
|
||||
# DNSBL checks - lookup
|
||||
id=RBL_001 ; &&DNSBLS ; rhsblcount=all ; rblcount=all ; \
|
||||
id=RBL_001
|
||||
&&DNSBLS
|
||||
rhsblcount=all ; rblcount=all
|
||||
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext)
|
||||
|
||||
# DNSBL checks - evaluation
|
||||
id=RBL_002 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text]
|
||||
id=RBL_003 ; HIT_dnsbls>=1 ; &&DYNAMIC ; action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text]
|
||||
id=RBL_004 ; HIT_dnsbls>=1 ; &&BADHELO ; action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text]
|
||||
id=RBL_002
|
||||
HIT_dnsbls>=2
|
||||
action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text]
|
||||
id=RBL_003
|
||||
HIT_dnsbls>=1
|
||||
&&DYNAMIC
|
||||
action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text]
|
||||
id=RBL_004
|
||||
HIT_dnsbls>=1
|
||||
&&BADHELO
|
||||
action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text]
|
||||
|
||||
# Rate limits
|
||||
id=RATE_001 ; HIT_dnsbls>=1; \
|
||||
id=RATE_001
|
||||
HIT_dnsbls>=1
|
||||
action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
|
||||
id=RATE_002 ; &&DYNAMIC ; \
|
||||
id=RATE_002
|
||||
&&DYNAMIC
|
||||
action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
|
||||
|
||||
# Selective greylisting
|
||||
id=GREY_001 ; action=dunno ; &&STATIC
|
||||
id=GREY_002 ; action=dunno ; $$client_name~=$$(sender_domain)$
|
||||
id=GREY_003 ; action=dunno ; HIT_dnswls>=1
|
||||
id=GREY_004 ; action=&&GREYLIST ; &&DYNAMIC
|
||||
id=GREY_005 ; action=&&GREYLIST ; HIT_dnsbls>=1
|
||||
id=GREY_001
|
||||
action=dunno
|
||||
&&STATIC
|
||||
id=GREY_002
|
||||
action=dunno
|
||||
$$client_name~=$$(sender_domain)$
|
||||
id=GREY_003
|
||||
action=dunno
|
||||
HIT_dnswls>=1
|
||||
id=GREY_004
|
||||
action=greylisting
|
||||
&&DYNAMIC
|
||||
id=GREY_005
|
||||
action=greylisting
|
||||
HIT_dnsbls>=1
|
||||
|
||||
# Greylisting should be safe during out-of-office times
|
||||
id=GREY_006 ; action=&&GREYLIST ; days=Sat-Sun
|
||||
id=GREY_007 ; action=&&GREYLIST ; days=Mon-Fri ; time=!!06:00:00-20:00:00
|
||||
id=GREY_006
|
||||
action=greylisting
|
||||
days=Sat-Sun
|
||||
id=GREY_007
|
||||
action=greylisting
|
||||
days=Mon-Fri
|
||||
time=!!06:00:00-20:00:00
|
||||
|
||||
|
|
|
@ -128,8 +128,8 @@
|
|||
.rm #[ #] #H #V #F C
|
||||
.\" ========================================================================
|
||||
.\"
|
||||
.IX Title "POSTFWD 1"
|
||||
.TH POSTFWD 1 "2010-11-14" "perl v5.8.5" "User Contributed Perl Documentation"
|
||||
.IX Title "POSTFWD1-ALL-IN-ONE 1"
|
||||
.TH POSTFWD1-ALL-IN-ONE 1 "2011-12-18" "perl v5.8.5" "User Contributed Perl Documentation"
|
||||
.SH "NAME"
|
||||
postfwd \- postfix firewall daemon
|
||||
.SH "SYNOPSIS"
|
||||
|
@ -138,62 +138,82 @@ postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
|
|||
.PP
|
||||
.Vb 3
|
||||
\& Ruleset: (at least one, multiple use is allowed):
|
||||
\& -f, --file <file> reads rules from <file>
|
||||
\& -r, --rule <rule> adds <rule> to config
|
||||
\& -f, --file <file> reads rules from <file>
|
||||
\& -r, --rule <rule> adds <rule> to config
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& Scoring:
|
||||
\& -s, --scores <v>=<r> returns <r> when score exceeds <v>
|
||||
\& -s, --scores <v>=<r> returns <r> when score exceeds <v>
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 12
|
||||
.Vb 8
|
||||
\& Control:
|
||||
\& -d, --daemon run postfwd as daemon
|
||||
\& -k, --kill stops daemon
|
||||
\& --reload reloads configuration
|
||||
\& --dumpstats displays usage statistics
|
||||
\& --dumpcache displays cache contents
|
||||
\& --delcache <item> removes an item from the request cache
|
||||
\& --delrate <item> removes an item from the rate cache
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 13
|
||||
\& Networking:
|
||||
\& -d, --daemon run postfwd as daemon
|
||||
\& -i, --interface <dev> listen on interface <dev>
|
||||
\& -p, --port <port> listen on port <port>
|
||||
\& --proto <proto> socket type (tcp or unix)
|
||||
\& -u, --user <name> set uid to user <name>
|
||||
\& -g, --group <name> set gid to group <name>
|
||||
\& --umask <mask> set umask for file permissions
|
||||
\& -R, --chroot <path> chroot the daemon to <path>
|
||||
\& --pidfile <path> create pidfile under <path>
|
||||
\& -l, --logname <label> label for syslog messages
|
||||
\& --loglen <int> truncates syslogs after <int> chars
|
||||
\& -i, --interface <dev> listen on interface <dev>
|
||||
\& -p, --port <port> listen on port <port>
|
||||
\& --proto <proto> socket type (tcp or unix)
|
||||
\& -u, --user <name> set uid to user <name>
|
||||
\& -g, --group <name> set gid to group <name>
|
||||
\& --umask <mask> set umask for file permissions
|
||||
\& -R, --chroot <path> chroot the daemon to <path>
|
||||
\& --pidfile <path> create pidfile under <path>
|
||||
\& --facility <f> syslog facility
|
||||
\& --socktype <s> syslog socktype
|
||||
\& -l, --logname <label> label for syslog messages
|
||||
\& --loglen <int> truncates syslogs after <int> chars
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 11
|
||||
\& Caching:
|
||||
\& -c, --cache <int> sets the request-cache timeout to <int> seconds
|
||||
\& --cache-no-size ignores size attribute for caching
|
||||
\& --cache-no-sender ignores sender address in cache
|
||||
\& --cache-rdomain-only ignores localpart of recipient address in cache
|
||||
\& --cache-rbl-timeout default rbl timeout, if not specified in ruleset
|
||||
\& --cache-rbl-default default rbl response pattern to match (regexp)
|
||||
\& --cacheid <item>, .. list of attributes for request cache identifier
|
||||
\& --cleanup-requests cleanup interval in seconds for request cache
|
||||
\& --cleanup-rbls cleanup interval in seconds for rbl cache
|
||||
\& --cleanup-rates cleanup interval in seconds for rate cache
|
||||
\& -c, --cache <int> sets the request-cache timeout to <int> seconds
|
||||
\& --cache-no-size ignores size attribute for caching
|
||||
\& --cache-no-sender ignores sender address in cache
|
||||
\& --cache-rdomain-only ignores localpart of recipient address in cache
|
||||
\& --cache-rbl-timeout default rbl timeout, if not specified in ruleset
|
||||
\& --cache-rbl-default default rbl response pattern to match (regexp)
|
||||
\& --cacheid <item>, .. list of attributes for request cache identifier
|
||||
\& --cleanup-requests cleanup interval in seconds for request cache
|
||||
\& --cleanup-rbls cleanup interval in seconds for rbl cache
|
||||
\& --cleanup-rates cleanup interval in seconds for rate cache
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 17
|
||||
.Vb 20
|
||||
\& Optional:
|
||||
\& -t, --test testing, always returns "dunno"
|
||||
\& -v, --verbose verbose logging, use twice (-vv) to increase level
|
||||
\& -S, --summary <int> show some usage statistics every <int> seconds
|
||||
\& --norulelog disbles rule logging
|
||||
\& --norulestats disables per rule statistics
|
||||
\& --noidlestats disables statistics when idle
|
||||
\& -n, --nodns disable dns
|
||||
\& --nodnslog disable dns logging
|
||||
\& --dns_async_txt perform dnsbl A and TXT lookups simultaneously
|
||||
\& --dns_timeout timeout in seconds for asynchonous dns queries
|
||||
\& --dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
|
||||
\& --dns_timeout_interval interval in seconds for dns timeout maximum counter
|
||||
\& --dns_max_ns_lookups max names to look up with sender_ns_addrs
|
||||
\& --dns_max_mx_lookups max names to look up with sender_mx_addrs
|
||||
\& -I, --instantcfg re-reads rulefiles for every new request
|
||||
\& --config_timeout <i> parser timeout in seconds
|
||||
\& -t, --test testing, always returns "dunno"
|
||||
\& -v, --verbose verbose logging, use twice (-vv) to increase level
|
||||
\& -S, --summary <int> show some usage statistics every <int> seconds
|
||||
\& --norulelog disbles rule logging
|
||||
\& --norulestats disables per rule statistics
|
||||
\& --noidlestats disables statistics when idle
|
||||
\& -n, --nodns disable dns
|
||||
\& --nodnslog disable dns logging
|
||||
\& --dns_async_txt perform dnsbl A and TXT lookups simultaneously
|
||||
\& --dns_timeout timeout in seconds for asynchonous dns queries
|
||||
\& --dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
|
||||
\& --dns_timeout_interval interval in seconds for dns timeout maximum counter
|
||||
\& --dns_max_ns_lookups max names to look up with sender_ns_addrs
|
||||
\& --dns_max_mx_lookups max names to look up with sender_mx_addrs
|
||||
\& -I, --instantcfg re-reads rulefiles for every new request
|
||||
\& --config_timeout <i> parser timeout in seconds
|
||||
\& --keep_rates do not clear rate limit counters on reload
|
||||
\& --save_rates <file> save and load rate limits on disk
|
||||
\& --fast_limit_evaluation evaluate rate limits before ruleset is parsed
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& Plugins:
|
||||
\& --plugins <file> loads postfwd plugins from file
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 7
|
||||
|
@ -205,11 +225,6 @@ postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
|
|||
\& -h, --help shows usage
|
||||
\& -m, --manual shows program manual
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& Plugins:
|
||||
\& --plugins <file> loads plugins from <file>
|
||||
.Ve
|
||||
.SH "DESCRIPTION"
|
||||
.IX Header "DESCRIPTION"
|
||||
.Sh "\s-1INTRODUCTION\s0"
|
||||
|
@ -245,7 +260,7 @@ A configuration line consists of optional item=value pairs, separated by semicol
|
|||
(`;`) and the appropriate desired action:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& [ <item1>[=><~]=<value>; <item2>[=><~]=<value>; ... ] action=<result>
|
||||
\& [ <item1>=<value>; <item2>=<value>; ... ] action=<result>
|
||||
.Ve
|
||||
.PP
|
||||
\&\fIExample:\fR
|
||||
|
@ -290,11 +305,23 @@ appreciate.
|
|||
A ruleset consists of one or multiple rules, which can be loaded from files or passed as command line
|
||||
arguments. Please see the \s-1COMMAND\s0 \s-1LINE\s0 section below for more information on this topic.
|
||||
.PP
|
||||
Rules can span multiple lines by adding a trailing backslash \*(L"\e\*(R" character:
|
||||
Since postfwd version 1.30 rules spanning span multiple lines can be defined by prefixing the following
|
||||
lines with one or multiple whitespace characters (or '}' for macros):
|
||||
.PP
|
||||
.Vb 2
|
||||
\& id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \e
|
||||
\& action=REJECT please use your relay from there
|
||||
.Vb 4
|
||||
\& id=RULE001
|
||||
\& client_address=192.168.1.0/24
|
||||
\& sender==no@bad.local
|
||||
\& action=REJECT no access
|
||||
.Ve
|
||||
.PP
|
||||
postfwd versions prior to 1.30 require trailing ';' and '\e'\-characters:
|
||||
.PP
|
||||
.Vb 4
|
||||
\& id=RULE001; \e
|
||||
\& client_address=192.168.1.0/24; \e
|
||||
\& sender==no@bad.local; \e
|
||||
\& action=REJECT no access
|
||||
.Ve
|
||||
.Sh "\s-1ITEMS\s0"
|
||||
.IX Subsection "ITEMS"
|
||||
|
@ -379,15 +406,23 @@ Rules can span multiple lines by adding a trailing backslash \*(L"\e\*(R" charac
|
|||
\& (whitelisting), as it might be forged.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 6
|
||||
.Vb 7
|
||||
\& version - postfwd version, contains "postfwd n.nn"
|
||||
\& this enables version based checks in your rulesets
|
||||
\& (e.g. for migration). works with old versions too,
|
||||
\& because a non-existing item always returns false:
|
||||
\& id=R01; version~=1.10; sender_domain==some.org \e
|
||||
\& # version >= 1.10
|
||||
\& id=R01; version~=1\e.[1-9][0-9]; sender_domain==some.org \e
|
||||
\& ; action=REJECT sorry no access
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 4
|
||||
\& ratecount - only available for rate(), size() and rcpt() actions.
|
||||
\& contains the actual limit counter:
|
||||
\& id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits])
|
||||
\& id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits])
|
||||
.Ve
|
||||
.PP
|
||||
Besides these you can specify any attribute of the postfix policy delegation protocol.
|
||||
Feel free to combine them the way you need it (have a look at the \s-1EXAMPLES\s0 section below).
|
||||
.PP
|
||||
|
@ -441,27 +476,26 @@ for details:
|
|||
.Ve
|
||||
.PP
|
||||
the current list can be found at <http://www.postfix.org/SMTPD_POLICY_README.html>. Please read carefully about which
|
||||
attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at \s-1END_OF_DATA\s0 level).
|
||||
attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END-OF-MESSAGE level).
|
||||
Pattern matching is performed case insensitive.
|
||||
.PP
|
||||
Multiple use of the same item is allowed and will compared as logical \s-1OR\s0, which means that this will work as expected:
|
||||
.PP
|
||||
.Vb 5
|
||||
\& id=TRUST001; action=OK; encryption_keysize=64; \e
|
||||
\& ccert_fingerprint=11:22:33:44:55:66:77:88:99; \e
|
||||
\& ccert_fingerprint=22:33:44:55:66:77:88:99:00; \e
|
||||
\& ccert_fingerprint=33:44:55:66:77:88:99:00:11; \e
|
||||
\& id=TRUST001; action=OK; encryption_keysize=64
|
||||
\& ccert_fingerprint=11:22:33:44:55:66:77:88:99
|
||||
\& ccert_fingerprint=22:33:44:55:66:77:88:99:00
|
||||
\& ccert_fingerprint=33:44:55:66:77:88:99:00:11
|
||||
\& sender=@domain\e.local$
|
||||
.Ve
|
||||
.PP
|
||||
client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values:
|
||||
.PP
|
||||
.Vb 5
|
||||
\& id=SKIP01; action=dunno; \e
|
||||
.Vb 4
|
||||
\& id=SKIP01; action=dunno
|
||||
\& client_address=192.168.1.0/24, 172.16.254.23
|
||||
\& id=SKIP02; action=dunno; \e
|
||||
\& client_address= 10.10.3.32 \e
|
||||
\& 10.216.222.0/27
|
||||
\& id=SKIP02; action=dunno
|
||||
\& client_address=10.10.3.32 10.216.222.0/27
|
||||
.Ve
|
||||
.PP
|
||||
The following items currently have to be unique:
|
||||
|
@ -473,19 +507,19 @@ The following items currently have to be unique:
|
|||
Any item can be negated by preceeding '!!' to it, e.g.:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& id=TLS001 ; hostname=!!^secure\e.trust\e.local$ ; action=REJECT only secure.trust.local please
|
||||
\& id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please
|
||||
.Ve
|
||||
.PP
|
||||
or using the right compare operator:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that?
