debian/postfwd
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Compare commits

base: debian:upstream/1.20
Branches Tags
debian:master
debian:development
debian:bullseye
debian:upstream
debian:debian/1.35-8
debian:debian/1.35-7
debian:debian/1.35-6
debian:debian/1.35-5
debian:debian/1.35-4
debian:debian/1.35-3
debian:debian/1.35-2
debian:upstream/1.35
debian:upstream/1.32
debian:upstream/1.20
debian:upstream/1.18
debian:upstream/1.17
debian:upstream/1.16
debian:upstream/1.14
debian:upstream/1.10pre8b
debian:upstream/1.10pre7c
debian:debian/1.35-1
debian:debian/1.32-2
debian:debian/1.32-1
debian:debian/1.20-1
debian:debian/1.17-1
debian:debian/1.16-2
debian:debian/1.18-1
debian:debian/1.16-1
debian:debian/1.14-1
debian:debian/1.10pre8b-1
debian:debian/1.10pre7c-3
debian:debian/1.10pre7c-2
debian:debian/1.10pre7c-1
...
compare: debian:master
Branches Tags
debian:development
debian:master
debian:bullseye
debian:upstream
debian:debian/1.35-8
debian:debian/1.35-7
debian:debian/1.35-6
debian:debian/1.35-5
debian:debian/1.35-4
debian:debian/1.35-3
debian:debian/1.35-2
debian:upstream/1.35
debian:upstream/1.32
debian:upstream/1.20
debian:upstream/1.18
debian:upstream/1.17
debian:upstream/1.16
debian:upstream/1.14
debian:upstream/1.10pre8b
debian:upstream/1.10pre7c
debian:debian/1.35-1
debian:debian/1.32-2
debian:debian/1.32-1
debian:debian/1.20-1
debian:debian/1.17-1
debian:debian/1.16-2
debian:debian/1.18-1
debian:debian/1.16-1
debian:debian/1.14-1
debian:debian/1.10pre8b-1
debian:debian/1.10pre7c-3
debian:debian/1.10pre7c-2
debian:debian/1.10pre7c-1

176 commits
upstream/1 ... master

Author SHA1 Message Date
waja 029e669a4d
Merge pull request #7 from waja/dependabot-github_actions-actions-checkout-4 2023-09-05 07:38:41 +02:00
dependabot[bot] 976c2d744a
Bump actions/checkout from 3 to 4 
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2023-09-05 04:03:02 +00:00
waja ae154809fa
Merge pull request #6 from waja/dependabot-github_actions-dawidd6-action-debian-package-1.5.0 2023-03-07 06:05:01 +01:00
dependabot[bot] 403902b14e
Bump dawidd6/action-debian-package from 1.4.4 to 1.5.0 
Bumps [dawidd6/action-debian-package](https://github.com/dawidd6/action-debian-package) from 1.4.4 to 1.5.0.
- [Release notes](https://github.com/dawidd6/action-debian-package/releases)
- [Commits](https://github.com/dawidd6/action-debian-package/compare/v1.4.4...v1.5.0)

---
updated-dependencies:
- dependency-name: dawidd6/action-debian-package
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2023-03-07 05:00:41 +00:00
Jan Wagner 4f4ed41198 Nwe changelog 2023-01-23 12:43:26 +00:00
Jan Wagner a26d98d14b Prepare release 2023-01-23 12:41:59 +00:00
Jan Wagner be975fbdee Set Rules-Requires-Root: no. 
Changes-By: lintian-brush
Fixes: lintian: silent-on-rules-requiring-root
See-also: https://lintian.debian.org/tags/silent-on-rules-requiring-root.html
 2023-01-23 09:55:23 +00:00
Jan Wagner 7ba39f1c93 Drop lsb-base, sysvinit-utils is essential 2023-01-18 14:20:45 +00:00
Jan Wagner 59857d198d disable not working ci pipelines 2023-01-18 12:57:40 +00:00
Jan Wagner 98d8062480 Update watch file format version to 4. 
Changes-By: lintian-brush
Fixes: lintian: older-debian-watch-file-standard
See-also: https://lintian.debian.org/tags/older-debian-watch-file-standard.html
 2023-01-18 12:39:30 +00:00
Jan Wagner cac0b96b8e Bump Standards-Version to 4.6.2 2023-01-18 12:27:13 +00:00
Jan Wagner 47e9ee09be Bump debhelper from old 12 to 13. 
Changes-By: lintian-brush
Fixes: lintian: package-uses-old-debhelper-compat-version
See-also: https://lintian.debian.org/tags/package-uses-old-debhelper-compat-version.html
 2023-01-18 12:25:37 +00:00
Jan Wagner a8be52417a Merge branch 'master' of github.com:waja/postfwd 2022-11-09 13:46:07 +00:00
waja 10918eed3e
Merge pull request #5 from waja/dependabot-github_actions-dawidd6-action-debian-package-1.4.4 
Bump dawidd6/action-debian-package from 1.4.0 to 1.4.4
 2022-11-09 13:28:59 +01:00
dependabot[bot] 2ffb8c60fb
Bump dawidd6/action-debian-package from 1.4.0 to 1.4.4 
Bumps [dawidd6/action-debian-package](https://github.com/dawidd6/action-debian-package) from 1.4.0 to 1.4.4.
- [Release notes](https://github.com/dawidd6/action-debian-package/releases)
- [Commits](https://github.com/dawidd6/action-debian-package/compare/v1.4.0...v1.4.4)

---
updated-dependencies:
- dependency-name: dawidd6/action-debian-package
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-11-09 04:04:12 +00:00
Jan Wagner e6e417836b Updating build pipelines 2022-10-20 12:59:09 +02:00
waja 1226646b53
Merge pull request #3 from waja/dependabot-github_actions-actions-checkout-3 2022-03-02 08:03:52 +01:00
dependabot[bot] f9187fd915
Bump actions/checkout from 2 to 3 
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-03-02 04:24:36 +00:00
waja 639153062a
Merge pull request #2 from waja/dependabot-github_actions-skx-github-action-publish-binaries-release-2.0 
Bump skx/github-action-publish-binaries from release-0.15 to 2.0
 2021-09-29 06:42:46 +02:00
dependabot[bot] c67651fdbc
Bump skx/github-action-publish-binaries from release-0.15 to 2.0 
Bumps [skx/github-action-publish-binaries](https://github.com/skx/github-action-publish-binaries) from release-0.15 to 2.0. This release includes the previously tagged commit.
- [Release notes](https://github.com/skx/github-action-publish-binaries/releases)
- [Commits](https://github.com/skx/github-action-publish-binaries/compare/release-0.15...release-2.0)

---
updated-dependencies:
- dependency-name: skx/github-action-publish-binaries
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2021-09-29 04:23:22 +00:00
Jan Wagner d32c972205 d/watch: Update to new url scheme 2021-09-28 16:15:44 +02:00
Jan Wagner 4f49a720ed Prepare release 2021-09-28 13:30:06 +02:00
Jan Wagner d0ecd91cc7 d/rules: Calling dh_installsystemd (Closes: #994901) 2021-09-28 12:12:52 +02:00
Jan Wagner 492650502d ci: pin action versions 2021-07-21 15:39:56 +02:00
Jan Wagner b16de7788f Do not remove .git* anymore 2021-07-16 23:30:21 +02:00
Jan Wagner 94f95bcdac Adding Dependabot config 2021-07-16 23:10:06 +02:00
Jan Wagner f32e604eac Adding d/.gitlab-ci.yml 2021-02-05 12:57:50 +01:00
Jan Wagner 1563d389a1 d/source/options: Adding .github to diff ignore 2021-02-05 12:39:08 +01:00
Jan Wagner 270413d087 Use secure URI in Homepage field. 
Changes-By: lintian-brush
Fixes: lintian: homepage-field-uses-insecure-uri
See-also: https://lintian.debian.org/tags/homepage-field-uses-insecure-uri.html
 2021-02-04 21:36:53 +01:00
Jan Wagner f2a169dabb Use secure copyright file specification URI. 
Changes-By: lintian-brush
Fixes: lintian: insecure-copyright-format-uri
See-also: https://lintian.debian.org/tags/insecure-copyright-format-uri.html
 2021-02-04 21:36:51 +01:00
Jan Wagner 363adb4501 New changelog 2021-01-06 21:52:48 +01:00
Jan Wagner 10a8321154 Prepare release 2021-01-06 21:49:36 +01:00
Jan Wagner a282d2933c d/control: Raise compat level to 12 2020-12-29 18:38:57 +01:00
Jan Wagner 27de180b05 Adding Github CI 2020-12-27 23:40:54 +01:00
Jan Wagner 3abd7a4527 Bump Standards-Version to 4.5.1.0, no changes needed 2020-12-08 22:41:30 +01:00
Jan Wagner 1446da07f7 Fix initscript (Closes: #942414) 2020-12-08 22:40:14 +01:00
Jan Wagner 4515eb633d New changelog entry 2019-01-24 09:46:04 +01:00
Jan Wagner c2fa2b49a5 Prepare release 2019-01-24 09:40:43 +01:00
Jan Wagner e438455e0f d/postfwd.postrm: detect existens of command by which and not 'test -x' 2019-01-24 09:17:49 +01:00
Jan Wagner ac0ac42ae2 d/control: Bump Standards-Version to 4.3.0, no changes needed 2019-01-24 08:28:58 +01:00
Jan Wagner 62139a7cf6 travis-ci: Use xenial image 2018-11-08 16:32:22 +01:00
Jan Wagner 8e419b4474 Add a bit documentation about systemd (and sysvinit) 2017-10-19 10:23:22 +02:00
Jan Wagner 217213b661 Adding systemd unit file 2017-10-19 10:16:23 +02:00
Jan Wagner 39a9081632 d/changelog: Add missing entry 2016-12-05 14:41:02 +01:00
Jan Wagner 1e354b74db d/changelog: New changelog 2016-12-05 11:54:18 +01:00
Jan Wagner e36c4de6f9 d/changelog: Prepare release 2016-12-05 11:53:01 +01:00
Jan Wagner 583a10d923 travis-ci: Make use of travis.d.n 2016-11-18 18:09:59 +01:00
Jan Wagner 80b011cb91 d/control: Depend on lsb-base 2016-11-14 00:39:06 +01:00
Jan Wagner 7ad8c99ddc d/control: Bump Standards-Version to 3.9.8, no changes needed 2016-11-14 00:36:52 +01:00
Jan Wagner 11da7cab5e travis-ci: automatically install dependencies 2015-10-19 16:51:04 +02:00
Jan Wagner 4d0d01d1bf travis-ci: Adding requried arguments for trusty 2015-10-19 16:50:54 +02:00
Jan Wagner d4687eea4c travis-ci: grab actual used upstream version 2015-08-21 11:16:13 +02:00
Jan Wagner 3862572972 Reformating with warp-and-sort the rest of debian/ 2015-08-20 14:11:32 +02:00
Jan Wagner 5e353b5dc7 debian/control: reformating with warp-and-sort 2015-08-20 14:11:16 +02:00
Jan Wagner b832cd014e Updating copyright and author of debian/bin/github-release.sh 2015-03-18 21:32:10 +01:00
Jan Wagner 231a90ff5a Merging upstream changes of github-release.sh 2015-03-16 23:51:05 +01:00
Jan Wagner 07e9eeb6ac travis-ci: Initial support for uploading releases to github 2015-03-15 16:57:19 +01:00
Jan Wagner c86c540de6 travis-ci: build package with dpkg-buildpackage 2015-03-10 15:38:08 +01:00
Jan Wagner e8799d3ad7 travis-ci: don't install build-deps manual 2015-03-10 15:19:13 +01:00
Jan Wagner a62702a8ed Updating debian/changelog 2014-10-13 15:02:56 +02:00
Jan Wagner 17c1925886 Bump Standards-Version to 3.9.6, no changes needed 2014-10-13 14:54:37 +02:00
Jan Wagner 965e0d7ea0 Remove shiped html files from binaries 2014-10-13 14:52:26 +02:00
Jan Wagner 09e0bfafc4 Prepare changelog for release 2014-03-09 23:46:38 +01:00
Jan Wagner 172a432662 Fix bug report source format move 2014-03-09 22:42:22 +01:00
Jan Wagner dd5f01dca6 Add 20_fix_postfwd1_default_umask.patch to fix postfwd default umask 
(Closes: #717607), thanks Jesse Norell
 2014-03-09 22:42:20 +01:00
Jan Wagner f7da50f0b8 travis-ci: Remove dpatch from build-deps 2014-03-09 22:41:46 +01:00
Jan Wagner 1e7c202918 Add 10_fix_wording_manpages.patch to fix manpages 2014-03-09 22:41:42 +01:00
Jan Wagner b9b503e2df Move samples into /usr/share/doc/postfwd/examples 2014-03-09 15:04:11 +01:00
Jan Wagner ddbfcc06ad Update to recent copyright format 2014-03-09 15:04:11 +01:00
Jan Wagner 7025f4fbe5 Add lintian checks after build 2014-03-09 15:04:11 +01:00
Jan Wagner 7542e86782 Reorder and comment .travis.yml 2014-03-09 15:04:11 +01:00
Jan Wagner 010082b4df Remove unneeded purge from travis config 2014-03-09 15:04:11 +01:00
Jan Wagner 86f8f617ff Add travis-ci config 2014-03-09 15:04:11 +01:00
Jan Wagner 0df5d0ae68 Updating standards version to 3.9.5, no changes needed 2014-03-09 15:04:08 +01:00
Jan Wagner 5d8b250576 Update Vcs-headers 2014-03-09 15:03:42 +01:00
Jan Wagner bb64a82a45 Source init functions in init script 2013-11-05 22:08:06 +01:00
Jan Wagner 05ca589b75 Updating standards version to 3.9.4, no changes needed 2013-11-05 21:40:08 +01:00
Jan Wagner 6f4f77bb4e Remove generated hapolicy manpage in clean target 2013-11-05 21:33:02 +01:00
Jan Wagner cf9402a5ac Merge tag 'upstream/1.35' 
Upstream version 1.35
 2013-11-05 17:33:54 +01:00
Jan Wagner 3c1cc6eb3d Imported Upstream version 1.35 2013-11-05 17:33:53 +01:00
Jan Wagner ac46679343 Merge tag 'upstream/1.32' 
Upstream version 1.32
 2013-11-05 17:33:44 +01:00
Jan Wagner db065246e2 Imported Upstream version 1.32 2013-11-05 17:33:44 +01:00
Jan Wagner 19ceeb5e37 Merge tag 'upstream/1.20' 
Upstream version 1.20
 2013-11-05 17:33:35 +01:00
Jan Wagner a01d770de1 Merge tag 'upstream/1.18' 
Upstream version 1.18
 2013-11-05 17:33:16 +01:00
Jan Wagner 0c9c44d39f Merge tag 'upstream/1.17' 
Upstream version 1.17
 2013-11-05 17:33:06 +01:00
Jan Wagner af9371f56e Merge tag 'upstream/1.16' 
Upstream version 1.16
 2013-11-05 17:32:50 +01:00
Jan Wagner 49660f29ce Merge tag 'upstream/1.14' 
Upstream version 1.14
 2013-11-05 17:32:43 +01:00
Jan Wagner a895768a2d Merge tag 'upstream/1.10pre8b' 
Upstream version 1.10pre8b
 2013-11-05 17:32:28 +01:00
Jan Wagner f0257c6790 Merge tag 'upstream/1.10pre7c' 
Upstream version 1.10pre7c
 2013-11-05 17:31:59 +01:00
Jan Wagner 09cf6daca7 Add plugins/*.sample 2013-11-05 07:51:16 +00:00
Jan Wagner 22c00e144d Use examples install file 2013-11-05 07:50:23 +00:00
Jan Wagner 8f137a2f67 new upstream 2013-05-22 12:58:52 +00:00
Jan Wagner 59ecaa21a9 fixing typo 2013-01-08 07:29:09 +00:00
Jan Wagner b7873e98bb adding the corresponding bug report 2013-01-08 07:27:12 +00:00
Jan Wagner 02bf99013f new upstream release 2012-09-17 13:05:14 +00:00
Jan Wagner 08a2aafddd fix comment 2012-07-02 15:06:09 +00:00
Jan Wagner ee2ef96a99 new changelog 2012-03-29 18:31:38 +00:00
Jan Wagner 5859580fc0 prepare release 2012-03-29 18:23:47 +00:00
Jan Wagner 098742a936 Add build-arch and build-indep 2012-03-29 18:18:46 +00:00
Jan Wagner 3591935d0e use dh_prep 2012-03-29 18:14:57 +00:00
Jan Wagner 65ebbf4ec2 drop dpatch 2012-03-29 18:11:13 +00:00
Jan Wagner 414c73aa10 bump standards to 3.9.3 2012-03-29 18:07:13 +00:00
Jan Wagner a18ff31a26 packaging format 3.0 (quilt) 2012-03-29 18:05:18 +00:00
Jan Wagner 894bae2f8c new changelog entry 2011-12-23 08:24:47 +00:00
Jan Wagner 22e7f49b13 bump standards 2011-12-21 21:35:54 +00:00
Jan Wagner 2c1e833af2 cleanup changelog 2011-12-21 21:35:05 +00:00
Jan Wagner c3275db7c3 new upstream 2011-12-21 21:28:24 +00:00
Jan Wagner dc428dba60 split hapolicy into own binary package 2011-09-26 13:23:56 +00:00
Jan Wagner e896c6dda4 use pod2man to generate the manpage 2011-09-26 12:07:57 +00:00
Jan Wagner f0d1eb62bd ship hapolicy 2011-09-14 12:58:00 +00:00
Jan Wagner 75ad0273c0 restructure documentation 2011-09-14 12:56:18 +00:00
Jan Wagner c67cf1bdeb new upstream release 2011-09-14 12:54:58 +00:00
Jan Wagner a1302576d2 Suppress output on restarting via init script 2011-08-06 13:45:16 +00:00
Jan Wagner df8eb0c719 release 2011-02-10 07:38:32 +00:00
Jan Wagner 6eef795080 provide bug 2010-12-14 09:38:23 +00:00
Jan Wagner 0be2b10c9c polishing the package 2010-12-08 21:14:57 +00:00
Jan Wagner b60d3a2540 drop patch of postfwd2 2010-12-08 21:06:31 +00:00
Jan Wagner 3e24c21906 update to recent release 2010-12-08 21:05:38 +00:00
Jan Wagner 73984312a1 prepare release 2010-10-17 13:54:29 +00:00
Jan Wagner 6fab673b25 remove obsolete stuff 2010-10-17 13:50:15 +00:00
Jan Wagner adf5c50722 add priorities 2010-10-17 13:49:05 +00:00
Jan Wagner 22332f8a93 provide changelog entry 2010-10-17 13:16:45 +00:00
Jan Wagner a2f877c4f1 migrate over to update-alternatives 2010-10-17 13:15:15 +00:00
Jan Wagner b56c74420d symlink postfwd2 manpage to postfwd one 2010-06-16 15:08:03 +00:00
Jan Wagner d89af43cde add missing changelog entries 2010-06-16 14:56:08 +00:00
Jan Wagner fa94aa7164 install postfwd stuff 2010-06-16 14:53:41 +00:00
Jan Wagner 9250f8281c install changelog of postfwd2 2010-06-16 14:46:55 +00:00
Jan Wagner 45cc40d9d1 add changelog to patch 2010-06-16 14:42:27 +00:00
Jan Wagner 282172dd79 a way to choose between postfwd and postfwd2 2010-06-16 14:35:43 +00:00
Jan Wagner dc1d9f7d40 we will stay with one package 2010-06-16 13:56:40 +00:00
Jan Wagner c615938d8a prepare postfwd2 package 2010-06-16 12:40:05 +00:00
Jan Wagner c45f811ae2 prepare postfwd2 package 2010-06-16 12:39:16 +00:00
Jan Wagner d43172b6fa add postfwd2 2010-06-16 12:38:03 +00:00
Jan Wagner e11360a2d6 add missing documentation 2010-06-16 12:20:15 +00:00
Jan Wagner 47f61ec708 add dpatch infrastructure 2010-06-16 12:12:15 +00:00
Jan Wagner c69417d934 new changelog 2010-04-29 06:49:50 +00:00
Jan Wagner 392f384c59 new release 2010-04-29 06:48:34 +00:00
Jan Wagner f61ad1d51d new changelog 2010-03-22 08:14:49 +00:00
Jan Wagner 017f6192d7 release 2010-03-22 08:07:16 +00:00
Jan Wagner 4d6f363860 new upstrem 2010-03-22 08:02:23 +00:00
Jan Wagner 13ed17b745 new changelog 2010-03-10 11:37:57 +00:00
Jan Wagner 159b81fed2 prepare release 2010-03-10 11:36:13 +00:00
Jan Wagner 8e3a76093b Add trailing trunk/ at Vcs-Svn-field 2010-03-10 08:16:15 +00:00
Jan Wagner 50395b4f55 * Bump Standards-Version to 3.8.4, no changes needed 
* Migrate Vcs-Fields over to scm.uncompleted.org
* Add 1.0 to debian/source/format
 2010-02-23 15:44:51 +00:00
Jan Wagner 473ea9970f fix spelling errors 2010-01-14 18:33:12 +00:00
Jan Wagner 4c0a32b283 new uptream 2010-01-14 18:28:19 +00:00
Jan Wagner 31e2e69bb1 fixup copyright 2009-07-25 23:40:55 +00:00
Jan Wagner 467a554679 verbose changelog 2009-07-06 19:16:14 +00:00
Jan Wagner 2b381673ac bump standards 2009-06-29 22:09:10 +00:00
Jan Wagner ea74626a0d new upstream release 2009-06-29 22:05:26 +00:00
Jan Wagner 2874894fca new upstream release 2009-06-28 11:51:45 +00:00
Jan Wagner 8adbccfd04 new release 2009-02-19 21:58:10 +00:00
Jan Wagner f51db916bb new upstream release 2009-02-19 21:57:22 +00:00
Jan Wagner 6ea308e66e provide bugreports 2008-10-31 08:56:16 +00:00
Jan Wagner 4d664293de fix init script and example-cfg2.txt 2008-10-31 08:25:06 +00:00
Jan Wagner d07b4c2eab release 2008-07-20 11:27:55 +00:00
Jan Wagner 35e480b2c4 machine-interpretable copyright 2008-07-20 11:27:38 +00:00
Jan Wagner 12706723e0 release 2008-07-15 20:56:27 +00:00
Jan Wagner cf8e227b7b Updating standards version to 3.8.0 2008-06-07 10:01:23 +00:00
Jan Wagner 94f34b3643 fix exmaples 2008-06-02 21:12:59 +00:00
Jan Wagner 4d5cd5d354 use dh_installexamples 2008-06-02 20:50:56 +00:00
Jan Wagner 18a6f7d42e just be kind 2008-06-02 20:39:07 +00:00
Jan Wagner 881441b12c adjust copyright 2008-06-01 17:55:55 +00:00
Jan Wagner f4c44fc93d rename config file 2008-06-01 17:54:13 +00:00
Jan Wagner 6eec16da5d readd heges config 2008-06-01 17:53:57 +00:00
Jan Wagner 5ae37bda31 remove URL, too verbose 2008-05-31 20:59:28 +00:00
Jan Wagner 30f943a10f remove unneeded dh_installdirs 2008-05-31 20:59:09 +00:00
Jan Wagner 44d7d35f56 remove shipped example config and removed 2nd cause unclear license 2008-05-31 20:10:16 +00:00
Jan Wagner a13949794c update timestamp 2008-05-12 20:44:58 +00:00
Jan Wagner 219ae7d9a6 update to 1.10 upstream and drop dpatch 2008-05-12 20:40:59 +00:00
Jan Wagner eb1fef3fe6 provide content in README.Debian 2008-04-14 19:30:30 +00:00
Jan Wagner e1a89b693e add conditional deluser and delgroup 2008-04-14 13:56:11 +00:00
Jan Wagner 863763f6a0 conditional use of deluser and delgroup 2008-04-14 09:12:19 +00:00
Jan Wagner f31cd74f74 add to depends 2008-04-14 09:11:27 +00:00
Jan Wagner cdf2b02425 dont startup 2008-04-14 08:30:45 +00:00
Jan Wagner 229f91b71f adjust copyright year 2008-04-14 08:30:20 +00:00
57 changed files with 8895 additions and 3000 deletions
Show stats Expand all files Collapse all files

