diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..b3fa1e0
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: "/"
+ schedule:
+ interval: daily
+ time: "04:00"
+ reviewers:
+ - "waja"
+ pull-request-branch-name:
+ separator: "-"
+ open-pull-requests-limit: 10
diff --git a/.github/workflows/packaging_test.yml b/.github/workflows/packaging_test.yml
new file mode 100644
index 0000000..c478ef5
--- /dev/null
+++ b/.github/workflows/packaging_test.yml
@@ -0,0 +1,36 @@
+name: Packaging Test
+
+on:
+ push:
+ branches:
+ - $default-branch
+ - development
+ - master
+ # Run tests for any PRs
+ pull_request:
+
+env:
+ SOURCE_DIR: ./
+ ARTIFACTS_DIR: debian/build/release/
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ env:
+ DEBIAN_FRONTEND: "noninteractive"
+ - name: Remove github artefacts
+ run: |
+ rm -rf .github*
+ - name: Adjust distibution in changelog file
+ run: |
+ sed -i '0,/restricted/s//stable/' debian/changelog
+ - name: Build Debian package
+ uses: dawidd6/action-debian-package@v1.5.0
+ with:
+ artifacts_directory: debian/build/release/
+ os_distribution: testing
+ - name: Debug
+ run: |
+ ls -la
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..f384f5e
--- /dev/null
+++ b/.github/workflows/release.yml
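Review bot: The `Build Debian package` step in packaging_test.yml uses `dawidd6/action-debian-package@v1.5.0`, a tag in a third-party repository that its owner can move, so the code that builds the package is not fixed by this commit. Pinning to the full commit SHA keeps the reviewed version in place, e.g. `uses: dawidd6/action-debian-package@<full-commit-sha>  # v1.5.0`. The workflow also has no `permissions:` block, so every push and pull-request run gets the repository's default token scope; a top-level `permissions:` holding `contents: read` is enough for a build-only job. Separately, `- $default-branch` is a placeholder that GitHub fills in only for workflow templates, so here it is presumably treated as a literal branch name, and the `env: DEBIAN_FRONTEND` on the checkout step does not carry over to the later `run:` steps.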
@@ -0,0 +1,71 @@
+on:
+ push:
+ # Sequence of patterns matched against refs/tags
+ tags:
+ - 'debian/*' # Push events to matching debian/*, i.e. debian/1.0-2, debian/20.15.10, debian/23.20020326
+
+name: Release Process
+
+env:
+ SOURCE_DIR: ./
+ ARTIFACTS_DIR: debian/build/release/
+
+jobs:
+ create-release:
+ name: Create Release
+ runs-on: ubuntu-latest
+ outputs:
+ release-id: ${{ steps.create_release.outputs.id }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Install needed packages
+ run: |
+ if [ $(dpkg -l | grep -c dpkg-dev) -ne 1 ]; then sudo apt-get update && sudo apt-get install -y dpkg-dev; fi
+ - name: Gather changelog
+ run: |
+ ls -la
+ dpkg-parsechangelog | tail -n +9 > debian.changelog
+ - name: Create Release
+ id: create_release
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+ with:
+ tag_name: ${{ github.ref }}
+ release_name: Release ${{ github.ref }}
+ body_path: debian.changelog
+ draft: false
+ prerelease: false
+
+ build:
+ name: Build and upload packages
+ needs: create-release
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ env:
+ DEBIAN_FRONTEND: "noninteractive"
+ - name: Remove github artefacts
+ run: |
+ rm -rf .github*
+ - name: Adjust distibution in changelog file
+ run: |
+ sed -i '0,/restricted/s//stable/' debian/changelog
+ - name: Build Debian package
+ uses: dawidd6/action-debian-package@v1.5.0
+ with:
+ artifacts_directory: debian/build/release/
+ os_distribution: testing
+# - name: Build Debian package
+# uses: pi-top/action-debian-package@v0.2.0
+# with:
+# artifacts_directory: debian/build/release/
+# target_architectures: "amd64,i386"
+ - name: Upload the artifacts
+ uses: skx/github-action-publish-binaries@release-2.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ releaseId: ${{ needs.create-release.outputs.release-id }}
+ args: debian/build/release/*
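Review bot: The `Upload the artifacts` step passes `GITHUB_TOKEN` to `skx/github-action-publish-binaries@release-2.0`, a movable ref in a third-party repository, inside the workflow that publishes release assets; whoever can move that ref decides what runs with a token able to write to releases. Pin it, and `dawidd6/action-debian-package@v1.5.0` in the same job, to a full commit SHA, e.g. `uses: skx/github-action-publish-binaries@<full-commit-sha>  # release-2.0`. Neither job declares `permissions:`, so the token scope depends on the repository default; a job-level `permissions:` with `contents: write` states exactly what the release needs. As far as I know the `actions/create-release` repository has been archived by GitHub, so `@v1` will not receive fixes and a maintained replacement is worth planning.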
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..fcf0af0
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,32 @@
+dist: xenial
+sudo: required
+
+env:
+ - TRAVIS_DEBIAN_DISTRIBUTION=unstable TRAVIS_DEBIAN_MIRROR="http://httpredir.debian.org/debian/" TRAVIS_DEBIAN_SECURITY_UPDATES=false
+ - TRAVIS_DEBIAN_DISTRIBUTION=testing TRAVIS_DEBIAN_MIRROR="http://httpredir.debian.org/debian/"
+ - TRAVIS_DEBIAN_DISTRIBUTION=stable TRAVIS_DEBIAN_MIRROR="http://httpredir.debian.org/debian/"
+
+services:
+ - docker
+
+before_script:
+ # fetch all tags (not done due travis cloning with depth=50)
+ - git fetch --tags
+
+script:
+ # build the debian package
+ - wget -O- http://travis.debian.net/script.sh | sh -
+
+after_script:
+ # run lintian after build
+ - sudo add-apt-repository -y ppa:waja/trusty-backports
+ - sudo apt-get update -qq
+ - sudo apt-get install -qq --no-install-recommends lintian
+ - lintian --info --display-info --display-experimental --pedantic --show-overrides ../*.deb && lintian --info --display-info --display-experimental --pedantic --show-overrides ../*.dsc
+
+#notifications:
+# email: false
+
+branches:
+ except:
+ - /^debian\/\d/
diff --git a/debian/.gitlab-ci.yml b/debian/.gitlab-ci.yml
new file mode 100644
index 0000000..0100fa0
--- /dev/null
+++ b/debian/.gitlab-ci.yml
@@ -0,0 +1,14 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ RELEASE: 'unstable'
+ SALSA_CI_DISABLE_APTLY: 0
+ SALSA_CI_DISABLE_AUTOPKGTEST: 1
+ SALSA_CI_DISABLE_BLHC: 0
+ SALSA_CI_DISABLE_LINTIAN: 0
+ SALSA_CI_DISABLE_PIUPARTS: 1
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_BUILD_PACKAGE_ALL: 0
+ SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 0
diff --git a/debian/bin/github-release.sh b/debian/bin/github-release.sh
new file mode 100755
index 0000000..79da0c9
--- /dev/null
+++ b/debian/bin/github-release.sh
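Review bot: The `script:` step in .travis.yml runs `wget -O- http://travis.debian.net/script.sh | sh -`, a shell script fetched over plain HTTP and executed without any integrity check, so the build trusts both the network path and that host on every run. Keeping a reviewed copy of the script in the repository, or downloading it to a file and comparing it against a pinned SHA-256 before executing it, removes that trust; at the very least use HTTPS if the host serves it. The `after_script` section adds `ppa:waja/trusty-backports` on a `dist: xenial` image, which looks like a leftover from the trusty setup and is worth confirming.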
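Review bot: Both `include:` entries in debian/.gitlab-ci.yml point at `raw/master`, so the pipeline definition follows a moving branch and can change between runs without any commit in this repository. That is the customary Salsa CI setup, so a one-line comment above `include:` such as `# tracks salsa-ci-team/pipeline master on purpose` would record that the choice is deliberate; including from a fixed ref is the alternative if reproducible pipelines matter here. The `SALSA_CI_DISABLE_*` values are bare integers next to the quoted `RELEASE: 'unstable'`; quoting them (`'0'`, `'1'`) keeps the file consistent and avoids any typing surprise.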
@@ -0,0 +1,188 @@ +#!/bin/bash + +# Copyright (c) 2014 Terry Burton +# +# https://github.com/terryburton/travis-github-release +# +# Permission is hereby granted, free of charge, to any +# person obtaining a copy of this software and associated +# documentation files (the "Software"), to deal in the +# Software without restriction, including without +# limitation the rights to use, copy, modify, merge, +# publish, distribute, sublicense, and/or sell copies of +# the Software, and to permit persons to whom the Software +# is furnished to do so, subject to the following +# conditions: +# +# The above copyright notice and this permission notice +# shall be included in all copies or substantial portions +# of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY +# KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO +# THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A +# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF +# CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS +# IN THE SOFTWARE. 
+ +# This script provides a simple continuous deployment +# solution that allows Travis CI to publish a new GitHub +# release and upload assets to it whenever a tag is pushed: +# git tag; git push --tags +# +# It is created as a temporary solution whilst we wait for +# Travis DPL to support GitHub: +# +# https://github.com/travis-ci/dpl +# +# Place this script somewhere in your project repository (perhaps by forking +# the github-travis-release repo and adding your fork as a git submodule) then +# put something like this to your .travis.yml: +# +# after_success: .travis/github-release.sh "$TRAVIS_REPO_SLUG" "`head -1 src/VERSION`" build/release/* +# +# The first argument is your repository in the format +# "username/repository", which Travis provides in the +# TRAVIS_REPO_SLUG environment variable. +# +# The second argument is the release version which as a +# sanity check should match the tag that you are releasing. +# You could pass "`git describe`" to satisfy this check. +# +# The remaining arguments are a list of asset files that you +# want to publish along with the release. +# +# The script requires that you create a GitHub OAuth access +# token to facilitate the upload: +# +# https://help.github.com/articles/creating-an-access-token-for-command-line-use +# +# You must pass this securely in the GITHUBTOKEN environment +# variable: +# +# http://docs.travis-ci.com/user/encryption-keys/ +# +# For testing purposes you can create a local convenience +# file in the script directory called GITHUBTOKEN that sets +# the GITHUBTOKEN environment variable. If you do so you MUST +# ensure that this doesn't get pushed to your repository, +# perhaps by adding it to a .gitignore file. +# +# Should you get stuck then look at a working example. This +# code is being used by Barcode Writer in Pure PostScript +# for automated deployment: +# +# https://github.com/terryburton/postscriptbarcode + +set -e + +REPO=$1 && shift +RELEASE=$1 && shift +RELEASEFILES=$@ + +if ! 
TAG=`git describe --exact-match --tags 2>/dev/null`; then + echo "This commit is not a tag so not creating a release" + exit 0 +fi + +if [ "$TRAVIS" = "true" ] && [ -z "$TRAVIS_TAG" ]; then + echo "This build is not for the tag so not creating a release" + exit 0 +fi + +if [ "$TRAVIS" = "true" ] && [ "$TRAVIS_TAG" != "$RELEASE" ]; then + echo "Error: TRAVIS_TAG ($TRAVIS_TAG) does not match the indicated release ($RELEASE)" + exit 1 +fi + +if [ "$TAG" != "$RELEASE" ]; then + echo "Error: The tag ($TAG) does not match the indicated release ($RELEASE)" + exit 1 +fi + +if [[ -z "$RELEASEFILES" ]]; then + echo "Error: No release files provided" + exit 1 +fi + +SCRIPTDIR=`dirname $0` +[ -e "$SCRIPTDIR/GITHUBTOKEN" ] && . "$SCRIPTDIR/GITHUBTOKEN" +if [[ -z "$GITHUBTOKEN" ]]; then + echo "Error: GITHUBTOKEN is not set" + exit 1 +fi + +echo "Creating GitHub release for $RELEASE" + +echo -n "Create draft release... " +JSON=$(cat < Mon, 23 Jan 2023 12:43:03 +0000 + +postfwd (1.35-8) unstable; urgency=medium + + * [d32c972] d/watch: Update to new url scheme + * [47e9ee0] Bump debhelper from old 12 to 13. + * [cac0b96] Bump Standards-Version to 4.6.2 + * [98d8062] Update watch file format version to 4. + * [7ba39f1] Drop lsb-base, sysvinit-utils is essential + * [be975fb] Set Rules-Requires-Root: no. + + -- Jan Wagner Mon, 23 Jan 2023 12:40:57 +0000 + +postfwd (1.35-7) unstable; urgency=medium + + * [f2a169d] Use secure copyright file specification URI. + * [270413d] Use secure URI in Homepage field. 
+ * [1563d38] d/source/options: Adding .github to diff ignore + * [f32e604] Adding d/.gitlab-ci.yml + * [94f95bc] Adding Dependabot config + * [b16de77] Do not remove .git* anymore + * [4926505] ci: pin action versions + * [d0ecd91] d/rules: Calling dh_installsystemd (Closes: #994901) + + -- Jan Wagner Tue, 28 Sep 2021 13:28:53 +0200 + +postfwd (1.35-6) unstable; urgency=medium + + * [1446da0] Fix initscript (Closes: #942414) + * [3abd7a4] Bump Standards-Version to 4.5.1.0, no changes needed + * [27de180] Adding Github CI + * [a282d29] d/control: Raise compat level to 12 + + -- Jan Wagner Wed, 06 Jan 2021 21:49:07 +0100 + +postfwd (1.35-5) unstable; urgency=medium + + * [217213b] Adding systemd unit file + * [8e419b4] Add a bit documentation about systemd (and sysvinit) + * [62139a7] travis-ci: Use xenial image + * [ac0ac42] d/control: Bump Standards-Version to 4.3.0, no changes needed + * [e438455] d/postfwd.postrm: detect existens of command by which and + not 'test -x' + + -- Jan Wagner Thu, 24 Jan 2019 09:37:19 +0100 + +postfwd (1.35-4) unstable; urgency=medium + + * [e8799d3] travis-ci: don't install build-deps manual + * [c86c540] travis-ci: build package with dpkg-buildpackage + * [07e9eeb] travis-ci: Initial support for uploading releases to github + * [231a90f] Merging upstream changes of github-release.sh + * [b832cd0] Updating copyright and author of debian/bin/github-release.sh + * [5e353b5] debian/control: reformating with warp-and-sort + * [3862572] Reformating with warp-and-sort the rest of debian/ + * [d4687ee] travis-ci: grab actual used upstream version + * [4d0d01d] travis-ci: Adding required arguments for trusty + * [11da7ca] travis-ci: automatically install dependencies + * [7ad8c99] d/control: Bump Standards-Version to 3.9.8, no changes needed + * [80b011c] d/control: Depend on lsb-base + * [583a10d] travis-ci: Make use of travis.d.n + + -- Jan Wagner Mon, 05 Dec 2016 11:50:27 +0100 + +postfwd (1.35-3) unstable; urgency=medium + + * [965e0d7] 
Remove shiped html files from binaries + * [17c1925] Bump Standards-Version to 3.9.6, no changes needed + + -- Jan Wagner Mon, 13 Oct 2014 15:02:11 +0200 + +postfwd (1.35-2) unstable; urgency=low + + * Migrate over example installation to postfwd.examples + * Add plugins/*.sample to examples + * [6f4f77b] Remove generated hapolicy manpage in clean target + * [05ca589] Updating standards version to 3.9.4, no changes needed + * [bb64a82] Source init functions in init script + * [5d8b250] Update Vcs-headers + * [0df5d0a] Updating standards version to 3.9.5, no changes needed + * [86f8f61] Add travis-ci config + * [010082b] Remove unneeded purge from travis config + * [7542e86] Reorder and comment .travis.yml + * [7025f4f] Add lintian checks after build + * [ddbfcc0] Update to recent copyright format + * [b9b503e] Move samples into /usr/share/doc/postfwd/examples + * [1e7c202] Add 10_fix_wording_manpages.patch to fix manpages + * [f7da50f] travis-ci: Remove dpatch from build-deps + * [dd5f01d] Add 20_fix_postfwd1_default_umask.patch to fix postfwd default + umask (Closes: #717607), thanks Jesse Norell + * [172a432] Fix bug report source format move + + -- Jan Wagner Sun, 09 Mar 2014 23:43:28 +0100 + +postfwd (1.35-1) unstable; urgency=low + + * New upstream release + - fixed fixed taint mode logging error + - check_* functions use print/getline instead of send/recv for large + --dumpcache output + - log_* routines added to allow the same plugins for postfwd1 and postfwd2 + - added more information when using --debug=cleanup + - new sendmail(sendmail-path::from::to::subject::body) action + - rate(), size() and rcpt() function index is now case insensitive by + default + - fixed segfault when using new perl versions (Closes: #697653) + + -- Jan Wagner Wed, 22 May 2013 14:49:15 +0200 + +postfwd (1.33-1) UNRELEASED; urgency=low + + * New upstream release + - fixed bug when computing scores with more than 1 digit after the "." 
+ - fixed bug when computing negative values with the set action + - ITEMS plugins returning zero values were handled incorrectly + - max command recursion was not reset for each rule + - fixed warning about use of (uninitialized value) when STORABLE + is available but no cache file was defined (Closes: #697657) + * Fix comment in /etc/default/postfwd (Closes: #679924), thanks Jeroen + Koekkoek + * Fix typo in README.Debian (closes: #691242), thanks Axel Beckert + + -- Jan Wagner Thu, 29 Mar 2012 20:31:17 +0200 + +postfwd (1.32-2) unstable; urgency=low + + * Switch over to packaging format 3.0 (quilt) (Closes: #664368) + * Updating standards version to 3.9.3, no changes needed + * Remove build-dependency of dpatch + * Use dh_prep instead of dh_clean -k + * Add build-arch and build-indep targets to debian/rules + + -- Jan Wagner Thu, 29 Mar 2012 20:22:17 +0200 + +postfwd (1.32-1) unstable; urgency=low + + * New upstream release + - new option --save_rates= is able to load and save rate limit counters + to disk on program start and termination. + - the --debugitem="sender=example\.org$" option allows verbose logging for + particular requests + - the debug() action enables verbose logging for certain rules + - nested commands are possible now + - new mail(server/helo/from/to/subject/body) action. 
+ - single cache items can be wiped + - sasl_username is logged if available + - rate limit action is executed, if the first request exceeds the limit + - exceeded ratecounters will not be kept permanently anymore + - rate limits are evaluated at ruleset stage now + - new parser enhancement is able to omit the trailing "\" for multi-line + rules + - new plugin interface (BETA) + - Time::HiRes is used if available + - multiple rate limits for the same items are supported now + - new $$ratecount variable for rate() actions + - new option --keep_rates + - queueid is logged when available + - rate limits fixed + - new --debug class 'cleanup' + - documentation updates and fixes + * Suppress output on restarting via init script (Closes: #636782), thanks + Martin F. Krafft for reporting + * Add hapolicy and manpage into separate binary package + * Reorganize documentation + - Add new files from upstream to documentation + - Changelogs where renamed by upstream + * Bump Standards-Version to 3.9.2, no changes needed + + -- Jan Wagner Wed, 21 Dec 2011 22:27:27 +0100 + +postfwd (1.20-1) unstable; urgency=low + + * New upstream release + - Release contains postfwd1 and postfwd2 now (Closes: #582969) + - new --umask setting allows to set filepermissions for pidfiles and unix + domain sockets + - Rate limit code rewritten + - rbl checks disabled for ipv6 addresses, cidr compare will switch to + default (regex/string) + - rbl check could fail on multiple dnsbl answers + * Add dpatch infrastructure + * Provide update-alternatives for choosing the postfwd variant + * Install also CHANGELOG2 + * Bump Standards-Version to 3.9.1, no changes needed + + -- Jan Wagner Thu, 10 Feb 2011 08:38:04 +0100 + +postfwd (1.18-1) unstable; urgency=low + + * New upstream release + - Fixed bug when comparing sender and recipient addresses, like + "sender=$$recipient" + + -- Jan Wagner Thu, 29 Apr 2010 08:46:25 +0200 + +postfwd (1.17-1) unstable; urgency=low + + * New upstream release + - Net::DNS 
internal errors will now be handled gracefully + - default for options --dns_max_ns_a_lookups and --dns_max_mx_a_lookups of + 100 + - Fixed variable substitution when the '=' operator is used + + -- Jan Wagner Mon, 22 Mar 2010 09:02:31 +0100 + +postfwd (1.16-2) unstable; urgency=low + + * Bump Standards-Version to 3.8.4, no changes needed + * Migrate Vcs-Fields over to scm.uncompleted.org + * Add 1.0 to debian/source/format + + -- Jan Wagner Wed, 10 Mar 2010 12:35:57 +0100 + +postfwd (1.16-1) unstable; urgency=low + + * NEW upstream release + - documentation fixed + - configuration parser improvements + - option --reload (HUP signal) now reloads config, if the file is unchanged + - redirect syslog to stdout for --kill, --reload and --showconfig + - new rcpt() command counts recipients for rate limits + - helo_address, and sender_(ns|mx)_addrs can now be csv items + - items may now be retrieved from files using "item=file:/some/where" + * Add "Copyright" to all copyrights in debian/copyright + * Bump standards version to 3.8.3 (no changes needed) + * Fix speeling errors in debian/README.Debian + + -- Jan Wagner Thu, 14 Jan 2010 19:32:26 +0100 + +postfwd (1.14-1) unstable; urgency=low + + * new upstream release + - new compare operators + - added --nodaemon option + - perform non dns items first + - enabled dns cache for sender(ns|mx) and helo address + - new options --dns_max_ns_lookups and --dns_max_mx_lookups + - new items sender_ns_names and sender_ns_addrs + - new items sender_mx_names and sender_mx_addrs + - new item helo_address, please see docs for more + - added --proto switch, to enable the use of unix domain sockets + - added command-line options --kill and --reload + - dnsbl txt lookups only for dnsbls with at least one a record + - small performance improvement + - ask() action allows to use another policy service + - new options --noidlestats and --norulelog + * install postfwd.cf.sample, was renamed upstream + * leave hints about documentation and 
config verification in README.Debian + * Bump standards version to 3.8.2 (no changes needed) + + -- Jan Wagner Mon, 06 Jul 2009 21:15:35 +0200 + +postfwd (1.10pre8b-1) unstable; urgency=low + + * new upstream release + - Net::CIDR::Lite is not required any longer + - Net::DNS::Async is no longer used + - changed Net::Server behaviour to ignore syslog errors + - --shortlog is now default behaviour (use -v to see more) + - days=Wed now means exactly Wednesday + - disabled fallback to synchronous dns on timed out rbls + - new item "rhsbl_helo" allows to check helo against rhsbls + - the new variable $$request_hits contains a list of all matching ruleids + - the new variable $$dnsbltext allows access to txt records of rbls + - new options --no-rulestats and --nodnslog + - ttls of the dns responses override --cache-rbl-timeout when bigger + * drop dependency of libnet-cidr-lite-perl and libnet-dns-async-perl + * add dependency of libnet-dns-perl + + -- Jan Wagner Thu, 19 Feb 2009 22:39:09 +0100 + +postfwd (1.10pre7c-3) unstable; urgency=low + + * implement machine-interpretable copyright file + * fix init script (Closes: #503597). + - let daemon write pid file for his own + - point start-stop daemon to pidfile when stoping + - fix reload by fixing the way how to get the pid + * fix example-cfg2.txt to work with 1.10pre7 (Closes: #503596). + + -- Jan Wagner Fri, 31 Oct 2008 09:55:52 +0100 + +postfwd (1.10pre7c-2) unstable; urgency=low + + * Uploading to unstable. + * Updating standards version to 3.8.0, no changes needed + + -- Jan Wagner Tue, 15 Jul 2008 22:43:08 +0200 + +postfwd (1.10pre7c-1) experimental; urgency=low + + * Initial release (Closes: #470356). + + -- Jan Wagner Sat, 31 May 2008 22:07:08 +0200 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..995c952 --- /dev/null +++ b/debian/control 
@@ -0,0 +1,36 @@
+Source: postfwd
+Section: mail
+Priority: optional
+Maintainer: Jan Wagner
+Build-Depends: debhelper-compat (= 13), html2text
+Homepage: https://www.postfwd.org/
+Vcs-Browser: https://gitlab.uncompleted.org/debian/postfwd
+Vcs-Git: https://gitlab.uncompleted.org/debian/postfwd.git
+Standards-Version: 4.6.2
+Rules-Requires-Root: no
+
+Package: postfwd
+Architecture: all
+Depends: adduser,
+ libnet-dns-perl,
+ libnet-server-perl,
+ ${misc:Depends},
+ ${perl:Depends}
+Conflicts: postfwd2
+Description: Postfix policyd to combine complex restrictions in a ruleset
+ Postfwd is written in perl to combine complex postfix restrictions in a
+ ruleset similar to those of the most firewalls. The program uses the postfix
+ policy delegation protocol to control access to the mail system before a
+ message has been accepted. It allows you to choose an action (e.g. reject,
+ dunno) for a combination of several smtp parameters (like sender and recipient
+ address, size or the client's TLS fingerprint).
+
+Package: hapolicy
+Architecture: all
+Depends: ${misc:Depends}, ${perl:Depends}
+Description: Balancing and fallback postfix policy delegation service
+ Hapolicy enables high availability, weighted loadbalancing and a fallback
+ action for postfix policy delegation services. Invoked via postfix spawn
+ it acts as a wrapper that queries other policy servers via tcp connection.
+ The order of the service queries can be influenced by assigning a specific
+ priority and weight to each service.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..ba7f2f8
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,82 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: postfwd +Upstream-Contact: Jan Peter Kessler +Source: http://www.postfwd.org + +Files: * +Copyright: Copyright (c) 2007, Jan Peter Kessler, All rights reserved. +License: BSD-3 + +Files: debian/* +Copyright: Copyright (C) 2006, 2008 Jan Wagner +License: GPL-2+ + +Files: debian/example-cfg2.txt +Copyright: Copyright (c) 2008, Henrik Krohns +License: BSD-3 + +Files: debian/bin/github-release.sh +Copyright: Copyright (c) 2014 Terry Burton +License: Expat + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + . + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +License: BSD-3 + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + . + * Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. 
+ * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + * Neither the name of the authors nor the names of his contributors may be + used to endorse or promote products derived from this software without + specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO + EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: GPL-2+ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + . + On Debian systems, the complete text of the GNU General Public License can be + found in /usr/share/common-licenses/GPL-2 file. 
diff --git a/debian/example-cfg2.txt b/debian/example-cfg2.txt new file mode 100644 index 0000000..e8ef10a --- /dev/null +++ b/debian/example-cfg2.txt 
@@ -0,0 +1,146 @@ +# downloaded from http://hege.li/howto/spam/etc/postfwd/postfwd.conf +# check for more recent versions! + +### +### Example config for postfwd 1.10pre7+ +### + +## Check DNS whitelists, maybe we don't need more checks + +id=OK_DNSWL; \ + rbl=list.dnswl.org/^127/43200; \ + action=DUNNO + +## Check (non-fqdn/ip/dynamic) HELO and (missing) reverse DNS + +id=SET_HELO; \ + helo_name=!!\.; \ + helo_name=[0-9.-]{7}; \ + action=set(HIT_helo=1) + +id=SET_NODNS; \ + client_name=^unknown$; \ + action=set(HIT_nodns=1) + +id=REJECT_HELO_NODNS; \ + HIT_helo==1; HIT_nodns==1; \ + action=REJECT Blocked - contact postmaster@example.net for help - Suspicious HELO [$$helo_name] and missing reverse DNS [$$client_address] + +## Check ZEN first for immediate blocking - less queries for other lists +## See usage policy: http://www.spamhaus.org/organization/dnsblusage.html + +id=REJECT_RBL_ZEN; \ + rbl=zen.spamhaus.org; \ + action=REJECT Blocked - contact postmaster@example.net for help - zen.spamhaus.org RBL + +## Check other DNSBLs in parallel + +&&DNSBLS { \ + rbl=bl.spamcop.net; \ + rbl=dnsbl-1.uceprotect.net; \ + rbl=dnsbl-2.uceprotect.net; \ + rbl=dnsbl-3.uceprotect.net; \ + rbl=psbl.surriel.com; \ + rbl=combined.njabl.org; \ + rbl=dnsbl.ahbl.org; \ + rbl=dnsbl.sorbs.net; \ + rbl=ix.dnsbl.manitu.net; \ + rbl=dyna.spamrats.com; \ +}; + +id=EVAL_DNSBLS; \ + &&DNSBLS; rblcount=all; \ + action=set(HIT_rbls=$$rblcount) + +id=REJECT_RBL_MULTI; \ + HIT_rbls>=2; \ + action=REJECT Blocked - contact postmaster@example.net for help - Multiple DNSBLs + +## Check RHSBLs if there wasn't enough DNSBLs hit + +&&RHSBLS_REVERSE { \ + rhsbl_reverse_client=dynamic.rhs.mailpolice.com; \ +}; + +&&RHSBLS_SENDER { \ + rhsbl_sender=multi.uribl.com; \ + rhsbl_sender=multi.surbl.org; \ + rhsbl_sender=bulk.rhs.mailpolice.com; \ + rhsbl_sender=rhsbl.ahbl.org; \ + rhsbl_sender=rhsbl.sorbs.net; \ + rhsbl_sender=dsn.rfc-ignorant.org; \ +}; + +id=EVAL_RHSBLS; \ + &&RHSBLS_REVERSE; 
&&RHSBLS_SENDER; rhsblcount=all; \ + action=set(HIT_rhsbls=$$rhsblcount) + +id=REJECT_RHSBL_MULTI; \ + HIT_rhsbls>=2; \ + action=REJECT Blocked - contact postmaster@example.net for help - Multiple RHSBLs + +## See if we get any combined hits from rules before + +id=REJECT_RBL_RHSBL; \ + HIT_rbls>=1; HIT_rhsbls>=1; \ + action=REJECT Blocked - contact postmaster@example.net for help - RHSBL and DNSBL + +id=REJECT_RBL_HELO; \ + HIT_rbls>=1; HIT_helo==1; \ + action=REJECT Blocked - contact postmaster@example.net for help - DNSBL and suspicious HELO [$$helo_name] + +id=REJECT_RBL_NODNS; \ + HIT_rbls>=1; HIT_nodns==1; \ + action=REJECT Blocked - contact postmaster@example.net for help - DNSBL and missing reverse DNS [$$client_address] + +id=REJECT_RHSBL_HELO; \ + HIT_rhsbls>=1; HIT_helo==1; \ + action=REJECT Blocked - contact postmaster@example.net for help - RHSBL and suspicious HELO [$$helo_name] + +id=REJECT_RHSBL_NODNS; \ + HIT_rhsbls>=1; HIT_nodns==1; \ + action=REJECT Blocked - contact postmaster@example.net for help - RHSBL and missing reverse DNS [$$client_address] + +## Finally greylist all lesser hits. +## +## A more DNSBL friendly way would be to greylist everything suspicious +## before DNS checks. Currently this requires you to setup some postfix +## tables before postfwd is called, since greylisting can be only done last +## in postfwd (action always exits processing). + +id=GREY_HELO; HIT_helo==1; action=check_postgrey +id=GREY_NODNS; HIT_nodns==1; action=check_postgrey +id=GREY_RBL; HIT_rbls>=1; action=check_postgrey +id=GREY_RHSBL; HIT_rhsbls>=1; action=check_postgrey + + +## +## This example is free to use as per BSD license: +## +## Copyright (c) 2008, Henrik Krohns +## All rights reserved. 
+## +## Redistribution and use in source and binary forms, with or without modification, +## are permitted provided that the following conditions are met: +## +## * Redistributions of source code must retain the above copyright +## notice, this list of conditions and the following disclaimer. +## * Redistributions in binary form must reproduce the above copyright +## notice, this list of conditions and the following disclaimer in +## the documentation and/or other materials provided with the +## distribution. +## * Neither the name of the authors nor the names of his contributors +## may be used to endorse or promote products derived from this +## software without specific prior written permission. +## +## THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +## INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +## FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT, +## INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +## NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +## PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +## WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +## POSSIBILITY OF SUCH DAMAGE. +## + diff --git a/debian/hapolicy.docs b/debian/hapolicy.docs new file mode 100644 index 0000000..8216e68 --- /dev/null +++ b/debian/hapolicy.docs @@ -0,0 +1,3 @@ +doc/hapolicy.txt +tools/hapolicy/hapolicy.* +tools/hapolicy/hapolicy[0-9a-zA-Z.]* diff --git a/debian/hapolicy.manpages b/debian/hapolicy.manpages new file mode 100644 index 0000000..e093172 --- /dev/null +++ b/debian/hapolicy.manpages @@ -0,0 +1 @@ +man/man8/hapolicy.1 
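Review bot: The DNSBL and RHSBL zones hard-coded in debian/example-cfg2.txt feed outright `REJECT` actions (`HIT_rbls>=2`, `HIT_rhsbls>=2` and the combined rules), yet the file carries no date and no warning that list operators come and go. Several of the zones named here, for example `dnsbl.ahbl.org`, `rhsbl.ahbl.org`, `combined.njabl.org` and `dsn.rfc-ignorant.org`, have to my knowledge been retired, and a retired zone may start answering every query, which would make this example reject legitimate mail for anyone who copies it unchanged. I would add a comment at the top such as `# NOTE: confirm every rbl=/rhsbl_*= zone below is still operated before use; a dead zone may list all clients` and drop the zones you can confirm are gone. The header's download location is an `http://` URL, so its "check for more recent versions" step is unauthenticated as well.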
diff --git a/debian/patches/10_fix_wording_manpages.patch b/debian/patches/10_fix_wording_manpages.patch new file mode 100644 index 0000000..156253c --- /dev/null +++ b/debian/patches/10_fix_wording_manpages.patch 
@@ -0,0 +1,172 @@ +From: Jan Wagner +Subject: Fixing cosmetical issues +diff --git a/man/man8/postfwd.8 b/man/man8/postfwd.8 +index 3e4354b..49deff1 100644 +--- a/man/man8/postfwd.8 ++++ b/man/man8/postfwd.8 +@@ -335,7 +335,7 @@ postfwd versions prior to 1.30 require trailing ';' and '\e'\-characters: + \& the specified action will be returned to postfix + \& scores are set global until redefined! + \& +-\& request_score \- this value allows to access a request\*(Aqs score. it ++\& request_score \- this value allows one to access a request\*(Aqs score. it + \& may be used as variable ($$request_score). + \& + \& rbl, rhsbl, \- query the specified RBLs/RHSBLs, possible values are: +@@ -466,7 +466,7 @@ The following items currently have to be unique: + \& id, minimum and maximum values, rblcount and rhsblcount + .Ve + .PP +-Any item can be negated by preceeding '!!' to it, e.g.: ++Any item can be negated by preceding '!!' to it, e.g.: + .PP + .Vb 1 + \& id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please +@@ -484,7 +484,7 @@ To avoid confusion with regexps or simply for better visibility you can use '!!( + \& id=USER01 ; sasl_username = !!( (bob|alice) ) ; action=REJECT who is that? + .Ve + .PP +-Request attributes can be compared by preceeding '$$' characters, e.g.: ++Request attributes can be compared by preceding '$$' characters, e.g.: + .PP + .Vb 3 + \& id=R\-003 ; client_name = !! $$helo_name ; action=WARN helo does not match DNS +@@ -637,7 +637,7 @@ with postfwd1 v1.15 and postfwd2 v0.18 and higher. + \&\fIGeneral\fR + .PP + Actions will be executed, when all rule items have matched a request (or at least one of any item list). 
You can refer to +-request attributes by preceeding $$ characters, like: ++request attributes by preceding $$ characters, like: + .PP + .Vb 3 + \& id=R\-003; client_name = !!$$helo_name; action=WARN helo \*(Aq$$helo_name\*(Aq does not match DNS \*(Aq$$client_name\*(Aq +@@ -730,7 +730,7 @@ postfwd actions control the behaviour of the program. Currently you can specify + \& means that requests from bob@example.local and BoB@example.local will be treated differently + \& + \& ask (:[:]) +-\& allows to delegate the policy decision to another policy service (e.g. postgrey). the first ++\& allows one to delegate the policy decision to another policy service (e.g. postgrey). the first + \& and the second argument (address and port) are mandatory. a third optional argument may be + \& specified to tell postfwd to ignore certain answers and go on parsing the ruleset: + \& # example1: query postgrey and return it\*(Aqs answer to postfix +@@ -832,7 +832,7 @@ carefully, because errors may cause postfwd to break! It is also + allowed to override attributes or built-in functions, but be sure that you know + what you do because some of them are used internally. + .PP +-Please keep security in mind, when you access sensible ressources and never, ever ++Please keep security in mind, when you access sensible resources and never, ever + run postfwd as privileged user! Also never trust your input (especially hostnames, + and e\-mail addresses). + .PP +@@ -866,7 +866,7 @@ the policy delegation request and therefore may be used in postfwd's ruleset. + \& + \& # EXAMPLES \- integrated in postfwd. no need to activate them here. + \& +-\& # allows to check postfwd version in ruleset ++\& # allows one to check postfwd version in ruleset + \& "version" => sub { + \& my(%request) = @_; + \& my(%result) = ( +@@ -1505,7 +1505,7 @@ equals to + \& id=R001; sender=bob@alice.local; client_address=192.168.1.1; action=dunno + .Ve + .PP +-Lists will be evaluated in the specified order. 
This allows to place faster expressions at first: ++Lists will be evaluated in the specified order. This allows one to place faster expressions at first: + .PP + .Vb 1 + \& postfwd \-vv \-L \-r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /some/where/request.sample +diff --git a/man/man8/postfwd2.8 b/man/man8/postfwd2.8 +index 11319fd..fdb3a6f 100644 +--- a/man/man8/postfwd2.8 ++++ b/man/man8/postfwd2.8 +@@ -193,7 +193,7 @@ postfwd2 \- postfix firewall daemon + \& \-n, \-\-nodns skip any dns based test + \& \-\-dns_timeout dns query timeout in seconds + \& \-\-dns_timeout_max disable dnsbl after timeouts +-\& \-\-dns_timeout_interval reenable dnsbl after seconds ++\& \-\-dns_timeout_interval re-enable dnsbl after seconds + \& \-\-cache\-rbl\-timeout default dns ttl if not specified in ruleset + \& \-\-cache\-rbl\-default default dns pattern if not specified in ruleset + \& \-\-cleanup\-rbls cleanup old dns cache items every seconds +@@ -364,7 +364,7 @@ postfwd versions prior to 1.30 require trailing ';' and '\e'\-characters: + \& the specified action will be returned to postfix + \& scores are set global until redefined! + \& +-\& request_score \- this value allows to access a request\*(Aqs score. it ++\& request_score \- this value allows one to access a request\*(Aqs score. it + \& may be used as variable ($$request_score). + \& + \& rbl, rhsbl, \- query the specified RBLs/RHSBLs, possible values are: +@@ -495,7 +495,7 @@ The following items must be unique: + \& id, minimum and maximum values, rblcount and rhsblcount + .Ve + .PP +-Any item can be negated by preceeding '!!' to it, e.g.: ++Any item can be negated by preceding '!!' to it, e.g.: + .PP + .Vb 1 + \& id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please +@@ -513,7 +513,7 @@ To avoid confusion with regexps or simply for better visibility you can use '!!( + \& id=USER01 ; sasl_username =~ !!( /^(bob|alice)$/ ) ; action=REJECT who is that? 
+ .Ve + .PP +-Request attributes can be compared by preceeding '$$' characters, e.g.: ++Request attributes can be compared by preceding '$$' characters, e.g.: + .PP + .Vb 3 + \& id=R\-003 ; client_name = !! $$helo_name ; action=WARN helo does not match DNS +@@ -666,7 +666,7 @@ with postfwd1 v1.15 and postfwd2 v0.18 and higher. + \&\fIGeneral\fR + .PP + Actions will be executed, when all rule items have matched a request (or at least one of any item list). You can refer to +-request attributes by preceeding $$ characters, like: ++request attributes by preceding $$ characters, like: + .PP + .Vb 3 + \& id=R\-003; client_name = !!$$helo_name; action=WARN helo \*(Aq$$helo_name\*(Aq does not match DNS \*(Aq$$client_name\*(Aq +@@ -750,7 +750,7 @@ postfwd2 actions control the behaviour of the program. Currently you can specify + \& means that requests from bob@example.local and BoB@example.local will be treated differently + \& + \& ask (:[:]) +-\& allows to delegate the policy decision to another policy service (e.g. postgrey). the first ++\& allows one to delegate the policy decision to another policy service (e.g. postgrey). the first + \& and the second argument (address and port) are mandatory. a third optional argument may be + \& specified to tell postfwd2 to ignore certain answers and go on parsing the ruleset: + \& # example1: query postgrey and return it\*(Aqs answer to postfix +@@ -852,7 +852,7 @@ carefully, because errors may cause postfwd to break! It is also + allowed to override attributes or built-in functions, but be sure that you know + what you do because some of them are used internally. + .PP +-Please keep security in mind, when you access sensible ressources and never, ever ++Please keep security in mind, when you access sensible resources and never, ever + run postfwd as privileged user! Also never trust your input (especially hostnames, + and e\-mail addresses). 
+ .PP +@@ -886,7 +886,7 @@ the policy delegation request and therefore may be used in postfwd's ruleset. + \& + \& # EXAMPLES \- integrated in postfwd. no need to activate them here. + \& +-\& # allows to check postfwd version in ruleset ++\& # allows one to check postfwd version in ruleset + \& "version" => sub { + \& my(%request) = @_; + \& my(%result) = ( +@@ -1524,7 +1524,7 @@ equals to + \& id=R001; sender=bob@alice.local; client_address=192.168.1.1; action=dunno + .Ve + .PP +-Lists will be evaluated in the specified order. This allows to place faster expressions at first: ++Lists will be evaluated in the specified order. This allows one to place faster expressions at first: + .PP + .Vb 1 + \& postfwd2 \-\-nodaemon \-vv \-L \-r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /some/where/request.sample +@@ -1601,7 +1601,7 @@ To debug special steps of the parser the '\-\-debug' switch takes a list of debu + .PP + The common way to use postfwd2 is to start it as daemon, listening at a specified tcp port. + postfwd2 will spawn multiple child processes which communicate with a parent cache. This is +-the prefered way to use postfwd2 in high volume environments. Start postfwd2 with the following parameters: ++the preferred way to use postfwd2 in high volume environments. Start postfwd2 with the following parameters: + .PP + .Vb 1 + \& postfwd2 \-d \-f /etc/postfwd.cf \-i 127.0.0.1 \-p 10045 \-u nobody \-g nobody \-S diff --git a/debian/patches/20_fix_postfwd1_default_umask.patch b/debian/patches/20_fix_postfwd1_default_umask.patch new file mode 100644 index 0000000..8bf3c99 --- /dev/null +++ b/debian/patches/20_fix_postfwd1_default_umask.patch 
@@ -0,0 +1,15 @@
+From: Jan Wagner
+Subject: Fixing default umask of postfwd
+diff --git a/sbin/postfwd b/sbin/postfwd
+index e17a729..62f90bb 100755
+--- a/sbin/postfwd
++++ b/sbin/postfwd
+@@ -49,7 +49,7 @@ our($def_net_chroot) = "";
+ our($def_net_interface) = "127.0.0.1";
+ our($def_net_port) = "10040";
+ our($def_net_proto) = "tcp";
+-our($def_net_umask) = "0111";
++our($def_net_umask) = "0177";
+ our($def_net_user) = "nobody";
+ our($def_net_group) = "nobody";
+ our($def_dns_queuesize) = "300";
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..c5ee770
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+10_fix_wording_manpages.patch
+20_fix_postfwd1_default_umask.patch
diff --git a/debian/postfwd.README.Debian b/debian/postfwd.README.Debian
new file mode 100644
index 0000000..3786797
--- /dev/null
+++ b/debian/postfwd.README.Debian
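Review bot: The embedded patch 20_fix_postfwd1_default_umask.patch tightens `$def_net_umask` from "0111" to "0177" in sbin/postfwd only, and its header gives no reason for the change. debian/rules in this commit also ships sbin/postfwd2 as /usr/sbin/postfwd2; whether that script carries the same "0111" default is not visible here and should be checked, so that both alternatives create files with the same permissions. I would add a DEP-3 style header line such as `Description: create daemon files owner-only (umask 0177) instead of read-write for group and others (umask 0111)`. If this umask also applies to a UNIX-domain listening socket, confirm that Postfix can still connect when the daemon runs under a different account.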
@@ -0,0 +1,68 @@ +postfwd for Debian +------------------ + +1. PROVIDE A CONFIGFILE +----------------------- + +Please provide a config file, usually /etc/postfix/postfwd.cf. Examples are +located in /usr/share/doc/postfwd/examples/. +Another can be found at http://hege.li/howto/spam/etc/postfwd/postfwd.conf +and is provided as example-cfg2.txt. + +A quickstart guide is available at http://www.postfwd.org/quick.html and the +online documentation at http://www.postfwd.org/doc.html, the offline version +can be viewed with 'postfwd -m'. + +2. VERIFY CONFIG +---------------- + +How interpret the parser your rules, you can check with: + +# postfwd -f /etc/postfix/postfwd.cf -C -v + +Check your rules against sample request: + +# cat request.sample | postfwd -f /etc/postfix/postfwd.cf -L + +# cat request.sample + +------ snip ------- +ccert_fingerprint= +size=64063 +helo_name=english-breakfast.cloud9.net +reverse_client_name=english-breakfast.cloud9.net +queue_id= +encryption_cipher= +encryption_protocol= +etrn_domain= +ccert_subject= +request=smtpd_access_policy +protocol_state=RCPT +recipient=someone@domain.local +instance=6748.46adf3f8.62156.0 +protocol_name=ESMTP +encryption_keysize=0 +recipient_count=0 +ccert_issuer= +sender=owner-postfix-users@postfix.org +client_name=english-breakfast.cloud9.net +client_address=168.100.1.7 +------ snip ------- + +Samples can be taken into the logfile when starting the daemon with "-vv" + +3. AUTOMATIC STARTUP +-------------------- + +In order to avoid the startup of the daemon on an unconfigured machine, +automatic startup, on boot, is disabled by default. To enable it just run +'systemctl enable postfwd.service', when still using SysVinit edit the +file /etc/default/postfwd and set the "startup" variable to 1. + +4. CHOOSING WHICH POSTFWD VERSION TO USE +---------------------------------------- + +Since some time, there is also a prefork version available, called postfwd2. 
+You can use update-alternatives to choose between 'postfwd1' and 'postfwd2'. + + -- Jan Wagner Mon, 10 Mar 2008 22:37:44 +0100 diff --git a/debian/postfwd.default b/debian/postfwd.default new file mode 100644 index 0000000..619f4ea --- /dev/null +++ b/debian/postfwd.default @@ -0,0 +1,15 @@ +# Global options for postfwd(8). + +# Set to '1' to enable startup (daemon mode), doesn't affect systemd +STARTUP=0 + +# Config file +CONF=/etc/postfix/postfwd.cf +# IP where listen to +INET=127.0.0.1 +# Port where listen to +PORT=10040 +# run as user postfw +RUNAS="postfw" +# Arguments passed on start (--daemon implied) +ARGS="--summary=600 --cache=600 --cache-rdomain-only --cache-no-size" diff --git a/debian/postfwd.docs b/debian/postfwd.docs new file mode 100644 index 0000000..d4b6199 --- /dev/null +++ b/debian/postfwd.docs @@ -0,0 +1,5 @@ +debian/tmp/*.txt +doc/*.txt +doc/postfwd-ARCH.png +doc/postfwd2.CHANGELOG +tools/*.pl diff --git a/debian/postfwd.examples b/debian/postfwd.examples new file mode 100644 index 0000000..26c37f7 --- /dev/null +++ b/debian/postfwd.examples @@ -0,0 +1,4 @@ +debian/example-cfg* +etc/postfwd.cf.sample +plugins/*.sample +tools/*.sample diff --git a/debian/postfwd.init b/debian/postfwd.init new file mode 100644 index 0000000..0394b06 --- /dev/null +++ b/debian/postfwd.init 
@@ -0,0 +1,103 @@ +#! /bin/sh +# Written by Miquel van Smoorenburg . +# Modified for Debian +# by Ian Murdock . +# +# Version: @(#)skeleton 1.9 26-Feb-2001 miquels@cistron.nl +# /etc/init.d/postfwd: v1 2008/03/12 Jan Wagner + +### BEGIN INIT INFO +# Provides: postfwd +# Required-Start: $local_fs $network $remote_fs $syslog +# Required-Stop: $local_fs $network $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start and stop the postfw daemon +# Description: a Perl policy daemon for the Postfix MTA +### END INIT INFO + +PATH=/sbin:/bin:/usr/sbin:/usr/bin +NAME=postfwd +DAEMON=/usr/sbin/${NAME} +PIDFILE=/var/run/$NAME.pid +DESC=postfwd + +. /lib/lsb/init-functions + +test -x $DAEMON || exit 0 + +not_configured () { + echo "#### WARNING ####" + echo "${NAME} won't be started/stopped unless it is configured." + echo "If you want to start ${NAME} as daemon, see /etc/default/${NAME}." + echo "#################" + exit 0 +} + +no_configfile () { + echo "#### WARNING ####" + echo "${NAME} won't be started/stopped unless a rules file is provided at $CONF." + echo "#################" + exit 0 +} + +# check if postfwd is configured or not +if [ -f "/etc/default/$NAME" ] +then + . /etc/default/$NAME + if [ "$STARTUP" != "1" ] + then + not_configured + fi +else + not_configured +fi + +# check if rules file is there +if [ ! -f $CONF ] +then + no_configfile +fi + +# Check whether we have to drop privileges. +if [ -n "$RUNAS" ] +then + if ! getent passwd "$RUNAS" >/dev/null; then + RUNAS="" + fi +fi + +set -e + +case "$1" in + start) + echo -n "Starting $DESC: " + start-stop-daemon --start --quiet \ + --name ${NAME} \ + --exec $DAEMON -- ${ARGS} --daemon --file=${CONF} --interface=${INET} --port=${PORT} --user=${RUNAS} --group=${RUNAS} --pidfile=$PIDFILE + echo "$NAME." + ;; + stop) + echo -n "Stopping $DESC: " + start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE && rm -rf $PIDFILE + echo "$NAME." 
+ ;; + reload) + echo "Reloading $DESC configuration files." + kill -HUP $(cat $PIDFILE) + ;; + restart|force-reload) + echo -n "Restarting $DESC (incl. cache): " + $0 stop > /dev/null + sleep 1 + $0 start > /dev/null + echo "$NAME." + ;; + *) + N=/etc/init.d/$NAME + echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/debian/postfwd.manpages b/debian/postfwd.manpages new file mode 100644 index 0000000..638a3b9 --- /dev/null +++ b/debian/postfwd.manpages @@ -0,0 +1,2 @@ +debian/tmp/postfwd1.8 +man/man8/postfwd2.8 diff --git a/debian/postfwd.postinst b/debian/postfwd.postinst new file mode 100644 index 0000000..fed6a61 --- /dev/null +++ b/debian/postfwd.postinst 
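Review bot: In debian/postfwd.init the privilege-drop check fails open: when `getent passwd "$RUNAS"` finds no such account, the script sets `RUNAS=""` and still starts the daemon with `--user= --group=`, so the account it ends up running as depends on postfwd's own fallback, which is not visible in this hunk. Refusing to start is the safer behaviour: replace `RUNAS=""` with `echo "${NAME}: user $RUNAS does not exist, not starting" >&2; exit 1`. The same script leaves `$CONF` and `$PIDFILE` unquoted (`[ ! -f $CONF ]`, `kill -HUP $(cat $PIDFILE)`); with an empty `CONF` the test collapses to `[ ! -f ]`, which is false, so the rules-file check is silently skipped. Quote them as `"$CONF"` and `"$PIDFILE"`.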
@@ -0,0 +1,63 @@ +#!/bin/sh +# based on arpwatch.postinst: v11 2004/09/15 KELEMEN Peter +# postinst: v1 2006/01/12 Jan Wagner + +set -e + +NUSER="postfw" +NGROUP="postfw" +NHOME="/var/lib/$NUSER" +NGECOS="postfwd user" + +case "$1" in + configure) + # Take care of group. + if NGROUP_ENTRY=`getent group $NGROUP`; then + # group exists + : + else + # group does not exist yet + addgroup --quiet --system $NGROUP + fi + + # Take care of user. + if NUSER_ENTRY=`getent passwd $NUSER`; then + # user exists + adduser --quiet $NUSER $NGROUP + # + else + # user does not exist yet + adduser --quiet --system \ + --ingroup $NGROUP \ + --gecos "$NGECOS" \ + --home $NHOME \ + --no-create-home \ + --shell /bin/sh \ + --disabled-login \ + --disabled-password \ + --shell /bin/false \ + $NUSER + fi + + # Set up home directory. + if [ -d $NHOME ]; then + chown -R ${NUSER}:${NGROUP} $NHOME + chmod -R o-rwX $NHOME + fi + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +update-alternatives --install /usr/sbin/postfwd postfwd /usr/sbin/postfwd1 100 \ + --slave /usr/share/man/man1/postfwd.1.gz postfwd.1.gz \ + /usr/share/man/man1/postfwd1.1.gz +update-alternatives --install /usr/sbin/postfwd postfwd /usr/sbin/postfwd2 120 \ + --slave /usr/share/man/man1/postfwd.2.gz postfwd.2.gz \ + /usr/share/man/man1/postfwd2.1.gz +#DEBHELPER# diff --git a/debian/postfwd.postrm b/debian/postfwd.postrm new file mode 100644 index 0000000..5c1cb0e --- /dev/null +++ b/debian/postfwd.postrm 
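Review bot: The `adduser --system` call in debian/postfwd.postinst passes both `--shell /bin/sh` and `--shell /bin/false`, so the login shell of the service account depends on which occurrence the option parser keeps; drop the `--shell /bin/sh` line so the intent (no usable shell) is unambiguous. The `chown -R ${NUSER}:${NGROUP} $NHOME` and `chmod -R o-rwX $NHOME` that follow run as root over a tree the service account may already be able to write to, and a recursive ownership change there can reach files outside the tree through links; limit it to the directory itself (`chown ${NUSER}:${NGROUP} "$NHOME"`) or do it only on first install. The two `update-alternatives --install` calls also register slave links under /usr/share/man/man1 with different slave names, while this package installs its manpages as postfwd1.8 and postfwd2.8, so the slave targets probably do not exist.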
@@ -0,0 +1,56 @@ +#!/bin/sh +# based on arpwatch.postrm: v2 2004/09/15 KELEMEN Peter +# postrm: v1 2006/10/12 Jan Wagner + +NUSER="postfw" +NGROUP="postfw" + +set -e + +case "$1" in + purge) + # find first and last SYSTEM_UID numbers + for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do + case $LINE in + FIRST_SYSTEM_UID*) + FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='` + ;; + LAST_SYSTEM_UID*) + LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='` + ;; + *) + ;; + esac + done + # remove system account if necessary + if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then + if USERID=`getent passwd $NUSER | cut -f 3 -d ':'`; then + if [ -n "$USERID" ]; then + if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \ + [ "$USERID" -le "$LAST_SYSTEM_UID" ]; then + if which deluser > /dev/null; then + deluser --quiet $NUSER || true + # And then remove the group + GROUPID=`getent group $NGROUP | cut -f 3 -d ':'` + if [ -n "$GROUPID" ]; then + if which delgroup > /dev/null; then + delgroup --quiet $NGROUP || true + fi + fi + fi + fi + fi + fi + fi + ;; + + remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# diff --git a/debian/postfwd.prerm b/debian/postfwd.prerm new file mode 100644 index 0000000..66018fb --- /dev/null +++ b/debian/postfwd.prerm @@ -0,0 +1,10 @@ +#!/bin/sh + +set -e + +if [ "$1" = remove ] || [ "$1" = deconfigure ]; then + update-alternatives --remove postfwd /usr/sbin/postfwd1 + update-alternatives --remove postfwd /usr/sbin/postfwd2 +fi + +#DEBHELPER# diff --git a/debian/postfwd.service b/debian/postfwd.service new file mode 100644 index 0000000..2ca97aa --- /dev/null +++ b/debian/postfwd.service 
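Review bot: On purge, debian/postfwd.postrm deletes the `postfw` account and group, but nothing in the hunk removes the files that account owns (postinst chowns /var/lib/postfw to it when the directory exists), so a system account later assigned the same UID would inherit them. Either leave the account in place on purge, or remove the package's data directory before the `deluser` call. The variable is also spelled `FIST_SYSTEM_UID` throughout; it works because the misspelling is consistent, but renaming it to `FIRST_SYSTEM_UID` in all four places avoids a later partial correction breaking the range check.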
@@ -0,0 +1,15 @@
+[Unit]
+Description=Postfix firewall daemon
+After=network.target
+Before=postfix.service
+
+[Service]
+Environment=PIDFILE=/var/run/postfwd.pid
+EnvironmentFile=-/etc/default/postfwd
+ExecStart=/usr/sbin/postfwd $ARGS --daemon --file $CONF --interface $INET --port $PORT --user $RUNAS --group $RUNAS --pidfile $PIDFILE
+ExecStop=/usr/sbin/postfwd --file $CONF --pidfile $PIDFILE --kill
+ExecReload=/usr/sbin/postfwd --file $CONF --pidfile $PIDFILE --reload
+Type=forking
+
+[Install]
+WantedBy=multi-user.target
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..f27e5e3
--- /dev/null
+++ b/debian/rules
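Review bot: debian/postfwd.service takes `$CONF`, `$INET`, `$PORT` and `$RUNAS` only from the optional `EnvironmentFile=-/etc/default/postfwd`; if that file is missing or a variable is unset, the unbraced `$VAR` expands to nothing and `--user`/`--group` lose their argument, so the account the daemon runs under is no longer the one the package intends. Give the unit its own defaults before the EnvironmentFile line, e.g. `Environment=CONF=/etc/postfix/postfwd.cf INET=127.0.0.1 PORT=10040 RUNAS=postfw` (values taken from debian/postfwd.default in this commit). With `Type=forking`, a `PIDFile=/var/run/postfwd.pid` line would also let systemd track the main process instead of guessing it.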
@@ -0,0 +1,57 @@
+#!/usr/bin/make -f
+# written by Jan Wagner
+#
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+build: build-arch build-indep
+build-arch:
+build-indep:
+
+clean:
+ # removing generated manpage (not initial shipped)
+ rm -rf man/man8/hapolicy.1
+ dh_testdir
+ dh_testroot
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_prep
+
+ # install binaries
+ install -D -m 644 sbin/postfwd debian/postfwd/usr/sbin/postfwd1
+ install -D -m 644 sbin/postfwd2 debian/postfwd/usr/sbin/postfwd2
+ install -D -m 644 tools/hapolicy/hapolicy debian/hapolicy/usr/sbin/hapolicy
+ # install man page
+ mkdir -p debian/tmp/
+ cp man/man8/postfwd.8 debian/tmp/postfwd1.8
+ html2text doc/quick.html > debian/tmp/quick.txt
+ html2text doc/versions.html > debian/tmp/versions.txt
+ pod2man debian/hapolicy/usr/sbin/hapolicy man/man8/hapolicy.1
+
+# Build architecture-independent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs doc/postfwd.CHANGELOG
+ dh_installdocs -ppostfwd -Xhapolicy
+ dh_installdocs -phapolicy tools/hapolicy/hapolicy[0-9a-zA-Z.]*
+ dh_installexamples
+ dh_installinit -- defaults 19 21
+ dh_installsystemd --no-enable
+ dh_installman
+ dh_compress
+ dh_fixperms
+ dh_perl
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+# Build architecture-dependent files here.
+binary-arch: build install
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/source/options b/debian/source/options
new file mode 100644
index 0000000..b746363
--- /dev/null
+++ b/debian/source/options
@@ -0,0 +1 @@
+extend-diff-ignore = '(^|/)(\.travis\.yml|\.git|\.github|\.gitgnore|config\.sub|config\.guess)'
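Review bot: The three `install -D -m 644` lines in the install target of debian/rules put scripts into usr/sbin without the execute bit and rely on the later `dh_fixperms` call to make them runnable; state the intended mode directly with `install -D -m 755 …` so the result does not depend on a helper's defaults. In the clean target, `rm -rf man/man8/hapolicy.1` runs before `dh_testdir`, so the deletion happens before the check that make was started in the source tree. Move `dh_testdir` to the top of the recipe and use `rm -f` for a single file.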
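Review bot: The `extend-diff-ignore` pattern in debian/source/options lists `\.gitgnore`, which looks like a misspelling of `\.gitignore`, so a .gitignore file is not covered by this pattern as was presumably intended. The alternative should read `\.gitignore`, i.e. `…|\.github|\.gitignore|config\.sub|…`.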
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..191f206
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,2 @@
+version=4
+https://postfwd.org postfwd-(.*)\.tar\.gz
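Review bot: debian/watch has no `opts=` field, so uscan will fetch whatever tarball matches `postfwd-(.*)\.tar\.gz` on https://postfwd.org without verifying a signature. If upstream publishes detached signatures (not visible from this page), add something like `opts=pgpsigurlmangle=s/$/.asc/` in front of the URL and ship the upstream key as debian/upstream/signing-key.asc. If no signature is available, say so in a comment in the watch file so the missing verification is a recorded decision rather than an oversight.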