|
||||
\& id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please
|
||||
.Ve
|
||||
.PP
|
||||
To avoid confusion with regexps or simply for better visibility you can use '!!(...)':
|
||||
.PP
|
||||
.Vb 1
|
||||
\& id=USER01 ; sasl_username=!!( (bob|alice) ) ; action=REJECT who is that?
|
||||
\& id=USER01 ; sasl_username = !!( (bob|alice) ) ; action=REJECT who is that?
|
||||
.Ve
|
||||
.PP
|
||||
Request attributes can be compared by preceeding '$$' characters, e.g.:
|
||||
|
@ -498,6 +532,40 @@ Request attributes can be compared by preceeding '$$' characters, e.g.:
|
|||
.PP
|
||||
This is only valid for \s-1PCRE\s0 values (see list above). The comparison will be performed as case insensitive exact match.
|
||||
Use the '\-vv' option to debug.
|
||||
.PP
|
||||
These special items will be reset for any new rule:
|
||||
.PP
|
||||
.Vb 5
|
||||
\& rblcount - contains the number of RBL answers
|
||||
\& rhsblcount - contains the number of RHSBL answers
|
||||
\& matches - contains the number of matched items
|
||||
\& dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
|
||||
\& rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
|
||||
.Ve
|
||||
.PP
|
||||
These special items will be changed for any matching rule:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& request_hits - contains ids of all matching rules
|
||||
.Ve
|
||||
.PP
|
||||
This means that it might be necessary to save them, if you plan to use these values in later rules:
|
||||
.PP
|
||||
.Vb 6
|
||||
\& # set vals
|
||||
\& id=RBL01 ; rhsblcount=all; rblcount=all
|
||||
\& action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
|
||||
\& rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org
|
||||
\& rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
|
||||
\& rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 4
|
||||
\& # compare
|
||||
\& id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
\& id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
|
||||
\& id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
.Ve
|
||||
.Sh "\s-1FILES\s0"
|
||||
.IX Subsection "FILES"
|
||||
Since postfwd1 v1.15 and postfwd2 v0.18 long item lists can be stored in separate files:
|
||||
|
@ -526,20 +594,20 @@ To use existing tables in key=value format, you can use:
|
|||
This will ignore the right-hand value. Items can be mixed:
|
||||
.PP
|
||||
.Vb 3
|
||||
\& id=R002 ; action=REJECT \e
|
||||
\& client_name==unknown; \e
|
||||
\& id=R002 ; action=REJECT
|
||||
\& client_name==unknown
|
||||
\& client_name==file:/etc/postfwd/blacklisted
|
||||
.Ve
|
||||
.PP
|
||||
and for non pcre (comma separated) items:
|
||||
.PP
|
||||
.Vb 2
|
||||
\& id=R003 ; action=REJECT \e
|
||||
\& id=R003 ; action=REJECT
|
||||
\& client_address==10.1.1.1, file:/etc/postfwd/blacklisted
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& id=R004 ; action=REJECT \e
|
||||
\& id=R004 ; action=REJECT
|
||||
\& rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing
|
||||
.Ve
|
||||
.PP
|
||||
|
@ -675,7 +743,7 @@ postfwd actions control the behaviour of the program. Currently you can specify
|
|||
\& by "," characters.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 9
|
||||
.Vb 18
|
||||
\& rate (<item>/<max>/<time>/<action>)
|
||||
\& this command creates a counter for the given <item>, which will be increased any time a request
|
||||
\& containing it arrives. if it exceeds <max> within <time> seconds it will return <action> to postfix.
|
||||
|
@ -683,8 +751,17 @@ postfwd actions control the behaviour of the program. Currently you can specify
|
|||
\& please note that <action> is currently limited to postfix actions (no postfwd actions)!
|
||||
\& # no more than 3 requests per 5 minutes
|
||||
\& # from the same "unknown" client
|
||||
\& id=RATE01 ; client_name==unknown ; \e
|
||||
\& action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
|
||||
\& id=RATE01 ; client_name==unknown
|
||||
\& action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
|
||||
\& Please note also that the order of rate limits in your ruleset is important, which means
|
||||
\& that this:
|
||||
\& # works as expected
|
||||
\& id=R001; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded)
|
||||
\& id=R002; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender)
|
||||
\& leads to different results than this:
|
||||
\& # rule R002 never gets executed
|
||||
\& id=R001; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender)
|
||||
\& id=R002; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded)
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 7
|
||||
|
@ -693,8 +770,8 @@ postfwd actions control the behaviour of the program. Currently you can specify
|
|||
\& increased by the request's size attribute. to do this reliably you should call postfwd from
|
||||
\& smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset:
|
||||
\& # size limit 1.5mb per hour per client
|
||||
\& id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \e
|
||||
\& action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
|
||||
\& id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1
|
||||
\& action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 8
|
||||
|
@ -704,8 +781,8 @@ postfwd actions control the behaviour of the program. Currently you can specify
|
|||
\& from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could
|
||||
\& check it within the ruleset:
|
||||
\& # recipient count limit 3 per hour per client
|
||||
\& id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \e
|
||||
\& action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
|
||||
\& id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1
|
||||
\& action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 9
|
||||
|
@ -715,11 +792,18 @@ postfwd actions control the behaviour of the program. Currently you can specify
|
|||
\& specified to tell postfwd to ignore certain answers and go on parsing the ruleset:
|
||||
\& # example1: query postgrey and return it's answer to postfix
|
||||
\& id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031)
|
||||
\& # example2: query postgrey but ignore it's answer, if it matches 'DUNNO'
|
||||
\& # example2: query postgrey but ignore the answer, if it matches 'DUNNO'
|
||||
\& # and continue parsing postfwd's ruleset
|
||||
\& id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$)
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 4
|
||||
\& mail(server/helo/from/to/subject/body)
|
||||
\& Very basic mail command, that sends a message with the given arguments. LIMITATIONS:
|
||||
\& This basically performs a telnet. No authentication or TLS are available. Additionally it does
|
||||
\& not track notification state and will notify you any time, the corresponding rule hits.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 3
|
||||
\& wait (<delay>)
|
||||
\& pauses the program execution for <delay> seconds. use this for
|
||||
|
@ -729,7 +813,7 @@ postfwd actions control the behaviour of the program. Currently you can specify
|
|||
.Vb 3
|
||||
\& note (<string>)
|
||||
\& just logs the given string and continues parsing the ruleset.
|
||||
\& if the string is empty, nothing will be logged.
|
||||
\& if the string is empty, nothing will be logged (noop).
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 3
|
||||
|
@ -743,40 +827,6 @@ You can reference to request attributes, like
|
|||
.Vb 1
|
||||
\& id=R-HELO ; helo_name=^[^\e.]+$ ; action=REJECT invalid helo '$$helo_name'
|
||||
.Ve
|
||||
.PP
|
||||
These special attributes will be reset for any new rule:
|
||||
.PP
|
||||
.Vb 5
|
||||
\& rblcount - contains the number of RBL answers
|
||||
\& rhsblcount - contains the number of RHSBL answers
|
||||
\& matches - contains the number of matched items
|
||||
\& dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
|
||||
\& rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
|
||||
.Ve
|
||||
.PP
|
||||
These special attributes will be changed for any matching rule:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& request_hits - contains ids of all matching rules
|
||||
.Ve
|
||||
.PP
|
||||
This means that it might be necessary to save them, if you plan to use these values in later rules:
|
||||
.PP
|
||||
.Vb 6
|
||||
\& # set vals
|
||||
\& id=RBL01 ; rhsblcount=all ; rblcount=all ; \e
|
||||
\& rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \e
|
||||
\& rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \e
|
||||
\& rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \e
|
||||
\& action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 4
|
||||
\& # compare
|
||||
\& id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
\& id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
|
||||
\& id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
.Ve
|
||||
.Sh "\s-1MACROS/ACLS\s0"
|
||||
.IX Subsection "MACROS/ACLS"
|
||||
Multiple use of long items or combinations of them may be abbreviated by macros. Those must be prefixed by '&&' (two '&' characters).
|
||||
|
@ -808,18 +858,18 @@ Macros can contain actions, too:
|
|||
Macros can contain macros, too:
|
||||
.PP
|
||||
.Vb 16
|
||||
\& # definition (note the trailing "\e" characters)
|
||||
\& &&RBLS { \e
|
||||
\& rbl=zen.spamhaus.org ; \e
|
||||
\& rbl=list.dsbl.org ; \e
|
||||
\& rbl=bl.spamcop.net ; \e
|
||||
\& rbl=dnsbl.sorbs.net ; \e
|
||||
\& rbl=ix.dnsbl.manitu.net ; \e
|
||||
\& # definition
|
||||
\& &&RBLS{
|
||||
\& rbl=zen.spamhaus.org
|
||||
\& rbl=list.dsbl.org
|
||||
\& rbl=bl.spamcop.net
|
||||
\& rbl=dnsbl.sorbs.net
|
||||
\& rbl=ix.dnsbl.manitu.net
|
||||
\& };
|
||||
\& &&DYNAMIC { \e
|
||||
\& client_name=^unknown$ ; \e
|
||||
\& client_name=(\ed+[\e.-_]){4} ; \e
|
||||
\& client_name=[\e.-_](adsl|dynamic|ppp|)[\e.-_] ; \e
|
||||
\& &&DYNAMIC{
|
||||
\& client_name=^unknown$
|
||||
\& client_name=(\ed+[\e.-_]){4}
|
||||
\& client_name=[\e.-_](adsl|dynamic|ppp|)[\e.-_]
|
||||
\& };
|
||||
\& &&GOAWAY { &&RBLS; &&DYNAMIC; };
|
||||
\& # rules
|
||||
|
@ -829,7 +879,194 @@ Macros can contain macros, too:
|
|||
Basically macros are simple text substitutions \- see the \*(L"\s-1PARSER\s0\*(R" section for more information.
|
||||
.Sh "\s-1PLUGINS\s0"
|
||||
.IX Subsection "PLUGINS"
|
||||
Please visit <http://www.postfwd.org/postfwd.plugins>
|
||||
\&\fBDescription\fR
|
||||
.PP
|
||||
The plugin interface allow you to define your own checks and enhance postfwd's
|
||||
functionality. Feel free to share useful things!
|
||||
.PP
|
||||
\&\fBWarning\fR
|
||||
.PP
|
||||
Note that the plugin interface is still at devel stage. Please test your plugins
|
||||
carefully, because errors may cause postfwd to break! It is also
|
||||
allowed to override attributes or built-in functions, but be sure that you know
|
||||
what you do because some of them are used internally.
|
||||
.PP
|
||||
Please keep security in mind, when you access sensible ressources and never, ever
|
||||
run postfwd as privileged user! Also never trust your input (especially hostnames,
|
||||
and e\-mail addresses).
|
||||
.PP
|
||||
\&\fB\s-1ITEMS\s0\fR
|
||||
.PP
|
||||
Item plugins are perl subroutines which integrate additional attributes to requests
|
||||
before they are evaluated against postfwd's ruleset like any other item of the
|
||||
policy delegation protocol. This allows you to create your own checks.
|
||||
.PP
|
||||
plugin-items can not be used selective. these functions will be executed for every
|
||||
request postfwd receives, so keep performance in mind.
|
||||
.PP
|
||||
.Vb 1
|
||||
\& SYNOPSIS: %result = postfwd_items_plugin{<name>}(%request)
|
||||
.Ve
|
||||
.PP
|
||||
means that your subroutine, called <name>, has access to a hash called \f(CW%request\fR,
|
||||
which contains all request attributes, like \f(CW$request\fR{client_name} and must
|
||||
return a value in the following form:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& save: $result{<item>} = <value>
|
||||
.Ve
|
||||
.PP
|
||||
this creates the new item <item> containing <value>, which will be integrated in
|
||||
the policy delegation request and therefore may be used in postfwd's ruleset.
|
||||
.PP
|
||||
.Vb 2
|
||||
\& # do NOT remove the next line
|
||||
\& %postfwd_items_plugin = (
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 1
|
||||
\& # EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 8
|
||||
\& # allows to check postfwd version in ruleset
|
||||
\& "version" => sub {
|
||||
\& my(%request) = @_;
|
||||
\& my(%result) = (
|
||||
\& "version" => $NAME." ".$VERSION,
|
||||
\& );
|
||||
\& return %result;
|
||||
\& },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 10
|
||||
\& # sender_domain and recipient_domain
|
||||
\& "address_parts" => sub {
|
||||
\& my(%request) = @_;
|
||||
\& my(%result) = ();
|
||||
\& $request{sender} =~ /@([^@]*)$/;
|
||||
\& $result{sender_domain} = ($1 || '');
|
||||
\& $request{recipient} =~ /@([^@]*)$/;
|
||||
\& $result{recipient_domain} = ($1 || '');
|
||||
\& return %result;
|
||||
\& },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& # do NOT remove the next line
|
||||
\& );
|
||||
.Ve
|
||||
.PP
|
||||
\&\fB\s-1COMPARE\s0\fR
|
||||
.PP
|
||||
Compare plugins allow you to define how your new items should be compared to the ruleset.
|
||||
These are optional. If you don't specify one, the default (== for exact match, =~ for \s-1PCRE\s0, ...)
|
||||
will be used.
|
||||
.PP
|
||||
.Vb 1
|
||||
\& SYNOPSIS: <item> => sub { return &{$postfwd_compare{<type>}}(@_); },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& # do NOT remove the next line
|
||||
\& %postfwd_compare_plugin = (
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 1
|
||||
\& EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 5
|
||||
\& # Simple example
|
||||
\& # SYNOPSIS: <result> = <item> (return &{$postfwd_compare{<type>}}(@_))
|
||||
\& "client_address" => sub { return &{$postfwd_compare{cidr}}(@_); },
|
||||
\& "size" => sub { return &{$postfwd_compare{numeric}}(@_); },
|
||||
\& "recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 22
|
||||
\& # Complex example
|
||||
\& # SYNOPSIS: <result> = <item>(<operator>, <ruleset value>, <request value>, <request>)
|
||||
\& "numeric" => sub {
|
||||
\& my($cmp,$val,$myitem,%request) = @_;
|
||||
\& my($myresult) = undef; $myitem ||= "0"; $val ||= "0";
|
||||
\& if ($cmp eq '==') {
|
||||
\& $myresult = ($myitem == $val);
|
||||
\& } elsif ($cmp eq '=<') {
|
||||
\& $myresult = ($myitem <= $val);
|
||||
\& } elsif ($cmp eq '=>') {
|
||||
\& $myresult = ($myitem >= $val);
|
||||
\& } elsif ($cmp eq '!=') {
|
||||
\& $myresult = not($myitem == $val);
|
||||
\& } elsif ($cmp eq '!<') {
|
||||
\& $myresult = not($myitem <= $val);
|
||||
\& } elsif ($cmp eq '!>') {
|
||||
\& $myresult = not($myitem >= $val);
|
||||
\& } else {
|
||||
\& $myresult = ($myitem >= $val);
|
||||
\& };
|
||||
\& return $myresult;
|
||||
\& },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& # do NOT remove the next line
|
||||
\& );
|
||||
.Ve
|
||||
.PP
|
||||
\&\fB\s-1ACTIONS\s0\fR
|
||||
.PP
|
||||
Action plugins allow to define new postfwd actions. By setting the \f(CW$stop\fR\-flag you can decide to
|
||||
continue or to stop parsing the ruleset.
