debian/postfwd
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Imported Upstream version 1.10pre8b

Browse source
This commit is contained in:
Jan Wagner 2013-11-05 17:32:27 +01:00
parent 8b6b3ca881
commit b5012c41b3
9 changed files with 1172 additions and 964 deletions
Download patch file Download diff file Expand all files Collapse all files

49
bin/postfwd-script.sh
View file

@ -10,6 +10,8 @@ PATH=/bin:/usr/bin:/usr/local/bin
PFWCMD=/usr/local/postfwd/sbin/postfwd
# rulesetconfig file
PFWCFG=/etc/postfix/postfwd.cf
# pidfile
PFWPID=/var/tmp/postfwd.pid
# daemon settings
PFWUSER=nobody
@ -23,45 +25,32 @@ PFWARG="--shortlog --summary=600 --cache=600 --cache-rbl-timeout=3600 --cleanup-
## should be no need to change below
P1="`basename ${PFWCMD}`"; P2="`basename $0`";
PIDS="`ps -aef | grep "${P1}" | grep -v "${P2}" | grep -v grep | awk '{print $2}' | sort -nr`"
P1="`basename ${PFWCMD}`"
case "$1" in
start*) if [ -n "${PIDS}" ]; then
echo "Process called \"${P1}\" already found at PID ${PIDS}. Please use \"${P2} restart\" instead." ;
false;
else
echo "Starting ${P1}...";
${PFWCMD} ${PFWARG} --daemon --file=${PFWCFG} --interface=${PFWINET} --port=${PFWPORT} --user=${PFWUSER} --group=${PFWGROUP};
fi ;
start*) echo "Starting ${P1}...";
${PFWCMD} ${PFWARG} --daemon --file=${PFWCFG} --interface=${PFWINET} --port=${PFWPORT} --user=${PFWUSER} --group=${PFWGROUP} --pidfile=${PFWPID};
;;
debug*) if [ -n "${PIDS}" ]; then
echo "Process called \"${P1}\" already found at PID ${PIDS}. Please use \"${P2} restart\" instead." ;
false;
else
echo "Starting ${P1} in DEBUG mode...";
${PFWCMD} ${PFWARG} -vv --daemon --file=${PFWCFG} --interface=${PFWINET} --port=${PFWPORT} --user=${PFWUSER} --group=${PFWGROUP};
fi ;
;;
debug*) echo "Starting ${P1} in debug mode...";
${PFWCMD} ${PFWARG} -vv --daemon --file=${PFWCFG} --interface=${PFWINET} --port=${PFWPORT} --user=${PFWUSER} --group=${PFWGROUP} --pidfile=${PFWPID};
;;
stop*) if [ -z "${PIDS}" ]; then
echo "No process called \"${P1}\" found" ;
false;
else
stop*) if [ -f "${PFWPID}" ]; then
echo "Stopping ${P1}...";
for pid in ${PIDS}; do kill ${pid}; done ;
kill `cat ${PFWPID}`;
else
echo "Pidfile \"${PFWPID}\" not found" ;
false;
fi ;
;;
reload*) if [ -z "${PIDS}" ]; then
echo "No process called \"${P1}\" found" ;
false;
reload*) if [ -f "${PFWPID}" ]; then
echo "Stopping ${P1}...";
kill -HUP `cat ${PFWPID}`;
else
echo "Refreshing ${P1}...";
for pid in ${PIDS}; do kill -HUP ${pid}; done ;
echo "Pidfile \"${PFWPID}\" not found" ;
false;
fi ;
;;
@ -71,7 +60,7 @@ case "$1" in
;;
*) echo "Unknown argument \"$1\"" >&2;
echo "Usage: ${P2} {start|stop|reload|restart}" >&2;
echo "Usage: `basename $0` {start|stop|reload|restart}" >&2;
exit 1;;
esac
exit $?

38
doc/CHANGELOG
View file

@ -1,12 +1,43 @@
**************************************************************************************************
ATTENTION: requirements changed - as dns queries are now performed asynchronously, postfwd from
v1.10pre2 and above needs the perl module Net::DNS::Async! it is available via CPAN
and installed for my tests without any problems on different linux and solaris systems
ATTENTION: requirements changed - postfwd since v1.10pre8 now uses Net::DNS.
Net::DNS::Async and Net::CIDR::Lite are not required anymore.
NOTE: please see the docs ('postfwd -m' or 'perldoc postfwd') for more information
**************************************************************************************************
1.10pre8b
==========
- bugfix: fixed two warnings about logging of undefined values in verbose mode
1.10pre8a
==========
- bugfix: item plugins have been made available as cache-id items. this fixes a minor issue with
--cache-rdomain-only and version 1.10pre8
1.10pre8
=========
- code: Net::DNS::Async is no longer used. The parameters --dns_queuesize and
--dns_retries are still valid but have no function. The option --dns_timeout
now defaults to 14s and applies to all rules containing dns items.
- code: Net::CIDR::Lite is not required any longer.
- feature: the new variable $$request_hits contains a list of all matching ruleids
- feature: the new variable $$dnsbltext allows access to txt records of rbls
- feature: new options --no-rulestats and --nodnslog
- feature: ttls of the dns responses override --cache-rbl-timeout when bigger, which means
that you can set the option to 0 if you want to use the ttl of the dns answer.
- feature: new item "rhsbl_helo" allows to check helo against rhsbls
- bugfix: disabled fallback to synchronous dns on timed out rbls, default is now
to disable non responding dnsbls after 11 timeouts for 1200 seconds.
use --dns_timeout_max and --dns_timeout_interval to adjust these settings.
- bugfix: days=Wed now means exactly Wednesday. to use a range you may
still specify days=Wed- days=-Wed and days=Tue-Thu
this applies to all date and time items
- code: --shortlog is now default behaviour (use -v to see more)
- code: changed Net::Server behaviour to ignore syslog errors
1.10pre7c
==========
- note: 1.10pre7c does not contain any code-changes to the postfwd daemon.
@ -177,3 +208,4 @@ NOTE: please see the docs ('postfwd -m' or 'perldoc postfwd') for more inf
=====
- first public beta version