12
.github/dependabot.yml vendored Normal file
View file

@ -0,0 +1,12 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: "/"
schedule:
interval: daily
time: "04:00"
reviewers:
- "waja"
pull-request-branch-name:
separator: "-"
open-pull-requests-limit: 10

36
.github/workflows/packaging_test.yml vendored Normal file
View file

@ -0,0 +1,36 @@
name: Packaging Test
on:
push:
branches:
- $default-branch
- development
- master
# Run tests for any PRs
pull_request:
env:
SOURCE_DIR: ./
ARTIFACTS_DIR: debian/build/release/
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
env:
DEBIAN_FRONTEND: "noninteractive"
- name: Remove github artefacts
run: |
rm -rf .github*
- name: Adjust distibution in changelog file
run: |
sed -i '0,/restricted/s//stable/' debian/changelog
- name: Build Debian package
uses: dawidd6/action-debian-package@v1.5.0
with:
artifacts_directory: debian/build/release/
os_distribution: testing
- name: Debug
run: |
ls -la

71
.github/workflows/release.yml vendored Normal file
View file

@ -0,0 +1,71 @@
on:
push:
# Sequence of patterns matched against refs/tags
tags:
- 'debian/*' # Push events to matching debian/*, i.e. debian/1.0-2, debian/20.15.10, debian/23.20020326
name: Release Process
env:
SOURCE_DIR: ./
ARTIFACTS_DIR: debian/build/release/
jobs:
create-release:
name: Create Release
runs-on: ubuntu-latest
outputs:
release-id: ${{ steps.create_release.outputs.id }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install needed packages
run: |
if [ $(dpkg -l | grep -c dpkg-dev) -ne 1 ]; then sudo apt-get update && sudo apt-get install -y dpkg-dev; fi
- name: Gather changelog
run: |
ls -la
dpkg-parsechangelog | tail -n +9 > debian.changelog
- name: Create Release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
tag_name: ${{ github.ref }}
release_name: Release ${{ github.ref }}
body_path: debian.changelog
draft: false
prerelease: false
build:
name: Build and upload packages
needs: create-release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
env:
DEBIAN_FRONTEND: "noninteractive"
- name: Remove github artefacts
run: |
rm -rf .github*
- name: Adjust distibution in changelog file
run: |
sed -i '0,/restricted/s//stable/' debian/changelog
- name: Build Debian package
uses: dawidd6/action-debian-package@v1.5.0
with:
artifacts_directory: debian/build/release/
os_distribution: testing
# - name: Build Debian package
# uses: pi-top/action-debian-package@v0.2.0
# with:
# artifacts_directory: debian/build/release/
# target_architectures: "amd64,i386"
- name: Upload the artifacts
uses: skx/github-action-publish-binaries@release-2.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
releaseId: ${{ needs.create-release.outputs.release-id }}
args: debian/build/release/*

32
.travis.yml Normal file
View file

@ -0,0 +1,32 @@
dist: xenial
sudo: required
env:
- TRAVIS_DEBIAN_DISTRIBUTION=unstable TRAVIS_DEBIAN_MIRROR="http://httpredir.debian.org/debian/" TRAVIS_DEBIAN_SECURITY_UPDATES=false
- TRAVIS_DEBIAN_DISTRIBUTION=testing TRAVIS_DEBIAN_MIRROR="http://httpredir.debian.org/debian/"
- TRAVIS_DEBIAN_DISTRIBUTION=stable TRAVIS_DEBIAN_MIRROR="http://httpredir.debian.org/debian/"
services:
- docker
before_script:
# fetch all tags (not done due travis cloning with depth=50)
- git fetch --tags
script:
# build the debian package
- wget -O- http://travis.debian.net/script.sh | sh -
after_script:
# run lintian after build
- sudo add-apt-repository -y ppa:waja/trusty-backports
- sudo apt-get update -qq
- sudo apt-get install -qq --no-install-recommends lintian
- lintian --info --display-info --display-experimental --pedantic --show-overrides ../*.deb && lintian --info --display-info --display-experimental --pedantic --show-overrides ../*.dsc
#notifications:
# email: false
branches:
except:
- /^debian\/\d/

14
debian/.gitlab-ci.yml vendored Normal file
View file

@ -0,0 +1,14 @@
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
variables:
RELEASE: 'unstable'
SALSA_CI_DISABLE_APTLY: 0
SALSA_CI_DISABLE_AUTOPKGTEST: 1
SALSA_CI_DISABLE_BLHC: 0
SALSA_CI_DISABLE_LINTIAN: 0
SALSA_CI_DISABLE_PIUPARTS: 1
SALSA_CI_DISABLE_REPROTEST: 1
SALSA_CI_DISABLE_BUILD_PACKAGE_ALL: 0
SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 0