|
||||
.PP
|
||||
.Vb 2
|
||||
\& SYNOPSIS: (<stop rule parsing>, <next rule index>, <return action>, <logprefix>, <request>) =
|
||||
\& <action> (<current rule index>, <current time>, <command name>, <argument>, <logprefix>, <request>)
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& # do NOT remove the next line
|
||||
\& %postfwd_actions_plugin = (
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 1
|
||||
\& # EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 7
|
||||
\& # note(<logstring>) command
|
||||
\& "note" => sub {
|
||||
\& my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
\& my($myaction) = $default_action; my($stop) = 0;
|
||||
\& mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg;
|
||||
\& return ($stop,$index,$myaction,$myline,%request);
|
||||
\& },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 7
|
||||
\& # skips next <myarg> rules
|
||||
\& "skip" => sub {
|
||||
\& my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
\& my($myaction) = $default_action; my($stop) = 0;
|
||||
\& $index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) );
|
||||
\& return ($stop,$index,$myaction,$myline,%request);
|
||||
\& },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 7
|
||||
\& # dumps current request contents to syslog
|
||||
\& "dumprequest" => sub {
|
||||
\& my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
\& my($myaction) = $default_action; my($stop) = 0;
|
||||
\& map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request);
|
||||
\& return ($stop,$index,$myaction,$myline,%request);
|
||||
\& },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& # do NOT remove the next line
|
||||
\& );
|
||||
.Ve
|
||||
.Sh "\s-1COMMAND\s0 \s-1LINE\s0"
|
||||
.IX Subsection "COMMAND LINE"
|
||||
\&\fIRuleset\fR
|
||||
|
@ -849,14 +1086,6 @@ that at least one of the following is required for postfwd to work.
|
|||
\& strings that contain whitespaces or shell characters.
|
||||
.Ve
|
||||
.PP
|
||||
\&\fIPlugins\fR
|
||||
.PP
|
||||
.Vb 3
|
||||
\& --plugins
|
||||
\& A file containing plugin routines for postfwd. Please see the
|
||||
\& PLUGINS section for more information.
|
||||
.Ve
|
||||
.PP
|
||||
\&\fIScoring\fR
|
||||
.PP
|
||||
.Vb 2
|
||||
|
@ -867,7 +1096,7 @@ that at least one of the following is required for postfwd to work.
|
|||
Multiple usage is allowed. Just chain your arguments, like:
|
||||
.PP
|
||||
.Vb 3
|
||||
\& postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
|
||||
\& postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> ...
|
||||
\& or
|
||||
\& postfwd --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd score too high" ...
|
||||
.Ve
|
||||
|
@ -875,10 +1104,7 @@ Multiple usage is allowed. Just chain your arguments, like:
|
|||
In case of multiple scores, the highest match will count. The order of the arguments will be
|
||||
reflected in the postfwd ruleset.
|
||||
.PP
|
||||
\&\fINetworking\fR
|
||||
.PP
|
||||
postfwd can be run as daemon so that it listens on the network for incoming requests.
|
||||
The following arguments will control it's behaviour in this case.
|
||||
\&\fIControl\fR
|
||||
.PP
|
||||
.Vb 3
|
||||
\& -d, --daemon
|
||||
|
@ -887,6 +1113,49 @@ The following arguments will control it's behaviour in this case.
|
|||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& -k, --kill
|
||||
\& Stops a running postfwd daemon.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& --reload
|
||||
\& Reloads configuration.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& --dumpstats
|
||||
\& Displays program usage statistics.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& --dumpcache
|
||||
\& Displays cache contents.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 10
|
||||
\& --delcache <item>
|
||||
\& Removes an item from the request cache. Use --dumpcache to identify objects.
|
||||
\& E.g.:
|
||||
\& # postfwd --dumpcache
|
||||
\& ...
|
||||
\& %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1'
|
||||
\& %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2'
|
||||
\& ...
|
||||
\& # postfwd --delrate="sender=gmato@jqvo.org"
|
||||
\& rate cache item 'sender=gmato@jqvo.org' removed
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& --delrate <item>
|
||||
\& Removes an item from the rate cache. Use --dumpcache to identify objects.
|
||||
.Ve
|
||||
.PP
|
||||
\&\fINetworking\fR
|
||||
.PP
|
||||
postfwd can be run as daemon so that it listens on the network for incoming requests.
|
||||
The following arguments will control it's behaviour in this case.
|
||||
.PP
|
||||
.Vb 2
|
||||
\& -i, --interface <dev>
|
||||
\& Bind postfwd to the specified interface (default 127.0.0.1).
|
||||
.Ve
|
||||
|
@ -931,6 +1200,17 @@ The following arguments will control it's behaviour in this case.
|
|||
\& The process id will be saved in the specified file.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& --facility <f>
|
||||
\& sets the syslog facility, default is 'mail'
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 3
|
||||
\& --socktype <s>
|
||||
\& sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'.
|
||||
\& Default is to auto-detect this depening on module version and os.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 3
|
||||
\& -l, --logname <label>
|
||||
\& Labels the syslog messages. Useful when running multiple
|
||||
|
@ -942,6 +1222,14 @@ The following arguments will control it's behaviour in this case.
|
|||
\& Truncates any syslog message after <int> characters.
|
||||
.Ve
|
||||
.PP
|
||||
\&\fIPlugins\fR
|
||||
.PP
|
||||
.Vb 3
|
||||
\& --plugins <file>
|
||||
\& Loads postfwd plugins from file. Please see http://postfwd.org/postfwd.plugins
|
||||
\& or the plugins.postfwd.sample that is available from the tarball for more info.
|
||||
.Ve
|
||||
.PP
|
||||
\&\fIOptional arguments\fR
|
||||
.PP
|
||||
These parameters influence the way postfwd is working. Any of them can be combined.
|
||||
|
@ -1121,6 +1409,28 @@ These parameters influence the way postfwd is working. Any of them can be combin
|
|||
\& be skipped. this is used to prevent problems due to large files or loops.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 4
|
||||
\& --keep_rates (default=0)
|
||||
\& With this option set postfwd does not clear the rate limit counters on reload. Please
|
||||
\& note that you have to restart (not reload) postfwd with this option if you change
|
||||
\& any rate limit rules.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 4
|
||||
\& --save_rates (default=none)
|
||||
\& With this option postfwd saves existing rate limit counters to disk and reloads them
|
||||
\& on program start. This allows persistent rate limits across program restarts or reboots.
|
||||
\& Please note that postfwd needs read and write access to the specified file.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 5
|
||||
\& --fast_limit_evaluation (default=0)
|
||||
\& Once a ratelimit was set by the ruleset, future requests will be evaluated against it
|
||||
\& before consulting the ruleset. This mode was the default behaviour until v1.30.
|
||||
\& With this mode rate limits will be faster, but also eventually set up
|
||||
\& whitelisting-rules within the ruleset might not work as expected.
|
||||
.Ve
|
||||
.PP
|
||||
\&\fIInformational arguments\fR
|
||||
.PP
|
||||
These arguments are for command line usage only. Never ever use them with postfix spawn!
|
||||
|
@ -1193,20 +1503,27 @@ the '\-I' switch to have your configuration refreshed for every request postfwd
|
|||
\& # 1. 30MB for systems in *.customer1.tld
|
||||
\& # 2. 20MB for SASL user joejob
|
||||
\& # 3. 10MB default
|
||||
\& id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\e.customer1.tld$
|
||||
\& id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
|
||||
\& id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000
|
||||
\& id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large
|
||||
\& id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\e.customer1.tld$
|
||||
\& id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
|
||||
\& id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000
|
||||
\& id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 7
|
||||
.Vb 14
|
||||
\& ## Selective Greylisting
|
||||
\& ##
|
||||
\& ## Note that postfwd does not include greylisting. This setup requires a running postgrey service
|
||||
\& ## at port 10031 and the following postfix restriction class in your main.cf:
|
||||
\& ##
|
||||
\& ## smtpd_restriction_classes = check_postgrey, ...
|
||||
\& ## check_postgrey = check_policy_service inet:127.0.0.1:10031
|
||||
\& #
|
||||
\& # 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s
|
||||
\& # 2. Client has no rDNS
|
||||
\& # 3. Client comes from several dialin domains
|
||||
\& id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
|
||||
\& id=GR002; action=greylisting ; client_name=^unknown$
|
||||
\& id=GR003; action=greylisting ; client_name=\e.(t-ipconnect|alicedsl|ish)\e.de$
|
||||
\& id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
|
||||
\& id=GR002; action=check_postgrey ; client_name=^unknown$
|
||||
\& id=GR003; action=check_postgrey ; client_name=\e.(t-ipconnect|alicedsl|ish)\e.de$
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 7
|
||||
|
@ -1216,7 +1533,7 @@ the '\-I' switch to have your configuration refreshed for every request postfwd
|
|||
\& time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim
|
||||
\& time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim
|
||||
\& months=-Apr ; action=450 4.7.1 see you in may
|
||||
\& days=!!Mon-Fri ; action=greylist
|
||||
\& days=!!Mon-Fri ; action=check_postgrey
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 10
|
||||
|
@ -1228,8 +1545,8 @@ the '\-I' switch to have your configuration refreshed for every request postfwd
|
|||
\& id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:...
|
||||
\& id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:...
|
||||
\& id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:...
|
||||
\& id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
|
||||
\& id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000
|
||||
\& id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
|
||||
\& id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 14
|
||||
|
@ -1239,7 +1556,7 @@ the '\-I' switch to have your configuration refreshed for every request postfwd
|
|||
\& # - is listed in 1 RBL or 1 RHSBL and has no correct rDNS
|
||||
\& # - other clients without correct rDNS will be greylist-checked
|
||||
\& # - some whitelists are used to lower the score
|
||||
\& id=S01 ; score=2.6 ; action=greylisting
|
||||
\& id=S01 ; score=2.6 ; action=check_postgrey
|
||||
\& id=S02 ; score=5.0 ; action=REJECT postfwd score too high
|
||||
\& id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org
|
||||
\& id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net
|
||||
|
@ -1254,10 +1571,10 @@ the '\-I' switch to have your configuration refreshed for every request postfwd
|
|||
\& # The following temporary rejects requests from "unknown" clients, if they
|
||||
\& # 1. exceeded 30 requests per hour or
|
||||
\& # 2. tried to send more than 1.5mb within 10 minutes
|
||||
\& id=RATE01 ; client_name==unknown ; state==RCPT ; \e
|
||||
\& action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
|
||||
\& id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \e
|
||||
\& action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
|
||||
\& id=RATE01 ; client_name==unknown ; protocol_state==RCPT
|
||||
\& action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
|
||||
\& id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE
|
||||
\& action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 8
|
||||
|
@ -1274,34 +1591,34 @@ the '\-I' switch to have your configuration refreshed for every request postfwd
|
|||
.Vb 34
|
||||
\& ## Groups
|
||||
\& # definition
|
||||
\& &&RBLS { \e
|
||||
\& rbl=zen.spamhaus.org ; \e
|
||||
\& rbl=list.dsbl.org ; \e
|
||||
\& rbl=bl.spamcop.net ; \e
|
||||
\& rbl=dnsbl.sorbs.net ; \e
|
||||
\& rbl=ix.dnsbl.manitu.net ; \e
|
||||
\& &&RBLS{
|
||||
\& rbl=zen.spamhaus.org
|
||||
\& rbl=list.dsbl.org
|
||||
\& rbl=bl.spamcop.net
|
||||
\& rbl=dnsbl.sorbs.net
|
||||
\& rbl=ix.dnsbl.manitu.net
|
||||
\& };
|
||||
\& &&RHSBLS { \e
|
||||
\& &&RHSBLS{
|
||||
\& ...
|
||||
\& };
|
||||
\& &&DYNAMIC { \e
|
||||
\& client_name==unknown ; \e
|
||||
\& client_name~=(\ed+[\e.-_]){4} ; \e
|
||||
\& client_name~=[\e.-_](adsl|dynamic|ppp|)[\e.-_] ; \e
|
||||
\& &&DYNAMIC{
|
||||
\& client_name==unknown
|
||||
\& client_name~=(\ed+[\e.-_]){4}
|
||||
\& client_name~=[\e.-_](adsl|dynamic|ppp|)[\e.-_]
|
||||
\& ...
|
||||
\& };
|
||||
\& &&BAD_HELO { \e
|
||||
\& helo_name==my.name.tld; \e
|
||||
\& helo_name~=^([^\e.]+)$; \e
|
||||
\& helo_name~=\e.(local|lan)$; \e
|
||||
\& &&BAD_HELO{
|
||||
\& helo_name==my.name.tld
|
||||
\& helo_name~=^([^\e.]+)$
|
||||
\& helo_name~=\e.(local|lan)$
|
||||
\& ...
|
||||
\& };
|
||||
\& &&MAINTENANCE { \e
|
||||
\& date=15.01.2007 ; \e
|
||||
\& date=15.04.2007 ; \e
|
||||
\& date=15.07.2007 ; \e
|
||||
\& date=15.10.2007 ; \e
|
||||
\& time=03:00:00 - 04:00:00 ; \e
|
||||
\& &&MAINTENANCE{
|
||||
\& date=15.01.2007
|
||||
\& date=15.04.2007
|
||||
\& date=15.07.2007
|
||||
\& date=15.10.2007
|
||||
\& time=03:00:00 - 04:00:00
|
||||
\& };
|
||||
\& # rules
|
||||
\& id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL
|
||||
|
@ -1322,7 +1639,7 @@ the '\-I' switch to have your configuration refreshed for every request postfwd
|
|||
.Vb 5
|
||||
\& ## combined with enhanced rbl features
|
||||
\& #
|
||||
\& id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \e
|
||||
\& id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS
|
||||
\& action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
|
||||
\& id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]
|
||||
.Ve
|
||||
|
|
|
@ -128,8 +128,8 @@
|
|||
.rm #[ #] #H #V #F C
|
||||
.\" ========================================================================
|
||||
.\"
|
||||
.IX Title "POSTFWD2 1"
|
||||
.TH POSTFWD2 1 "2010-11-14" "perl v5.8.5" "User Contributed Perl Documentation"
|
||||
.IX Title "POSTFWD2-ALL-IN-ONE 1"
|
||||
.TH POSTFWD2-ALL-IN-ONE 1 "2011-12-18" "perl v5.8.5" "User Contributed Perl Documentation"
|
||||
.SH "NAME"
|
||||
postfwd2 \- postfix firewall daemon
|
||||
.SH "SYNOPSIS"
|
||||
|
@ -175,7 +175,7 @@ postfwd2 \- postfix firewall daemon
|
|||
\& --cache-no-size skip size for cache-id
|
||||
\& --no_parent_request_cache disable parent request cache
|
||||
\& --no_parent_rate_cache disable parent rate cache
|
||||
\& --no_parent_dns_cache disable parent dns cache
|
||||
\& --no_parent_dns_cache disable parent dns cache (default)
|
||||
\& --no_parent_cache disable all parent caches
|
||||
.Ve
|
||||
.PP
|
||||
|
@ -184,7 +184,7 @@ postfwd2 \- postfix firewall daemon
|
|||
\& --cleanup-rates <int> cleanup interval in seconds for rate cache
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 9
|
||||
.Vb 12
|
||||
\& Control:
|
||||
\& -k, --kill, --stop terminate postfwd2
|
||||
\& --reload, --hup reload postfwd2
|
||||
|
@ -194,6 +194,9 @@ postfwd2 \- postfix firewall daemon
|
|||
\& --daemons <list> list of daemons to start
|
||||
\& --dumpcache show cache contents
|
||||
\& --dumpstats show statistics
|
||||
\& -R, --chroot <path> chroot to <path> before start
|
||||
\& --delcache <item> removes an item from the request cache
|
||||
\& --delrate <item> removes an item from the rate cache
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 11
|
||||
|
@ -210,7 +213,7 @@ postfwd2 \- postfix firewall daemon
|
|||
\& --dns_max_mx_lookups max names to look up with sender_mx_addrs
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 7
|
||||
.Vb 10
|
||||
\& Optional:
|
||||
\& -t, --test testing, always returns "dunno"
|
||||
\& -S, --summary <i> show stats every <i> seconds
|
||||
|
@ -218,12 +221,21 @@ postfwd2 \- postfix firewall daemon
|
|||
\& --norulestats disables per rule statistics
|
||||
\& -I, --instantcfg reloads ruleset on every new request
|
||||
\& --config_timeout <i> parser timeout in seconds
|
||||
\& --keep_rates do not clear rate limit counters on reload
|
||||
\& --save_rates <file> save and load rate limits on disk
|
||||
\& --fast_limit_evaluation evaluate rate limits before ruleset is parsed
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 9
|
||||
.Vb 2
|
||||
\& Plugins:
|
||||
\& --plugins <file> loads postfwd plugins from file
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 10
|
||||
\& Logging:
|
||||
\& -l, --logname <label> label for syslog messages
|
||||
\& --facility <s> use syslog facility <s>
|
||||
\& --socktype <s> use syslog socktype <s>
|
||||
\& --nodnslog do not log dns results
|
||||
\& --anydnslog log any dns (even cached) results
|
||||
\& --norulelog do not log rule actions
|
||||
|
@ -282,7 +294,7 @@ A configuration line consists of optional item=value pairs, separated by semicol
|
|||
(`;`) and the appropriate desired action:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& [ <item1>[=><~]=<value>; <item2>[=><~]=<value>; ... ] action=<result>
|
||||
\& [ <item1>=<value>; <item2>=<value>; ... ] action=<result>
|
||||
.Ve
|
||||
.PP
|
||||
\&\fIExample:\fR
|
||||
|
@ -327,11 +339,23 @@ appreciate.