142
doc/postfwd.html
View file

@ -1,11 +1,15 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>postfwd - postfix firewall daemon</title>
<link rev="made" href="mailto:root@localhost" />
<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
<meta name="description" content="postfwd a postfix firewall policy daemon">
<meta name="author" content="jpk">
<meta name="keywords" content="postfwd, postfwd usage, postfwd manual, postfix, policy, policy delegation, firewall, postfix acl, postfix acls, pfwpolicy, postfw, restrictions, IT-Security, IT-Consulting, Jan, Peter, Kessler">
</head>
<body style="background-color: white">
<body>
<p><a name="__index__"></a></p>
<!-- INDEX BEGIN -->
@ -22,6 +26,7 @@
<li><a href="#items">ITEMS</a></li>
<li><a href="#actions">ACTIONS</a></li>
<li><a href="#macros_acls">MACROS/ACLS</a></li>
<li><a href="#plugins">PLUGINS</a></li>
<li><a href="#command_line">COMMAND LINE</a></li>
<li><a href="#refresh">REFRESH</a></li>
<li><a href="#examples">EXAMPLES</a></li>
@ -62,8 +67,9 @@
-u, --user &lt;name&gt; set uid to user &lt;name&gt;
-g, --group &lt;name&gt; set gid to group &lt;name&gt;
-R, --chroot &lt;path&gt; chroot the daemon to &lt;path&gt;
--pidfile &lt;path&gt; create pidfile under &lt;path&gt;
-l, --logname &lt;label&gt; label for syslog messages
--pidfile &lt;path&gt; create pidfile under &lt;path&gt;</pre>
--loglen &lt;int&gt; truncates syslogs after &lt;int&gt; chars</pre>
<pre>
Caching:
-c, --cache &lt;int&gt; sets the request-cache timeout to &lt;int&gt; seconds
@ -80,23 +86,25 @@
Optional:
-t, --test testing, always returns &quot;dunno&quot;
-v, --verbose verbose logging, use twice (-vv) to increase level
--shortlog disables logging of some postfwd commands
-S, --summary &lt;int&gt; show some usage statistics every &lt;int&gt; seconds
--no-rulestats disables per rule statistics
-n, --nodns disable dns
--dns_queuesize sets the queue size for asynchonous dns queries
--dns_retries how many retries for a single asynchonous dns query
--nodnslog disable dns logging
--dns_timeout timeout in seconds for asynchonous dns queries
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
--dns_timeout_interval interval in seconds for dns timeout maximum counter
-I, --instantcfg re-reads rulefiles for every new request</pre>
<pre>
Informational (use only at command-line, not with postfix!):
Informational (use only at command-line!):
-C, --showconfig shows ruleset summary, -v for verbose
-L, --stdoutlog redirect syslog messages to stdout
-P, --perfmon no syslogging, no stdout
-V, --version shows program version
-h, --help shows usage
-m, --manual shows program manual</pre>
<pre>
Plugins:
--plugins &lt;file&gt; loads plugins from &lt;file&gt;</pre>
<p>
</p>
<hr />
@ -161,7 +169,16 @@ arguments. Please see the COMMAND LINE section below for more information on thi
id - a unique rule id, which can be used for log analysis
ids also serve as targets for the &quot;jump&quot; command.</pre>
<pre>
date, time - a time or date range within the specified rule shall hit</pre>
date, time - a time or date range within the specified rule shall hit
# FORMAT:
# Feb, 29th
date=29.02.2008
# Dec, 24th - 26th
date=24.12.2008-26.12.2008
# from today until Nov, 23rd
date=-23.09.2008
# from April, 1st until today
date=01.04.2008-</pre>
<pre>
days, months - a range of weekdays (Sun-Sat) or months (Jan-Dec)
within the specified rule shall hit</pre>
@ -354,20 +371,25 @@ rule containing only an action statement:</p>
<pre>
rblcount - contains the number of RBL answers
rhsblcount - contains the number of RHSBL answers
matches - contains the number of matched items</pre>
<p>This means that you must save them, if you plan to use these values in later rules:</p>
matches - contains the number of matched items
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
rbltype:rblname:&lt;txt&gt;; rbltype:rblname:&lt;txt&gt;; ...</pre>
<p>These special attributes will be changed for any matching rule:</p>
<pre>
request_hits - contains ids of all matching rules</pre>
<p>This means that it might be necessary to save them, if you plan to use these values in later rules:</p>
<pre>
# set vals
id=RBL01 ; rhsblcount=all ; rblcount=all ; \
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)</pre>
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)</pre>
<pre>
# compare
id=RBL02 ; HIT_rhls&gt;=1 ; HIT_rbls&gt;=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
id=RBL03 ; HIT_rhls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
id=RBL04 ; HIT_rbls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs</pre>
id=RBL02 ; HIT_rhls&gt;=1 ; HIT_rbls&gt;=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
id=RBL03 ; HIT_rhls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
id=RBL04 ; HIT_rbls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]</pre>
<p>
</p>
<h2><a name="macros_acls">MACROS/ACLS</a></h2>
@ -409,6 +431,10 @@ First the macros have to be defined as follows:</p>
<p>Basically macros are simple text substitutions - see the <a href="#parser">PARSER</a> section for more information.</p>
<p>
</p>
<h2><a name="plugins">PLUGINS</a></h2>
<p>Please visit <a href="http://www.postfwd.org/postfwd.plugins">http://www.postfwd.org/postfwd.plugins</a></p>
<p>
</p>
<h2><a name="command_line">COMMAND LINE</a></h2>
<p><em>Ruleset</em></p>
<p>The following arguments are used to specify the source of the postfwd ruleset. This means
@ -421,13 +447,18 @@ that at least one of the following is required for postfwd to work.</p>
-r, --rule &lt;rule&gt;
Adds &lt;rule&gt; to ruleset. Remember that you might have to quote
strings that contain whitespaces or shell characters.</pre>
<p><em>Plugins</em></p>
<pre>
--plugins
A file containing plugin routines for postfwd. Please see the
PLUGINS section for more information.</pre>
<p><em>Scoring</em></p>
<pre>
-s, --scores &lt;val&gt;=&lt;action&gt;
Returns &lt;action&gt; to postfix, when the request's score exceeds &lt;val&gt;</pre>
<p>Multiple usage is allowed. Just chain your arguments, like:</p>
<pre>
postfwd -r &quot;&lt;item&gt;=&lt;value&gt;;action=&lt;result&gt;&quot; -f &lt;file&gt; -f &lt;file&gt; ...
postfwd -r &quot;&lt;item&gt;=&lt;value&gt;;action=&lt;result&gt;&quot; -f &lt;file&gt; -f &lt;file&gt; --plugins &lt;file&gt; ...
or
postfwd --scores 4.5=&quot;WARN high score&quot; --scores 5.0=&quot;REJECT postfwd score too high&quot; ...</pre>
<p>In case of multiple scores, the highest match will count. The order of the arguments will be
@ -455,13 +486,16 @@ The following arguments will control it's behaviour in this case.</p>
-R, --chroot &lt;path&gt;