188
debian/bin/github-release.sh vendored Executable file
View file

@ -0,0 +1,188 @@
#!/bin/bash
# Copyright (c) 2014 Terry Burton
#
# https://github.com/terryburton/travis-github-release
#
# Permission is hereby granted, free of charge, to any
# person obtaining a copy of this software and associated
# documentation files (the "Software"), to deal in the
# Software without restriction, including without
# limitation the rights to use, copy, modify, merge,
# publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software
# is furnished to do so, subject to the following
# conditions:
#
# The above copyright notice and this permission notice
# shall be included in all copies or substantial portions
# of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
# KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
# THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
# CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
# This script provides a simple continuous deployment
# solution that allows Travis CI to publish a new GitHub
# release and upload assets to it whenever a tag is pushed:
# git tag; git push --tags
#
# It is created as a temporary solution whilst we wait for
# Travis DPL to support GitHub:
#
# https://github.com/travis-ci/dpl
#
# Place this script somewhere in your project repository (perhaps by forking
# the github-travis-release repo and adding your fork as a git submodule) then
# put something like this to your .travis.yml:
#
# after_success: .travis/github-release.sh "$TRAVIS_REPO_SLUG" "`head -1 src/VERSION`" build/release/*
#
# The first argument is your repository in the format
# "username/repository", which Travis provides in the
# TRAVIS_REPO_SLUG environment variable.
#
# The second argument is the release version which as a
# sanity check should match the tag that you are releasing.
# You could pass "`git describe`" to satisfy this check.
#
# The remaining arguments are a list of asset files that you
# want to publish along with the release.
#
# The script requires that you create a GitHub OAuth access
# token to facilitate the upload:
#
# https://help.github.com/articles/creating-an-access-token-for-command-line-use
#
# You must pass this securely in the GITHUBTOKEN environment
# variable:
#
# http://docs.travis-ci.com/user/encryption-keys/
#
# For testing purposes you can create a local convenience
# file in the script directory called GITHUBTOKEN that sets
# the GITHUBTOKEN environment variable. If you do so you MUST
# ensure that this doesn't get pushed to your repository,
# perhaps by adding it to a .gitignore file.
#
# Should you get stuck then look at a working example. This
# code is being used by Barcode Writer in Pure PostScript
# for automated deployment:
#
# https://github.com/terryburton/postscriptbarcode
set -e
REPO=$1 && shift
RELEASE=$1 && shift
RELEASEFILES=$@
if ! TAG=`git describe --exact-match --tags 2>/dev/null`; then
echo "This commit is not a tag so not creating a release"
exit 0
fi
if [ "$TRAVIS" = "true" ] && [ -z "$TRAVIS_TAG" ]; then
echo "This build is not for the tag so not creating a release"
exit 0
fi
if [ "$TRAVIS" = "true" ] && [ "$TRAVIS_TAG" != "$RELEASE" ]; then
echo "Error: TRAVIS_TAG ($TRAVIS_TAG) does not match the indicated release ($RELEASE)"
exit 1
fi
if [ "$TAG" != "$RELEASE" ]; then
echo "Error: The tag ($TAG) does not match the indicated release ($RELEASE)"
exit 1
fi
if [[ -z "$RELEASEFILES" ]]; then
echo "Error: No release files provided"
exit 1
fi
SCRIPTDIR=`dirname $0`
[ -e "$SCRIPTDIR/GITHUBTOKEN" ] && . "$SCRIPTDIR/GITHUBTOKEN"
if [[ -z "$GITHUBTOKEN" ]]; then
echo "Error: GITHUBTOKEN is not set"
exit 1
fi
echo "Creating GitHub release for $RELEASE"
echo -n "Create draft release... "
JSON=$(cat <<EOF
{
"tag_name": "$TAG",
"target_commitish": "master",
"name": "$TAG: New release",
"draft": true,
"prerelease": false
}
EOF
)
RESULT=`curl -s -w "\n%{http_code}\n" \
-H "Authorization: token $GITHUBTOKEN" \
-d "$JSON" \
"https://api.github.com/repos/$REPO/releases"`
if [ "`echo "$RESULT" | tail -1`" != "201" ]; then
echo FAILED
echo "$RESULT"
exit 1
fi
RELEASEID=`echo "$RESULT" | sed -ne 's/^ "id": \(.*\),$/\1/p'`
if [[ -z "$RELEASEID" ]]; then
echo FAILED
echo "$RESULT"
exit 1
fi
echo DONE
for FILE in $RELEASEFILES; do
if [ ! -f $FILE ]; then
echo "Warning: $FILE not a file"
continue
fi
FILESIZE=`stat -c '%s' "$FILE"`
FILENAME=`basename $FILE`
echo -n "Uploading $FILENAME... "
RESULT=`curl -s -w "\n%{http_code}\n" \
-H "Authorization: token $GITHUBTOKEN" \
-H "Accept: application/vnd.github.manifold-preview" \
-H "Content-Type: application/zip" \
--data-binary "@$FILE" \
"https://uploads.github.com/repos/$REPO/releases/$RELEASEID/assets?name=$FILENAME&size=$FILESIZE"`
if [ "`echo "$RESULT" | tail -1`" != "201" ]; then
echo FAILED
echo "$RESULT"
exit 1
fi
echo DONE
done
echo -n "Publishing release... "
JSON=$(cat <<EOF
{
"draft": false
}
EOF
)
RESULT=`curl -s -w "\n%{http_code}\n" \
-X PATCH \
-H "Authorization: token $GITHUBTOKEN" \
-d "$JSON" \
"https://api.github.com/repos/$REPO/releases/$RELEASEID"`
if [ "`echo "$RESULT" | tail -1`" = "200" ]; then
echo DONE
else
echo FAILED
echo "$RESULT"
exit 1
fi

298
debian/changelog vendored Normal file
View file

@ -0,0 +1,298 @@
postfwd (1.35-9) UNRELEASED; urgency=medium
*
-- Jan Wagner <waja@cyconet.org> Mon, 23 Jan 2023 12:43:03 +0000
postfwd (1.35-8) unstable; urgency=medium
* [d32c972] d/watch: Update to new url scheme
* [47e9ee0] Bump debhelper from old 12 to 13.
* [cac0b96] Bump Standards-Version to 4.6.2
* [98d8062] Update watch file format version to 4.
* [7ba39f1] Drop lsb-base, sysvinit-utils is essential
* [be975fb] Set Rules-Requires-Root: no.
-- Jan Wagner <waja@cyconet.org> Mon, 23 Jan 2023 12:40:57 +0000
postfwd (1.35-7) unstable; urgency=medium
* [f2a169d] Use secure copyright file specification URI.
* [270413d] Use secure URI in Homepage field.
* [1563d38] d/source/options: Adding .github to diff ignore
* [f32e604] Adding d/.gitlab-ci.yml
* [94f95bc] Adding Dependabot config
* [b16de77] Do not remove .git* anymore
* [4926505] ci: pin action versions
* [d0ecd91] d/rules: Calling dh_installsystemd (Closes: #994901)
-- Jan Wagner <waja@cyconet.org> Tue, 28 Sep 2021 13:28:53 +0200
postfwd (1.35-6) unstable; urgency=medium
* [1446da0] Fix initscript (Closes: #942414)
* [3abd7a4] Bump Standards-Version to 4.5.1.0, no changes needed
* [27de180] Adding Github CI
* [a282d29] d/control: Raise compat level to 12
-- Jan Wagner <waja@cyconet.org> Wed, 06 Jan 2021 21:49:07 +0100
postfwd (1.35-5) unstable; urgency=medium
* [217213b] Adding systemd unit file
* [8e419b4] Add a bit documentation about systemd (and sysvinit)
* [62139a7] travis-ci: Use xenial image
* [ac0ac42] d/control: Bump Standards-Version to 4.3.0, no changes needed
* [e438455] d/postfwd.postrm: detect existens of command by which and
not 'test -x'
-- Jan Wagner <waja@cyconet.org> Thu, 24 Jan 2019 09:37:19 +0100
postfwd (1.35-4) unstable; urgency=medium
* [e8799d3] travis-ci: don't install build-deps manual
* [c86c540] travis-ci: build package with dpkg-buildpackage
* [07e9eeb] travis-ci: Initial support for uploading releases to github
* [231a90f] Merging upstream changes of github-release.sh
* [b832cd0] Updating copyright and author of debian/bin/github-release.sh
* [5e353b5] debian/control: reformating with warp-and-sort
* [3862572] Reformating with warp-and-sort the rest of debian/
* [d4687ee] travis-ci: grab actual used upstream version
* [4d0d01d] travis-ci: Adding required arguments for trusty
* [11da7ca] travis-ci: automatically install dependencies
* [7ad8c99] d/control: Bump Standards-Version to 3.9.8, no changes needed
* [80b011c] d/control: Depend on lsb-base
* [583a10d] travis-ci: Make use of travis.d.n
-- Jan Wagner <waja@cyconet.org> Mon, 05 Dec 2016 11:50:27 +0100
postfwd (1.35-3) unstable; urgency=medium
* [965e0d7] Remove shiped html files from binaries
* [17c1925] Bump Standards-Version to 3.9.6, no changes needed
-- Jan Wagner <waja@cyconet.org> Mon, 13 Oct 2014 15:02:11 +0200
postfwd (1.35-2) unstable; urgency=low
* Migrate over example installation to postfwd.examples
* Add plugins/*.sample to examples
* [6f4f77b] Remove generated hapolicy manpage in clean target
* [05ca589] Updating standards version to 3.9.4, no changes needed
* [bb64a82] Source init functions in init script
* [5d8b250] Update Vcs-headers
* [0df5d0a] Updating standards version to 3.9.5, no changes needed
* [86f8f61] Add travis-ci config
* [010082b] Remove unneeded purge from travis config
* [7542e86] Reorder and comment .travis.yml
* [7025f4f] Add lintian checks after build
* [ddbfcc0] Update to recent copyright format
* [b9b503e] Move samples into /usr/share/doc/postfwd/examples
* [1e7c202] Add 10_fix_wording_manpages.patch to fix manpages
* [f7da50f] travis-ci: Remove dpatch from build-deps
* [dd5f01d] Add 20_fix_postfwd1_default_umask.patch to fix postfwd default
umask (Closes: #717607), thanks Jesse Norell
* [172a432] Fix bug report source format move
-- Jan Wagner <waja@cyconet.org> Sun, 09 Mar 2014 23:43:28 +0100
postfwd (1.35-1) unstable; urgency=low
* New upstream release
- fixed fixed taint mode logging error
- check_* functions use print/getline instead of send/recv for large
--dumpcache output
- log_* routines added to allow the same plugins for postfwd1 and postfwd2
- added more information when using --debug=cleanup
- new sendmail(sendmail-path::from::to::subject::body) action
- rate(), size() and rcpt() function index is now case insensitive by
default
- fixed segfault when using new perl versions (Closes: #697653)
-- Jan Wagner <waja@cyconet.org> Wed, 22 May 2013 14:49:15 +0200
postfwd (1.33-1) UNRELEASED; urgency=low
* New upstream release
- fixed bug when computing scores with more than 1 digit after the "."
- fixed bug when computing negative values with the set action
- ITEMS plugins returning zero values were handled incorrectly
- max command recursion was not reset for each rule
- fixed warning about use of (uninitialized value) when STORABLE
is available but no cache file was defined (Closes: #697657)
* Fix comment in /etc/default/postfwd (Closes: #679924), thanks Jeroen
Koekkoek
* Fix typo in README.Debian (closes: #691242), thanks Axel Beckert
-- Jan Wagner <waja@cyconet.org> Thu, 29 Mar 2012 20:31:17 +0200
postfwd (1.32-2) unstable; urgency=low
* Switch over to packaging format 3.0 (quilt) (Closes: #664368)
* Updating standards version to 3.9.3, no changes needed
* Remove build-dependency of dpatch
* Use dh_prep instead of dh_clean -k
* Add build-arch and build-indep targets to debian/rules
-- Jan Wagner <waja@cyconet.org> Thu, 29 Mar 2012 20:22:17 +0200
postfwd (1.32-1) unstable; urgency=low
* New upstream release
- new option --save_rates=<file> is able to load and save rate limit counters
to disk on program start and termination.
- the --debugitem="sender=example\.org$" option allows verbose logging for
particular requests
- the debug() action enables verbose logging for certain rules
- nested commands are possible now
- new mail(server/helo/from/to/subject/body) action.
- single cache items can be wiped
- sasl_username is logged if available
- rate limit action is executed, if the first request exceeds the limit
- exceeded ratecounters will not be kept permanently anymore
- rate limits are evaluated at ruleset stage now
- new parser enhancement is able to omit the trailing "\" for multi-line
rules
- new plugin interface (BETA)
- Time::HiRes is used if available
- multiple rate limits for the same items are supported now
- new $$ratecount variable for rate() actions
- new option --keep_rates
- queueid is logged when available
- rate limits fixed
- new --debug class 'cleanup'
- documentation updates and fixes
* Suppress output on restarting via init script (Closes: #636782), thanks
Martin F. Krafft for reporting
* Add hapolicy and manpage into separate binary package
* Reorganize documentation
- Add new files from upstream to documentation
- Changelogs where renamed by upstream
* Bump Standards-Version to 3.9.2, no changes needed
-- Jan Wagner <waja@cyconet.org> Wed, 21 Dec 2011 22:27:27 +0100
postfwd (1.20-1) unstable; urgency=low
* New upstream release
- Release contains postfwd1 and postfwd2 now (Closes: #582969)
- new --umask setting allows to set filepermissions for pidfiles and unix
domain sockets
- Rate limit code rewritten
- rbl checks disabled for ipv6 addresses, cidr compare will switch to
default (regex/string)
- rbl check could fail on multiple dnsbl answers
* Add dpatch infrastructure
* Provide update-alternatives for choosing the postfwd variant
* Install also CHANGELOG2
* Bump Standards-Version to 3.9.1, no changes needed
-- Jan Wagner <waja@cyconet.org> Thu, 10 Feb 2011 08:38:04 +0100
postfwd (1.18-1) unstable; urgency=low
* New upstream release
- Fixed bug when comparing sender and recipient addresses, like
"sender=$$recipient"
-- Jan Wagner <waja@cyconet.org> Thu, 29 Apr 2010 08:46:25 +0200
postfwd (1.17-1) unstable; urgency=low
* New upstream release
- Net::DNS internal errors will now be handled gracefully
- default for options --dns_max_ns_a_lookups and --dns_max_mx_a_lookups of
100
- Fixed variable substitution when the '=' operator is used
-- Jan Wagner <waja@cyconet.org> Mon, 22 Mar 2010 09:02:31 +0100
postfwd (1.16-2) unstable; urgency=low
* Bump Standards-Version to 3.8.4, no changes needed
* Migrate Vcs-Fields over to scm.uncompleted.org
* Add 1.0 to debian/source/format
-- Jan Wagner <waja@cyconet.org> Wed, 10 Mar 2010 12:35:57 +0100
postfwd (1.16-1) unstable; urgency=low
* NEW upstream release
- documentation fixed
- configuration parser improvements
- option --reload (HUP signal) now reloads config, if the file is unchanged
- redirect syslog to stdout for --kill, --reload and --showconfig
- new rcpt() command counts recipients for rate limits
- helo_address, and sender_(ns|mx)_addrs can now be csv items
- items may now be retrieved from files using "item=file:/some/where"
* Add "Copyright" to all copyrights in debian/copyright
* Bump standards version to 3.8.3 (no changes needed)
* Fix speeling errors in debian/README.Debian
-- Jan Wagner <waja@cyconet.org> Thu, 14 Jan 2010 19:32:26 +0100
postfwd (1.14-1) unstable; urgency=low
* new upstream release
- new compare operators
- added --nodaemon option
- perform non dns items first
- enabled dns cache for sender(ns|mx) and helo address
- new options --dns_max_ns_lookups and --dns_max_mx_lookups
- new items sender_ns_names and sender_ns_addrs
- new items sender_mx_names and sender_mx_addrs
- new item helo_address, please see docs for more
- added --proto switch, to enable the use of unix domain sockets
- added command-line options --kill and --reload
- dnsbl txt lookups only for dnsbls with at least one a record
- small performance improvement
- ask() action allows to use another policy service
- new options --noidlestats and --norulelog
* install postfwd.cf.sample, was renamed upstream
* leave hints about documentation and config verification in README.Debian
* Bump standards version to 3.8.2 (no changes needed)
-- Jan Wagner <waja@cyconet.org> Mon, 06 Jul 2009 21:15:35 +0200
postfwd (1.10pre8b-1) unstable; urgency=low
* new upstream release
- Net::CIDR::Lite is not required any longer
- Net::DNS::Async is no longer used
- changed Net::Server behaviour to ignore syslog errors
- --shortlog is now default behaviour (use -v to see more)
- days=Wed now means exactly Wednesday
- disabled fallback to synchronous dns on timed out rbls
- new item "rhsbl_helo" allows to check helo against rhsbls
- the new variable $$request_hits contains a list of all matching ruleids
- the new variable $$dnsbltext allows access to txt records of rbls
- new options --no-rulestats and --nodnslog
- ttls of the dns responses override --cache-rbl-timeout when bigger
* drop dependency of libnet-cidr-lite-perl and libnet-dns-async-perl
* add dependency of libnet-dns-perl
-- Jan Wagner <waja@cyconet.org> Thu, 19 Feb 2009 22:39:09 +0100
postfwd (1.10pre7c-3) unstable; urgency=low
* implement machine-interpretable copyright file
* fix init script (Closes: #503597).
- let daemon write pid file for his own
- point start-stop daemon to pidfile when stoping
- fix reload by fixing the way how to get the pid
* fix example-cfg2.txt to work with 1.10pre7 (Closes: #503596).
-- Jan Wagner <waja@cyconet.org> Fri, 31 Oct 2008 09:55:52 +0100
postfwd (1.10pre7c-2) unstable; urgency=low
* Uploading to unstable.
* Updating standards version to 3.8.0, no changes needed
-- Jan Wagner <waja@cyconet.org> Tue, 15 Jul 2008 22:43:08 +0200
postfwd (1.10pre7c-1) experimental; urgency=low
* Initial release (Closes: #470356).
-- Jan Wagner <waja@cyconet.org> Sat, 31 May 2008 22:07:08 +0200

36
debian/control vendored Normal file
View file

@ -0,0 +1,36 @@
Source: postfwd
Section: mail
Priority: optional
Maintainer: Jan Wagner <waja@cyconet.org>
Build-Depends: debhelper-compat (= 13), html2text
Homepage: https://www.postfwd.org/
Vcs-Browser: https://gitlab.uncompleted.org/debian/postfwd
Vcs-Git: https://gitlab.uncompleted.org/debian/postfwd.git
Standards-Version: 4.6.2
Rules-Requires-Root: no
Package: postfwd
Architecture: all
Depends: adduser,
libnet-dns-perl,
libnet-server-perl,
${misc:Depends},
${perl:Depends}
Conflicts: postfwd2
Description: Postfix policyd to combine complex restrictions in a ruleset
Postfwd is written in perl to combine complex postfix restrictions in a
ruleset similar to those of the most firewalls. The program uses the postfix
policy delegation protocol to control access to the mail system before a
message has been accepted. It allows you to choose an action (e.g. reject,
dunno) for a combination of several smtp parameters (like sender and recipient
address, size or the client's TLS fingerprint).
Package: hapolicy
Architecture: all
Depends: ${misc:Depends}, ${perl:Depends}
Description: Balancing and fallback postfix policy delegation service
Hapolicy enables high availability, weighted loadbalancing and a fallback
action for postfix policy delegation services. Invoked via postfix spawn
it acts as a wrapper that queries other policy servers via tcp connection.
The order of the service queries can be influenced by assigning a specific
priority and weight to each service.