|
|||
A ruleset consists of one or multiple rules, which can be loaded from files or passed as command line
|
||||
arguments. Please see the \s-1COMMAND\s0 \s-1LINE\s0 section below for more information on this topic.
|
||||
.PP
|
||||
Rules can span multiple lines by adding a trailing backslash \*(L"\e\*(R" character:
|
||||
Since postfwd version 1.30 rules spanning span multiple lines can be defined by prefixing the following
|
||||
lines with one or multiple whitespace characters (or '}' for macros):
|
||||
.PP
|
||||
.Vb 2
|
||||
\& id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \e
|
||||
\& action=REJECT please use your relay from there
|
||||
.Vb 4
|
||||
\& id=RULE001
|
||||
\& client_address=192.168.1.0/24
|
||||
\& sender==no@bad.local
|
||||
\& action=REJECT no access
|
||||
.Ve
|
||||
.PP
|
||||
postfwd versions prior to 1.30 require trailing ';' and '\e'\-characters:
|
||||
.PP
|
||||
.Vb 4
|
||||
\& id=RULE001; \e
|
||||
\& client_address=192.168.1.0/24; \e
|
||||
\& sender==no@bad.local; \e
|
||||
\& action=REJECT no access
|
||||
.Ve
|
||||
.Sh "\s-1ITEMS\s0"
|
||||
.IX Subsection "ITEMS"
|
||||
|
@ -416,15 +440,23 @@ Rules can span multiple lines by adding a trailing backslash \*(L"\e\*(R" charac
|
|||
\& (whitelisting), as it might be forged.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 6
|
||||
.Vb 7
|
||||
\& version - postfwd2 version, contains "postfwd2 n.nn"
|
||||
\& this enables version based checks in your rulesets
|
||||
\& (e.g. for migration). works with old versions too,
|
||||
\& because a non-existing item always returns false:
|
||||
\& id=R01; version~=1.10; sender_domain==some.org \e
|
||||
\& # version >= 1.10
|
||||
\& id=R01; version~=1\e.[1-9][0-9]; sender_domain==some.org \e
|
||||
\& ; action=REJECT sorry no access
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 4
|
||||
\& ratecount - only available for rate(), size() and rcpt() actions.
|
||||
\& contains the actual limit counter:
|
||||
\& id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits])
|
||||
\& id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits])
|
||||
.Ve
|
||||
.PP
|
||||
Besides these you can specify any attribute of the postfix policy delegation protocol.
|
||||
Feel free to combine them the way you need it (have a look at the \s-1EXAMPLES\s0 section below).
|
||||
.PP
|
||||
|
@ -478,27 +510,26 @@ for details:
|
|||
.Ve
|
||||
.PP
|
||||
the current list can be found at <http://www.postfix.org/SMTPD_POLICY_README.html>. Please read carefully about which
|
||||
attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at \s-1END_OF_DATA\s0 level).
|
||||
attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END-OF-MESSAGE level).
|
||||
Pattern matching is performed case insensitive.
|
||||
.PP
|
||||
Multiple use of the same item is allowed and will compared as logical \s-1OR\s0, which means that this will work as expected:
|
||||
.PP
|
||||
.Vb 5
|
||||
\& id=TRUST001; action=OK; encryption_keysize=64; \e
|
||||
\& ccert_fingerprint=11:22:33:44:55:66:77:88:99; \e
|
||||
\& ccert_fingerprint=22:33:44:55:66:77:88:99:00; \e
|
||||
\& ccert_fingerprint=33:44:55:66:77:88:99:00:11; \e
|
||||
\& id=TRUST001; action=OK; encryption_keysize=64
|
||||
\& ccert_fingerprint=11:22:33:44:55:66:77:88:99
|
||||
\& ccert_fingerprint=22:33:44:55:66:77:88:99:00
|
||||
\& ccert_fingerprint=33:44:55:66:77:88:99:00:11
|
||||
\& sender=@domain\e.local$
|
||||
.Ve
|
||||
.PP
|
||||
client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values:
|
||||
.PP
|
||||
.Vb 5
|
||||
\& id=SKIP01; action=dunno; \e
|
||||
.Vb 4
|
||||
\& id=SKIP01; action=dunno
|
||||
\& client_address=192.168.1.0/24, 172.16.254.23
|
||||
\& id=SKIP02; action=dunno; \e
|
||||
\& client_address= 10.10.3.32 \e
|
||||
\& 10.216.222.0/27
|
||||
\& id=SKIP02; action=dunno
|
||||
\& client_address= 10.10.3.32 10.216.222.0/27
|
||||
.Ve
|
||||
.PP
|
||||
The following items must be unique:
|
||||
|
@ -510,19 +541,19 @@ The following items must be unique:
|
|||
Any item can be negated by preceeding '!!' to it, e.g.:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& id=TLS001 ; hostname=!!^secure\e.trust\e.local$ ; action=REJECT only secure.trust.local please
|
||||
\& id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please
|
||||
.Ve
|
||||
.PP
|
||||
or using the right compare operator:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that?
|
||||
\& id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please
|
||||
.Ve
|
||||
.PP
|
||||
To avoid confusion with regexps or simply for better visibility you can use '!!(...)':
|
||||
.PP
|
||||
.Vb 1
|
||||
\& id=USER01 ; sasl_username=!!( /^(bob|alice)$/ ) ; action=REJECT who is that?
|
||||
\& id=USER01 ; sasl_username =~ !!( /^(bob|alice)$/ ) ; action=REJECT who is that?
|
||||
.Ve
|
||||
.PP
|
||||
Request attributes can be compared by preceeding '$$' characters, e.g.:
|
||||
|
@ -535,6 +566,40 @@ Request attributes can be compared by preceeding '$$' characters, e.g.:
|
|||
.PP
|
||||
This is only valid for \s-1PCRE\s0 values (see list above). The comparison will be performed as case insensitive exact match.
|
||||
Use the '\-vv' option to debug.
|
||||
.PP
|
||||
These special items will be reset for any new rule:
|
||||
.PP
|
||||
.Vb 5
|
||||
\& rblcount - contains the number of RBL answers
|
||||
\& rhsblcount - contains the number of RHSBL answers
|
||||
\& matches - contains the number of matched items
|
||||
\& dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
|
||||
\& rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
|
||||
.Ve
|
||||
.PP
|
||||
These special items will be changed for any matching rule:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& request_hits - contains ids of all matching rules
|
||||
.Ve
|
||||
.PP
|
||||
This means that it might be necessary to save them, if you plan to use these values in later rules:
|
||||
.PP
|
||||
.Vb 6
|
||||
\& # set vals
|
||||
\& id=RBL01 ; rhsblcount=all; rblcount=all
|
||||
\& action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
|
||||
\& rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org
|
||||
\& rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
|
||||
\& rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 4
|
||||
\& # compare
|
||||
\& id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
\& id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
|
||||
\& id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
.Ve
|
||||
.Sh "\s-1FILES\s0"
|
||||
.IX Subsection "FILES"
|
||||
Since postfwd1 v1.15 and postfwd2 v0.18 long item lists can be stored in separate files:
|
||||
|
@ -563,20 +628,20 @@ To use existing tables in key=value format, you can use:
|
|||
This will ignore the right-hand value. Items can be mixed:
|
||||
.PP
|
||||
.Vb 3
|
||||
\& id=R002 ; action=REJECT \e
|
||||
\& client_name==unknown; \e
|
||||
\& id=R002 ; action=REJECT
|
||||
\& client_name==unknown
|
||||
\& client_name==file:/etc/postfwd/blacklisted
|
||||
.Ve
|
||||
.PP
|
||||
and for non pcre (comma separated) items:
|
||||
.PP
|
||||
.Vb 2
|
||||
\& id=R003 ; action=REJECT \e
|
||||
\& id=R003 ; action=REJECT
|
||||
\& client_address==10.1.1.1, file:/etc/postfwd/blacklisted
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& id=R004 ; action=REJECT \e
|
||||
\& id=R004 ; action=REJECT
|
||||
\& rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing
|
||||
.Ve
|
||||
.PP
|
||||
|
@ -720,8 +785,8 @@ postfwd2 actions control the behaviour of the program. Currently you can specify
|
|||
\& please note that <action> is currently limited to postfix actions (no postfwd actions)!
|
||||
\& # no more than 3 requests per 5 minutes
|
||||
\& # from the same "unknown" client
|
||||
\& id=RATE01 ; client_name==unknown ; \e
|
||||
\& action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
|
||||
\& id=RATE01 ; client_name==unknown
|
||||
\& action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 7
|
||||
|
@ -730,8 +795,8 @@ postfwd2 actions control the behaviour of the program. Currently you can specify
|
|||
\& increased by the request's size attribute. to do this reliably you should call postfwd2 from
|
||||
\& smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset:
|
||||
\& # size limit 1.5mb per hour per client
|
||||
\& id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \e
|
||||
\& action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
|
||||
\& id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1)
|
||||
\& action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 8
|
||||
|
@ -741,8 +806,8 @@ postfwd2 actions control the behaviour of the program. Currently you can specify
|
|||
\& from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could
|
||||
\& check it within the ruleset:
|
||||
\& # recipient count limit 3 per hour per client
|
||||
\& id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \e
|
||||
\& action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
|
||||
\& id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1)
|
||||
\& action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 9
|
||||
|
@ -757,6 +822,13 @@ postfwd2 actions control the behaviour of the program. Currently you can specify
|
|||
\& id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$)
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 4
|
||||
\& mail(server/helo/from/to/subject/body)
|
||||
\& Very basic mail command, that sends a message with the given arguments. LIMITATIONS:
|
||||
\& This basically performs a telnet. No authentication or TLS are available. Additionally it does
|
||||
\& not track notification state and will notify you any time, the corresponding rule hits.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 3
|
||||
\& wait (<delay>)
|
||||
\& pauses the program execution for <delay> seconds. use this for
|
||||
|
@ -766,7 +838,7 @@ postfwd2 actions control the behaviour of the program. Currently you can specify
|
|||
.Vb 3
|
||||
\& note (<string>)
|
||||
\& just logs the given string and continues parsing the ruleset.
|
||||
\& if the string is empty, nothing will be logged.
|
||||
\& if the string is empty, nothing will be logged (noop).
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 3
|
||||
|
@ -780,40 +852,6 @@ You can reference to request attributes, like
|
|||
.Vb 1
|
||||
\& id=R-HELO ; helo_name=^[^\e.]+$ ; action=REJECT invalid helo '$$helo_name'
|
||||
.Ve
|
||||
.PP
|
||||
These special attributes will be reset for any new rule:
|
||||
.PP
|
||||
.Vb 5
|
||||
\& rblcount - contains the number of RBL answers
|
||||
\& rhsblcount - contains the number of RHSBL answers
|
||||
\& matches - contains the number of matched items
|
||||
\& dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
|
||||
\& rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
|
||||
.Ve
|
||||
.PP
|
||||
These special attributes will be changed for any matching rule:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& request_hits - contains ids of all matching rules
|
||||
.Ve
|
||||
.PP
|
||||
This means that it might be necessary to save them, if you plan to use these values in later rules:
|
||||
.PP
|
||||
.Vb 6
|
||||
\& # set vals
|
||||
\& id=RBL01 ; rhsblcount=all ; rblcount=all ; \e
|
||||
\& rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \e
|
||||
\& rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \e
|
||||
\& rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \e
|
||||
\& action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 4
|
||||
\& # compare
|
||||
\& id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
\& id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
|
||||
\& id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||||
.Ve
|
||||
.Sh "\s-1MACROS/ACLS\s0"
|
||||
.IX Subsection "MACROS/ACLS"
|
||||
Multiple use of long items or combinations of them may be abbreviated by macros. Those must be prefixed by '&&' (two '&' characters).
|
||||
|
@ -845,18 +883,18 @@ Macros can contain actions, too:
|
|||
Macros can contain macros, too:
|
||||
.PP
|
||||
.Vb 16
|
||||
\& # definition (note the trailing "\e" characters)
|
||||
\& &&RBLS { \e
|
||||
\& rbl=zen.spamhaus.org ; \e
|
||||
\& rbl=list.dsbl.org ; \e
|
||||
\& rbl=bl.spamcop.net ; \e
|
||||
\& rbl=dnsbl.sorbs.net ; \e
|
||||
\& rbl=ix.dnsbl.manitu.net ; \e
|
||||
\& # definition
|
||||
\& &&RBLS{
|
||||
\& rbl=zen.spamhaus.org
|
||||
\& rbl=list.dsbl.org
|
||||
\& rbl=bl.spamcop.net
|
||||
\& rbl=dnsbl.sorbs.net
|
||||
\& rbl=ix.dnsbl.manitu.net
|
||||
\& };
|
||||
\& &&DYNAMIC { \e
|
||||
\& client_name=^unknown$ ; \e
|
||||
\& client_name=(\ed+[\e.-_]){4} ; \e
|
||||
\& client_name=[\e.-_](adsl|dynamic|ppp|)[\e.-_] ; \e
|
||||
\& &&DYNAMIC{
|
||||
\& client_name=^unknown$
|
||||
\& client_name=(\ed+[\e.-_]){4}
|
||||
\& client_name=[\e.-_](adsl|dynamic|ppp|)[\e.-_]
|
||||
\& };
|
||||
\& &&GOAWAY { &&RBLS; &&DYNAMIC; };
|
||||
\& # rules
|
||||
|
@ -866,7 +904,194 @@ Macros can contain macros, too:
|
|||
Basically macros are simple text substitutions \- see the \*(L"\s-1PARSER\s0\*(R" section for more information.