Chroot the process to the specified path.
Test this before using - you might need some libs there.</pre>
<pre>
--pidfile &lt;path&gt;
The process id will be saved in the specified file.</pre>
<pre>
-l, --logname &lt;label&gt;
Labels the syslog messages. Useful when running multiple
instances of postfwd.</pre>
<pre>
--pidfile &lt;path&gt;
The process id will be saved in the specified file.</pre>
--loglen &lt;int&gt;
Truncates any syslog message after &lt;int&gt; characters.</pre>
<p><em>Optional arguments</em></p>
<p>These parameters influence the way postfwd is working. Any of them can be combined.</p>
<pre>
@ -535,13 +569,13 @@ The following arguments will control it's behaviour in this case.</p>
Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Rule ID: R-002 matched: 9351 times
Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Rule ID: R-003 matched: 3116 times
...</pre>
<pre>
--no-rulestats
Disables per rule statistics. Keeps your log clean, if you do not use them.
This option has no effect without --summary or --verbose set.</pre>
<pre>
-L, --stdoutlog
Redirects all syslog messages to stdout for debugging. Never use this with postfix!</pre>
<pre>
--shortlog
As postfwd now logs all hits for a request, you might find it unecessary to log the
postfwd actions jump(), set() and score(). You may disable it with this option.</pre>
<pre>
-t, --test
In test mode postfwd always returns &quot;dunno&quot;, but logs according
@ -551,15 +585,10 @@ The following arguments will control it's behaviour in this case.</p>
Disables all DNS based checks like RBL checks. Rules containing
such elements will be ignored.</pre>
<pre>
--dns_queuesize (default: 100)
Sets the queue size for asynchonous dns queries. If the query exceeds this value,
postfwd waits for answers of timeouts for previous queries.</pre>
-n, --nodnslog
Disables logging of dns events.</pre>
<pre>
--dns_retries (default: 3)
Sets the retry counter for asynchonous dns queries. This value will apply to
every single query.</pre>
<pre>
--dns_timeout (default: 7)
--dns_timeout (default: 14)
Sets the timeout for asynchonous dns queries in seconds. This value will apply to
all dns items in a rule.</pre>
<pre>
@ -723,11 +752,11 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
...
};
&amp;&amp;MAINTENANCE { \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.07.2007 ; \
date=15.10.2007 ; \
time=03:00:00-04:00:00 ; \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.07.2007 ; \
date=15.10.2007 ; \
time=03:00:00 - 04:00:00 ; \
};
# rules
id=COMBINED ; &amp;&amp;RBLS ; &amp;&amp;DYNAMIC ; action=REJECT dynamic client and listed on RBL
@ -742,14 +771,11 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
id=REJECT02 ; HIT_rbls==1 ; HIT_dyna==1 ; action=REJECT please see <a href="http://some.org/info?reject=02">http://some.org/info?reject=02</a> for more info
id=REJECT03 ; HIT_helo==1 ; HIT_dyna==1 ; action=REJECT please see <a href="http://some.org/info?reject=03">http://some.org/info?reject=03</a> for more info</pre>
<pre>
# combined with enhanced rbl features
# set vals
## combined with enhanced rbl features
#
id=RBL01 ; rhsblcount=all ; rblcount=all ; &amp;&amp;RBLS ; &amp;&amp;RHSBLS ; \
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
# compare
id=RBL02 ; HIT_rhls&gt;=1 ; HIT_rbls&gt;=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
id=RBL03 ; HIT_rhls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
id=RBL04 ; HIT_rbls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs</pre>
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
id=RBL02 ; HIT_dnsbls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]</pre>
<p>
</p>
<h2><a name="parser">PARSER</a></h2>
@ -794,7 +820,7 @@ verbority using use the ``-v'' or ``-vv'' switch. ``-L'' redirects log messages
id=R001; sender=bob@alice.local; client_address=192.168.1.1; action=dunno</pre>
<p>Lists will be evaluated in the specified order. This allows to place faster expressions at first:</p>
<pre>
postfwd -vv -L -r &quot;id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT&quot; /root/request.sample</pre>
postfwd -vv -L -r &quot;id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT&quot; /some/where/request.sample</pre>
<p>produces the following</p>
<pre>
[LOGS info]: compare rbl: &quot;remotehost.remote.net[68.10.1.7]&quot; -&gt; &quot;localrbl.local&quot;
@ -810,7 +836,7 @@ verbority using use the ``-v'' or ``-vv'' switch. ``-L'' redirects log messages
[LOGS info]: Action: dunno</pre>
<p>The negation operator !!(&lt;value&gt;) has the highest priority and therefore will be evaluated first. Then variable substitutions are performed:</p>
<pre>
postfwd -vv -L -r &quot;id=TEST; action=REJECT; client_name=!!($$heloname)&quot; /root/request.sample</pre>
postfwd -vv -L -r &quot;id=TEST; action=REJECT; client_name=!!($$heloname)&quot; /some/where/request.sample</pre>
<p>will give</p>
<pre>
[LOGS info]: compare client_name: &quot;unknown&quot; -&gt; &quot;!!($$helo_name)&quot;
@ -924,13 +950,14 @@ listening on the specified network settings.</p>
</p>
<h2><a name="performance">PERFORMANCE</a></h2>
<p>Some of these proposals might not match your environment. Please check your requirements and test new options carefully!</p>
<p>- use caching options
- use the correct match operator ==, &lt;=, &gt;=
- use ^ and $ in regular expressions
- use item lists (faster than single rules)
- use <code>set()</code> action on repeated item lists
- use jump action
- use pre-lookup rule for rbl/rhsbls with empty <code>note()</code> action</p>
<pre>
- use caching options
- use the correct match operator ==, &lt;=, &gt;=
- use ^ and/or $ in regular expressions
- use item lists (faster than single rules)
- use set() action on repeated item lists
- use jumps and rate limits
- use a pre-lookup rule for rbl/rhsbls with empty note() action</pre>
<p>
</p>
<h2><a name="see_also">SEE ALSO</a></h2>
@ -969,8 +996,17 @@ POSSIBILITY OF SUCH DAMAGE.</p>
</p>
<hr />
<h1><a name="author">AUTHOR</a></h1>
<p>Jan&nbsp;Peter&nbsp;Kessler&nbsp;&lt;info&nbsp;(AT)&nbsp;postfwd&nbsp;(DOT)&nbsp;org&gt;. Let me know, if you have any suggestions.</p>
<p>Jan&nbsp;Peter&nbsp;Kessler&nbsp;&lt;info (AT) postfwd (DOT) org&gt;. Let me know, if you have any suggestions.</p>
<p><center>
<table border="1" color="black" frame="hsides" rules="none" width="100%">
<td width="33%" align="left"><small>http://www.postfwd.org/doc.html</small>
<td width="34%" align="center"><small>2007 by <a href="http://www.jpkessler.de/">Jan Peter Kessler</a></small>
<td width="33%" align="right"><small>info (AT) postfwd (DOT) org</small>
</table>
</center></p>
</body>
</html>