82
debian/copyright vendored Normal file
View file

@ -0,0 +1,82 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: postfwd
Upstream-Contact: Jan Peter Kessler <info@postfwd.org>
Source: http://www.postfwd.org
Files: *
Copyright: Copyright (c) 2007, Jan Peter Kessler, All rights reserved.
License: BSD-3
Files: debian/*
Copyright: Copyright (C) 2006, 2008 Jan Wagner <waja@cyconet.org>
License: GPL-2+
Files: debian/example-cfg2.txt
Copyright: Copyright (c) 2008, Henrik Krohns <hege@hege.li>
License: BSD-3
Files: debian/bin/github-release.sh
Copyright: Copyright (c) 2014 Terry Burton
License: Expat
License: Expat
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
.
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
License: BSD-3
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
.
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the authors nor the names of his contributors may be
used to endorse or promote products derived from this software without
specific prior written permission.
.
THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
License: GPL-2+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
.
On Debian systems, the complete text of the GNU General Public License can be
found in /usr/share/common-licenses/GPL-2 file.

146
debian/example-cfg2.txt vendored Normal file
View file

@ -0,0 +1,146 @@
# downloaded from http://hege.li/howto/spam/etc/postfwd/postfwd.conf
# check for more recent versions!
###
### Example config for postfwd 1.10pre7+
###
## Check DNS whitelists, maybe we don't need more checks
id=OK_DNSWL; \
rbl=list.dnswl.org/^127/43200; \
action=DUNNO
## Check (non-fqdn/ip/dynamic) HELO and (missing) reverse DNS
id=SET_HELO; \
helo_name=!!\.; \
helo_name=[0-9.-]{7}; \
action=set(HIT_helo=1)
id=SET_NODNS; \
client_name=^unknown$; \
action=set(HIT_nodns=1)
id=REJECT_HELO_NODNS; \
HIT_helo==1; HIT_nodns==1; \
action=REJECT Blocked - contact postmaster@example.net for help - Suspicious HELO [$$helo_name] and missing reverse DNS [$$client_address]
## Check ZEN first for immediate blocking - less queries for other lists
## See usage policy: http://www.spamhaus.org/organization/dnsblusage.html
id=REJECT_RBL_ZEN; \
rbl=zen.spamhaus.org; \
action=REJECT Blocked - contact postmaster@example.net for help - zen.spamhaus.org RBL
## Check other DNSBLs in parallel
&&DNSBLS { \
rbl=bl.spamcop.net; \
rbl=dnsbl-1.uceprotect.net; \
rbl=dnsbl-2.uceprotect.net; \
rbl=dnsbl-3.uceprotect.net; \
rbl=psbl.surriel.com; \
rbl=combined.njabl.org; \
rbl=dnsbl.ahbl.org; \
rbl=dnsbl.sorbs.net; \
rbl=ix.dnsbl.manitu.net; \
rbl=dyna.spamrats.com; \
};
id=EVAL_DNSBLS; \
&&DNSBLS; rblcount=all; \
action=set(HIT_rbls=$$rblcount)
id=REJECT_RBL_MULTI; \
HIT_rbls>=2; \
action=REJECT Blocked - contact postmaster@example.net for help - Multiple DNSBLs
## Check RHSBLs if there wasn't enough DNSBLs hit
&&RHSBLS_REVERSE { \
rhsbl_reverse_client=dynamic.rhs.mailpolice.com; \
};
&&RHSBLS_SENDER { \
rhsbl_sender=multi.uribl.com; \
rhsbl_sender=multi.surbl.org; \
rhsbl_sender=bulk.rhs.mailpolice.com; \
rhsbl_sender=rhsbl.ahbl.org; \
rhsbl_sender=rhsbl.sorbs.net; \
rhsbl_sender=dsn.rfc-ignorant.org; \
};
id=EVAL_RHSBLS; \
&&RHSBLS_REVERSE; &&RHSBLS_SENDER; rhsblcount=all; \
action=set(HIT_rhsbls=$$rhsblcount)
id=REJECT_RHSBL_MULTI; \
HIT_rhsbls>=2; \
action=REJECT Blocked - contact postmaster@example.net for help - Multiple RHSBLs
## See if we get any combined hits from rules before
id=REJECT_RBL_RHSBL; \
HIT_rbls>=1; HIT_rhsbls>=1; \
action=REJECT Blocked - contact postmaster@example.net for help - RHSBL and DNSBL
id=REJECT_RBL_HELO; \
HIT_rbls>=1; HIT_helo==1; \
action=REJECT Blocked - contact postmaster@example.net for help - DNSBL and suspicious HELO [$$helo_name]
id=REJECT_RBL_NODNS; \
HIT_rbls>=1; HIT_nodns==1; \
action=REJECT Blocked - contact postmaster@example.net for help - DNSBL and missing reverse DNS [$$client_address]
id=REJECT_RHSBL_HELO; \
HIT_rhsbls>=1; HIT_helo==1; \
action=REJECT Blocked - contact postmaster@example.net for help - RHSBL and suspicious HELO [$$helo_name]
id=REJECT_RHSBL_NODNS; \
HIT_rhsbls>=1; HIT_nodns==1; \
action=REJECT Blocked - contact postmaster@example.net for help - RHSBL and missing reverse DNS [$$client_address]
## Finally greylist all lesser hits.
##
## A more DNSBL friendly way would be to greylist everything suspicious
## before DNS checks. Currently this requires you to setup some postfix
## tables before postfwd is called, since greylisting can be only done last
## in postfwd (action always exits processing).
id=GREY_HELO; HIT_helo==1; action=check_postgrey
id=GREY_NODNS; HIT_nodns==1; action=check_postgrey
id=GREY_RBL; HIT_rbls>=1; action=check_postgrey
id=GREY_RHSBL; HIT_rhsbls>=1; action=check_postgrey
##
## This example is free to use as per BSD license:
##
## Copyright (c) 2008, Henrik Krohns <hege@hege.li>
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without modification,
## are permitted provided that the following conditions are met:
##
## * Redistributions of source code must retain the above copyright
## notice, this list of conditions and the following disclaimer.
## * Redistributions in binary form must reproduce the above copyright
## notice, this list of conditions and the following disclaimer in
## the documentation and/or other materials provided with the
## distribution.
## * Neither the name of the authors nor the names of his contributors
## may be used to endorse or promote products derived from this
## software without specific prior written permission.
##
## THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
## INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
## FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT,
## INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
## NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
## PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
## WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
## POSSIBILITY OF SUCH DAMAGE.
##

3
debian/hapolicy.docs vendored Normal file
View file

@ -0,0 +1,3 @@
doc/hapolicy.txt
tools/hapolicy/hapolicy.*
tools/hapolicy/hapolicy[0-9a-zA-Z.]*

1
debian/hapolicy.manpages vendored Normal file
View file

@ -0,0 +1 @@
man/man8/hapolicy.1

172
debian/patches/10_fix_wording_manpages.patch vendored Normal file
View file

@ -0,0 +1,172 @@
From: Jan Wagner <waja@cyconet.org>
Subject: Fixing cosmetical issues
diff --git a/man/man8/postfwd.8 b/man/man8/postfwd.8
index 3e4354b..49deff1 100644
--- a/man/man8/postfwd.8
+++ b/man/man8/postfwd.8
@@ -335,7 +335,7 @@ postfwd versions prior to 1.30 require trailing ';' and '\e'\-characters:
\& the specified action will be returned to postfix
\& scores are set global until redefined!
\&
-\& request_score \- this value allows to access a request\*(Aqs score. it
+\& request_score \- this value allows one to access a request\*(Aqs score. it
\& may be used as variable ($$request_score).
\&
\& rbl, rhsbl, \- query the specified RBLs/RHSBLs, possible values are:
@@ -466,7 +466,7 @@ The following items currently have to be unique:
\& id, minimum and maximum values, rblcount and rhsblcount
.Ve
.PP
-Any item can be negated by preceeding '!!' to it, e.g.:
+Any item can be negated by preceding '!!' to it, e.g.:
.PP
.Vb 1
\& id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please
@@ -484,7 +484,7 @@ To avoid confusion with regexps or simply for better visibility you can use '!!(
\& id=USER01 ; sasl_username = !!( (bob|alice) ) ; action=REJECT who is that?
.Ve
.PP
-Request attributes can be compared by preceeding '$$' characters, e.g.:
+Request attributes can be compared by preceding '$$' characters, e.g.:
.PP
.Vb 3
\& id=R\-003 ; client_name = !! $$helo_name ; action=WARN helo does not match DNS
@@ -637,7 +637,7 @@ with postfwd1 v1.15 and postfwd2 v0.18 and higher.
\&\fIGeneral\fR
.PP
Actions will be executed, when all rule items have matched a request (or at least one of any item list). You can refer to
-request attributes by preceeding $$ characters, like:
+request attributes by preceding $$ characters, like:
.PP
.Vb 3
\& id=R\-003; client_name = !!$$helo_name; action=WARN helo \*(Aq$$helo_name\*(Aq does not match DNS \*(Aq$$client_name\*(Aq
@@ -730,7 +730,7 @@ postfwd actions control the behaviour of the program. Currently you can specify
\& means that requests from bob@example.local and BoB@example.local will be treated differently
\&
\& ask (<addr>:<port>[:<ignore>])
-\& allows to delegate the policy decision to another policy service (e.g. postgrey). the first
+\& allows one to delegate the policy decision to another policy service (e.g. postgrey). the first
\& and the second argument (address and port) are mandatory. a third optional argument may be
\& specified to tell postfwd to ignore certain answers and go on parsing the ruleset:
\& # example1: query postgrey and return it\*(Aqs answer to postfix
@@ -832,7 +832,7 @@ carefully, because errors may cause postfwd to break! It is also
allowed to override attributes or built-in functions, but be sure that you know
what you do because some of them are used internally.
.PP
-Please keep security in mind, when you access sensible ressources and never, ever
+Please keep security in mind, when you access sensible resources and never, ever
run postfwd as privileged user! Also never trust your input (especially hostnames,
and e\-mail addresses).
.PP
@@ -866,7 +866,7 @@ the policy delegation request and therefore may be used in postfwd's ruleset.
\&
\& # EXAMPLES \- integrated in postfwd. no need to activate them here.
\&
-\& # allows to check postfwd version in ruleset
+\& # allows one to check postfwd version in ruleset
\& "version" => sub {
\& my(%request) = @_;
\& my(%result) = (
@@ -1505,7 +1505,7 @@ equals to
\& id=R001; sender=bob@alice.local; client_address=192.168.1.1; action=dunno
.Ve
.PP
-Lists will be evaluated in the specified order. This allows to place faster expressions at first:
+Lists will be evaluated in the specified order. This allows one to place faster expressions at first:
.PP
.Vb 1
\& postfwd \-vv \-L \-r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /some/where/request.sample
diff --git a/man/man8/postfwd2.8 b/man/man8/postfwd2.8
index 11319fd..fdb3a6f 100644
--- a/man/man8/postfwd2.8
+++ b/man/man8/postfwd2.8
@@ -193,7 +193,7 @@ postfwd2 \- postfix firewall daemon
\& \-n, \-\-nodns skip any dns based test
\& \-\-dns_timeout <i> dns query timeout in seconds
\& \-\-dns_timeout_max <i> disable dnsbl after <i> timeouts
-\& \-\-dns_timeout_interval <i> reenable dnsbl after <i> seconds
+\& \-\-dns_timeout_interval <i> re-enable dnsbl after <i> seconds
\& \-\-cache\-rbl\-timeout <i> default dns ttl if not specified in ruleset
\& \-\-cache\-rbl\-default <s> default dns pattern if not specified in ruleset
\& \-\-cleanup\-rbls <i> cleanup old dns cache items every <i> seconds
@@ -364,7 +364,7 @@ postfwd versions prior to 1.30 require trailing ';' and '\e'\-characters:
\& the specified action will be returned to postfix
\& scores are set global until redefined!
\&
-\& request_score \- this value allows to access a request\*(Aqs score. it
+\& request_score \- this value allows one to access a request\*(Aqs score. it
\& may be used as variable ($$request_score).
\&
\& rbl, rhsbl, \- query the specified RBLs/RHSBLs, possible values are:
@@ -495,7 +495,7 @@ The following items must be unique:
\& id, minimum and maximum values, rblcount and rhsblcount
.Ve
.PP
-Any item can be negated by preceeding '!!' to it, e.g.:
+Any item can be negated by preceding '!!' to it, e.g.:
.PP
.Vb 1
\& id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please
@@ -513,7 +513,7 @@ To avoid confusion with regexps or simply for better visibility you can use '!!(
\& id=USER01 ; sasl_username =~ !!( /^(bob|alice)$/ ) ; action=REJECT who is that?
.Ve
.PP
-Request attributes can be compared by preceeding '$$' characters, e.g.:
+Request attributes can be compared by preceding '$$' characters, e.g.:
.PP
.Vb 3
\& id=R\-003 ; client_name = !! $$helo_name ; action=WARN helo does not match DNS
@@ -666,7 +666,7 @@ with postfwd1 v1.15 and postfwd2 v0.18 and higher.
\&\fIGeneral\fR
.PP
Actions will be executed, when all rule items have matched a request (or at least one of any item list). You can refer to
-request attributes by preceeding $$ characters, like:
+request attributes by preceding $$ characters, like:
.PP
.Vb 3
\& id=R\-003; client_name = !!$$helo_name; action=WARN helo \*(Aq$$helo_name\*(Aq does not match DNS \*(Aq$$client_name\*(Aq
@@ -750,7 +750,7 @@ postfwd2 actions control the behaviour of the program. Currently you can specify
\& means that requests from bob@example.local and BoB@example.local will be treated differently
\&
\& ask (<addr>:<port>[:<ignore>])
-\& allows to delegate the policy decision to another policy service (e.g. postgrey). the first
+\& allows one to delegate the policy decision to another policy service (e.g. postgrey). the first
\& and the second argument (address and port) are mandatory. a third optional argument may be
\& specified to tell postfwd2 to ignore certain answers and go on parsing the ruleset:
\& # example1: query postgrey and return it\*(Aqs answer to postfix
@@ -852,7 +852,7 @@ carefully, because errors may cause postfwd to break! It is also
allowed to override attributes or built-in functions, but be sure that you know
what you do because some of them are used internally.
.PP
-Please keep security in mind, when you access sensible ressources and never, ever
+Please keep security in mind, when you access sensible resources and never, ever
run postfwd as privileged user! Also never trust your input (especially hostnames,
and e\-mail addresses).
.PP
@@ -886,7 +886,7 @@ the policy delegation request and therefore may be used in postfwd's ruleset.
\&
\& # EXAMPLES \- integrated in postfwd. no need to activate them here.
\&
-\& # allows to check postfwd version in ruleset
+\& # allows one to check postfwd version in ruleset
\& "version" => sub {
\& my(%request) = @_;
\& my(%result) = (
@@ -1524,7 +1524,7 @@ equals to
\& id=R001; sender=bob@alice.local; client_address=192.168.1.1; action=dunno
.Ve
.PP
-Lists will be evaluated in the specified order. This allows to place faster expressions at first:
+Lists will be evaluated in the specified order. This allows one to place faster expressions at first:
.PP
.Vb 1
\& postfwd2 \-\-nodaemon \-vv \-L \-r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /some/where/request.sample
@@ -1601,7 +1601,7 @@ To debug special steps of the parser the '\-\-debug' switch takes a list of debu
.PP
The common way to use postfwd2 is to start it as daemon, listening at a specified tcp port.
postfwd2 will spawn multiple child processes which communicate with a parent cache. This is
-the prefered way to use postfwd2 in high volume environments. Start postfwd2 with the following parameters:
+the preferred way to use postfwd2 in high volume environments. Start postfwd2 with the following parameters:
.PP
.Vb 1
\& postfwd2 \-d \-f /etc/postfwd.cf \-i 127.0.0.1 \-p 10045 \-u nobody \-g nobody \-S