|
||||
.Sh "\s-1PLUGINS\s0"
|
||||
.IX Subsection "PLUGINS"
|
||||
Please visit <http://www.postfwd.org/postfwd.plugins>
|
||||
\&\fBDescription\fR
|
||||
.PP
|
||||
The plugin interface allow you to define your own checks and enhance postfwd's
|
||||
functionality. Feel free to share useful things!
|
||||
.PP
|
||||
\&\fBWarning\fR
|
||||
.PP
|
||||
Note that the plugin interface is still at devel stage. Please test your plugins
|
||||
carefully, because errors may cause postfwd to break! It is also
|
||||
allowed to override attributes or built-in functions, but be sure that you know
|
||||
what you do because some of them are used internally.
|
||||
.PP
|
||||
Please keep security in mind, when you access sensible ressources and never, ever
|
||||
run postfwd as privileged user! Also never trust your input (especially hostnames,
|
||||
and e\-mail addresses).
|
||||
.PP
|
||||
\&\fB\s-1ITEMS\s0\fR
|
||||
.PP
|
||||
Item plugins are perl subroutines which integrate additional attributes to requests
|
||||
before they are evaluated against postfwd's ruleset like any other item of the
|
||||
policy delegation protocol. This allows you to create your own checks.
|
||||
.PP
|
||||
plugin-items can not be used selective. these functions will be executed for every
|
||||
request postfwd receives, so keep performance in mind.
|
||||
.PP
|
||||
.Vb 1
|
||||
\& SYNOPSIS: %result = postfwd_items_plugin{<name>}(%request)
|
||||
.Ve
|
||||
.PP
|
||||
means that your subroutine, called <name>, has access to a hash called \f(CW%request\fR,
|
||||
which contains all request attributes, like \f(CW$request\fR{client_name} and must
|
||||
return a value in the following form:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& save: $result{<item>} = <value>
|
||||
.Ve
|
||||
.PP
|
||||
this creates the new item <item> containing <value>, which will be integrated in
|
||||
the policy delegation request and therefore may be used in postfwd's ruleset.
|
||||
.PP
|
||||
.Vb 2
|
||||
\& # do NOT remove the next line
|
||||
\& %postfwd_items_plugin = (
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 1
|
||||
\& # EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 8
|
||||
\& # allows to check postfwd version in ruleset
|
||||
\& "version" => sub {
|
||||
\& my(%request) = @_;
|
||||
\& my(%result) = (
|
||||
\& "version" => $NAME." ".$VERSION,
|
||||
\& );
|
||||
\& return %result;
|
||||
\& },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 10
|
||||
\& # sender_domain and recipient_domain
|
||||
\& "address_parts" => sub {
|
||||
\& my(%request) = @_;
|
||||
\& my(%result) = ();
|
||||
\& $request{sender} =~ /@([^@]*)$/;
|
||||
\& $result{sender_domain} = ($1 || '');
|
||||
\& $request{recipient} =~ /@([^@]*)$/;
|
||||
\& $result{recipient_domain} = ($1 || '');
|
||||
\& return %result;
|
||||
\& },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& # do NOT remove the next line
|
||||
\& );
|
||||
.Ve
|
||||
.PP
|
||||
\&\fB\s-1COMPARE\s0\fR
|
||||
.PP
|
||||
Compare plugins allow you to define how your new items should be compared to the ruleset.
|
||||
These are optional. If you don't specify one, the default (== for exact match, =~ for \s-1PCRE\s0, ...)
|
||||
will be used.
|
||||
.PP
|
||||
.Vb 1
|
||||
\& SYNOPSIS: <item> => sub { return &{$postfwd_compare{<type>}}(@_); },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& # do NOT remove the next line
|
||||
\& %postfwd_compare_plugin = (
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 1
|
||||
\& EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 5
|
||||
\& # Simple example
|
||||
\& # SYNOPSIS: <result> = <item> (return &{$postfwd_compare{<type>}}(@_))
|
||||
\& "client_address" => sub { return &{$postfwd_compare{cidr}}(@_); },
|
||||
\& "size" => sub { return &{$postfwd_compare{numeric}}(@_); },
|
||||
\& "recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 22
|
||||
\& # Complex example
|
||||
\& # SYNOPSIS: <result> = <item>(<operator>, <ruleset value>, <request value>, <request>)
|
||||
\& "numeric" => sub {
|
||||
\& my($cmp,$val,$myitem,%request) = @_;
|
||||
\& my($myresult) = undef; $myitem ||= "0"; $val ||= "0";
|
||||
\& if ($cmp eq '==') {
|
||||
\& $myresult = ($myitem == $val);
|
||||
\& } elsif ($cmp eq '=<') {
|
||||
\& $myresult = ($myitem <= $val);
|
||||
\& } elsif ($cmp eq '=>') {
|
||||
\& $myresult = ($myitem >= $val);
|
||||
\& } elsif ($cmp eq '!=') {
|
||||
\& $myresult = not($myitem == $val);
|
||||
\& } elsif ($cmp eq '!<') {
|
||||
\& $myresult = not($myitem <= $val);
|
||||
\& } elsif ($cmp eq '!>') {
|
||||
\& $myresult = not($myitem >= $val);
|
||||
\& } else {
|
||||
\& $myresult = ($myitem >= $val);
|
||||
\& };
|
||||
\& return $myresult;
|
||||
\& },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& # do NOT remove the next line
|
||||
\& );
|
||||
.Ve
|
||||
.PP
|
||||
\&\fB\s-1ACTIONS\s0\fR
|
||||
.PP
|
||||
Action plugins allow to define new postfwd actions. By setting the \f(CW$stop\fR\-flag you can decide to
|
||||
continue or to stop parsing the ruleset.
|
||||
.PP
|
||||
.Vb 2
|
||||
\& SYNOPSIS: (<stop rule parsing>, <next rule index>, <return action>, <logprefix>, <request>) =
|
||||
\& <action> (<current rule index>, <current time>, <command name>, <argument>, <logprefix>, <request>)
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& # do NOT remove the next line
|
||||
\& %postfwd_actions_plugin = (
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 1
|
||||
\& # EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 7
|
||||
\& # note(<logstring>) command
|
||||
\& "note" => sub {
|
||||
\& my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
\& my($myaction) = $default_action; my($stop) = 0;
|
||||
\& mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg;
|
||||
\& return ($stop,$index,$myaction,$myline,%request);
|
||||
\& },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 7
|
||||
\& # skips next <myarg> rules
|
||||
\& "skip" => sub {
|
||||
\& my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
\& my($myaction) = $default_action; my($stop) = 0;
|
||||
\& $index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) );
|
||||
\& return ($stop,$index,$myaction,$myline,%request);
|
||||
\& },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 7
|
||||
\& # dumps current request contents to syslog
|
||||
\& "dumprequest" => sub {
|
||||
\& my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
\& my($myaction) = $default_action; my($stop) = 0;
|
||||
\& map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request);
|
||||
\& return ($stop,$index,$myaction,$myline,%request);
|
||||
\& },
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& # do NOT remove the next line
|
||||
\& );
|
||||
.Ve
|
||||
.Sh "\s-1COMMAND\s0 \s-1LINE\s0"
|
||||
.IX Subsection "COMMAND LINE"
|
||||
\&\fIRuleset\fR
|
||||
|
@ -886,14 +1111,6 @@ that at least one of the following is required for postfwd2 to work.
|
|||
\& strings that contain whitespaces or shell characters.
|
||||
.Ve
|
||||
.PP
|
||||
\&\fIPlugins\fR
|
||||
.PP
|
||||
.Vb 3
|
||||
\& --plugins
|
||||
\& A file containing plugin routines for postfwd. Please see the
|
||||
\& PLUGINS section for more information.
|
||||
.Ve
|
||||
.PP
|
||||
\&\fIScoring\fR
|
||||
.PP
|
||||
.Vb 2
|
||||
|
@ -904,7 +1121,7 @@ that at least one of the following is required for postfwd2 to work.
|
|||
Multiple usage is allowed. Just chain your arguments, like:
|
||||
.PP
|
||||
.Vb 3
|
||||
\& postfwd2 -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
|
||||
\& postfwd2 -r "<item>=<value>;action=<result>" -f <file> -f <file> ...
|
||||
\& or
|
||||
\& postfwd2 --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd2 score too high" ...
|
||||
.Ve
|
||||
|
@ -920,7 +1137,7 @@ The following arguments will control it's behaviour in this case.
|
|||
.Vb 3
|
||||
\& -d, --daemon
|
||||
\& postfwd2 will run as daemon and listen on the network for incoming
|
||||
\& queries (default 127.0.0.1:10040).
|
||||
\& queries (default 127.0.0.1:10045).
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
|
@ -930,7 +1147,7 @@ The following arguments will control it's behaviour in this case.
|
|||
.PP
|
||||
.Vb 2
|
||||
\& -p, --port <port>
|
||||
\& postfwd2 listens on the specified port (default tcp/10040).
|
||||
\& postfwd2 listens on the specified port (default tcp/10045).
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 4
|
||||
|
@ -970,7 +1187,7 @@ The following arguments will control it's behaviour in this case.
|
|||
.Vb 3
|
||||
\& -R, --chroot <path>
|
||||
\& Chroot the process to the specified path.
|
||||
\& Test this before using - you might need some libs there.
|
||||
\& Please look at http://postfwd.org/postfwd2-chroot.html before use!
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
|
@ -978,6 +1195,17 @@ The following arguments will control it's behaviour in this case.
|
|||
\& The process id will be saved in the specified file.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& --facility <f>
|
||||
\& sets the syslog facility, default is 'mail'
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 3
|
||||
\& --socktype <s>
|
||||
\& sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'.
|
||||
\& Default is to auto-detect this depening on module version and os.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 3
|
||||
\& -l, --logname <label>
|
||||
\& Labels the syslog messages. Useful when running multiple
|
||||
|
@ -989,6 +1217,14 @@ The following arguments will control it's behaviour in this case.
|
|||
\& Truncates any syslog message after <int> characters.
|
||||
.Ve
|
||||
.PP
|
||||
\&\fIPlugins\fR
|
||||
.PP
|
||||
.Vb 3
|
||||
\& --plugins <file>
|
||||
\& Loads postfwd plugins from file. Please see http://postfwd.org/postfwd.plugins
|
||||
\& or the plugins.postfwd.sample that is available from the tarball for more info.
|
||||
.Ve
|
||||
.PP
|
||||
\&\fIOptional arguments\fR
|
||||
.PP
|
||||
These parameters influence the way postfwd2 is working. Any of them can be combined.
|
||||
|
@ -1168,6 +1404,28 @@ These parameters influence the way postfwd2 is working. Any of them can be combi
|
|||
\& be skipped. this is used to prevent problems due to large files or loops.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 4
|
||||
\& --keep_rates (default=0)
|
||||
\& With this option set postfwd2 does not clear the rate limit counters on reload. Please
|
||||
\& note that you have to restart (not reload) postfwd with this option if you change
|
||||
\& any rate limit rules.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 4
|
||||
\& --save_rates (default=none)
|
||||
\& With this option postfwd saves existing rate limit counters to disk and reloads them
|
||||
\& on program start. This allows persistent rate limits across program restarts or reboots.
|
||||
\& Please note that postfwd needs read and write access to the specified file.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 5
|
||||
\& --fast_limit_evaluation (default=0)
|
||||
\& Once a ratelimit was set by the ruleset, future requests will be evaluated against it
|
||||
\& before consulting the ruleset. This mode was the default behaviour until v1.30.
|
||||
\& With this mode rate limits will be faster, but also eventually set up
|
||||
\& whitelisting-rules within the ruleset might not work as expected.
|
||||
.Ve
|
||||
.PP
|
||||
\&\fIInformational arguments\fR
|
||||
.PP
|
||||
These arguments are for command line usage only. Never ever use them with postfix!
|
||||
|
@ -1202,6 +1460,34 @@ These arguments are for command line usage only. Never ever use them with postfi
|
|||
\& This option turns of any syslogging and output. It is included
|
||||
\& for performance testing.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& --dumpstats
|
||||
\& Displays program usage statistics.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& --dumpcache
|
||||
\& Displays cache contents.
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 10
|
||||
\& --delcache <item>
|
||||
\& Removes an item from the request cache. Use --dumpcache to identify objects.
|
||||
\& E.g.:
|
||||
\& # postfwd --dumpcache
|
||||
\& ...
|
||||
\& %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1'
|
||||
\& %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2'
|
||||
\& ...
|
||||
\& # postfwd --delrate="sender=gmato@jqvo.org"
|
||||
\& rate cache item 'sender=gmato@jqvo.org' removed
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 2
|
||||
\& --delrate <item>
|
||||
\& Removes an item from the rate cache. Use --dumpcache to identify objects.
|
||||
.Ve
|
||||
.Sh "\s-1REFRESH\s0"
|
||||
.IX Subsection "REFRESH"
|
||||
In daemon mode postfwd2 reloads it's ruleset after receiving a \s-1HUP\s0 signal. Please see the description of
|
||||
|
@ -1245,20 +1531,27 @@ the '\-I' switch to have your configuration refreshed for every request postfwd2
|
|||
\& # 1. 30MB for systems in *.customer1.tld
|
||||
\& # 2. 20MB for SASL user joejob
|
||||
\& # 3. 10MB default
|
||||
\& id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\e.customer1.tld$
|
||||
\& id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
|
||||
\& id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000
|
||||
\& id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large
|
||||
\& id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\e.customer1.tld$
|
||||
\& id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
|
||||
\& id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000
|
||||
\& id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 7
|
||||
.Vb 14
|
||||
\& ## Selective Greylisting
|
||||
\& ##
|
||||
\& ## Note that postfwd does not include greylisting. This setup requires a running postgrey service
|
||||
\& ## at port 10031 and the following postfix restriction class in your main.cf:
|
||||
\& ##
|
||||
\& ## smtpd_restriction_classes = check_postgrey, ...
|
||||
\& ## check_postgrey = check_policy_service inet:127.0.0.1:10031
|
||||
\& #
|
||||
\& # 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s
|
||||
\& # 2. Client has no rDNS
|
||||
\& # 3. Client comes from several dialin domains
|
||||
\& id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
|
||||
\& id=GR002; action=greylisting ; client_name=^unknown$
|
||||
\& id=GR003; action=greylisting ; client_name=\e.(t-ipconnect|alicedsl|ish)\e.de$
|
||||
\& id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
|
||||
\& id=GR002; action=check_postgrey ; client_name=^unknown$
|
||||
\& id=GR003; action=check_postgrey ; client_name=\e.(t-ipconnect|alicedsl|ish)\e.de$
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 7
|
||||
|
@ -1268,7 +1561,7 @@ the '\-I' switch to have your configuration refreshed for every request postfwd2
|
|||
\& time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim
|
||||
\& time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim
|
||||
\& months=-Apr ; action=450 4.7.1 see you in may
|
||||
\& days=!!Mon-Fri ; action=greylist
|
||||
\& days=!!Mon-Fri ; action=check_postgrey
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 10
|
||||
|
@ -1280,8 +1573,8 @@ the '\-I' switch to have your configuration refreshed for every request postfwd2
|
|||
\& id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:...
|
||||
\& id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:...
|
||||
\& id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:...
