Imported Upstream version 1.10pre8b

This commit is contained in:
Jan Wagner 2013-11-05 17:32:27 +01:00
parent 8b6b3ca881
commit b5012c41b3
9 changed files with 1172 additions and 964 deletions


@ -1,12 +1,43 @@
**************************************************************************************************
ATTENTION: requirements changed - as dns queries are now performed asynchronously, postfwd from
v1.10pre2 and above needs the perl module Net::DNS::Async! it is available via CPAN
and installed for my tests without any problems on different linux and solaris systems
ATTENTION: requirements changed - postfwd since v1.10pre8 now uses Net::DNS.
Net::DNS::Async and Net::CIDR::Lite are not required anymore.
NOTE: please see the docs ('postfwd -m' or 'perldoc postfwd') for more information
**************************************************************************************************
1.10pre8b
==========
- bugfix: fixed two warnings about logging of undefined values in verbose mode
1.10pre8a
==========
- bugfix: item plugins have been made available as cache-id items. this fixes a minor issue with
--cache-rdomain-only and version 1.10pre8
1.10pre8
=========
- code: Net::DNS::Async is no longer used. The parameters --dns_queuesize and
--dns_retries are still valid but have no function. The option --dns_timeout
now defaults to 14s and applies to all rules containing dns items.
- code: Net::CIDR::Lite is not required any longer.
- feature: the new variable $$request_hits contains a list of all matching ruleids
- feature: the new variable $$dnsbltext allows access to txt records of rbls
- feature: new options --no-rulestats and --nodnslog
- feature: ttls of the dns responses override --cache-rbl-timeout when bigger, which means
that you can set the option to 0 if you want to use the ttl of the dns answer.
- feature: new item "rhsbl_helo" allows to check helo against rhsbls
- bugfix: disabled fallback to synchronous dns on timed out rbls, default is now
to disable non responding dnsbls after 11 timeouts for 1200 seconds.
use --dns_timeout_max and --dns_timeout_interval to adjust these settings.
- bugfix: days=Wed now means exactly Wednesday. to use a range you may
still specify days=Wed- days=-Wed and days=Tue-Thu
this applies to all date and time items
- code: --shortlog is now default behaviour (use -v to see more)
- code: changed Net::Server behaviour to ignore syslog errors
1.10pre7c
==========
- note: 1.10pre7c does not contain any code-changes to the postfwd daemon.
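Review bot: the 1.10pre8 entry says --dns_queuesize and --dns_retries "are still valid but have no function", yet this commit removes both from the usage synopsis and from the COMMAND LINE section without marking them deprecated anywhere, so an operator whose init script still passes them gets no hint that the flags are now ignored. Suggest keeping a one-line "accepted for compatibility, ignored since 1.10pre8" entry under Optional arguments. The days=Wed bugfix also changes matching semantics for existing rulesets (a bare weekday no longer matches a range), which is the kind of behaviour change that belongs in the ATTENTION block at the top, next to the Net::DNS requirement change.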
@ -177,3 +208,4 @@ NOTE: please see the docs ('postfwd -m' or 'perldoc postfwd') for more inf
=====
- first public beta version


@ -1,11 +1,15 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>postfwd - postfix firewall daemon</title>
<link rev="made" href="mailto:root@localhost" />
<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
<meta name="description" content="postfwd a postfix firewall policy daemon">
<meta name="author" content="jpk">
<meta name="keywords" content="postfwd, postfwd usage, postfwd manual, postfix, policy, policy delegation, firewall, postfix acl, postfix acls, pfwpolicy, postfw, restrictions, IT-Security, IT-Consulting, Jan, Peter, Kessler">
</head>
<body style="background-color: white">
<body>
<p><a name="__index__"></a></p>
<!-- INDEX BEGIN -->
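Review bot: the DOCTYPE switches from XHTML 1.0 Strict to HTML 4.01 Transitional, but the added `<link rel="stylesheet" ...>` and `<meta>` tags are not self-closed while the kept `<link rev="made" ... />` and the `<hr />` further down still are, so the file now mixes both syntaxes; pick one. The stylesheet is also fetched from http://www.jpkessler.de over plain HTTP, so the locally installed manual depends on a remote host for its rendering; a relative path or an inline `<style>` block would keep the documentation self-contained.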
@ -22,6 +26,7 @@
<li><a href="#items">ITEMS</a></li>
<li><a href="#actions">ACTIONS</a></li>
<li><a href="#macros_acls">MACROS/ACLS</a></li>
<li><a href="#plugins">PLUGINS</a></li>
<li><a href="#command_line">COMMAND LINE</a></li>
<li><a href="#refresh">REFRESH</a></li>
<li><a href="#examples">EXAMPLES</a></li>
@ -62,8 +67,9 @@
-u, --user &lt;name&gt; set uid to user &lt;name&gt;
-g, --group &lt;name&gt; set gid to group &lt;name&gt;
-R, --chroot &lt;path&gt; chroot the daemon to &lt;path&gt;
--pidfile &lt;path&gt; create pidfile under &lt;path&gt;
-l, --logname &lt;label&gt; label for syslog messages
--pidfile &lt;path&gt; create pidfile under &lt;path&gt;</pre>
--loglen &lt;int&gt; truncates syslogs after &lt;int&gt; chars</pre>
<pre>
Caching:
-c, --cache &lt;int&gt; sets the request-cache timeout to &lt;int&gt; seconds
@ -80,23 +86,25 @@
Optional:
-t, --test testing, always returns &quot;dunno&quot;
-v, --verbose verbose logging, use twice (-vv) to increase level
--shortlog disables logging of some postfwd commands
-S, --summary &lt;int&gt; show some usage statistics every &lt;int&gt; seconds
--no-rulestats disables per rule statistics
-n, --nodns disable dns
--dns_queuesize sets the queue size for asynchonous dns queries
--dns_retries how many retries for a single asynchonous dns query
--nodnslog disable dns logging
--dns_timeout timeout in seconds for asynchonous dns queries
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
--dns_timeout_interval interval in seconds for dns timeout maximum counter
-I, --instantcfg re-reads rulefiles for every new request</pre>
<pre>
Informational (use only at command-line, not with postfix!):
Informational (use only at command-line!):
-C, --showconfig shows ruleset summary, -v for verbose
-L, --stdoutlog redirect syslog messages to stdout
-P, --perfmon no syslogging, no stdout
-V, --version shows program version
-h, --help shows usage
-m, --manual shows program manual</pre>
<pre>
Plugins:
--plugins &lt;file&gt; loads plugins from &lt;file&gt;</pre>
<p>
</p>
<hr />
@ -161,7 +169,16 @@ arguments. Please see the COMMAND LINE section below for more information on thi
id - a unique rule id, which can be used for log analysis
ids also serve as targets for the &quot;jump&quot; command.</pre>
<pre>
date, time - a time or date range within the specified rule shall hit</pre>
date, time - a time or date range within the specified rule shall hit
# FORMAT:
# Feb, 29th
date=29.02.2008
# Dec, 24th - 26th
date=24.12.2008-26.12.2008
# from today until Nov, 23rd
date=-23.09.2008
# from April, 1st until today
date=01.04.2008-</pre>
<pre>
days, months - a range of weekdays (Sun-Sat) or months (Jan-Dec)
within the specified rule shall hit</pre>
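Review bot: the comment `# from today until Nov, 23rd` does not match the value below it, `date=-23.09.2008`, which in the DD.MM.YYYY form used by the other examples is September 23rd; change either the comment or the date. The open-ended forms (`date=-23.09.2008`, `date=01.04.2008-`) are introduced here, but the days/months item text directly below does not say whether the same open-ended syntax applies to it, although the changelog states that it does for all date and time items.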
@ -354,20 +371,25 @@ rule containing only an action statement:</p>
<pre>
rblcount - contains the number of RBL answers
rhsblcount - contains the number of RHSBL answers
matches - contains the number of matched items</pre>
<p>This means that you must save them, if you plan to use these values in later rules:</p>
matches - contains the number of matched items
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
rbltype:rblname:&lt;txt&gt;; rbltype:rblname:&lt;txt&gt;; ...</pre>
<p>These special attributes will be changed for any matching rule:</p>
<pre>
request_hits - contains ids of all matching rules</pre>
<p>This means that it might be necessary to save them, if you plan to use these values in later rules:</p>
<pre>
# set vals
id=RBL01 ; rhsblcount=all ; rblcount=all ; \
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)</pre>
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)</pre>
<pre>
# compare
id=RBL02 ; HIT_rhls&gt;=1 ; HIT_rbls&gt;=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
id=RBL03 ; HIT_rhls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
id=RBL04 ; HIT_rbls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs</pre>
id=RBL02 ; HIT_rhls&gt;=1 ; HIT_rbls&gt;=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
id=RBL03 ; HIT_rhls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
id=RBL04 ; HIT_rbls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]</pre>
<p>
</p>
<h2><a name="macros_acls">MACROS/ACLS</a></h2>
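Review bot: the new `dnsbltext` examples interpolate `$$HIT_txt` straight into the 554 reply text (`[INFO: $$HIT_txt]`). That TXT data is whatever each DNSBL operator returns, concatenated for every listing in the `rbltype:rblname:<txt>; ...` form, so the length and content of the SMTP reply sent back to the client are not under the administrator's control; the docs should say so, and mention that --loglen and the SMTP reply length should be kept in mind when echoing it. The sentence "These special attributes will be changed for any matching rule" is also ambiguous about whether `request_hits` is reset or extended per rule; "contains ids of all matching rules" implies extended, so "updated" would be clearer.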
@ -409,6 +431,10 @@ First the macros have to be defined as follows:</p>
<p>Basically macros are simple text substitutions - see the <a href="#parser">PARSER</a> section for more information.</p>
<p>
</p>
<h2><a name="plugins">PLUGINS</a></h2>
<p>Please visit <a href="http://www.postfwd.org/postfwd.plugins">http://www.postfwd.org/postfwd.plugins</a></p>
<p>
</p>
<h2><a name="command_line">COMMAND LINE</a></h2>
<p><em>Ruleset</em></p>
<p>The following arguments are used to specify the source of the postfwd ruleset. This means
@ -421,13 +447,18 @@ that at least one of the following is required for postfwd to work.</p>
-r, --rule &lt;rule&gt;
Adds &lt;rule&gt; to ruleset. Remember that you might have to quote
strings that contain whitespaces or shell characters.</pre>
<p><em>Plugins</em></p>
<pre>
--plugins
A file containing plugin routines for postfwd. Please see the
PLUGINS section for more information.</pre>
<p><em>Scoring</em></p>
<pre>
-s, --scores &lt;val&gt;=&lt;action&gt;
Returns &lt;action&gt; to postfix, when the request's score exceeds &lt;val&gt;</pre>
<p>Multiple usage is allowed. Just chain your arguments, like:</p>
<pre>
postfwd -r &quot;&lt;item&gt;=&lt;value&gt;;action=&lt;result&gt;&quot; -f &lt;file&gt; -f &lt;file&gt; ...
postfwd -r &quot;&lt;item&gt;=&lt;value&gt;;action=&lt;result&gt;&quot; -f &lt;file&gt; -f &lt;file&gt; --plugins &lt;file&gt; ...
or
postfwd --scores 4.5=&quot;WARN high score&quot; --scores 5.0=&quot;REJECT postfwd score too high&quot; ...</pre>
<p>In case of multiple scores, the highest match will count. The order of the arguments will be
@ -455,13 +486,16 @@ The following arguments will control it's behaviour in this case.</p>
-R, --chroot &lt;path&gt;
Chroot the process to the specified path.
Test this before using - you might need some libs there.</pre>
<pre>
--pidfile &lt;path&gt;
The process id will be saved in the specified file.</pre>
<pre>
-l, --logname &lt;label&gt;
Labels the syslog messages. Useful when running multiple
instances of postfwd.</pre>
<pre>
--pidfile &lt;path&gt;
The process id will be saved in the specified file.</pre>
--loglen &lt;int&gt;
Truncates any syslog message after &lt;int&gt; characters.</pre>
<p><em>Optional arguments</em></p>
<p>These parameters influence the way postfwd is working. Any of them can be combined.</p>
<pre>
@ -535,13 +569,13 @@ The following arguments will control it's behaviour in this case.</p>
Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Rule ID: R-002 matched: 9351 times
Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Rule ID: R-003 matched: 3116 times
...</pre>
<pre>
--no-rulestats
Disables per rule statistics. Keeps your log clean, if you do not use them.
This option has no effect without --summary or --verbose set.</pre>
<pre>
-L, --stdoutlog
Redirects all syslog messages to stdout for debugging. Never use this with postfix!</pre>
<pre>
--shortlog
As postfwd now logs all hits for a request, you might find it unecessary to log the
postfwd actions jump(), set() and score(). You may disable it with this option.</pre>
<pre>
-t, --test
In test mode postfwd always returns &quot;dunno&quot;, but logs according
@ -551,15 +585,10 @@ The following arguments will control it's behaviour in this case.</p>
Disables all DNS based checks like RBL checks. Rules containing
such elements will be ignored.</pre>
<pre>
--dns_queuesize (default: 100)
Sets the queue size for asynchonous dns queries. If the query exceeds this value,
postfwd waits for answers of timeouts for previous queries.</pre>
-n, --nodnslog
Disables logging of dns events.</pre>
<pre>
--dns_retries (default: 3)
Sets the retry counter for asynchonous dns queries. This value will apply to
every single query.</pre>
<pre>
--dns_timeout (default: 7)
--dns_timeout (default: 14)
Sets the timeout for asynchonous dns queries in seconds. This value will apply to
all dns items in a rule.</pre>
<pre>
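Review bot: the added `-n, --nodnslog` entry reuses the `-n` short option that the synopsis already assigns to `--nodns` (`-n, --nodns disable dns`, unchanged above), and the usage block in this same commit lists `--nodnslog` without any short form, so the `-n` here looks like a copy-and-paste slip from the `--nodns` entry and should be dropped. The kept `--dns_timeout` description also still speaks of "asynchonous dns queries" (typo aside) although the changelog says Net::DNS::Async is gone and the timeout now applies to all dns items in a rule.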
@ -723,11 +752,11 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
...
};
&amp;&amp;MAINTENANCE { \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.07.2007 ; \
date=15.10.2007 ; \
time=03:00:00-04:00:00 ; \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.07.2007 ; \
date=15.10.2007 ; \
time=03:00:00 - 04:00:00 ; \
};
# rules
id=COMBINED ; &amp;&amp;RBLS ; &amp;&amp;DYNAMIC ; action=REJECT dynamic client and listed on RBL
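Review bot: the maintenance macro example changes `time=03:00:00-04:00:00` to `time=03:00:00 - 04:00:00` with spaces around the dash, while the new date examples earlier in this file write ranges without spaces (`date=24.12.2008-26.12.2008`). If the parser accepts both, the docs should say so once; otherwise the examples should agree, since a range that silently fails to parse would make the maintenance window never (or always) match.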
@ -742,14 +771,11 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
id=REJECT02 ; HIT_rbls==1 ; HIT_dyna==1 ; action=REJECT please see <a href="http://some.org/info?reject=02">http://some.org/info?reject=02</a> for more info
id=REJECT03 ; HIT_helo==1 ; HIT_dyna==1 ; action=REJECT please see <a href="http://some.org/info?reject=03">http://some.org/info?reject=03</a> for more info</pre>
<pre>
# combined with enhanced rbl features
# set vals
## combined with enhanced rbl features
#
id=RBL01 ; rhsblcount=all ; rblcount=all ; &amp;&amp;RBLS ; &amp;&amp;RHSBLS ; \
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
# compare
id=RBL02 ; HIT_rhls&gt;=1 ; HIT_rbls&gt;=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
id=RBL03 ; HIT_rhls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
id=RBL04 ; HIT_rbls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs</pre>
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
id=RBL02 ; HIT_dnsbls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]</pre>
<p>
</p>
<h2><a name="parser">PARSER</a></h2>
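Review bot: the rewritten example uses `HIT_dnsbls+=$$rblcount` inside set(), an accumulating assignment that appears nowhere else in this diff; if set() supports `+=`, the ACTIONS section should document it next to the plain `=` form, otherwise readers will copy a syntax that may not work. Dropping the `# set vals` / `# compare` comments also removes the only hint that RBL01 must run before RBL02; keep them or state the ordering dependency.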
@ -794,7 +820,7 @@ verbority using use the ``-v'' or ``-vv'' switch. ``-L'' redirects log messages
id=R001; sender=bob@alice.local; client_address=192.168.1.1; action=dunno</pre>
<p>Lists will be evaluated in the specified order. This allows to place faster expressions at first:</p>
<pre>
postfwd -vv -L -r &quot;id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT&quot; /root/request.sample</pre>
postfwd -vv -L -r &quot;id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT&quot; /some/where/request.sample</pre>
<p>produces the following</p>
<pre>
[LOGS info]: compare rbl: &quot;remotehost.remote.net[68.10.1.7]&quot; -&gt; &quot;localrbl.local&quot;
@ -810,7 +836,7 @@ verbority using use the ``-v'' or ``-vv'' switch. ``-L'' redirects log messages
[LOGS info]: Action: dunno</pre>
<p>The negation operator !!(&lt;value&gt;) has the highest priority and therefore will be evaluated first. Then variable substitutions are performed:</p>
<pre>
postfwd -vv -L -r &quot;id=TEST; action=REJECT; client_name=!!($$heloname)&quot; /root/request.sample</pre>
postfwd -vv -L -r &quot;id=TEST; action=REJECT; client_name=!!($$heloname)&quot; /some/where/request.sample</pre>
<p>will give</p>
<pre>
[LOGS info]: compare client_name: &quot;unknown&quot; -&gt; &quot;!!($$helo_name)&quot;
@ -924,13 +950,14 @@ listening on the specified network settings.</p>
</p>
<h2><a name="performance">PERFORMANCE</a></h2>
<p>Some of these proposals might not match your environment. Please check your requirements and test new options carefully!</p>
<p>- use caching options
- use the correct match operator ==, &lt;=, &gt;=
- use ^ and $ in regular expressions
- use item lists (faster than single rules)
- use <code>set()</code> action on repeated item lists
- use jump action
- use pre-lookup rule for rbl/rhsbls with empty <code>note()</code> action</p>
<pre>
- use caching options
- use the correct match operator ==, &lt;=, &gt;=
- use ^ and/or $ in regular expressions
- use item lists (faster than single rules)
- use set() action on repeated item lists
- use jumps and rate limits
- use a pre-lookup rule for rbl/rhsbls with empty note() action</pre>
<p>
</p>
<h2><a name="see_also">SEE ALSO</a></h2>
@ -969,8 +996,17 @@ POSSIBILITY OF SUCH DAMAGE.</p>
</p>
<hr />
<h1><a name="author">AUTHOR</a></h1>
<p>Jan&nbsp;Peter&nbsp;Kessler&nbsp;&lt;info&nbsp;(AT)&nbsp;postfwd&nbsp;(DOT)&nbsp;org&gt;. Let me know, if you have any suggestions.</p>
<p>Jan&nbsp;Peter&nbsp;Kessler&nbsp;&lt;info (AT) postfwd (DOT) org&gt;. Let me know, if you have any suggestions.</p>
<p><center>
<table border="1" color="black" frame="hsides" rules="none" width="100%">
<td width="33%" align="left"><small>http://www.postfwd.org/doc.html</small>
<td width="34%" align="center"><small>2007 by <a href="http://www.jpkessler.de/">Jan Peter Kessler</a></small>
<td width="33%" align="right"><small>info (AT) postfwd (DOT) org</small>
</table>
</center></p>
</body>
</html>
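Review bot: the added footer puts three `<td>` cells directly under `<table>` with no enclosing `<tr>`, and wraps the whole table in `<p><center>`, which a `<p>` cannot contain; browsers recover, but the HTML 4.01 Transitional DOCTYPE chosen in this commit will not validate. Wrap the cells in a `<tr>` and drop the `<p>` around `<center>`. `color="black"` is not a valid attribute on `<table>` either (`bgcolor` is the attribute that DOCTYPE defines).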


@ -18,8 +18,9 @@ SYNOPSIS
-u, --user <name> set uid to user <name>
-g, --group <name> set gid to group <name>
-R, --chroot <path> chroot the daemon to <path>
-l, --logname <label> label for syslog messages
--pidfile <path> create pidfile under <path>
-l, --logname <label> label for syslog messages
--loglen <int> truncates syslogs after <int> chars
Caching:
-c, --cache <int> sets the request-cache timeout to <int> seconds
@ -36,17 +37,16 @@ SYNOPSIS
Optional:
-t, --test testing, always returns "dunno"
-v, --verbose verbose logging, use twice (-vv) to increase level
--shortlog disables logging of some postfwd commands
-S, --summary <int> show some usage statistics every <int> seconds
--no-rulestats disables per rule statistics
-n, --nodns disable dns
--dns_queuesize sets the queue size for asynchonous dns queries
--dns_retries how many retries for a single asynchonous dns query
--nodnslog disable dns logging
--dns_timeout timeout in seconds for asynchonous dns queries
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
--dns_timeout_interval interval in seconds for dns timeout maximum counter
-I, --instantcfg re-reads rulefiles for every new request
Informational (use only at command-line, not with postfix!):
Informational (use only at command-line!):
-C, --showconfig shows ruleset summary, -v for verbose
-L, --stdoutlog redirect syslog messages to stdout
-P, --perfmon no syslogging, no stdout
@ -54,6 +54,9 @@ SYNOPSIS
-h, --help shows usage
-m, --manual shows program manual
Plugins:
--plugins <file> loads plugins from <file>
DESCRIPTION
INTRODUCTION
postfwd is written to combine complex postfix restrictions in a ruleset
@ -138,6 +141,15 @@ DESCRIPTION
ids also serve as targets for the "jump" command.
date, time - a time or date range within the specified rule shall hit
# FORMAT:
# Feb, 29th
date=29.02.2008
# Dec, 24th - 26th
date=24.12.2008-26.12.2008
# from today until Nov, 23rd
date=-23.09.2008
# from April, 1st until today
date=01.04.2008-
days, months - a range of weekdays (Sun-Sat) or months (Jan-Dec)
within the specified rule shall hit
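Review bot: same mismatch as in the HTML version of the manual: `# from today until Nov, 23rd` is followed by `date=-23.09.2008`, which is September 23rd in the DD.MM.YYYY form the other examples use; fix the comment or the value in both files.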
@ -360,21 +372,27 @@ DESCRIPTION
rblcount - contains the number of RBL answers
rhsblcount - contains the number of RHSBL answers
matches - contains the number of matched items
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
This means that you must save them, if you plan to use these values in
later rules:
These special attributes will be changed for any matching rule:
request_hits - contains ids of all matching rules
This means that it might be necessary to save them, if you plan to use
these values in later rules:
# set vals
id=RBL01 ; rhsblcount=all ; rblcount=all ; \
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
# compare
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
MACROS/ACLS
Multiple use of long items or combinations of them may be abbreviated by
@ -420,6 +438,9 @@ DESCRIPTION
Basically macros are simple text substitutions - see the "PARSER"
section for more information.
PLUGINS
Please visit <http://www.postfwd.org/postfwd.plugins>
COMMAND LINE
*Ruleset*
@ -435,6 +456,12 @@ DESCRIPTION
Adds <rule> to ruleset. Remember that you might have to quote
strings that contain whitespaces or shell characters.
*Plugins*
--plugins
A file containing plugin routines for postfwd. Please see the
PLUGINS section for more information.
*Scoring*
-s, --scores <val>=<action>
@ -442,7 +469,7 @@ DESCRIPTION
Multiple usage is allowed. Just chain your arguments, like:
postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> ...
postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
or
postfwd --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd score too high" ...
@ -475,12 +502,15 @@ DESCRIPTION
Chroot the process to the specified path.
Test this before using - you might need some libs there.
--pidfile <path>
The process id will be saved in the specified file.
-l, --logname <label>
Labels the syslog messages. Useful when running multiple
instances of postfwd.
--pidfile <path>
The process id will be saved in the specified file.
--loglen <int>
Truncates any syslog message after <int> characters.
*Optional arguments*
@ -558,13 +588,13 @@ DESCRIPTION
Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Rule ID: R-003 matched: 3116 times
...
--no-rulestats
Disables per rule statistics. Keeps your log clean, if you do not use them.
This option has no effect without --summary or --verbose set.
-L, --stdoutlog
Redirects all syslog messages to stdout for debugging. Never use this with postfix!
--shortlog
As postfwd now logs all hits for a request, you might find it unecessary to log the
postfwd actions jump(), set() and score(). You may disable it with this option.
-t, --test
In test mode postfwd always returns "dunno", but logs according
to it`s ruleset. -v will be set automatically with this option.
@ -573,15 +603,10 @@ DESCRIPTION
Disables all DNS based checks like RBL checks. Rules containing
such elements will be ignored.
--dns_queuesize (default: 100)
Sets the queue size for asynchonous dns queries. If the query exceeds this value,
postfwd waits for answers of timeouts for previous queries.
-n, --nodnslog
Disables logging of dns events.
--dns_retries (default: 3)
Sets the retry counter for asynchonous dns queries. This value will apply to
every single query.
--dns_timeout (default: 7)
--dns_timeout (default: 14)
Sets the timeout for asynchonous dns queries in seconds. This value will apply to
all dns items in a rule.
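Review bot: same problem as in the HTML manual: `-n, --nodnslog` reuses the `-n` short option that `-n, --nodns` already owns in the SYNOPSIS of this file, and the SYNOPSIS lists `--nodnslog` with no short form; remove the `-n` here so the two option descriptions agree.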
@ -746,11 +771,11 @@ DESCRIPTION
...
};
&&MAINTENANCE { \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.07.2007 ; \
date=15.10.2007 ; \
time=03:00:00-04:00:00 ; \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.07.2007 ; \
date=15.10.2007 ; \
time=03:00:00 - 04:00:00 ; \
};
# rules
id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL
@ -765,14 +790,11 @@ DESCRIPTION
id=REJECT02 ; HIT_rbls==1 ; HIT_dyna==1 ; action=REJECT please see http://some.org/info?reject=02 for more info
id=REJECT03 ; HIT_helo==1 ; HIT_dyna==1 ; action=REJECT please see http://some.org/info?reject=03 for more info
# combined with enhanced rbl features
# set vals
## combined with enhanced rbl features
#
id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount)
# compare
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]
PARSER
*Configuration*
@ -834,7 +856,7 @@ DESCRIPTION
Lists will be evaluated in the specified order. This allows to place
faster expressions at first:
postfwd -vv -L -r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /root/request.sample
postfwd -vv -L -r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /some/where/request.sample
produces the following
@ -853,7 +875,7 @@ DESCRIPTION
The negation operator !!(<value>) has the highest priority and therefore
will be evaluated first. Then variable substitutions are performed:
postfwd -vv -L -r "id=TEST; action=REJECT; client_name=!!($$heloname)" /root/request.sample
postfwd -vv -L -r "id=TEST; action=REJECT; client_name=!!($$heloname)" /some/where/request.sample
will give
@ -1006,10 +1028,13 @@ DESCRIPTION
Some of these proposals might not match your environment. Please check
your requirements and test new options carefully!
- use caching options - use the correct match operator ==, <=, >= - use
^ and $ in regular expressions - use item lists (faster than single
rules) - use set() action on repeated item lists - use jump action - use
pre-lookup rule for rbl/rhsbls with empty note() action
- use caching options
- use the correct match operator ==, <=, >=
- use ^ and/or $ in regular expressions
- use item lists (faster than single rules)
- use set() action on repeated item lists
- use jumps and rate limits
- use a pre-lookup rule for rbl/rhsbls with empty note() action
SEE ALSO
See <http://www.postfix.org/SMTPD_POLICY_README.html> for a description