15
debian/patches/20_fix_postfwd1_default_umask.patch vendored Normal file
View file

@ -0,0 +1,15 @@
From: Jan Wagner <waja@cyconet.org>
Subject: Fixing default umask of postfwd
diff --git a/sbin/postfwd b/sbin/postfwd
index e17a729..62f90bb 100755
--- a/sbin/postfwd
+++ b/sbin/postfwd
@@ -49,7 +49,7 @@ our($def_net_chroot) = "";
our($def_net_interface) = "127.0.0.1";
our($def_net_port) = "10040";
our($def_net_proto) = "tcp";
-our($def_net_umask) = "0111";
+our($def_net_umask) = "0177";
our($def_net_user) = "nobody";
our($def_net_group) = "nobody";
our($def_dns_queuesize) = "300";

2
debian/patches/series vendored Normal file
View file

@ -0,0 +1,2 @@
10_fix_wording_manpages.patch
20_fix_postfwd1_default_umask.patch

68
debian/postfwd.README.Debian vendored Normal file
View file

@ -0,0 +1,68 @@
postfwd for Debian
------------------
1. PROVIDE A CONFIGFILE
-----------------------
Please provide a config file, usually /etc/postfix/postfwd.cf. Examples are
located in /usr/share/doc/postfwd/examples/.
Another can be found at http://hege.li/howto/spam/etc/postfwd/postfwd.conf
and is provided as example-cfg2.txt.
A quickstart guide is available at http://www.postfwd.org/quick.html and the
online documentation at http://www.postfwd.org/doc.html, the offline version
can be viewed with 'postfwd -m'.
2. VERIFY CONFIG
----------------
How interpret the parser your rules, you can check with:
# postfwd -f /etc/postfix/postfwd.cf -C -v
Check your rules against sample request:
# cat request.sample | postfwd -f /etc/postfix/postfwd.cf -L
# cat request.sample
------ snip -------
ccert_fingerprint=
size=64063
helo_name=english-breakfast.cloud9.net
reverse_client_name=english-breakfast.cloud9.net
queue_id=
encryption_cipher=
encryption_protocol=
etrn_domain=
ccert_subject=
request=smtpd_access_policy
protocol_state=RCPT
recipient=someone@domain.local
instance=6748.46adf3f8.62156.0
protocol_name=ESMTP
encryption_keysize=0
recipient_count=0
ccert_issuer=
sender=owner-postfix-users@postfix.org
client_name=english-breakfast.cloud9.net
client_address=168.100.1.7
------ snip -------
Samples can be taken into the logfile when starting the daemon with "-vv"
3. AUTOMATIC STARTUP
--------------------
In order to avoid the startup of the daemon on an unconfigured machine,
automatic startup, on boot, is disabled by default. To enable it just run
'systemctl enable postfwd.service', when still using SysVinit edit the
file /etc/default/postfwd and set the "startup" variable to 1.
4. CHOOSING WHICH POSTFWD VERSION TO USE
----------------------------------------
Since some time, there is also a prefork version available, called postfwd2.
You can use update-alternatives to choose between 'postfwd1' and 'postfwd2'.
-- Jan Wagner <waja@cyconet.org> Mon, 10 Mar 2008 22:37:44 +0100

15
debian/postfwd.default vendored Normal file
View file

@ -0,0 +1,15 @@
# Global options for postfwd(8).
# Set to '1' to enable startup (daemon mode), doesn't affect systemd
STARTUP=0
# Config file
CONF=/etc/postfix/postfwd.cf
# IP where listen to
INET=127.0.0.1
# Port where listen to
PORT=10040
# run as user postfw
RUNAS="postfw"
# Arguments passed on start (--daemon implied)
ARGS="--summary=600 --cache=600 --cache-rdomain-only --cache-no-size"

5
debian/postfwd.docs vendored Normal file
View file

@ -0,0 +1,5 @@
debian/tmp/*.txt
doc/*.txt
doc/postfwd-ARCH.png
doc/postfwd2.CHANGELOG
tools/*.pl

4
debian/postfwd.examples vendored Normal file
View file

@ -0,0 +1,4 @@
debian/example-cfg*
etc/postfwd.cf.sample
plugins/*.sample
tools/*.sample

103
debian/postfwd.init vendored Normal file
View file

@ -0,0 +1,103 @@
#! /bin/sh
# Written by Miquel van Smoorenburg <miquels@cistron.nl>.
# Modified for Debian
# by Ian Murdock <imurdock@gnu.ai.mit.edu>.
#
# Version: @(#)skeleton 1.9 26-Feb-2001 miquels@cistron.nl
# /etc/init.d/postfwd: v1 2008/03/12 Jan Wagner <waja@cyconet.org>
### BEGIN INIT INFO
# Provides: postfwd
# Required-Start: $local_fs $network $remote_fs $syslog
# Required-Stop: $local_fs $network $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop the postfw daemon
# Description: a Perl policy daemon for the Postfix MTA
### END INIT INFO
PATH=/sbin:/bin:/usr/sbin:/usr/bin
NAME=postfwd
DAEMON=/usr/sbin/${NAME}
PIDFILE=/var/run/$NAME.pid
DESC=postfwd
. /lib/lsb/init-functions
test -x $DAEMON || exit 0
not_configured () {
echo "#### WARNING ####"
echo "${NAME} won't be started/stopped unless it is configured."
echo "If you want to start ${NAME} as daemon, see /etc/default/${NAME}."
echo "#################"
exit 0
}
no_configfile () {
echo "#### WARNING ####"
echo "${NAME} won't be started/stopped unless a rules file is provided at $CONF."
echo "#################"
exit 0
}
# check if postfwd is configured or not
if [ -f "/etc/default/$NAME" ]
then
. /etc/default/$NAME
if [ "$STARTUP" != "1" ]
then
not_configured
fi
else
not_configured
fi
# check if rules file is there
if [ ! -f $CONF ]
then
no_configfile
fi
# Check whether we have to drop privileges.
if [ -n "$RUNAS" ]
then
if ! getent passwd "$RUNAS" >/dev/null; then
RUNAS=""
fi
fi
set -e
case "$1" in
start)
echo -n "Starting $DESC: "
start-stop-daemon --start --quiet \
--name ${NAME} \
--exec $DAEMON -- ${ARGS} --daemon --file=${CONF} --interface=${INET} --port=${PORT} --user=${RUNAS} --group=${RUNAS} --pidfile=$PIDFILE
echo "$NAME."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE && rm -rf $PIDFILE
echo "$NAME."
;;
reload)
echo "Reloading $DESC configuration files."
kill -HUP $(cat $PIDFILE)
;;
restart|force-reload)
echo -n "Restarting $DESC (incl. cache): "
$0 stop > /dev/null
sleep 1
$0 start > /dev/null
echo "$NAME."
;;
*)
N=/etc/init.d/$NAME
echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
exit 1
;;
esac
exit 0

2
debian/postfwd.manpages vendored Normal file
View file

@ -0,0 +1,2 @@
debian/tmp/postfwd1.8
man/man8/postfwd2.8

63
debian/postfwd.postinst vendored Normal file
View file

@ -0,0 +1,63 @@
#!/bin/sh
# based on arpwatch.postinst: v11 2004/09/15 KELEMEN Peter <fuji@debian.org>
# postinst: v1 2006/01/12 Jan Wagner <waja@cyconet.org>
set -e
NUSER="postfw"
NGROUP="postfw"
NHOME="/var/lib/$NUSER"
NGECOS="postfwd user"
case "$1" in
configure)
# Take care of group.
if NGROUP_ENTRY=`getent group $NGROUP`; then
# group exists
:
else
# group does not exist yet
addgroup --quiet --system $NGROUP
fi
# Take care of user.
if NUSER_ENTRY=`getent passwd $NUSER`; then
# user exists
adduser --quiet $NUSER $NGROUP
#
else
# user does not exist yet
adduser --quiet --system \
--ingroup $NGROUP \
--gecos "$NGECOS" \
--home $NHOME \
--no-create-home \
--shell /bin/sh \
--disabled-login \
--disabled-password \
--shell /bin/false \
$NUSER
fi
# Set up home directory.
if [ -d $NHOME ]; then
chown -R ${NUSER}:${NGROUP} $NHOME
chmod -R o-rwX $NHOME
fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
;;
*)
echo "postinst called with unknown argument \`$1'" >&2
exit 1
;;
esac
update-alternatives --install /usr/sbin/postfwd postfwd /usr/sbin/postfwd1 100 \
--slave /usr/share/man/man1/postfwd.1.gz postfwd.1.gz \
/usr/share/man/man1/postfwd1.1.gz
update-alternatives --install /usr/sbin/postfwd postfwd /usr/sbin/postfwd2 120 \
--slave /usr/share/man/man1/postfwd.2.gz postfwd.2.gz \
/usr/share/man/man1/postfwd2.1.gz
#DEBHELPER#

56
debian/postfwd.postrm vendored Normal file
View file

@ -0,0 +1,56 @@
#!/bin/sh
# based on arpwatch.postrm: v2 2004/09/15 KELEMEN Peter <fuji@debian.org>
# postrm: v1 2006/10/12 Jan Wagner <waja@cyconet.org>
NUSER="postfw"
NGROUP="postfw"
set -e
case "$1" in
purge)
# find first and last SYSTEM_UID numbers
for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do
case $LINE in
FIRST_SYSTEM_UID*)
FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
;;
LAST_SYSTEM_UID*)
LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='`
;;
*)
;;
esac
done
# remove system account if necessary
if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then
if USERID=`getent passwd $NUSER | cut -f 3 -d ':'`; then
if [ -n "$USERID" ]; then
if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \
[ "$USERID" -le "$LAST_SYSTEM_UID" ]; then
if which deluser > /dev/null; then
deluser --quiet $NUSER || true
# And then remove the group
GROUPID=`getent group $NGROUP | cut -f 3 -d ':'`
if [ -n "$GROUPID" ]; then
if which delgroup > /dev/null; then
delgroup --quiet $NGROUP || true
fi
fi
fi
fi
fi
fi
fi
;;
remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
;;
*)
echo "postrm called with unknown argument \`$1'" >&2
exit 1
;;
esac
#DEBHELPER#

10
debian/postfwd.prerm vendored Normal file
View file

@ -0,0 +1,10 @@
#!/bin/sh
set -e
if [ "$1" = remove ] || [ "$1" = deconfigure ]; then
update-alternatives --remove postfwd /usr/sbin/postfwd1
update-alternatives --remove postfwd /usr/sbin/postfwd2
fi
#DEBHELPER#

15
debian/postfwd.service vendored Normal file
View file

@ -0,0 +1,15 @@
[Unit]
Description=Postfix firewall daemon
After=network.target
Before=postfix.service
[Service]
Environment=PIDFILE=/var/run/postfwd.pid
EnvironmentFile=-/etc/default/postfwd
ExecStart=/usr/sbin/postfwd $ARGS --daemon --file $CONF --interface $INET --port $PORT --user $RUNAS --group $RUNAS --pidfile $PIDFILE
ExecStop=/usr/sbin/postfwd --file $CONF --pidfile $PIDFILE --kill
ExecReload=/usr/sbin/postfwd --file $CONF --pidfile $PIDFILE --reload
Type=forking
[Install]
WantedBy=multi-user.target

57
debian/rules vendored Executable file
View file

@ -0,0 +1,57 @@
#!/usr/bin/make -f
# written by Jan Wagner <waja@cyconet.org>
#
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
build: build-arch build-indep
build-arch:
build-indep:
clean:
# removing generated manpage (not initial shipped)
rm -rf man/man8/hapolicy.1
dh_testdir
dh_testroot
dh_clean
install: build
dh_testdir
dh_testroot
dh_prep
# install binaries
install -D -m 644 sbin/postfwd debian/postfwd/usr/sbin/postfwd1
install -D -m 644 sbin/postfwd2 debian/postfwd/usr/sbin/postfwd2
install -D -m 644 tools/hapolicy/hapolicy debian/hapolicy/usr/sbin/hapolicy
# install man page
mkdir -p debian/tmp/
cp man/man8/postfwd.8 debian/tmp/postfwd1.8
html2text doc/quick.html > debian/tmp/quick.txt
html2text doc/versions.html > debian/tmp/versions.txt
pod2man debian/hapolicy/usr/sbin/hapolicy man/man8/hapolicy.1
# Build architecture-independent files here.
binary-indep: build install
dh_testdir
dh_testroot
dh_installchangelogs doc/postfwd.CHANGELOG
dh_installdocs -ppostfwd -Xhapolicy
dh_installdocs -phapolicy tools/hapolicy/hapolicy[0-9a-zA-Z.]*
dh_installexamples
dh_installinit -- defaults 19 21
dh_installsystemd --no-enable
dh_installman
dh_compress
dh_fixperms
dh_perl
dh_installdeb
dh_gencontrol
dh_md5sums
dh_builddeb
# Build architecture-dependent files here.
binary-arch: build install
binary: binary-indep binary-arch
.PHONY: build clean binary-indep binary-arch binary install

1
debian/source/format vendored Normal file
View file

@ -0,0 +1 @@
3.0 (quilt)

1
debian/source/options vendored Normal file
View file

@ -0,0 +1 @@
extend-diff-ignore = '(^|/)(\.travis\.yml|\.git|\.github|\.gitgnore|config\.sub|config\.guess)'

2
debian/watch vendored Normal file
View file

@ -0,0 +1,2 @@
version=4
https://postfwd.org postfwd-(.*)\.tar\.gz

27
doc/arch.html Normal file
View file

@ -0,0 +1,27 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>postfwd - basic architecture</title>
<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
<meta name="description" content="basic architecture of postfwd a postfix firewall policy daemon">
<meta name="author" content="jpk">
<meta name="keywords" content="postfwd, postfwd usage, postfwd architecture, postfwd workflow, postfwd manual, postfix, policy, policy delegation, firewall, postfix acl, postfix acls, pfwpolicy, postfw, restrictions, IT-Security, IT-Consulting, Jan, Peter, Kessler">
</head>
<body>
<h1>postfwd workflow</h1> <br>
<img src="postfwd-ARCH.png">
<br><br>
<p>
<center>
<table border="1" color="black" frame="hsides" rules="none" width="100%">
<td width="33%" align="left"><small>http://www.postfwd.org/</small>
<td width="34%" align="center"><small>2007 - 2009 by <a href="http://www.jpkessler.de/">Jan Peter Kessler</a></small>
<td width="33%" align="right"><small>info (AT) postfwd (DOT) org</small>
</table>
</center>
</p>
</body>