|
||||
\& id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
|
||||
\& id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000
|
||||
\& id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
|
||||
\& id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 14
|
||||
|
@ -1291,8 +1584,8 @@ the '\-I' switch to have your configuration refreshed for every request postfwd2
|
|||
\& # - is listed in 1 RBL or 1 RHSBL and has no correct rDNS
|
||||
\& # - other clients without correct rDNS will be greylist-checked
|
||||
\& # - some whitelists are used to lower the score
|
||||
\& id=S01 ; score=2.6 ; action=greylisting
|
||||
\& id=S02 ; score=5.0 ; action=REJECT postfwd2 score too high
|
||||
\& id=S01 ; score=2.6 ; action=check_postgrey
|
||||
\& id=S02 ; score=5.0 ; action=REJECT postfwd score too high
|
||||
\& id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org
|
||||
\& id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net
|
||||
\& id=R02 ; action=score(2.5) ; rhsbl=rhsbl.ahbl.org, rhsbl.sorbs.net
|
||||
|
@ -1306,10 +1599,10 @@ the '\-I' switch to have your configuration refreshed for every request postfwd2
|
|||
\& # The following temporary rejects requests from "unknown" clients, if they
|
||||
\& # 1. exceeded 30 requests per hour or
|
||||
\& # 2. tried to send more than 1.5mb within 10 minutes
|
||||
\& id=RATE01 ; client_name==unknown ; state==RCPT ; \e
|
||||
\& action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
|
||||
\& id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \e
|
||||
\& action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
|
||||
\& id=RATE01 ; client_name==unknown ; protocol_state==RCPT
|
||||
\& action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
|
||||
\& id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE
|
||||
\& action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 8
|
||||
|
@ -1326,34 +1619,34 @@ the '\-I' switch to have your configuration refreshed for every request postfwd2
|
|||
.Vb 34
|
||||
\& ## Groups
|
||||
\& # definition
|
||||
\& &&RBLS { \e
|
||||
\& rbl=zen.spamhaus.org ; \e
|
||||
\& rbl=list.dsbl.org ; \e
|
||||
\& rbl=bl.spamcop.net ; \e
|
||||
\& rbl=dnsbl.sorbs.net ; \e
|
||||
\& rbl=ix.dnsbl.manitu.net ; \e
|
||||
\& &&RBLS{
|
||||
\& rbl=zen.spamhaus.org
|
||||
\& rbl=list.dsbl.org
|
||||
\& rbl=bl.spamcop.net
|
||||
\& rbl=dnsbl.sorbs.net
|
||||
\& rbl=ix.dnsbl.manitu.net
|
||||
\& };
|
||||
\& &&RHSBLS { \e
|
||||
\& &&RHSBLS{
|
||||
\& ...
|
||||
\& };
|
||||
\& &&DYNAMIC { \e
|
||||
\& client_name==unknown ; \e
|
||||
\& client_name~=(\ed+[\e.-_]){4} ; \e
|
||||
\& client_name~=[\e.-_](adsl|dynamic|ppp|)[\e.-_] ; \e
|
||||
\& &&DYNAMIC{
|
||||
\& client_name==unknown
|
||||
\& client_name~=(\ed+[\e.-_]){4}
|
||||
\& client_name~=[\e.-_](adsl|dynamic|ppp|)[\e.-_]
|
||||
\& ...
|
||||
\& };
|
||||
\& &&BAD_HELO { \e
|
||||
\& helo_name==my.name.tld; \e
|
||||
\& helo_name~=^([^\e.]+)$; \e
|
||||
\& helo_name~=\e.(local|lan)$; \e
|
||||
\& &&BAD_HELO{
|
||||
\& helo_name==my.name.tld
|
||||
\& helo_name~=^([^\e.]+)$
|
||||
\& helo_name~=\e.(local|lan)$
|
||||
\& ...
|
||||
\& };
|
||||
\& &&MAINTENANCE { \e
|
||||
\& date=15.01.2007 ; \e
|
||||
\& date=15.04.2007 ; \e
|
||||
\& date=15.07.2007 ; \e
|
||||
\& date=15.10.2007 ; \e
|
||||
\& time=03:00:00 - 04:00:00 ; \e
|
||||
\& &&MAINTENANCE{
|
||||
\& date=15.01.2007
|
||||
\& date=15.04.2007
|
||||
\& date=15.07.2007
|
||||
\& date=15.10.2007
|
||||
\& time=03:00:00 - 04:00:00
|
||||
\& };
|
||||
\& # rules
|
||||
\& id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL
|
||||
|
@ -1374,7 +1667,7 @@ the '\-I' switch to have your configuration refreshed for every request postfwd2
|
|||
.Vb 5
|
||||
\& ## combined with enhanced rbl features
|
||||
\& #
|
||||
\& id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \e
|
||||
\& id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS
|
||||
\& action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
|
||||
\& id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]
|
||||
.Ve
|
||||
|
@ -1526,7 +1819,7 @@ postfwd2 will spawn multiple child processes which communicate with a parent cac
|
|||
the prefered way to use postfwd2 in high volume environments. Start postfwd2 with the following parameters:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10040 -u nobody -g nobody -S
|
||||
\& postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10045 -u nobody -g nobody -S
|
||||
.Ve
|
||||
.PP
|
||||
For efficient caching you should check if you can use the options \-\-cacheid, \-\-cache\-rdomain\-only,
|
||||
|
@ -1538,19 +1831,19 @@ Now check your syslogs (default facility \*(L"mail\*(R") for a line like:
|
|||
\& Aug 9 23:00:24 mail postfwd[5158]: postfwd2 n.nn ready for input
|
||||
.Ve
|
||||
.PP
|
||||
and use `netstat \-an|grep 10040` to check for something like
|
||||
and use `netstat \-an|grep 10045` to check for something like
|
||||
.PP
|
||||
.Vb 1
|
||||
\& tcp 0 0 127.0.0.1:10040 0.0.0.0:* LISTEN
|
||||
\& tcp 0 0 127.0.0.1:10045 0.0.0.0:* LISTEN
|
||||
.Ve
|
||||
.PP
|
||||
If everything works, open your postfix main.cf and insert the following
|
||||
.PP
|
||||
.Vb 4
|
||||
\& 127.0.0.1:10040_time_limit = 3600 <--- integration
|
||||
\& 127.0.0.1:10045_time_limit = 3600 <--- integration
|
||||
\& smtpd_recipient_restrictions = permit_mynetworks <--- recommended
|
||||
\& reject_unauth_destination <--- recommended
|
||||
\& check_policy_service inet:127.0.0.1:10040 <--- integration
|
||||
\& check_policy_service inet:127.0.0.1:10045 <--- integration
|
||||
.Ve
|
||||
.PP
|
||||
Reload your configuration with `postfix reload` and watch your logs. In it works you should see
|
||||
|
@ -1575,11 +1868,11 @@ Then postmap that file (`postmap hash:/etc/postfix/policy`), open your main.cf a
|
|||
.Vb 3
|
||||
\& # Restriction Classes
|
||||
\& smtpd_restriction_classes = postfwdcheck, <some more>... <--- integration
|
||||
\& postfwdcheck = check_policy_service inet:127.0.0.1:10040 <--- integration
|
||||
\& postfwdcheck = check_policy_service inet:127.0.0.1:10045 <--- integration
|
||||
.Ve
|
||||
.PP
|
||||
.Vb 6
|
||||
\& 127.0.0.1:10040_time_limit = 3600 <--- integration
|
||||
\& 127.0.0.1:10045_time_limit = 3600 <--- integration
|
||||
\& smtpd_recipient_restrictions = permit_mynetworks, <--- recommended
|
||||
\& reject_unauth_destination, <--- recommended
|
||||
\& ... <--- optional
|
||||
|
@ -1612,7 +1905,7 @@ You should get an answer like
|
|||
For network tests I use netcat:
|
||||
.PP
|
||||
.Vb 1
|
||||
\& nc 127.0.0.1 10040 <request.sample
|
||||
\& nc 127.0.0.1 10045 <request.sample
|
||||
.Ve
|
||||
.PP
|
||||
to send a request to postfwd. If you receive nothing, make sure that postfwd2 is running and
|
||||
|
|
167
plugins/postfwd.plugins.sample
Normal file
167
plugins/postfwd.plugins.sample
Normal file
|
@ -0,0 +1,167 @@
|
|||
#
|
||||
#
|
||||
# Example plugin file for postfwd - see http://postfwd.org
|
||||
#
|
||||
#
|
||||
# Description:
|
||||
#
|
||||
# The plugin interface allow you to define your own checks and enhance postfwd's
|
||||
# functionality. Feel free to share useful things!
|
||||
#
|
||||
#
|
||||
# Warning:
|
||||
#
|
||||
# Check changes carefully, because errors may cause postfwd to break! It is also
|
||||
# allowed to override attributes or built-in functions, but be sure that you know
|
||||
# what you do because some of them are used internally.
|
||||
# Please keep security in mind, when you access sensible ressources and never, ever
|
||||
# run postfwd as privileged user! Also never trust your input (especially hostnames,
|
||||
# and e-mail addresses).
|
||||
|
||||
|
||||
#
|
||||
# ITEMS
|
||||
# =====
|
||||
#
|
||||
# Item plugins are perl subroutines which integrate additional attributes to requests
|
||||
# before they are evaluated against postfwd's ruleset like any other item of the
|
||||
# policy delegation protocol. This allows you to create your own checks.
|
||||
#
|
||||
# plugin-items can not be used selective. these functions will be executed for every
|
||||
# request postfwd receives, so keep performance in mind.
|
||||
#
|
||||
# SYNOPSIS: %result = postfwd_items_plugin{<name>}(%request)
|
||||
#
|
||||
# means that your subroutine, called <name>, has access to a hash called %request,
|
||||
# which contains all request attributes, like $request{client_name} and must
|
||||
# return a value in the following form:
|
||||
#
|
||||
# save: $result{<item>} = <value>
|
||||
#
|
||||
# this creates the new item <item> containing <value>, which will be integrated in
|
||||
# the policy delegation request and therefore may be used in postfwd's ruleset.
|
||||
|
||||
# do NOT remove the next line
|
||||
%postfwd_items_plugin = (
|
||||
|
||||
# EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
#
|
||||
# # allows to check postfwd version in ruleset
|
||||
# "version" => sub {
|
||||
# my(%request) = @_;
|
||||
# my(%result) = (
|
||||
# "version" => $NAME." ".$VERSION,
|
||||
# );
|
||||
# return %result;
|
||||
# },
|
||||
#
|
||||
# # sender_domain and recipient_domain
|
||||
# "address_parts" => sub {
|
||||
# my(%request) = @_;
|
||||
# my(%result) = ();
|
||||
# $request{sender} =~ /@([^@]*)$/;
|
||||
# $result{sender_domain} = ($1 || '');
|
||||
# $request{recipient} =~ /@([^@]*)$/;
|
||||
# $result{recipient_domain} = ($1 || '');
|
||||
# return %result;
|
||||
# },
|
||||
# },
|
||||
|
||||
# do NOT remove the next line
|
||||
);
|
||||
|
||||
|
||||
#
|
||||
# COMPARE
|
||||
# =======
|
||||
#
|
||||
# Compare plugins allow you to define how your new items should be compared to the ruleset.
|
||||
# These are optional. If you don't specify one, the default (== for exact match, =~ for PCRE, ...)
|
||||
# will be used.
|
||||
#
|
||||
# SYNOPSIS: <item> => sub { return &{$postfwd_compare{<type>}}(@_); },
|
||||
|
||||
# do NOT remove the next line
|
||||
%postfwd_compare_plugin = (
|
||||
|
||||
# EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
#
|
||||
# # CIDR compare
|
||||
# "client_address" => sub { return &{$postfwd_compare{cidr}}(@_); },
|
||||
#
|
||||
# # Numeric compare
|
||||
# "size" => sub { return &{$postfwd_compare{numeric}}(@_); },
|
||||
# "recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); },
|
||||
#
|
||||
# # Complex example
|
||||
# # SYNOPSIS: <result> = <item>(<operator>, <ruleset value>, <request value>, <request>)
|
||||
# "numeric" => sub {
|
||||
# my($cmp,$val,$myitem,%request) = @_;
|
||||
# my($myresult) = undef; $myitem ||= "0"; $val ||= "0";
|
||||
# if ($cmp eq '==') {
|
||||
# $myresult = ($myitem == $val);
|
||||
# } elsif ($cmp eq '=<') {
|
||||
# $myresult = ($myitem <= $val);
|
||||
# } elsif ($cmp eq '=>') {
|
||||
# $myresult = ($myitem >= $val);
|
||||
# } elsif ($cmp eq '!=') {
|
||||
# $myresult = not($myitem == $val);
|
||||
# } elsif ($cmp eq '!<') {
|
||||
# $myresult = not($myitem <= $val);
|
||||
# } elsif ($cmp eq '!>') {
|
||||
# $myresult = not($myitem >= $val);
|
||||
# } else {
|
||||
# $myresult = ($myitem >= $val);
|
||||
# };
|
||||
# return $myresult;
|
||||
# },
|
||||
|
||||
# do NOT remove the next line
|
||||
);