113
doc/postfwd.txt
View file

@ -18,8 +18,9 @@ SYNOPSIS
-u, --user <name> set uid to user <name>
-g, --group <name> set gid to group <name>
-R, --chroot <path> chroot the daemon to <path>
-l, --logname <label> label for syslog messages
--pidfile <path> create pidfile under <path>
-l, --logname <label> label for syslog messages
--loglen <int> truncates syslogs after <int> chars
Caching:
-c, --cache <int> sets the request-cache timeout to <int> seconds
@ -36,17 +37,16 @@ SYNOPSIS
Optional:
-t, --test testing, always returns "dunno"
-v, --verbose verbose logging, use twice (-vv) to increase level
--shortlog disables logging of some postfwd commands
-S, --summary <int> show some usage statistics every <int> seconds
--no-rulestats disables per rule statistics
-n, --nodns disable dns
--dns_queuesize sets the queue size for asynchonous dns queries
--dns_retries how many retries for a single asynchonous dns query
--nodnslog disable dns logging
--dns_timeout timeout in seconds for asynchonous dns queries
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
--dns_timeout_interval interval in seconds for dns timeout maximum counter
-I, --instantcfg re-reads rulefiles for every new request
Informational (use only at command-line, not with postfix!):
Informational (use only at command-line!):
-C, --showconfig shows ruleset summary, -v for verbose
-L, --stdoutlog redirect syslog messages to stdout
-P, --perfmon no syslogging, no stdout
@ -54,6 +54,9 @@ SYNOPSIS
-h, --help shows usage
-m, --manual shows program manual
Plugins:
--plugins <file> loads plugins from <file>
DESCRIPTION
INTRODUCTION
postfwd is written to combine complex postfix restrictions in a ruleset
@ -138,6 +141,15 @@ DESCRIPTION
ids also serve as targets for the "jump" command.
date, time - a time or date range within the specified rule shall hit
# FORMAT:
# Feb, 29th
date=29.02.2008
# Dec, 24th - 26th
date=24.12.2008-26.12.2008
# from today until Nov, 23rd
date=-23.09.2008
# from April, 1st until today
date=01.04.2008-
days, months - a range of weekdays (Sun-Sat) or months (Jan-Dec)
within the specified rule shall hit
@ -360,21 +372,27 @@ DESCRIPTION
rblcount - contains the number of RBL answers
rhsblcount - contains the number of RHSBL answers
matches - contains the number of matched items
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
This means that you must save them, if you plan to use these values in
later rules:
These special attributes will be changed for any matching rule:
request_hits - contains ids of all matching rules
This means that it might be necessary to save them, if you plan to use
these values in later rules:
# set vals
id=RBL01 ; rhsblcount=all ; rblcount=all ; \
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
# compare
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
MACROS/ACLS
Multiple use of long items or combinations of them may be abbreviated by
@ -420,6 +438,9 @@ DESCRIPTION
Basically macros are simple text substitutions - see the "PARSER"
section for more information.
PLUGINS
Please visit <http://www.postfwd.org/postfwd.plugins>
COMMAND LINE
*Ruleset*
@ -435,6 +456,12 @@ DESCRIPTION
Adds <rule> to ruleset. Remember that you might have to quote
strings that contain whitespaces or shell characters.
*Plugins*
--plugins
A file containing plugin routines for postfwd. Please see the
PLUGINS section for more information.
*Scoring*
-s, --scores <val>=<action>
@ -442,7 +469,7 @@ DESCRIPTION
Multiple usage is allowed. Just chain your arguments, like:
postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> ...
postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
or
postfwd --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd score too high" ...
@ -475,12 +502,15 @@ DESCRIPTION
Chroot the process to the specified path.
Test this before using - you might need some libs there.
--pidfile <path>
The process id will be saved in the specified file.
-l, --logname <label>
Labels the syslog messages. Useful when running multiple
instances of postfwd.
--pidfile <path>
The process id will be saved in the specified file.
--loglen <int>
Truncates any syslog message after <int> characters.
*Optional arguments*
@ -558,13 +588,13 @@ DESCRIPTION
Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Rule ID: R-003 matched: 3116 times
...
--no-rulestats
Disables per rule statistics. Keeps your log clean, if you do not use them.
This option has no effect without --summary or --verbose set.
-L, --stdoutlog
Redirects all syslog messages to stdout for debugging. Never use this with postfix!
--shortlog
As postfwd now logs all hits for a request, you might find it unecessary to log the
postfwd actions jump(), set() and score(). You may disable it with this option.
-t, --test
In test mode postfwd always returns "dunno", but logs according
to it`s ruleset. -v will be set automatically with this option.
@ -573,15 +603,10 @@ DESCRIPTION
Disables all DNS based checks like RBL checks. Rules containing
such elements will be ignored.
--dns_queuesize (default: 100)
Sets the queue size for asynchonous dns queries. If the query exceeds this value,
postfwd waits for answers of timeouts for previous queries.
-n, --nodnslog
Disables logging of dns events.
--dns_retries (default: 3)
Sets the retry counter for asynchonous dns queries. This value will apply to
every single query.
--dns_timeout (default: 7)
--dns_timeout (default: 14)
Sets the timeout for asynchonous dns queries in seconds. This value will apply to
all dns items in a rule.
@ -746,11 +771,11 @@ DESCRIPTION
...
};
&&MAINTENANCE { \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.07.2007 ; \
date=15.10.2007 ; \
time=03:00:00-04:00:00 ; \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.07.2007 ; \
date=15.10.2007 ; \
time=03:00:00 - 04:00:00 ; \
};
# rules
id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL
@ -765,14 +790,11 @@ DESCRIPTION
id=REJECT02 ; HIT_rbls==1 ; HIT_dyna==1 ; action=REJECT please see http://some.org/info?reject=02 for more info
id=REJECT03 ; HIT_helo==1 ; HIT_dyna==1 ; action=REJECT please see http://some.org/info?reject=03 for more info
# combined with enhanced rbl features
# set vals
## combined with enhanced rbl features
#
id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
# compare
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]
PARSER
*Configuration*
@ -834,7 +856,7 @@ DESCRIPTION
Lists will be evaluated in the specified order. This allows to place
faster expressions at first:
postfwd -vv -L -r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /root/request.sample
postfwd -vv -L -r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /some/where/request.sample
produces the following
@ -853,7 +875,7 @@ DESCRIPTION
The negation operator !!(<value>) has the highest priority and therefore
will be evaluated first. Then variable substitutions are performed:
postfwd -vv -L -r "id=TEST; action=REJECT; client_name=!!($$heloname)" /root/request.sample
postfwd -vv -L -r "id=TEST; action=REJECT; client_name=!!($$heloname)" /some/where/request.sample
will give
@ -1006,10 +1028,13 @@ DESCRIPTION
Some of these proposals might not match your environment. Please check
your requirements and test new options carefully!
- use caching options - use the correct match operator ==, <=, >= - use
^ and $ in regular expressions - use item lists (faster than single
rules) - use set() action on repeated item lists - use jump action - use
pre-lookup rule for rbl/rhsbls with empty note() action
- use caching options
- use the correct match operator ==, <=, >=
- use ^ and/or $ in regular expressions
- use item lists (faster than single rules)
- use set() action on repeated item lists
- use jumps and rate limits
- use a pre-lookup rule for rbl/rhsbls with empty note() action
SEE ALSO
See <http://www.postfix.org/SMTPD_POLICY_README.html> for a description