151
doc/hapolicy.html Normal file
View file

@ -0,0 +1,151 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>hapolicy - policy delegation high availability script</title>
<link rev="made" href="mailto:root@localhost" />
</head>
<body style="background-color: white">
<p><a name="__index__"></a></p>
<!-- INDEX BEGIN -->
<ul>
<li><a href="#name">NAME</a></li>
<li><a href="#synopsis">SYNOPSIS</a></li>
<li><a href="#description">DESCRIPTION</a></li>
<ul>
<li><a href="#introduction">INTRODUCTION</a></li>
<li><a href="#configuration">CONFIGURATION</a></li>
<li><a href="#integration">INTEGRATION</a></li>
</ul>
<li><a href="#links">LINKS</a></li>
<li><a href="#license">LICENSE</a></li>
<li><a href="#author">AUTHOR</a></li>
</ul>
<!-- INDEX END -->
<hr />
<p>
</p>
<h1><a name="name">NAME</a></h1>
<p>hapolicy - policy delegation high availability script</p>
<p>
</p>
<hr />
<h1><a name="synopsis">SYNOPSIS</a></h1>
<p><strong>hapolicy</strong> [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...]</p>
<pre>
Services:
-s, --service &lt;name&gt;=&lt;address&gt;:&lt;port&gt;[:&lt;prio&gt;:&lt;weight&gt;:&lt;timeout&gt;]</pre>
<pre>
Options:
-d, --default &lt;action&gt; returns &lt;action&gt; if no service was available (default: 'dunno')
-l, --logging log requests
-v, --verbose increase logging verbosity
-L, --stdout log to stdout, for debugging, do NOT use with postfix</pre>
<p>
</p>
<hr />
<h1><a name="description">DESCRIPTION</a></h1>
<p>
</p>
<h2><a name="introduction">INTRODUCTION</a></h2>
<p><strong>hapolicy</strong> enables high availability, weighted loadbalancing and a fallback action for postfix policy delegation services. Invoked via postfix spawn it acts as a wrapper that queries
other policy servers via tcp connection. The order of the service queries can be influenced by assigning a specific priority and weight to each service. A service is considered 'failing',
if the connection is refused or the specified service timeout is reached. If all of the configured policy services were failing, <strong>hapolicy</strong> returns a default action (e.g. dunno) to postfix.</p>
<p>With version 1.00 <strong>hapolicy</strong> has less than 200 lines of perl code using only standard perl modules. It does not require any disk access nor configuration files and runs under an unpriviledged
user account. This should allow fast and reliable operation.</p>
<p>
</p>
<h2><a name="configuration">CONFIGURATION</a></h2>
<p>A service has the following attributes</p>
<pre>
&quot;servicename&quot; =&gt; {
ip =&gt; '127.0.0.1', # ip address
port =&gt; '10040', # tcp port
prio =&gt; '10', # optional, lower wins
weight =&gt; '1', # optional, for items with same prio (weighted round-robin), higher is better
timeout =&gt; '30', # optional, query timeout in seconds
},</pre>
<p>You may define multiple services at the command line. Which means that</p>
<pre>
hapolicy -s &quot;grey1=10.0.0.1:10031:10&quot; -s &quot;grey2=10.0.0.2:10031:20&quot;</pre>
<p>will always try first service <em>grey1</em> at ip 10.0.0.1 port 10031 and if that service is not available or
does not answer within the default of 30 seconds the next service <em>grey2</em> at ip 10.0.0.2 port 10031 will
be queried.</p>
<p>If you want to load balance connections you may define</p>
<pre>
hapolicy -s &quot;polw1=10.0.0.1:12525:10:2&quot; -s &quot;polw2=10.0.0.2:12525:10:1&quot;</pre>
<p>which queries service <em>polw1</em> at ip 10.0.0.1 twice as much as service <em>polw2</em> at ip 10.0.0.2. Note that this
setup also ensures high availability for both services. If <em>polw1</em> is not available or does not answer
within the default of 30 seconds <em>polw2</em> will be queried and vice versa. There is no reason to define a service twice.</p>
<p>
</p>
<h2><a name="integration">INTEGRATION</a></h2>
<p>Enter the following at the bottom of your postfix master.cf (usually located at /etc/postfix):</p>
<pre>
# service description, note the leading blanks at the second line
127.0.0.1:10060 inet n n n - 0 spawn
user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10</pre>
<p>save the file and open postfix main.cf. Modify it as follows:</p>
<pre>
127.0.0.1:10060_time_limit = 3600</pre>
<pre>
smtpd_recipient_restrictions =
permit_mynetworks,
... other authed permits ...
reject_unauth_destination,
... other restrictions ...
check_policy_service inet:127.0.0.1:10060 # &lt;- hapolicy query</pre>
<p>Now issue 'postfix reload' at the command line. Of course you can have more enhanced setups
using postfix restriction classes. Please see <a href="#links">LINKS</a> for further options.</p>
<p>
</p>
<hr />
<h1><a name="links">LINKS</a></h1>
<p>[1] Postfix SMTP Access Policy Delegation
<a href="http://www.postfix.org/SMTPD_POLICY_README.html">http://www.postfix.org/SMTPD_POLICY_README.html</a></p>
<p>[2] Postfix Per-Client/User/etc. Access Control
<a href="http://www.postfix.org/RESTRICTION_CLASS_README.html">http://www.postfix.org/RESTRICTION_CLASS_README.html</a></p>
<p>
</p>
<hr />
<h1><a name="license">LICENSE</a></h1>
<p>hapolicy is free software and released under BSD license, which basically means
that you can do what you want as long as you keep the copyright notice:</p>
<p>Copyright (c) 2008, Jan Peter Kessler
All rights reserved.</p>
<p>Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:</p>
<pre>
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
* Neither the name of the authors nor the names of his contributors
may be used to endorse or promote products derived from this
software without specific prior written permission.</pre>
<p>THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.</p>
<p>
</p>
<hr />
<h1><a name="author">AUTHOR</a></h1>
<p>Jan&nbsp;Peter&nbsp;Kessler&nbsp;&lt;info&nbsp;(AT)&nbsp;postfwd&nbsp;(DOT)&nbsp;org&gt;. Let me know, if you have any suggestions.</p>
</body>
</html>

127
doc/hapolicy.txt Normal file
View file

@ -0,0 +1,127 @@
NAME
hapolicy - policy delegation high availability script
SYNOPSIS
hapolicy [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...]
Services:
-s, --service <name>=<address>:<port>[:<prio>:<weight>:<timeout>]
Options:
-d, --default <action> returns <action> if no service was available (default: 'dunno')
-l, --logging log requests
-v, --verbose increase logging verbosity
-L, --stdout log to stdout, for debugging, do NOT use with postfix
DESCRIPTION
INTRODUCTION
hapolicy enables high availability, weighted loadbalancing and a
fallback action for postfix policy delegation services. Invoked via
postfix spawn it acts as a wrapper that queries other policy servers via
tcp connection. The order of the service queries can be influenced by
assigning a specific priority and weight to each service. A service is
considered 'failing', if the connection is refused or the specified
service timeout is reached. If all of the configured policy services
were failing, hapolicy returns a default action (e.g. dunno) to postfix.
With version 1.00 hapolicy has less than 200 lines of perl code using
only standard perl modules. It does not require any disk access nor
configuration files and runs under an unpriviledged user account. This
should allow fast and reliable operation.
CONFIGURATION
A service has the following attributes
"servicename" => {
ip => '127.0.0.1', # ip address
port => '10040', # tcp port
prio => '10', # optional, lower wins
weight => '1', # optional, for items with same prio (weighted round-robin), higher is better
timeout => '30', # optional, query timeout in seconds
},
You may define multiple services at the command line. Which means that
hapolicy -s "grey1=10.0.0.1:10031:10" -s "grey2=10.0.0.2:10031:20"
will always try first service *grey1* at ip 10.0.0.1 port 10031 and if
that service is not available or does not answer within the default of
30 seconds the next service *grey2* at ip 10.0.0.2 port 10031 will be
queried.
If you want to load balance connections you may define
hapolicy -s "polw1=10.0.0.1:12525:10:2" -s "polw2=10.0.0.2:12525:10:1"
which queries service *polw1* at ip 10.0.0.1 twice as much as service
*polw2* at ip 10.0.0.2. Note that this setup also ensures high
availability for both services. If *polw1* is not available or does not
answer within the default of 30 seconds *polw2* will be queried and vice
versa. There is no reason to define a service twice.
INTEGRATION
Enter the following at the bottom of your postfix master.cf (usually
located at /etc/postfix):
# service description, note the leading blanks at the second line
127.0.0.1:10060 inet n n n - 0 spawn
user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10
save the file and open postfix main.cf. Modify it as follows:
127.0.0.1:10060_time_limit = 3600
smtpd_recipient_restrictions =
permit_mynetworks,
... other authed permits ...
reject_unauth_destination,
... other restrictions ...
check_policy_service inet:127.0.0.1:10060 # <- hapolicy query
Now issue 'postfix reload' at the command line. Of course you can have
more enhanced setups using postfix restriction classes. Please see
"LINKS" for further options.
LINKS
[1] Postfix SMTP Access Policy Delegation
<http://www.postfix.org/SMTPD_POLICY_README.html>
[2] Postfix Per-Client/User/etc. Access Control
<http://www.postfix.org/RESTRICTION_CLASS_README.html>
LICENSE
hapolicy is free software and released under BSD license, which
basically means that you can do what you want as long as you keep the
copyright notice:
Copyright (c) 2008, Jan Peter Kessler All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
* Neither the name of the authors nor the names of his contributors
may be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
AUTHOR
Jan Peter Kessler <info (AT) postfwd (DOT) org>. Let me know, if you
have any suggestions.

BIN
doc/postfwd-ARCH.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 37 KiB

125
doc/CHANGELOG → doc/postfwd.CHANGELOG
View file

@ -1,3 +1,128 @@
1.35
====
- code: rate(), size() and rcpt() function index is now case insensitive by default
(same limit counters for from@example.org and fRom@eXample.org)
if you need to treat the localpart case-sensitive according to rfc5321
you may use rate5321(), size5321() and rcpt5321()
1.34
====
- bugfix: fixed taint mode logging error for verbose --showconfig and --stdoutlog
options and newer perl versions.
- bugfix: check_* functions use print/getline instead of send/recv for large
--dumpcache output (thanks to Alexandre Simon)
- code: log_* routines added to allow the same plugins for postfwd1 and postfwd2
- code: added more information when using --debug=cleanup
- docs: documentation updates
- feature: new sendmail(sendmail-path::from::to::subject::body) action.
Please take a look at the manual, especially about
it's limitations, before using it!
------------------------------------------------------------
# alert
action=sendmail(/usr/sbin/sendmail::from@example.org::to@example.org::Subject::Text)
------------------------------------------------------------
1.33
====
- feature: new compare operators *
====================================================================
*ITEM > VALUE true if ITEM > VALUE
*ITEM < VALUE true if ITEM < VALUE
====================================================================
- bugfix: fixed bug when computing scores with more than 1 digit after the "." (n.nn)
- bugfix: fixed bug when computing negative values with the set action
- bugfix: ITEMS plugins returning zero values were handled incorrectly
- bugfix: max command recursion was not reset for each rule
1.32
====
- feature: new option --save_rates=<file> allows to load and save
rate limit counters to disk on program start and termination.
this allows rate limit persistence during restarts and reboots
(requires perl module 'Storable')
- feature: the --debugitem="sender=example\.org$" option
allows verbose logging for particular requests
- feature: the debug() action allows verbose logging for certain
rules:
------------------------------------------------------------
id=R01
client_address=1.1.1.1
action=debug(on)
id=R02
...
id=R42
action=debug(off)
------------------------------------------------------------
- feature: nested commands are possible now, e.g.:
------------------------------------------------------------
# throttle
action=rate(client_address/10/60/wait(3))
------------------------------------------------------------
- feature: new mail(server/helo/from/to/subject/body) action.
Please take a look at the manual, especially about
it's limitations, before using it!
------------------------------------------------------------
# alert
action=size(recipient_domain/100000000/86400/mail(mailhost/helo/from/to/subject/text))
------------------------------------------------------------
1.31
====
- feature: single cache items can be wiped using --delcache <item>
or --delrate <item> options. use --dumpcache to identify
- feature: sasl_username is logged if available
(thanks to Bernhard Schmidt)
- code: rate limit action is executed, if the first request exceeds the limit
- code: exceeded ratecounters will not be kept permanently anymore. this
allows further requests to pass, if they are below the limit
- code: rate limits are evaluated at ruleset stage now, which leads to
much more comprehensible behaviour. due to this change the request
cache is now disabled, if rate limits are used. use the
--fast_limit_evaluation option to revert to the former mode.
1.30
====
- feature: new parser enhancement allows to omit the trailing "\" for multi-line rules,
if the following lines are prefixed by whitespace characters:
--------------------------------------
id=RCPTCOUNT
protocol_state == END-OF-MESSAGE
client_address != 10.1.1.0/24
recipient_count >= 100
action=REJECT too many recipients
--------------------------------------
- feature: new plugin interface (BETA)
- feature: Time::HiRes is used if available
- feature: new $$ratecount variable for rate() actions
- feature: ported --dumpstats and --dumpcache option from postfwd2
- bugfix: fixed program usage statistics (--summary)
- docs: documentation updates
1.22
=====
- feature: new option --keep_rates
- feature: queueid is logged when available
- bugfix: rate limits using the same item and the same limits
did not work correctly (thanks to Yves Blusseau):
id=INT01; INT_DOMAIN==1; \
action=rate(sender/100/60/450 4.7.1 too much for internal domains)
id=EXT01; EXT_DOMAIN==1; \
action=rate(sender/100/60/450 4.7.1 too much for external domains)
- bugfix: small fix for cleanup of old rate limits
- docs: documentation updates and fixes (thanks to Vincent Lefevre)
1.21
=====
- feature: postfwd supports multiple rate limits to the same items now.
this means that the following will now work as expected:
id=R001; recipient_count>=100; action=rate(sender/3/3600/WARN state RED)
id=R002; recipient_count>=100; action=rate(sender/2/3600/WARN state YELLOW)
id=R003; recipient_count>=100; action=rate(sender/1/3600/WARN state GREEN)
- code: ported command-line option --facility from postfwd2
- docs: documentation updates and fixes (thanks to Vincent Lefevre)
1.20
=====
- code: changed the default umask for the server socket to 0111