|
||||
|
||||
|
||||
#
|
||||
# ACTIONS
|
||||
# =======
|
||||
#
|
||||
# Action plugins allow to define new postfwd actions.
|
||||
#
|
||||
# SYNOPSIS: (<stop rule parsing>, <next rule index>, <return action>, <logprefix>, <request>) =
|
||||
# <action> (<current rule index>, <current time>, <command name>, <argument>, <logprefix>, <request>)
|
||||
|
||||
# do NOT remove the next line
|
||||
%postfwd_actions_plugin = (
|
||||
|
||||
# EXAMPLES - integrated in postfwd. no need to activate them here.
|
||||
#
|
||||
# # note(<logstring>) command
|
||||
# "note" => sub {
|
||||
# my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
# my($myaction) = $default_action; my($stop) = 0;
|
||||
# mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg;
|
||||
# return ($stop,$index,$myaction,$myline,%request);
|
||||
# },
|
||||
#
|
||||
# # skips next <myarg> rules
|
||||
# "skip" => sub {
|
||||
# my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
# my($myaction) = $default_action; my($stop) = 0;
|
||||
# $index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) );
|
||||
# return ($stop,$index,$myaction,$myline,%request);
|
||||
# },
|
||||
#
|
||||
# # dumps current request contents to syslog
|
||||
# "dumprequest" => sub {
|
||||
# my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
|
||||
# my($myaction) = $default_action; my($stop) = 0;
|
||||
# map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request);
|
||||
# return ($stop,$index,$myaction,$myline,%request);
|
||||
# },
|
||||
|
||||
# do NOT remove the next line
|
||||
);
|
||||
|
||||
# do NOT remove the next line
|
||||
1;
|
||||
|
||||
## EOF postfwd.plugins
|
1396
sbin/postfwd
1396
sbin/postfwd
File diff suppressed because it is too large
Load diff
1372
sbin/postfwd2
1372
sbin/postfwd2
File diff suppressed because it is too large
Load diff
|
@ -1,10 +0,0 @@
|
|||
Directory contents:
|
||||
|
||||
- lograte.sh [OPTIONS] <logfile>
|
||||
generates per minute stats for generic syslog files
|
||||
|
||||
- request.sample
|
||||
a sample policy delegation request. you may test your postfwd config with
|
||||
postfwd -f <configfile> request.sample
|
||||
|
||||
by JPK
|
342
tools/hapolicy/hapolicy
Executable file
342
tools/hapolicy/hapolicy
Executable file
|
@ -0,0 +1,342 @@
|
|||
#!/usr/bin/perl -T -w
|
||||
|
||||
package hapolicy;
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
use IO::Socket;
|
||||
use Pod::Usage;
|
||||
use Sys::Syslog qw(:DEFAULT setlogsock);
|
||||
use Getopt::Long 2.25 qw(:config no_ignore_case bundling);
|
||||
|
||||
|
||||
|
||||
### PARAMETERS ###
|
||||
|
||||
# Program settings
|
||||
our($NAME) = 'hapolicy';
|
||||
our($VERSION) = '1.00';
|
||||
our($DEFAULT) = 'dunno'; # default action if no service available
|
||||
our($TIMEOUT) = '30'; # default service timeout
|
||||
|
||||
# remote server settings
|
||||
# command-line: -s <name>=<ip>:<port>:<prio>:<weight>:<timeout>
|
||||
our(%Servers) = (
|
||||
# "GREY1" => {
|
||||
# ip => '10.0.0.1', # ip address
|
||||
# port => '10031', # tcp port
|
||||
# prio => '10', # optional, lower wins
|
||||
# weight => '1', # optional, for items with same prio (weighted round-robin), higher is better
|
||||
# timeout => '30', # optional, query timeout in seconds
|
||||
# },
|
||||
);
|
||||
|
||||
# Environment
|
||||
$ENV{PATH} = '/bin:/usr/bin:/usr/local/bin';
|
||||
$ENV{ENV} = '';
|
||||
# Syslog options
|
||||
our($syslog_name) = $NAME;
|
||||
our($syslog_facility) = 'mail';
|
||||
our($syslog_options) = 'pid';
|
||||
our($syslog_socktype) = ( (defined $sys::Syslog::VERSION) and ($Sys::Syslog::VERSION ge '0.15') )
|
||||
? 'native'
|
||||
: (($^O eq 'solaris') ? 'inet' : 'unix');
|
||||
use vars qw(%opt);
|
||||
|
||||
### MAIN ###
|
||||
|
||||
# get command-line
|
||||
GetOptions (
|
||||
\%opt, 'service|s=s@', 'verbose|v', 'stdout|L', 'logging|l', 'default|d=s'
|
||||
) or pod2usage (-msg => "\nPlease see \"pod2text ".$NAME."\" for detailed instructions.\n", -verbose => 1);
|
||||
setlogsock $syslog_socktype;
|
||||
openlog $syslog_name, $syslog_options, $syslog_facility;
|
||||
|
||||
# check command-line
|
||||
$DEFAULT = $opt{default} if defined $opt{default};
|
||||
foreach (@{$opt{service}}) {
|
||||
if (/^([^=]+)=([^:]+):([^:]+):(.*)$/) {
|
||||
$Servers{$1}{ip} = $2; $Servers{$1}{port} = $3;
|
||||
($Servers{$1}{prio},$Servers{$1}{weight},$Servers{$1}{timeout}) = split ':', $4 if $4;
|
||||
} else {
|
||||
mylogs ('warning', "ignoring invalid service '$_'");
|
||||
};
|
||||
};
|
||||
|
||||
# sort servers by prio
|
||||
my %ServerPrioHash = ();
|
||||
foreach (keys %Servers) {
|
||||
unless ($Servers{$_}{ip} and $Servers{$_}{port}) {
|
||||
mylogs ('warning', "No address or port for '$_'");
|
||||
next;
|
||||
};
|
||||
$Servers{$_}{prio} ||= 10; $Servers{$_}{timeout} ||= $TIMEOUT;
|
||||
$Servers{$_}{weight} = ($Servers{$_}{weight}) ? (1/$Servers{$_}{weight}) : 1;
|
||||
$Servers{$_}{questions} = $Servers{$_}{answers} = $Servers{$_}{failed} = 0;
|
||||
push @{$ServerPrioHash{$Servers{$_}{prio}}}, $_;
|
||||
};
|
||||
|
||||
# run main loop
|
||||
select((select(STDOUT), $| = 1)[0]);
|
||||
hapolicy::main();
|
||||
|
||||
# end program
|
||||
exit;
|
||||
|
||||
|
||||
|
||||
### FUNCTIONS ###
|
||||
|
||||
# send log message
|
||||
sub mylogs {
|
||||
my($prio,$msg) = @_;
|
||||
|
||||
unless ($opt{stdout}) {
|
||||
# escape '%' characters
|
||||
$msg =~ s/\%/%%/g;
|
||||
# Sys::Syslog < 0.15 dies when syslog daemon is temporarily not
|
||||
# present (for example on syslog rotation)
|
||||
if ( (defined $Sys::Syslog::VERSION) or ($Sys::Syslog::VERSION lt '0.15') ) {
|
||||
eval {
|
||||
local $SIG{__DIE__} = sub { };
|
||||
syslog ($prio,$msg);
|
||||
};
|
||||
} else { syslog ($prio,$msg); };
|
||||
} else { printf "[LOG $prio]: $msg\n"; };
|
||||
};
|
||||
|
||||
# ask remote server
|
||||
sub ask {
|
||||
my($srv,$sendstr) = @_;
|
||||
my($action) = '';
|
||||
|
||||
eval {
|
||||
# handle timeout
|
||||
local $SIG{__DIE__} = sub { };
|
||||
local $SIG{'ALRM'} = sub { mylogs ('warning',"Timeout for '$srv' ($Servers{$srv}{ip}:$Servers{$srv}{port})"); die };
|
||||
my $prevaltert = alarm($Servers{$srv}{timeout});
|
||||
|
||||
# increase server request-counter and try to open socket
|
||||
$Servers{$srv}{questions}+=$Servers{$srv}{weight};
|
||||
mylogs ('info', "Opening socket to '$srv' ($Servers{$srv}{ip}:$Servers{$srv}{port})") if $opt{verbose};
|
||||
unless ( my $socket = new IO::Socket::INET (
|
||||
PeerAddr => $Servers{$srv}{ip},
|
||||
PeerPort => $Servers{$srv}{port},
|
||||
Proto => 'tcp',
|
||||
Type => SOCK_STREAM ) ) {
|
||||
mylogs ('warning', "Could not open socket to '$srv' ($Servers{$srv}{ip}:$Servers{$srv}{port})");
|
||||
|
||||
} else {
|
||||
# print request and get answer
|
||||
mylogs ('info', "Connection established to '$srv' ($Servers{$srv}{ip}:$Servers{$srv}{port})") if $opt{verbose};
|
||||
print $socket "$sendstr";
|
||||
$sendstr = <$socket>;
|
||||
chomp($sendstr);
|
||||
|
||||
# check answer
|
||||
$sendstr =~ s/^(action=)//;
|
||||
if ($1 and $sendstr) {
|
||||
$Servers{$srv}{answers}++;
|
||||
mylogs ('info', "Answer from '$srv' -> '$sendstr'") if $opt{verbose};
|
||||
$action = $sendstr;
|
||||
} else {
|
||||
mylogs ('warning', "Invalid answer from '$srv' -> '$sendstr'");
|
||||
};
|
||||
};
|
||||
# restore old sig
|
||||
alarm ($prevaltert);
|
||||
};
|
||||
$Servers{$srv}{failed}++ unless ($Servers{$srv}{last} = $action);
|
||||
# return action
|
||||
return $action;
|
||||
};
|
||||
|
||||
# process policy delegation request
|
||||
sub smtpd_access_policy {
|
||||
my(%attr) = @_;
|
||||
my($sendstr,$action,$srv) = '';
|
||||
|
||||
my $t1 = time();
|
||||
|
||||
# request to str
|
||||
map { $sendstr .= $_."=".$attr{$_}."\n" } (keys %attr); $sendstr .= "\n";
|
||||
|
||||
# loop serverlist until someone answers
|
||||
PRIO: foreach my $prio (sort keys %ServerPrioHash) {
|
||||
foreach my $srv ( sort { $Servers{$a}{questions}<=>$Servers{$b}{questions} } @{$ServerPrioHash{$prio}} ) {
|
||||
$action = ask ($srv, $sendstr) || '';
|
||||
mylogs ('info', "[$srv]"
|
||||
." (".$Servers{$srv}{ip}.":".$Servers{$srv}{port}.")"
|
||||
.", prio: $prio, weight: ".(1/$Servers{$srv}{weight})
|
||||
.", queries: ".($Servers{$srv}{questions} * (1/$Servers{$srv}{weight}))
|
||||
.", answers: ".$Servers{$srv}{answers}
|
||||
.", failed: ".$Servers{$srv}{failed}
|
||||
.", delay: ".(time() - $t1)."s"
|
||||
.", client: ".$attr{client_name}."[".$attr{client_address}."]"
|
||||
.", helo: <".$attr{helo_name}.">"
|
||||
.", from: <".$attr{sender}.">"
|
||||
.", to: <".$attr{recipient}.">"
|
||||
.", action: '".$action."'"
|
||||
) if ($opt{verbose} or $opt{logging});
|
||||
last PRIO if $action;
|
||||
};
|
||||
};
|
||||
|
||||
# return action
|
||||
return $action;
|
||||
};
|
||||
|
||||
# main loop
|
||||
sub main {
|
||||
my($request,$action) = undef;
|
||||
my (%attr) = ();
|
||||
|
||||
while (<>) {
|
||||
next unless /^([^\r\n]*)\r?\n/;
|
||||
$request = $1;
|
||||
if ($request =~ /([^=]+)=(.*)/) {
|
||||
$attr{substr($1, 0, 512)} = substr($2, 0, 512);
|
||||
} elsif ($request eq '') {
|
||||
map { mylogs ('info', "Attribute: $_=$attr{$_}") } (keys %attr) if $opt{verbose};
|
||||
unless ((defined $attr{request}) and ($attr{request} eq 'smtpd_access_policy')) {
|
||||
$attr{request} ||='<undef>';
|
||||
mylogs ('notice', "ignoring unrecognized request type: '$attr{request}'");
|
||||
} else {
|
||||
my($action) = smtpd_access_policy(%attr);
|
||||
$action ||= $DEFAULT; %attr = ();
|
||||
mylogs('info', "Action: $action") if $opt{verbose};
|
||||
print "action=$action\n\n";
|
||||
};
|
||||
} else {
|
||||
chop;
|
||||
mylogs ('notice', "error: ignoring garbage \"".$request."\"");
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
__END__
|
||||
|
||||
=head1 NAME
|
||||
|
||||
hapolicy - policy delegation high availability script
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
B<hapolicy> [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...]
|
||||
|
||||
Services:
|
||||
-s, --service <name>=<address>:<port>[:<prio>:<weight>:<timeout>]
|
||||
|
||||
Options:
|
||||
-d, --default <action> returns <action> if no service was available (default: 'dunno')
|
||||
-l, --logging log requests
|
||||
-v, --verbose increase logging verbosity
|
||||
-L, --stdout log to stdout, for debugging, do NOT use with postfix
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
=head2 INTRODUCTION
|
||||
|
||||
B<hapolicy> enables high availability, weighted loadbalancing and a fallback action for postfix policy delegation services. Invoked via postfix spawn it acts as a wrapper that queries
|
||||
other policy servers via tcp connection. The order of the service queries can be influenced by assigning a specific priority and weight to each service. A service is considered 'failing',
|
||||
if the connection is refused or the specified service timeout is reached. If all of the configured policy services were failing, B<hapolicy> returns a default action (e.g. dunno) to postfix.
|
||||
|
||||
With version 1.00 B<hapolicy> has less than 200 lines of perl code using only standard perl modules. It does not require any disk access nor configuration files and runs under an unpriviledged
|
||||
user account. This should allow fast and reliable operation.
|
||||
|
||||
=head2 CONFIGURATION
|
||||
|
||||
A service has the following attributes
|
||||
|
||||
"servicename" => {
|
||||
ip => '127.0.0.1', # ip address
|
||||
port => '10040', # tcp port
|
||||
prio => '10', # optional, lower wins
|
||||
weight => '1', # optional, for items with same prio (weighted round-robin), higher is better
|
||||
timeout => '30', # optional, query timeout in seconds
|
||||
},
|
||||
|
||||
You may define multiple services at the command line. Which means that
|
||||
|
||||
hapolicy -s "grey1=10.0.0.1:10031:10" -s "grey2=10.0.0.2:10031:20"
|
||||
|
||||
will always try first service I<grey1> at ip 10.0.0.1 port 10031 and if that service is not available or
|
||||
does not answer within the default of 30 seconds the next service I<grey2> at ip 10.0.0.2 port 10031 will
|
||||
be queried.
|
||||
|
||||
If you want to load balance connections you may define
|
||||
|
||||
hapolicy -s "polw1=10.0.0.1:12525:10:2" -s "polw2=10.0.0.2:12525:10:1"
|
||||
|
||||
which queries service I<polw1> at ip 10.0.0.1 twice as much as service I<polw2> at ip 10.0.0.2. Note that this
|
||||
setup also ensures high availability for both services. If I<polw1> is not available or does not answer
|
||||
within the default of 30 seconds I<polw2> will be queried and vice versa. There is no reason to define a service twice.
|
||||
|
||||
=head2 INTEGRATION
|
||||
|
||||
Enter the following at the bottom of your postfix master.cf (usually located at /etc/postfix):
|
||||
|
||||
# service description, note the leading blanks at the second line
|
||||
127.0.0.1:10060 inet n n n - 0 spawn
|
||||
user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10
|
||||
|
||||
save the file and open postfix main.cf. Modify it as follows:
|
||||
|
||||
127.0.0.1:10060_time_limit = 3600
|
||||
|
||||
smtpd_recipient_restrictions =
|
||||
permit_mynetworks,
|
||||
... other authed permits ...
|
||||
reject_unauth_destination,
|
||||
... other restrictions ...
|
||||
check_policy_service inet:127.0.0.1:10060 # <- hapolicy query
|
||||
|
||||
Now issue 'postfix reload' at the command line. Of course you can have more enhanced setups
|
||||
using postfix restriction classes. Please see L</LINKS> for further options.
|
||||
|
||||
=head1 LINKS
|
||||
|
||||
[1] Postfix SMTP Access Policy Delegation
|
||||
L<http://www.postfix.org/SMTPD_POLICY_README.html>
|
||||
|
||||
[2] Postfix Per-Client/User/etc. Access Control
|
||||
L<http://www.postfix.org/RESTRICTION_CLASS_README.html>
|
||||
|
||||
=head1 LICENSE
|
||||
|
||||
hapolicy is free software and released under BSD license, which basically means
|
||||
that you can do what you want as long as you keep the copyright notice:
|
||||
|
||||
Copyright (c) 2008, Jan Peter Kessler
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification,
|
||||
are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in
|
||||
the documentation and/or other materials provided with the
|
||||
distribution.
|
||||
* Neither the name of the authors nor the names of his contributors
|
||||
may be used to endorse or promote products derived from this
|
||||
software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
||||
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT,
|
||||
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
||||
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
|
||||
=head1 AUTHOR
|
||||
|
||||
S<Jan Peter Kessler E<lt>info (AT) postfwd (DOT) orgE<gt>>. Let me know, if you have any suggestions.