89
etc/postfwd.cf
View file

@ -1,9 +1,11 @@
#################################################################################################
###################################################################################################
##
## ATTENTION: This example configuration uses features which require postfwd 1.10pre6!
## ATTENTION: This example configuration uses features which require at least postfwd 1.10pre6!
## Please see the manual ('postfwd -m') for example syntax for prior versions.
##
#################################################################################################
###################################################################################################
##
@ -12,11 +14,11 @@
# Maintenance times
&&MAINTENANCE { \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.07.2007 ; \
date=15.10.2007 ; \
time=03:00:00-04:00:00 ; \
date=15.01.2007 - 15.01.2007 ; \
date=15.04.2007 - 15.04.2007 ; \
date=15.07.2007 - 15.07.2007 ; \
date=15.10.2007 - 15.10.2007 ; \
time=03:00:00 - 04:00:00 ; \
};
# Whitelists
@ -48,6 +50,13 @@
client_name~=[\.\-]static[[\.\-] ; \
client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. ; \
};
&&DNSWLS { \
rbl=list.dnswl.org ; \
rbl=exemptions.ahbl.org ; \
rbl=query.bondedsender.org ; \
rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \
rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \
};
# Spamchecks
&&BADHELO { \
@ -59,17 +68,15 @@
client_name~=\d{5} ; \
client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-] ; \
};
&&RBLS { \
&&DNSBLS { \
rbl=zen.spamhaus.org ; \
rbl=list.dsbl.org ; \
rbl=bl.spamcop.net ; \
rbl=dnsbl.sorbs.net ; \
rbl=ix.dnsbl.manitu.net ; \
};
&&RHSBLS { \
rhsbl=rddn.dnsbl.net.au ; \
rhsbl=rhsbl.ahbl.org ; \
rhsbl=rhsbl.sorbs.net ; \
rhsbl=rddn.dnsbl.net.au ; \
rhsbl=rhsbl.ahbl.org ; \
rhsbl=rhsbl.sorbs.net ; \
};
@ -89,32 +96,38 @@ id=WL_002 ; &&TRUSTED_HOSTS ; action=dunno
id=WL_003 ; &&TRUSTED_USERS ; action=dunno
id=WL_004 ; &&TRUSTED_TLS ; action=dunno
# DNSBL checks
id=RBL_001 ; &&RHSBLS ; &&RBLS ; \
rhsblcount=all ; rblcount=all ; \
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
id=RBL_002 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
id=RBL_003 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
id=RBL_004 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs
id=RBL_005 ; HIT_rbls>=1 ; &&DYNAMIC ; action=REJECT listed on RBL and $$client_name looks like dynip
id=RBL_006 ; HIT_rhls>=1 ; &&DYNAMIC ; action=REJECT listed on RHSBL and $$client_name looks like dynip
id=RBL_007 ; HIT_rbls>=1 ; &&BADHELO ; action=REJECT listed on RBL and $$helo_name does not match $$client_name
id=RBL_008 ; HIT_rhls>=1 ; &&BADHELO ; action=REJECT listed on RHSBL and $$helo_name does not match $$client_name
# DNSWL checks - lookup
id=RWL_001 ; &&DNSWLS ; rhsblcount=all ; rblcount=all ; \
action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext)
# DNSWL - whitelisting
id=RWL_002 ; HIT_dnswls>=2 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text]
id=RWL_003 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; &&STATIC
id=RWL_004 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; $$client_name~=$$(sender_domain)$
# DNSBL checks - lookup
id=RBL_001 ; &&DNSBLS ; rhsblcount=all ; rblcount=all ; \
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext)
# DNSBL checks - evaluation
id=RBL_002 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text]
id=RBL_003 ; HIT_dnsbls>=1 ; &&DYNAMIC ; action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text]
id=RBL_004 ; HIT_dnsbls>=1 ; &&BADHELO ; action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text]
# Rate limits
id=RATE_001 ; &&DYNAMIC ; action=rate($$client_address/1/300/450 4.7.1 please do not send more than once per 5 minutes)
id=RATE_002 ; HIT_rhls>=1 ; action=rate($$client_address/1/300/450 4.7.1 please do not send more than once per 5 minutes)
id=RATE_003 ; HIT_rbls>=1 ; action=rate($$client_address/1/300/450 4.7.1 please do not send more than once per 5 minutes)
id=RATE_004 ; sasl_username==boss ; action=size($$sasl_username/30000000/300/450 4.7.1 please do not send more than 30mb within 5 minutes)
id=RATE_005 ; sasl_username~=\w ; action=size($$sasl_username/10000000/300/450 4.7.1 please do not send more than 10mb within 5 minutes)
id=RATE_001 ; HIT_dnsbls>=1; \
action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
id=RATE_002 ; &&DYNAMIC ; \
action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
# Selective greylisting
id=GREY_001 ; action=dunno ; &&STATIC
id=GREY_002 ; action=dunno ; $$client_name~=$$(sender_domain)$
id=GREY_003 ; action=greylisting ; &&DYNAMIC
id=GREY_004 ; action=greylisting ; HIT_rhls>=1
id=GREY_005 ; action=greylisting ; HIT_rbls>=1
# greylisting should be safe during out-of-office times
id=GREY_006 ; action=greylisting ; days=Sat-Sun
id=GREY_007 ; action=greylisting ; days=Mon-Fri ; time=!!06:00:00-20:00:00
id=GREY_001 ; action=dunno ; &&STATIC
id=GREY_002 ; action=dunno ; $$client_name~=$$(sender_domain)$
id=GREY_003 ; action=dunno ; HIT_dnswls>=1
id=GREY_004 ; action=greylisting ; &&DYNAMIC
id=GREY_005 ; action=greylisting ; HIT_dnsbls>=1
# Greylisting should be safe during out-of-office times
id=GREY_006 ; action=greylisting ; days=Sat-Sun
id=GREY_007 ; action=greylisting ; days=Mon-Fri ; time=!!06:00:00-20:00:00