585
doc/postfwd.html
View file

@ -1,14 +1,18 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>postfwd - postfix firewall daemon</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:root@localhost" />
</head>
<body style="background-color: white">
<p><a name="__index__"></a></p>
<!-- INDEX BEGIN -->
<div name="index">
<p><a name="__index__"></a></p>
<ul>
@ -37,9 +41,11 @@
<li><a href="#license">LICENSE</a></li>
<li><a href="#author">AUTHOR</a></li>
</ul>
<hr name="index" />
</div>
<!-- INDEX END -->
<hr />
<p>
</p>
<h1><a name="name">NAME</a></h1>
@ -51,54 +57,71 @@
<p>postfwd [OPTIONS] [SOURCE1, SOURCE2, ...]</p>
<pre>
Ruleset: (at least one, multiple use is allowed):
-f, --file &lt;file&gt; reads rules from &lt;file&gt;
-r, --rule &lt;rule&gt; adds &lt;rule&gt; to config</pre>
-f, --file &lt;file&gt; reads rules from &lt;file&gt;
-r, --rule &lt;rule&gt; adds &lt;rule&gt; to config</pre>
<pre>
Scoring:
-s, --scores &lt;v&gt;=&lt;r&gt; returns &lt;r&gt; when score exceeds &lt;v&gt;</pre>
-s, --scores &lt;v&gt;=&lt;r&gt; returns &lt;r&gt; when score exceeds &lt;v&gt;</pre>
<pre>
Control:
-d, --daemon run postfwd as daemon
-k, --kill stops daemon
--reload reloads configuration
--dumpstats displays usage statistics
--dumpcache displays cache contents
--delcache &lt;item&gt; removes an item from the request cache
--delrate &lt;item&gt; removes an item from the rate cache</pre>
<pre>
Networking:
-d, --daemon run postfwd as daemon
-i, --interface &lt;dev&gt; listen on interface &lt;dev&gt;
-p, --port &lt;port&gt; listen on port &lt;port&gt;
--proto &lt;proto&gt; socket type (tcp or unix)
-u, --user &lt;name&gt; set uid to user &lt;name&gt;
-g, --group &lt;name&gt; set gid to group &lt;name&gt;
--umask &lt;mask&gt; set umask for file permissions
-R, --chroot &lt;path&gt; chroot the daemon to &lt;path&gt;
--pidfile &lt;path&gt; create pidfile under &lt;path&gt;
-l, --logname &lt;label&gt; label for syslog messages
--loglen &lt;int&gt; truncates syslogs after &lt;int&gt; chars</pre>
-i, --interface &lt;dev&gt; listen on interface &lt;dev&gt;
-p, --port &lt;port&gt; listen on port &lt;port&gt;
--proto &lt;proto&gt; socket type (tcp or unix)
-u, --user &lt;name&gt; set uid to user &lt;name&gt;
-g, --group &lt;name&gt; set gid to group &lt;name&gt;
--umask &lt;mask&gt; set umask for file permissions
-R, --chroot &lt;path&gt; chroot the daemon to &lt;path&gt;
--pidfile &lt;path&gt; create pidfile under &lt;path&gt;
--facility &lt;f&gt; syslog facility
--socktype &lt;s&gt; syslog socktype
-l, --logname &lt;label&gt; label for syslog messages
--loglen &lt;int&gt; truncates syslogs after &lt;int&gt; chars</pre>
<pre>
Caching:
-c, --cache &lt;int&gt; sets the request-cache timeout to &lt;int&gt; seconds
--cache-no-size ignores size attribute for caching
--cache-no-sender ignores sender address in cache
--cache-rdomain-only ignores localpart of recipient address in cache
--cache-rbl-timeout default rbl timeout, if not specified in ruleset
--cache-rbl-default default rbl response pattern to match (regexp)
--cacheid &lt;item&gt;, .. list of attributes for request cache identifier
--cleanup-requests cleanup interval in seconds for request cache
--cleanup-rbls cleanup interval in seconds for rbl cache
--cleanup-rates cleanup interval in seconds for rate cache</pre>
-c, --cache &lt;int&gt; sets the request-cache timeout to &lt;int&gt; seconds
--cache-no-size ignores size attribute for caching
--cache-no-sender ignores sender address in cache
--cache-rdomain-only ignores localpart of recipient address in cache
--cache-rbl-timeout default rbl timeout, if not specified in ruleset
--cache-rbl-default default rbl response pattern to match (regexp)
--cacheid &lt;item&gt;, .. list of attributes for request cache identifier
--cleanup-requests cleanup interval in seconds for request cache
--cleanup-rbls cleanup interval in seconds for rbl cache
--cleanup-rates cleanup interval in seconds for rate cache</pre>
<pre>
Optional:
-t, --test testing, always returns &quot;dunno&quot;
-v, --verbose verbose logging, use twice (-vv) to increase level
-S, --summary &lt;int&gt; show some usage statistics every &lt;int&gt; seconds
--norulelog disbles rule logging
--norulestats disables per rule statistics
--noidlestats disables statistics when idle
-n, --nodns disable dns
--nodnslog disable dns logging
--dns_async_txt perform dnsbl A and TXT lookups simultaneously
--dns_timeout timeout in seconds for asynchonous dns queries
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
--dns_timeout_interval interval in seconds for dns timeout maximum counter
--dns_max_ns_lookups max names to look up with sender_ns_addrs
--dns_max_mx_lookups max names to look up with sender_mx_addrs
-I, --instantcfg re-reads rulefiles for every new request
--config_timeout &lt;i&gt; parser timeout in seconds</pre>
-t, --test testing, always returns &quot;dunno&quot;
-v, --verbose verbose logging, use twice (-vv) to increase level
-S, --summary &lt;int&gt; show some usage statistics every &lt;int&gt; seconds
--norulelog disbles rule logging
--norulestats disables per rule statistics
--noidlestats disables statistics when idle
-n, --nodns disable dns
--nodnslog disable dns logging
--dns_async_txt perform dnsbl A and TXT lookups simultaneously
--dns_timeout timeout in seconds for asynchonous dns queries
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
--dns_timeout_interval interval in seconds for dns timeout maximum counter
--dns_max_ns_lookups max names to look up with sender_ns_addrs
--dns_max_mx_lookups max names to look up with sender_mx_addrs
-I, --instantcfg re-reads rulefiles for every new request
--config_timeout &lt;i&gt; parser timeout in seconds
--keep_rates do not clear rate limit counters on reload
--save_rates &lt;file&gt; save and load rate limits on disk
--fast_limit_evaluation evaluate rate limits before ruleset is parsed
(please note the limitations)</pre>
<pre>
Plugins:
--plugins &lt;file&gt; loads postfwd plugins from file</pre>
<pre>
Informational (use only at command-line!):
-C, --showconfig shows ruleset summary, -v for verbose
@ -107,9 +130,6 @@
-V, --version shows program version
-h, --help shows usage
-m, --manual shows program manual</pre>
<pre>
Plugins:
--plugins &lt;file&gt; loads plugins from &lt;file&gt;</pre>
<p>
</p>
<hr />
@ -138,7 +158,7 @@ which should allow straightforward and easy-to-read configurations.</p>
<p>A configuration line consists of optional item=value pairs, separated by semicolons
(`;`) and the appropriate desired action:</p>
<pre>
[ &lt;item1&gt;[=&gt;&lt;~]=&lt;value&gt;; &lt;item2&gt;[=&gt;&lt;~]=&lt;value&gt;; ... ] action=&lt;result&gt;</pre>
[ &lt;item1&gt;=&lt;value&gt;; &lt;item2&gt;=&lt;value&gt;; ... ] action=&lt;result&gt;</pre>
<p><em>Example:</em></p>
<pre>
client_address=192.168.1.1 ; sender==no@bad.local ; action=REJECT</pre>
@ -152,6 +172,8 @@ is not important. So the following would lead to the same result as the previous
ITEM == VALUE true if ITEM equals VALUE
ITEM =&gt; VALUE true if ITEM &gt;= VALUE
ITEM =&lt; VALUE true if ITEM &lt;= VALUE
ITEM &gt; VALUE true if ITEM &gt; VALUE
ITEM &lt; VALUE true if ITEM &lt; VALUE
ITEM =~ VALUE true if ITEM ~= /^VALUE$/i
ITEM != VALUE false if ITEM equals VALUE
ITEM !&gt; VALUE false if ITEM &gt;= VALUE
@ -167,10 +189,19 @@ or trailing whitespace characters will be ignored. Use '#' to comment your confi
appreciate.</p>
<p>A ruleset consists of one or multiple rules, which can be loaded from files or passed as command line
arguments. Please see the COMMAND LINE section below for more information on this topic.</p>
<p>Rules can span multiple lines by adding a trailing backslash ``\'' character:</p>
<p>Since postfwd version 1.30 rules spanning span multiple lines can be defined by prefixing the following
lines with one or multiple whitespace characters (or '}' for macros):</p>
<pre>
id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \
action=REJECT please use your relay from there</pre>
id=RULE001
client_address=192.168.1.0/24
sender==no@bad.local
action=REJECT no access</pre>
<p>postfwd versions prior to 1.30 require trailing ';' and '\'-characters:</p>
<pre>
id=RULE001; \
client_address=192.168.1.0/24; \
sender==no@bad.local; \
action=REJECT no access</pre>
<p>
</p>
<h2><a name="items">ITEMS</a></h2>
@ -236,8 +267,14 @@ arguments. Please see the COMMAND LINE section below for more information on thi
this enables version based checks in your rulesets
(e.g. for migration). works with old versions too,
because a non-existing item always returns false:
id=R01; version~=1.10; sender_domain==some.org \
# version &gt;= 1.10
id=R01; version~=1\.[1-9][0-9]; sender_domain==some.org \
; action=REJECT sorry no access</pre>
<pre>
ratecount - only available for rate(), size() and rcpt() actions.
contains the actual limit counter:
id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits])
id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits])</pre>
<p>Besides these you can specify any attribute of the postfix policy delegation protocol.
Feel free to combine them the way you need it (have a look at the EXAMPLES section below).</p>
<p>Most values can be specified as regular expressions (PCRE). Please see the table below
@ -287,34 +324,33 @@ for details:</p>
encryption_keysize=256 mask = numeric, will match if keysize &gt;= 256
...</pre>
<p>the current list can be found at <a href="http://www.postfix.org/SMTPD_POLICY_README.html">http://www.postfix.org/SMTPD_POLICY_README.html</a>. Please read carefully about which
attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END_OF_DATA level).
attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END-OF-MESSAGE level).
Pattern matching is performed case insensitive.</p>
<p>Multiple use of the same item is allowed and will compared as logical OR, which means that this will work as expected:</p>
<pre>
id=TRUST001; action=OK; encryption_keysize=64; \
ccert_fingerprint=11:22:33:44:55:66:77:88:99; \
ccert_fingerprint=22:33:44:55:66:77:88:99:00; \
ccert_fingerprint=33:44:55:66:77:88:99:00:11; \
id=TRUST001; action=OK; encryption_keysize=64
ccert_fingerprint=11:22:33:44:55:66:77:88:99
ccert_fingerprint=22:33:44:55:66:77:88:99:00
ccert_fingerprint=33:44:55:66:77:88:99:00:11
sender=@domain\.local$</pre>
<p>client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values:</p>
<pre>
id=SKIP01; action=dunno; \
id=SKIP01; action=dunno
client_address=192.168.1.0/24, 172.16.254.23
id=SKIP02; action=dunno; \
client_address= 10.10.3.32 \
10.216.222.0/27</pre>
id=SKIP02; action=dunno
client_address=10.10.3.32 10.216.222.0/27</pre>
<p>The following items currently have to be unique:</p>
<pre>
id, minimum and maximum values, rblcount and rhsblcount</pre>
<p>Any item can be negated by preceeding '!!' to it, e.g.:</p>
<pre>
id=TLS001 ; hostname=!!^secure\.trust\.local$ ; action=REJECT only secure.trust.local please</pre>
id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please</pre>
<p>or using the right compare operator:</p>
<pre>
id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that?</pre>
id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please</pre>
<p>To avoid confusion with regexps or simply for better visibility you can use '!!(...)':</p>
<pre>
id=USER01 ; sasl_username=!!( (bob|alice) ) ; action=REJECT who is that?</pre>
id=USER01 ; sasl_username = !!( (bob|alice) ) ; action=REJECT who is that?</pre>
<p>Request attributes can be compared by preceeding '$$' characters, e.g.:</p>
<pre>
id=R-003 ; client_name = !! $$helo_name ; action=WARN helo does not match DNS
@ -322,6 +358,29 @@ Pattern matching is performed case insensitive.</p>
id=R-003 ; client_name = !!($$(helo_name)) ; action=WARN helo does not match DNS</pre>
<p>This is only valid for PCRE values (see list above). The comparison will be performed as case insensitive exact match.
Use the '-vv' option to debug.</p>
<p>These special items will be reset for any new rule:</p>
<pre>
rblcount - contains the number of RBL answers
rhsblcount - contains the number of RHSBL answers
matches - contains the number of matched items
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
rbltype:rblname:&lt;txt&gt;; rbltype:rblname:&lt;txt&gt;; ...</pre>
<p>These special items will be changed for any matching rule:</p>
<pre>
request_hits - contains ids of all matching rules</pre>
<p>This means that it might be necessary to save them, if you plan to use these values in later rules:</p>
<pre>
# set vals
id=RBL01 ; rhsblcount=all; rblcount=all
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net</pre>
<pre>
# compare
id=RBL02 ; HIT_rhls&gt;=1 ; HIT_rbls&gt;=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
id=RBL03 ; HIT_rhls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
id=RBL04 ; HIT_rbls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]</pre>
<p>
</p>
<h2><a name="files">FILES</a></h2>
@ -341,15 +400,15 @@ Use the '-vv' option to debug.</p>
id=R001 ; ccert_fingerprint==table:/etc/postfwd/wl_ccerts ; action=DUNNO</pre>
<p>This will ignore the right-hand value. Items can be mixed:</p>
<pre>
id=R002 ; action=REJECT \
client_name==unknown; \
id=R002 ; action=REJECT
client_name==unknown
client_name==<a href="file:/etc/postfwd/blacklisted">file:/etc/postfwd/blacklisted</a></pre>
<p>and for non pcre (comma separated) items:</p>
<pre>
id=R003 ; action=REJECT \
id=R003 ; action=REJECT
client_address==10.1.1.1, <a href="file:/etc/postfwd/blacklisted">file:/etc/postfwd/blacklisted</a></pre>
<pre>
id=R004 ; action=REJECT \
id=R004 ; action=REJECT
rbl=myrbl.home.local, zen.spamhaus.org, <a href="file:/etc/postfwd/rbls_changing">file:/etc/postfwd/rbls_changing</a></pre>
<p>You can check your configuration with the --show_config option at the command line:</p>
<pre>
@ -392,7 +451,7 @@ necessary. Of course this might increase the system load, so please use it with
<pre>
-- FILE /etc/postfwd/clients_west.cf --
192.168.3.0/24</pre>
<p>Remind that there is currently no loop detection (/a/file calls /a/file) and that this feature is only available
<p>Note that there is currently no loop detection (/a/file calls /a/file) and that this feature is only available
with postfwd1 v1.15 and postfwd2 v0.18 and higher.</p>
<p>
</p>
@ -406,7 +465,7 @@ request attributes by preceeding $$ characters, like:</p>
id=R-003; client_name = !!$$helo_name; action=WARN helo '$$(helo_name)' does not match DNS '$$(client_name)'</pre>
<p><em>postfix actions</em></p>
<p>Actions will be replied to postfix as result to policy delegation requests. Any action that postfix understands is allowed - see
``man 5 access'' or <a href="http://www.postfix.org/access.5.html">http://www.postfix.org/access.5.html</a> for a description. If no action is specified, the postfix WARN action
&quot;man 5 access&quot; or <a href="http://www.postfix.org/access.5.html">http://www.postfix.org/access.5.html</a> for a description. If no action is specified, the postfix WARN action
which simply logs the event will be used for the corresponding rule.</p>
<p>postfwd will return dunno if it has reached the end of the ruleset and no rule has matched. This can be changed by placing a last
rule containing only an action statement:</p>
@ -444,19 +503,28 @@ rule containing only an action statement:</p>
this command creates a counter for the given &lt;item&gt;, which will be increased any time a request
containing it arrives. if it exceeds &lt;max&gt; within &lt;time&gt; seconds it will return &lt;action&gt; to postfix.
rate counters are very fast as they are executed before the ruleset is parsed.