|
||||
|
||||
=cut
|
||||
|
162
tools/hapolicy/hapolicy.html
Normal file
162
tools/hapolicy/hapolicy.html
Normal file
|
@ -0,0 +1,162 @@
|
|||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html>
|
||||
<head>
|
||||
<title>hapoliy - HA and LB for policy servers</title>
|
||||
<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
|
||||
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
|
||||
<meta name="description" content="hapolicy loadbalancing and high availability for postfix policy servers">
|
||||
<meta name="author" content="jpk">
|
||||
<meta name="keywords" content="hapolicy, policy server loadbalancing, policy server high availability, policy server failure, policy delegation, postfix, Jan, Peter, Kessler">
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<p><a name="__index__"></a></p>
|
||||
<!-- INDEX BEGIN -->
|
||||
|
||||
<ul>
|
||||
|
||||
<li><a href="#name">NAME</a></li>
|
||||
<li><a href="#synopsis">SYNOPSIS</a></li>
|
||||
<li><a href="#description">DESCRIPTION</a></li>
|
||||
<ul>
|
||||
|
||||
<li><a href="#introduction">INTRODUCTION</a></li>
|
||||
<li><a href="#configuration">CONFIGURATION</a></li>
|
||||
<li><a href="#integration">INTEGRATION</a></li>
|
||||
</ul>
|
||||
|
||||
<li><a href="#links">LINKS</a></li>
|
||||
<li><a href="#license">LICENSE</a></li>
|
||||
<li><a href="#author">AUTHOR</a></li>
|
||||
</ul>
|
||||
<!-- INDEX END -->
|
||||
|
||||
<hr />
|
||||
<p>
|
||||
</p>
|
||||
<h1><a name="name">NAME</a></h1>
|
||||
<p>hapolicy - policy delegation high availability script</p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="synopsis">SYNOPSIS</a></h1>
|
||||
<p><strong>hapolicy</strong> [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...]</p>
|
||||
<pre>
|
||||
Services:
|
||||
-s, --service <name>=<address>:<port>[:<prio>:<weight>:<timeout>]</pre>
|
||||
<pre>
|
||||
Options:
|
||||
-d, --default <action> returns <action> if no service was available (default: 'dunno')
|
||||
-l, --logging log requests
|
||||
-v, --verbose increase logging verbosity
|
||||
-L, --stdout log to stdout, for debugging, do NOT use with postfix</pre>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="description">DESCRIPTION</a></h1>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="introduction">INTRODUCTION</a></h2>
|
||||
<p><strong>hapolicy</strong> enables high availability, weighted loadbalancing and a fallback action for postfix policy delegation services. Invoked via postfix spawn it acts as a wrapper that queries
|
||||
other policy servers via tcp connection. The order of the service queries can be influenced by assigning a specific priority and weight to each service. A service is considered 'failing',
|
||||
if the connection is refused or the specified service timeout is reached. If all of the configured policy services were failing, <strong>hapolicy</strong> returns a default action (e.g. dunno) to postfix.</p>
|
||||
<p>With version 1.00 <strong>hapolicy</strong> has less than 200 lines of perl code using only standard perl modules. It does not require any disk access nor configuration files and runs under an unpriviledged
|
||||
user account. This should allow fast and reliable operation.</p>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="configuration">CONFIGURATION</a></h2>
|
||||
<p>A service has the following attributes</p>
|
||||
<pre>
|
||||
"servicename" => {
|
||||
ip => '127.0.0.1', # ip address
|
||||
port => '10040', # tcp port
|
||||
prio => '10', # optional, lower wins
|
||||
weight => '1', # optional, for items with same prio (weighted round-robin), higher is better
|
||||
timeout => '30', # optional, query timeout in seconds
|
||||
},</pre>
|
||||
<p>You may define multiple services at the command line. Which means that</p>
|
||||
<pre>
|
||||
hapolicy -s "grey1=10.0.0.1:10031:10" -s "grey2=10.0.0.2:10031:20"</pre>
|
||||
<p>will always try first service <em>grey1</em> at ip 10.0.0.1 port 10031 and if that service is not available or
|
||||
does not answer within the default of 30 seconds the next service <em>grey2</em> at ip 10.0.0.2 port 10031 will
|
||||
be queried.<br><br>
|
||||
<img src="hapolicy01.png"><br>
|
||||
</p>
|
||||
<p>If you want to load balance connections you may define</p>
|
||||
<pre>
|
||||
hapolicy -s "polw1=10.0.0.1:12525:10:2" -s "polw2=10.0.0.2:12525:10:1"</pre>
|
||||
<p>which queries service <em>polw1</em> at ip 10.0.0.1 twice as much as service <em>polw2</em> at ip 10.0.0.2.<br><br>
|
||||
<img src="hapolicy02.png">
|
||||
<br><br>
|
||||
Note that this
|
||||
setup also ensures high availability for both services. If <em>polw1</em> is not available or does not answer
|
||||
within the default of 30 seconds <em>polw2</em> will be queried and vice versa. There is no reason to define a service twice.</p>
|
||||
<p>
|
||||
</p>
|
||||
<h2><a name="integration">INTEGRATION</a></h2>
|
||||
<p>Enter the following at the bottom of your postfix master.cf (usually located at /etc/postfix):</p>
|
||||
<pre>
|
||||
# service description, note the leading blanks at the second line
|
||||
127.0.0.1:10061 inet n n n - 0 spawn
|
||||
user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10</pre>
|
||||
<p>save the file and open postfix main.cf. Modify it as follows:</p>
|
||||
<pre>
|
||||
127.0.0.1:10061_time_limit = 3600</pre>
|
||||
<pre>
|
||||
smtpd_recipient_restrictions =
|
||||
permit_mynetworks,
|
||||
... other authed permits ...
|
||||
reject_unauth_destination,
|
||||
... other restrictions ...
|
||||
check_policy_service inet:127.0.0.1:10061 # <- hapolicy query</pre>
|
||||
<p>Now issue 'postfix reload' at the command line. Of course you can have more enhanced setups
|
||||
using postfix restriction classes. Please see <a href="#links">LINKS</a> for further options.</p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="links">LINKS</a></h1>
|
||||
<p>[1] Get hapolicy<br>
|
||||
<a href="http://www.postfwd.org/hapolicy/hapolicy">http://www.postfwd.org/hapolicy/hapolicy</a></p>
|
||||
<p>[2] Postfix SMTP Access Policy Delegation<br>
|
||||
<a href="http://www.postfix.org/SMTPD_POLICY_README.html">http://www.postfix.org/SMTPD_POLICY_README.html</a></p>
|
||||
<p>[3] Postfix Per-Client/User/etc. Access Control<br>
|
||||
<a href="http://www.postfix.org/RESTRICTION_CLASS_README.html">http://www.postfix.org/RESTRICTION_CLASS_README.html</a></p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="license">LICENSE</a></h1>
|
||||
<p>hapolicy is free software and released under BSD license, which basically means
|
||||
that you can do what you want as long as you keep the copyright notice:</p>
|
||||
<p>Copyright (c) 2008, Jan Peter Kessler
|
||||
All rights reserved.</p>
|
||||
<p>Redistribution and use in source and binary forms, with or without modification,
|
||||
are permitted provided that the following conditions are met:</p>
|
||||
<pre>
|
||||
* Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in
|
||||
the documentation and/or other materials provided with the
|
||||
distribution.
|
||||
* Neither the name of the authors nor the names of his contributors
|
||||
may be used to endorse or promote products derived from this
|
||||
software without specific prior written permission.</pre>
|
||||
<p>THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
||||
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT,
|
||||
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
||||
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
POSSIBILITY OF SUCH DAMAGE.</p>
|
||||
<p>
|
||||
</p>
|
||||
<hr />
|
||||
<h1><a name="author">AUTHOR</a></h1>
|
||||
<p>Jan Peter Kessler <info (AT) postfwd (DOT) org>. Let me know, if you have any suggestions.</p>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
127
tools/hapolicy/hapolicy.txt
Normal file
127
tools/hapolicy/hapolicy.txt
Normal file
|
@ -0,0 +1,127 @@
|
|||
NAME
|
||||
hapolicy - policy delegation high availability script
|
||||
|
||||
SYNOPSIS
|
||||
hapolicy [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...]
|
||||
|
||||
Services:
|
||||
-s, --service <name>=<address>:<port>[:<prio>:<weight>:<timeout>]
|
||||
|
||||
Options:
|
||||
-d, --default <action> returns <action> if no service was available (default: 'dunno')
|
||||
-l, --logging log requests
|
||||
-v, --verbose increase logging verbosity
|
||||
-L, --stdout log to stdout, for debugging, do NOT use with postfix
|
||||
|
||||
DESCRIPTION
|
||||
INTRODUCTION
|
||||
hapolicy enables high availability, weighted loadbalancing and a
|
||||
fallback action for postfix policy delegation services. Invoked via
|
||||
postfix spawn it acts as a wrapper that queries other policy servers via
|
||||
tcp connection. The order of the service queries can be influenced by
|
||||
assigning a specific priority and weight to each service. A service is
|
||||
considered 'failing', if the connection is refused or the specified
|
||||
service timeout is reached. If all of the configured policy services
|
||||
were failing, hapolicy returns a default action (e.g. dunno) to postfix.
|
||||
|
||||
With version 1.00 hapolicy has less than 200 lines of perl code using
|
||||
only standard perl modules. It does not require any disk access nor
|
||||
configuration files and runs under an unpriviledged user account. This
|
||||
should allow fast and reliable operation.
|
||||
|
||||
CONFIGURATION
|
||||
A service has the following attributes
|
||||
|
||||
"servicename" => {
|
||||
ip => '127.0.0.1', # ip address
|
||||
port => '10040', # tcp port
|
||||
prio => '10', # optional, lower wins
|
||||
weight => '1', # optional, for items with same prio (weighted round-robin), higher is better
|
||||
timeout => '30', # optional, query timeout in seconds
|
||||
},
|
||||
|
||||
You may define multiple services at the command line. Which means that
|
||||
|
||||
hapolicy -s "grey1=10.0.0.1:10031:10" -s "grey2=10.0.0.2:10031:20"
|
||||
|
||||
will always try first service *grey1* at ip 10.0.0.1 port 10031 and if
|
||||
that service is not available or does not answer within the default of
|
||||
30 seconds the next service *grey2* at ip 10.0.0.2 port 10031 will be
|
||||
queried.
|
||||
|
||||
If you want to load balance connections you may define
|
||||
|
||||
hapolicy -s "polw1=10.0.0.1:12525:10:2" -s "polw2=10.0.0.2:12525:10:1"
|
||||
|
||||
which queries service *polw1* at ip 10.0.0.1 twice as much as service
|
||||
*polw2* at ip 10.0.0.2. Note that this setup also ensures high
|
||||
availability for both services. If *polw1* is not available or does not
|
||||
answer within the default of 30 seconds *polw2* will be queried and vice
|
||||
versa. There is no reason to define a service twice.
|
||||
|
||||
INTEGRATION
|
||||
Enter the following at the bottom of your postfix master.cf (usually
|
||||
located at /etc/postfix):
|
||||
|
||||
# service description, note the leading blanks at the second line
|
||||
127.0.0.1:10060 inet n n n - 0 spawn
|
||||
user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10
|
||||
|
||||
save the file and open postfix main.cf. Modify it as follows:
|
||||
|
||||
127.0.0.1:10060_time_limit = 3600
|
||||
|
||||
smtpd_recipient_restrictions =
|
||||
permit_mynetworks,
|
||||
... other authed permits ...
|
||||
reject_unauth_destination,
|
||||
... other restrictions ...
|
||||
check_policy_service inet:127.0.0.1:10060 # <- hapolicy query
|
||||
|
||||
Now issue 'postfix reload' at the command line. Of course you can have
|
||||
more enhanced setups using postfix restriction classes. Please see
|
||||
"LINKS" for further options.
|
||||
|
||||
LINKS
|
||||
[1] Postfix SMTP Access Policy Delegation
|
||||
<http://www.postfix.org/SMTPD_POLICY_README.html>
|
||||
|
||||
[2] Postfix Per-Client/User/etc. Access Control
|
||||
<http://www.postfix.org/RESTRICTION_CLASS_README.html>
|
||||
|
||||
LICENSE
|
||||
hapolicy is free software and released under BSD license, which
|
||||
basically means that you can do what you want as long as you keep the
|
||||
copyright notice:
|
||||
|
||||
Copyright (c) 2008, Jan Peter Kessler All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are
|
||||
met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in
|
||||
the documentation and/or other materials provided with the
|
||||
distribution.
|
||||
* Neither the name of the authors nor the names of his contributors
|
||||
may be used to endorse or promote products derived from this
|
||||
software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
|
||||
NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
||||
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
||||
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
||||
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
AUTHOR
|
||||
Jan Peter Kessler <info (AT) postfwd (DOT) org>. Let me know, if you
|
||||
have any suggestions.
|
||||
|
BIN
tools/hapolicy/hapolicy01.png
Normal file
BIN
tools/hapolicy/hapolicy01.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 28 KiB |
BIN
tools/hapolicy/hapolicy02.png
Normal file
BIN
tools/hapolicy/hapolicy02.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 30 KiB |
|
@ -1,90 +0,0 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# generates per minute stats for generic syslog files
|
||||
# call it:
|
||||
#
|
||||
# lograte.sh [OPTIONS] <logfile>
|
||||
#
|
||||
# or for online monitoring
|
||||
#
|
||||
# tail -f <logfile> | lograte.sh [OPTIONS]
|
||||
#
|
||||
# by JPK
|
||||
|
||||
PATH=/usr/local/bin:/bin:/usr/bin
|
||||
|
||||
# default values
|
||||
PATTERN=".*"
|
||||
MINIMUM=1
|
||||
TOPLIST=10
|
||||
|
||||
# show usage
|
||||
Usage () {
|
||||
{
|
||||
echo "Usage: `basename $0` -m <mincount> -t <topcount> -s <filter> <file> <file> ...";
|
||||
echo " -m minimum events to display"
|
||||
echo " -t how many rankings?"
|
||||
echo " -T print rankings only"
|
||||
echo " -s filter input through this regexp"
|
||||
echo "Example: `basename $0` -m 10 -t 5 -s \"(panic|error)\" /var/log/messages"
|
||||
} >&2
|
||||
}
|
||||
|
||||
# parse arguments
|
||||
while getopts Tt:m:s: o
|
||||
do case "$o" in
|
||||
s) PATTERN="$OPTARG";;
|
||||
m) MINIMUM="$OPTARG";;
|
||||
t) TOPLIST="$OPTARG";;
|
||||
T) TOPONLY=1;;
|
||||
*) Usage;
|
||||
exit 1;;
|
||||
esac
|
||||
done
|
||||
shift `expr $OPTIND - 1`
|
||||
|
||||
# a single awk
|
||||
awk ' ($0 ~ PATTERN) {
|
||||
split($3,TIME,":");
|
||||
CURRTIME=$1 " " $2 " " TIME[1] ":" TIME[2];
|
||||
if (LASTTIME != CURRTIME) {
|
||||
if (COUNT >= MINIMUM) {
|
||||
if (!(TOPONLY == 1)) {
|
||||
printf ( "%s %7d events, %8.2f per sec\n", LASTTIME, COUNT, ( COUNT / 60 ) );
|
||||
};
|
||||
for (i=1;i<=TOPLIST;i++) {
|
||||
if (COUNT > MAXCOUNT[i]) {
|
||||
MAXCOUNT[i+1]=MAXCOUNT[i];
|
||||
MAXCOUNT[i]=COUNT;
|
||||
MAXTIME[i+1]=MAXTIME[i];
|
||||
MAXTIME[i]=LASTTIME;
|
||||
break;
|
||||
};
|
||||
};
|
||||
};
|
||||
COUNT=1;
|
||||
} else {
|
||||
COUNT++;
|
||||
};
|
||||
LASTTIME=CURRTIME;
|
||||
}
|
||||
|
||||
END {
|
||||
if (CURRTIME != "") {
|
||||
if ( (COUNT >= MINIMUM) && (!(TOPONLY == 1)) ) {
|
||||
printf ( "%s %7d events, %8.2f per sec\n\n", LASTTIME, COUNT, ( COUNT / 60 ) );
|
||||
};
|
||||
print "###########";
|
||||
printf ("# TOP %3d #\n",TOPLIST);
|
||||
print "###########";
|
||||
for (i=1;i<=TOPLIST;i++) {
|
||||
printf ( "# TOP %3d:\t%s %7d events, %8.2f per sec\n", i, MAXTIME[i], MAXCOUNT[i], ( MAXCOUNT[i] / 60 ) );;
|
||||
};
|
||||
exit 0;
|
||||
} else {
|
||||
exit 1;
|
||||
};
|
||||
}' PATTERN="${PATTERN}" MINIMUM="${MINIMUM}" TOPLIST="${TOPLIST}" TOPONLY="${TOPONLY}" $*
|
||||
|
||||
# set exitcode=1 if no matching lines found
|
||||
exit $?
|
Loading…
Reference in a new issue