144
man/man8/postfwd.8
View file

@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "POSTFWD 8"
.TH POSTFWD 8 "2008-05-12" "perl v5.8.5" "User Contributed Perl Documentation"
.TH POSTFWD 8 "2008-09-14" "perl v5.8.5" "User Contributed Perl Documentation"
.SH "NAME"
postfwd \- postfix firewall daemon
.SH "SYNOPSIS"
@ -147,7 +147,7 @@ postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
\& -s, --scores <v>=<r> returns <r> when score exceeds <v>
.Ve
.PP
.Vb 9
.Vb 10
\& Networking:
\& -d, --daemon run postfwd as daemon
\& -i, --interface <dev> listen on interface <dev>
@ -155,8 +155,9 @@ postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
\& -u, --user <name> set uid to user <name>
\& -g, --group <name> set gid to group <name>
\& -R, --chroot <path> chroot the daemon to <path>
\& -l, --logname <label> label for syslog messages
\& --pidfile <path> create pidfile under <path>
\& -l, --logname <label> label for syslog messages
\& --loglen <int> truncates syslogs after <int> chars
.Ve
.PP
.Vb 11
@ -173,15 +174,14 @@ postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
\& --cleanup-rates cleanup interval in seconds for rate cache
.Ve
.PP
.Vb 12
.Vb 11
\& Optional:
\& -t, --test testing, always returns "dunno"
\& -v, --verbose verbose logging, use twice (-vv) to increase level
\& --shortlog disables logging of some postfwd commands
\& -S, --summary <int> show some usage statistics every <int> seconds
\& --no-rulestats disables per rule statistics
\& -n, --nodns disable dns
\& --dns_queuesize sets the queue size for asynchonous dns queries
\& --dns_retries how many retries for a single asynchonous dns query
\& --nodnslog disable dns logging
\& --dns_timeout timeout in seconds for asynchonous dns queries
\& --dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
\& --dns_timeout_interval interval in seconds for dns timeout maximum counter
@ -189,7 +189,7 @@ postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
.Ve
.PP
.Vb 7
\& Informational (use only at command-line, not with postfix!):
\& Informational (use only at command-line!):
\& -C, --showconfig shows ruleset summary, -v for verbose
\& -L, --stdoutlog redirect syslog messages to stdout
\& -P, --perfmon no syslogging, no stdout
@ -197,6 +197,11 @@ postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
\& -h, --help shows usage
\& -m, --manual shows program manual
.Ve
.PP
.Vb 2
\& Plugins:
\& --plugins <file> loads plugins from <file>
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
.Sh "\s-1INTRODUCTION\s0"
@ -286,8 +291,17 @@ Rules can span multiple lines by adding a trailing backslash \*(L"\e\*(R" charac
\& ids also serve as targets for the "jump" command.
.Ve
.PP
.Vb 1
.Vb 10
\& date, time - a time or date range within the specified rule shall hit
\& # FORMAT:
\& # Feb, 29th
\& date=29.02.2008
\& # Dec, 24th - 26th
\& date=24.12.2008-26.12.2008
\& # from today until Nov, 23rd
\& date=-23.09.2008
\& # from April, 1st until today
\& date=01.04.2008-
.Ve
.PP
.Vb 2
@ -548,13 +562,21 @@ You can reference to request attributes, like
.PP
These special attributes will be reset for any new rule:
.PP
.Vb 3
.Vb 5
\& rblcount - contains the number of RBL answers
\& rhsblcount - contains the number of RHSBL answers
\& matches - contains the number of matched items
\& dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
\& rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
.Ve
.PP
This means that you must save them, if you plan to use these values in later rules:
These special attributes will be changed for any matching rule:
.PP
.Vb 1
\& request_hits - contains ids of all matching rules
.Ve
.PP
This means that it might be necessary to save them, if you plan to use these values in later rules:
.PP
.Vb 6
\& # set vals
@ -562,14 +584,14 @@ This means that you must save them, if you plan to use these values in later rul
\& rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \e
\& rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \e
\& rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \e
\& action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
\& action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
.Ve
.PP
.Vb 4
\& # compare
\& id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
\& id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
\& id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs
\& id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
\& id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
\& id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
.Ve
.Sh "\s-1MACROS/ACLS\s0"
.IX Subsection "MACROS/ACLS"
@ -621,6 +643,9 @@ Macros can contain macros, too:
.Ve
.PP
Basically macros are simple text substitutions \- see the \*(L"\s-1PARSER\s0\*(R" section for more information.
.Sh "\s-1PLUGINS\s0"
.IX Subsection "PLUGINS"
Please visit <http://www.postfwd.org/postfwd.plugins>
.Sh "\s-1COMMAND\s0 \s-1LINE\s0"
.IX Subsection "COMMAND LINE"
\&\fIRuleset\fR
@ -640,6 +665,14 @@ that at least one of the following is required for postfwd to work.
\& strings that contain whitespaces or shell characters.
.Ve
.PP
\&\fIPlugins\fR
.PP
.Vb 3
\& --plugins
\& A file containing plugin routines for postfwd. Please see the
\& PLUGINS section for more information.
.Ve
.PP
\&\fIScoring\fR
.PP
.Vb 2
@ -650,7 +683,7 @@ that at least one of the following is required for postfwd to work.
Multiple usage is allowed. Just chain your arguments, like:
.PP
.Vb 3
\& postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> ...
\& postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
\& or
\& postfwd --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd score too high" ...
.Ve
@ -695,6 +728,11 @@ The following arguments will control it's behaviour in this case.
\& Test this before using - you might need some libs there.
.Ve
.PP
.Vb 2
\& --pidfile <path>
\& The process id will be saved in the specified file.
.Ve
.PP
.Vb 3
\& -l, --logname <label>
\& Labels the syslog messages. Useful when running multiple
@ -702,8 +740,8 @@ The following arguments will control it's behaviour in this case.
.Ve
.PP
.Vb 2
\& --pidfile <path>
\& The process id will be saved in the specified file.
\& --loglen <int>
\& Truncates any syslog message after <int> characters.
.Ve
.PP
\&\fIOptional arguments\fR
@ -807,18 +845,18 @@ These parameters influence the way postfwd is working. Any of them can be combin
\& ...
.Ve
.PP
.Vb 3
\& --no-rulestats
\& Disables per rule statistics. Keeps your log clean, if you do not use them.
\& This option has no effect without --summary or --verbose set.
.Ve
.PP
.Vb 2
\& -L, --stdoutlog
\& Redirects all syslog messages to stdout for debugging. Never use this with postfix!
.Ve
.PP
.Vb 3
\& --shortlog
\& As postfwd now logs all hits for a request, you might find it unecessary to log the
\& postfwd actions jump(), set() and score(). You may disable it with this option.
.Ve
.PP
.Vb 3
\& -t, --test
\& In test mode postfwd always returns "dunno", but logs according
\& to it`s ruleset. -v will be set automatically with this option.
@ -830,20 +868,13 @@ These parameters influence the way postfwd is working. Any of them can be combin
\& such elements will be ignored.
.Ve
.PP
.Vb 3
\& --dns_queuesize (default: 100)
\& Sets the queue size for asynchonous dns queries. If the query exceeds this value,
\& postfwd waits for answers of timeouts for previous queries.
.Vb 2
\& -n, --nodnslog
\& Disables logging of dns events.
.Ve
.PP
.Vb 3
\& --dns_retries (default: 3)
\& Sets the retry counter for asynchonous dns queries. This value will apply to
\& every single query.
.Ve
.PP
.Vb 3
\& --dns_timeout (default: 7)
\& --dns_timeout (default: 14)
\& Sets the timeout for asynchonous dns queries in seconds. This value will apply to
\& all dns items in a rule.
.Ve
@ -1044,11 +1075,11 @@ the '\-I' switch to have your configuration refreshed for every request postfwd
\& ...
\& };
\& &&MAINTENANCE { \e
\& date=15.01.2007 ; \e
\& date=15.04.2007 ; \e
\& date=15.07.2007 ; \e
\& date=15.10.2007 ; \e
\& time=03:00:00-04:00:00 ; \e
\& date=15.01.2007 ; \e
\& date=15.04.2007 ; \e
\& date=15.07.2007 ; \e
\& date=15.10.2007 ; \e
\& time=03:00:00 - 04:00:00 ; \e
\& };
\& # rules
\& id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL
@ -1066,15 +1097,12 @@ the '\-I' switch to have your configuration refreshed for every request postfwd
\& id=REJECT03 ; HIT_helo==1 ; HIT_dyna==1 ; action=REJECT please see http://some.org/info?reject=03 for more info
.Ve
.PP
.Vb 8
\& # combined with enhanced rbl features
\& # set vals
.Vb 5
\& ## combined with enhanced rbl features
\& #
\& id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \e
\& action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
\& # compare
\& id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
\& id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
\& id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs
\& action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
\& id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]
.Ve
.Sh "\s-1PARSER\s0"
.IX Subsection "PARSER"
@ -1147,7 +1175,7 @@ equals to
Lists will be evaluated in the specified order. This allows to place faster expressions at first:
.PP
.Vb 1
\& postfwd -vv -L -r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /root/request.sample
\& postfwd -vv -L -r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /some/where/request.sample
.Ve
.PP
produces the following
@ -1169,7 +1197,7 @@ produces the following
The negation operator !!(<value>) has the highest priority and therefore will be evaluated first. Then variable substitutions are performed:
.PP
.Vb 1
\& postfwd -vv -L -r "id=TEST; action=REJECT; client_name=!!($$heloname)" /root/request.sample
\& postfwd -vv -L -r "id=TEST; action=REJECT; client_name=!!($$heloname)" /some/where/request.sample
.Ve
.PP
will give
@ -1340,13 +1368,15 @@ listening on the specified network settings.
.IX Subsection "PERFORMANCE"
Some of these proposals might not match your environment. Please check your requirements and test new options carefully!
.PP
\&\- use caching options
\&\- use the correct match operator ==, <=, >=
\&\- use ^ and $ in regular expressions
\&\- use item lists (faster than single rules)
\&\- use \fIset()\fR action on repeated item lists
\&\- use jump action
\&\- use pre-lookup rule for rbl/rhsbls with empty \fInote()\fR action
.Vb 7
\& - use caching options
\& - use the correct match operator ==, <=, >=
\& - use ^ and/or $ in regular expressions
\& - use item lists (faster than single rules)
\& - use set() action on repeated item lists
\& - use jumps and rate limits
\& - use a pre-lookup rule for rbl/rhsbls with empty note() action
.Ve
.Sh "\s-1SEE\s0 \s-1ALSO\s0"
.IX Subsection "SEE ALSO"
See <http://www.postfix.org/SMTPD_POLICY_README.html> for a description

1384
sbin/postfwd
View file

File diff suppressed because it is too large Load diff

3
tools/README.txt
View file

@ -3,9 +3,6 @@ Directory contents:
- lograte.sh [OPTIONS] <logfile>
generates per minute stats for generic syslog files
- postfwd-rblcheck.pl <hostname or ip> [<hostname or ip> ...]
queries a bunch of dnsbls for the given host(s)
- request.sample
a sample policy delegation request. you may test your postfwd config with
postfwd -f <configfile> request.sample

174
tools/postfwd-rblcheck.pl
View file

@ -1,174 +0,0 @@
#!/usr/bin/perl -T -w
#
# Tool to query a bunch of dnsbls. Usage:
#
# postfwd-rblcheck.pl <hostname or ip> [<hostname or ip> ...]
#
# by JPK
use Net::DNS::Async;
use strict;
# length of screen
my $mylen = 79;
# RBLs (ip based)
my @rbls = qw(
query.bondedsender.org
exemptions.ahbl.org
spf.trusted-forwarder.org
list.dnswl.org
zz.countries.nerd.dk
zen.spamhaus.org
bl.spamcop.net
list.dsbl.org
multihop.dsbl.org
unconfirmed.dsbl.org
combined.njabl.org
dnsbl.sorbs.net
dnsbl.ahbl.org
ix.dnsbl.manitu.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
dnsbl-3.uceprotect.net
ips.backscatterer.org
sorbs.dnsbl.net.au
korea.services.net
blackholes.five-ten-sg.com
cbl.anti-spam.org.cn
cblplus.anti-spam.org.cn
cblless.anti-spam.org.cn
bogons.cymru.com
dynamic.tqmrbl.com
relays.tqmrbl.com
clients.tqmrbl.com
hostkarma.junkemailfilter.com
);
# RHSBLs (domain based)
my @rhsbls = qw(
rhsbl.sorbs.net
rhsbl.ahbl.org
multi.surbl.org
dsn.rfc-ignorant.org
abuse.rfc-ignorant.org
whois.rfc-ignorant.org
bogusmx.rfc-ignorant.org
blackhole.securitysage.com
ex.dnsbl.org
rddn.dnsbl.net.au
block.rhs.mailpolice.com
dynamic.rhs.mailpolice.com
dnsbl.cyberlogic.net
hostkarma.junkemailfilter.com
);
# async dns object
my $DNS = new Net::DNS::Async ( QueueSize => 100, Retries => 3, Timeout => 20 );
our %RBLres = ();
# async dns callback method
sub callback {
my $myresponse = shift;
my $query = ''; my $result = '';
# get query
if ( defined $myresponse ) {
foreach ($myresponse->question) {
next unless (($_->qtype eq 'A') or ($_->qtype eq 'TXT'));
$query = $_->qname;
};
# get answer and fill result hash
if ( defined $query ) {
foreach ($myresponse->answer) {
if ($_->type eq 'A') {
$result = $_->address;
$query ||= ''; $result ||= '';
$RBLres{$query}{result} = $result;
$RBLres{$query}{end} = time;
} elsif ($_->type eq 'TXT') {
$RBLres{$query}{text} = join(" ", $_->char_str_list());
$RBLres{$query}{end} = time;
};
};
};
};
};
# main, parse argument list
foreach (@ARGV) {
my $query = $_;
my $now = time;
my @lookups = ();
my $name = my $addr = my $res = 'unknown';
my $rblcount = my $rhlcount = 0;
# clear result hash
%RBLres = ();
# lookup hostname or ip address, remove localpart if email address
if ($query =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/) {
$addr = $query;
$name = $res
if ( defined($res = gethostbyaddr (pack ('C4', (split /\./, $addr)), 2)) );
} else {
$name = ($query =~ /@([^@]+)$/) ? $1 : $query;
$addr = ( join ".", (unpack ('C4', $res)) )
if ( defined ($res = gethostbyname ($name.".")) );
};
# header
print "\n", "=" x $mylen, "\n";
print "QUERY: ", $query, " NAME: ", $name, " ADDR: ", $addr, "\n";
# prepare rbl lookups
unless ($addr eq 'unknown') {
$addr = join ".", reverse split /\./, $addr;
foreach my $rbl (@rbls) {
$RBLres{$addr.".".$rbl}{query} = $rbl;
$RBLres{$addr.".".$rbl}{type} = 'RBL';
$RBLres{$addr.".".$rbl}{start} = time;
push @lookups, $addr.".".$rbl;
#print "query ", $RBLres{$addr.".".$rbl}{query}, " for ", $addr.".".$rbl, "\n";
};
};
# prepare rhsbl lookups
unless ($name eq 'unknown') {
foreach my $rhsbl (@rhsbls) {
$RBLres{$name.".".$rhsbl}{query} = $rhsbl;
$RBLres{$name.".".$rhsbl}{type} = 'RHSBL';
$RBLres{$name.".".$rhsbl}{start} = time;
push @lookups, $name.".".$rhsbl;
#print "name ", $RBLres{$name.".".$rhsbl}{query}, " for ", $name.".".$rhsbl, "\n";
};
};
# perform lookups
map { $DNS->add (\&callback, $_) } @lookups;
map { $DNS->add (\&callback, $_, 'TXT') } @lookups;
$DNS->await();
# evaluate results
foreach $query (sort keys %RBLres) {
if ($query and (defined $RBLres{$query}{result})) {
print " ", "-" x ($mylen - 4), "\n";
printf " listed on %s:%s, result: %s, time: %ds\n %s\n",
$RBLres{$query}{type},
$RBLres{$query}{query}, $RBLres{$query}{result},
($RBLres{$query}{end} - $RBLres{$query}{start}),
((defined $RBLres{$query}{text}) ? "\"".$RBLres{$query}{text}."\"" : '<undef>');
$rblcount++ if $RBLres{$query}{type} eq 'RBL';
$rhlcount++ if $RBLres{$query}{type} eq 'RHSBL';
};
};
# footer
print " ", "-" x ($mylen - 4), "\n";
printf "%d of %d RBLs, ", $rblcount, $#rbls if ($rblcount > 0);
printf "%d of %d RHSBLs, ", $rhlcount, $#rhsbls if ($rhlcount > 0);
printf "Finished after %d seconds\n", (time - $now);
print "=" x $mylen, "\n\n";
};