please note that &lt;action&gt; is currently limited to postfix actions (no postfwd actions)!
please note that &lt;action&gt; was limited to postfix actions (no postfwd actions) for postfwd versions &lt;1.33!
# no more than 3 requests per 5 minutes
# from the same &quot;unknown&quot; client
id=RATE01 ; client_name==unknown ; \
action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)</pre>
id=RATE01 ; client_name==unknown
action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
Please note also that the order of rate limits in your ruleset is important, which means
that this:
# works as expected
id=R001; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded)
id=R002; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender)
leads to different results than this:
# rule R002 never gets executed
id=R001; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender)
id=R002; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded)</pre>
<pre>
size (&lt;item&gt;/&lt;max&gt;/&lt;time&gt;/&lt;action&gt;)
this command works similar to the rate() command with the difference, that the rate counter is
increased by the request's size attribute. to do this reliably you should call postfwd from
smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset:
# size limit 1.5mb per hour per client
id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)</pre>
id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1
action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)</pre>
<pre>
rcpt (&lt;item&gt;/&lt;max&gt;/&lt;time&gt;/&lt;action&gt;)
this command works similar to the rate() command with the difference, that the rate counter is
@ -464,8 +532,13 @@ rule containing only an action statement:</p>
from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could
check it within the ruleset:
# recipient count limit 3 per hour per client
id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)</pre>
id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1
action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)</pre>
<pre>
rate5321,size5321,rcpt5321 (&lt;item&gt;/&lt;max&gt;/&lt;time&gt;/&lt;action&gt;)
same as the corresponding non-5321 functions, with the difference that the localpart of
sender oder recipient addresses are evaluated case-sensitive according to rfc5321. That
means that requests from bob@example.local and BoB@example.local will be treated differently</pre>
<pre>
ask (&lt;addr&gt;:&lt;port&gt;[:&lt;ignore&gt;])
allows to delegate the policy decision to another policy service (e.g. postgrey). the first
@ -473,9 +546,20 @@ rule containing only an action statement:</p>
specified to tell postfwd to ignore certain answers and go on parsing the ruleset:
# example1: query postgrey and return it's answer to postfix
id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031)
# example2: query postgrey but ignore it's answer, if it matches 'DUNNO'
# example2: query postgrey but ignore the answer, if it matches 'DUNNO'
# and continue parsing postfwd's ruleset
id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$)</pre>
<pre>
mail(server/helo/from/to/subject/body)
This command is deprecated. You should try to use the sendmail() action instead.
Very basic mail command, that sends a message with the given arguments. LIMITATIONS:
This basically performs a telnet. No authentication or TLS are available. Additionally it does
not track notification state and will notify you any time, the corresponding rule hits.</pre>
<pre>
sendmail(sendmail-path::from::to::subject::body)
Mail command, that uses an existing sendmail binary and sends a message with the given arguments.
LIMITATIONS: The command does not track notification state and will notify you any time, the
corresponding rule hits (which could mean 100 mails for a mail with 100 recipients at RCPT stage).</pre>
<pre>
wait (&lt;delay&gt;)
pauses the program execution for &lt;delay&gt; seconds. use this for
@ -483,7 +567,7 @@ rule containing only an action statement:</p>
<pre>
note (&lt;string&gt;)
just logs the given string and continues parsing the ruleset.
if the string is empty, nothing will be logged.</pre>
if the string is empty, nothing will be logged (noop).</pre>
<pre>
quit (&lt;code&gt;)
terminates the program with the given exit-code. postfix doesn`t
@ -491,29 +575,6 @@ rule containing only an action statement:</p>
<p>You can reference to request attributes, like</p>
<pre>
id=R-HELO ; helo_name=^[^\.]+$ ; action=REJECT invalid helo '$$helo_name'</pre>
<p>These special attributes will be reset for any new rule:</p>
<pre>
rblcount - contains the number of RBL answers
rhsblcount - contains the number of RHSBL answers
matches - contains the number of matched items
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
rbltype:rblname:&lt;txt&gt;; rbltype:rblname:&lt;txt&gt;; ...</pre>
<p>These special attributes will be changed for any matching rule:</p>
<pre>
request_hits - contains ids of all matching rules</pre>
<p>This means that it might be necessary to save them, if you plan to use these values in later rules:</p>
<pre>
# set vals
id=RBL01 ; rhsblcount=all ; rblcount=all ; \
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)</pre>
<pre>
# compare
id=RBL02 ; HIT_rhls&gt;=1 ; HIT_rbls&gt;=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
id=RBL03 ; HIT_rhls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
id=RBL04 ; HIT_rbls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]</pre>
<p>
</p>
<h2><a name="macros_acls">MACROS/ACLS</a></h2>
@ -536,18 +597,18 @@ First the macros have to be defined as follows:</p>
&amp;&amp;GONOW ; &amp;&amp;RBLS ; client_name=[\.-_](adsl|dynamic|ppp|)[\.-_]</pre>
<p>Macros can contain macros, too:</p>
<pre>
# definition (note the trailing &quot;\&quot; characters)
&amp;&amp;RBLS { \
rbl=zen.spamhaus.org ; \
rbl=list.dsbl.org ; \
rbl=bl.spamcop.net ; \
rbl=dnsbl.sorbs.net ; \
rbl=ix.dnsbl.manitu.net ; \
# definition
&amp;&amp;RBLS{
rbl=zen.spamhaus.org
rbl=list.dsbl.org
rbl=bl.spamcop.net
rbl=dnsbl.sorbs.net
rbl=ix.dnsbl.manitu.net
};
&amp;&amp;DYNAMIC { \
client_name=^unknown$ ; \
client_name=(\d+[\.-_]){4} ; \
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
&amp;&amp;DYNAMIC{
client_name=^unknown$
client_name=(\d+[\.-_]){4}
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_]
};
&amp;&amp;GOAWAY { &amp;&amp;RBLS; &amp;&amp;DYNAMIC; };
# rules
@ -556,7 +617,145 @@ First the macros have to be defined as follows:</p>
<p>
</p>
<h2><a name="plugins">PLUGINS</a></h2>
<p>Please visit <a href="http://www.postfwd.org/postfwd.plugins">http://www.postfwd.org/postfwd.plugins</a></p>
<p><strong>Description</strong></p>
<p>The plugin interface allow you to define your own checks and enhance postfwd's
functionality. Feel free to share useful things!</p>
<p><strong>Warning</strong></p>
<p>Note that the plugin interface is still at devel stage. Please test your plugins
carefully, because errors may cause postfwd to break! It is also
allowed to override attributes or built-in functions, but be sure that you know
what you do because some of them are used internally.</p>
<p>Please keep security in mind, when you access sensible ressources and never, ever
run postfwd as privileged user! Also never trust your input (especially hostnames,
and e-mail addresses).</p>
<p><strong>ITEMS</strong></p>
<p>Item plugins are perl subroutines which integrate additional attributes to requests
before they are evaluated against postfwd's ruleset like any other item of the
policy delegation protocol. This allows you to create your own checks.</p>
<p>plugin-items can not be used selective. these functions will be executed for every
request postfwd receives, so keep performance in mind.</p>
<pre>
SYNOPSIS: %result = postfwd_items_plugin{&lt;name&gt;}(%request)</pre>
<p>means that your subroutine, called &lt;name&gt;, has access to a hash called %request,
which contains all request attributes, like $request{client_name} and must
return a value in the following form:</p>
<pre>
save: $result{&lt;item&gt;} = &lt;value&gt;</pre>
<p>this creates the new item &lt;item&gt; containing &lt;value&gt;, which will be integrated in
the policy delegation request and therefore may be used in postfwd's ruleset.</p>
<pre>
# do NOT remove the next line
%postfwd_items_plugin = (</pre>
<pre>
# EXAMPLES - integrated in postfwd. no need to activate them here.
# allows to check postfwd version in ruleset
&quot;version&quot; =&gt; sub {
my(%request) = @_;
my(%result) = (
&quot;version&quot; =&gt; $NAME.&quot; &quot;.$VERSION,
);
return %result;
},
# sender_domain and recipient_domain
&quot;address_parts&quot; =&gt; sub {
my(%request) = @_;
my(%result) = ();
$request{sender} =~ /@([^@]*)$/;
$result{sender_domain} = ($1 || '');
$request{recipient} =~ /@([^@]*)$/;
$result{recipient_domain} = ($1 || '');
return %result;
},</pre>
<pre>
# do NOT remove the next line
);</pre>
<p><strong>COMPARE</strong></p>
<p>Compare plugins allow you to define how your new items should be compared to the ruleset.
These are optional. If you don't specify one, the default (== for exact match, =~ for PCRE, ...)
will be used.</p>
<pre>
SYNOPSIS: &lt;item&gt; =&gt; sub { return &amp;{$postfwd_compare{&lt;type&gt;}}(@_); },</pre>
<pre>
# do NOT remove the next line
%postfwd_compare_plugin = (</pre>
<pre>
EXAMPLES - integrated in postfwd. no need to activate them here.
# Simple example
# SYNOPSIS: &lt;result&gt; = &lt;item&gt; (return &amp;{$postfwd_compare{&lt;type&gt;}}(@_))
&quot;client_address&quot; =&gt; sub { return &amp;{$postfwd_compare{cidr}}(@_); },
&quot;size&quot; =&gt; sub { return &amp;{$postfwd_compare{numeric}}(@_); },
&quot;recipient_count&quot; =&gt; sub { return &amp;{$postfwd_compare{numeric}}(@_); },
# Complex example
# SYNOPSIS: &lt;result&gt; = &lt;item&gt;(&lt;operator&gt;, &lt;ruleset value&gt;, &lt;request value&gt;, &lt;request&gt;)
&quot;numeric&quot; =&gt; sub {
my($cmp,$val,$myitem,%request) = @_;
my($myresult) = undef; $myitem ||= &quot;0&quot;; $val ||= &quot;0&quot;;
if ($cmp eq '==') {
$myresult = ($myitem == $val);
} elsif ($cmp eq '=&lt;') {
$myresult = ($myitem &lt;= $val);
} elsif ($cmp eq '=&gt;') {
$myresult = ($myitem &gt;= $val);
} elsif ($cmp eq '&lt;') {
$myresult = ($myitem &lt; $val);
} elsif ($cmp eq '&gt;') {
$myresult = ($myitem &gt; $val);
} elsif ($cmp eq '!=') {
$myresult = not($myitem == $val);
} elsif ($cmp eq '!&lt;') {
$myresult = not($myitem &lt;= $val);
} elsif ($cmp eq '!&gt;') {
$myresult = not($myitem &gt;= $val);
} else {
$myresult = ($myitem &gt;= $val);
};
return $myresult;
},</pre>
<pre>
# do NOT remove the next line
);</pre>
<p><strong>ACTIONS</strong></p>
<p>Action plugins allow to define new postfwd actions. By setting the $stop-flag you can decide to
continue or to stop parsing the ruleset.</p>
<pre>
SYNOPSIS: (&lt;stop rule parsing&gt;, &lt;next rule index&gt;, &lt;return action&gt;, &lt;logprefix&gt;, &lt;request&gt;) =
&lt;action&gt; (&lt;current rule index&gt;, &lt;current time&gt;, &lt;command name&gt;, &lt;argument&gt;, &lt;logprefix&gt;, &lt;request&gt;)</pre>
<pre>
# do NOT remove the next line
%postfwd_actions_plugin = (</pre>
<pre>
# EXAMPLES - integrated in postfwd. no need to activate them here.
# note(&lt;logstring&gt;) command
&quot;note&quot; =&gt; sub {
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
my($myaction) = 'dunno'; my($stop) = 0;
log_info &quot;[RULES] &quot;.$myline.&quot; - note: &quot;.$myarg if $myarg;
return ($stop,$index,$myaction,$myline,%request);
},
# skips next &lt;myarg&gt; rules
&quot;skip&quot; =&gt; sub {
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
my($myaction) = 'dunno'; my($stop) = 0;
$index += $myarg if ( $myarg and not(($index + $myarg) &gt; $#Rules) );
return ($stop,$index,$myaction,$myline,%request);
},
# dumps current request contents to syslog
&quot;dumprequest&quot; =&gt; sub {
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
my($myaction) = 'dunno'; my($stop) = 0;
map { log_info &quot;[DUMP] rule=$index, Attribute: $_=$request{$_}&quot; } (keys %request);
return ($stop,$index,$myaction,$myline,%request);
},</pre>
<pre>
# do NOT remove the next line
);</pre>
<p>
</p>
<h2><a name="command_line">COMMAND LINE</a></h2>
@ -571,29 +770,51 @@ that at least one of the following is required for postfwd to work.</p>
-r, --rule &lt;rule&gt;
Adds &lt;rule&gt; to ruleset. Remember that you might have to quote
strings that contain whitespaces or shell characters.</pre>
<p><em>Plugins</em></p>
<pre>
--plugins
A file containing plugin routines for postfwd. Please see the
PLUGINS section for more information.</pre>
<p><em>Scoring</em></p>
<pre>
-s, --scores &lt;val&gt;=&lt;action&gt;
Returns &lt;action&gt; to postfix, when the request's score exceeds &lt;val&gt;</pre>
<p>Multiple usage is allowed. Just chain your arguments, like:</p>
<pre>
postfwd -r &quot;&lt;item&gt;=&lt;value&gt;;action=&lt;result&gt;&quot; -f &lt;file&gt; -f &lt;file&gt; --plugins &lt;file&gt; ...
postfwd -r &quot;&lt;item&gt;=&lt;value&gt;;action=&lt;result&gt;&quot; -f &lt;file&gt; -f &lt;file&gt; ...
or
postfwd --scores 4.5=&quot;WARN high score&quot; --scores 5.0=&quot;REJECT postfwd score too high&quot; ...</pre>
<p>In case of multiple scores, the highest match will count. The order of the arguments will be
reflected in the postfwd ruleset.</p>
<p><em>Networking</em></p>
<p>postfwd can be run as daemon so that it listens on the network for incoming requests.
The following arguments will control it's behaviour in this case.</p>
<p><em>Control</em></p>
<pre>
-d, --daemon
postfwd will run as daemon and listen on the network for incoming
queries (default 127.0.0.1:10040).</pre>
<pre>
-k, --kill
Stops a running postfwd daemon.</pre>
<pre>
--reload
Reloads configuration.</pre>
<pre>
--dumpstats
Displays program usage statistics.</pre>
<pre>
--dumpcache
Displays cache contents.</pre>
<pre>
--delcache &lt;item&gt;
Removes an item from the request cache. Use --dumpcache to identify objects.
E.g.:
# postfwd --dumpcache
...
%rate_cache -&gt; %sender=gmato@jqvo.org -&gt; %RATE002+2_600 -&gt; @count -&gt; '1'
%rate_cache -&gt; %sender=gmato@jqvo.org -&gt; %RATE002+2_600 -&gt; @maxcount -&gt; '2'
...
# postfwd --delrate=&quot;sender=gmato@jqvo.org&quot;
rate cache item 'sender=gmato@jqvo.org' removed</pre>
<pre>
--delrate &lt;item&gt;
Removes an item from the rate cache. Use --dumpcache to identify objects.</pre>
<p><em>Networking</em></p>
<p>postfwd can be run as daemon so that it listens on the network for incoming requests.
The following arguments will control it's behaviour in this case.</p>
<pre>
-i, --interface &lt;dev&gt;
Bind postfwd to the specified interface (default 127.0.0.1).</pre>
@ -623,6 +844,13 @@ The following arguments will control it's behaviour in this case.</p>
<pre>
--pidfile &lt;path&gt;
The process id will be saved in the specified file.</pre>
<pre>
--facility &lt;f&gt;
sets the syslog facility, default is 'mail'</pre>
<pre>
--socktype &lt;s&gt;
sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'.
Default is to auto-detect this depening on module version and os.</pre>
<pre>
-l, --logname &lt;label&gt;
Labels the syslog messages. Useful when running multiple
@ -630,6 +858,11 @@ The following arguments will control it's behaviour in this case.</p>
<pre>
--loglen &lt;int&gt;
Truncates any syslog message after &lt;int&gt; characters.</pre>
<p><em>Plugins</em></p>
<pre>
--plugins &lt;file&gt;
Loads postfwd plugins from file. Please see <a href="http://postfwd.org/postfwd.plugins">http://postfwd.org/postfwd.plugins</a>
or the plugins.postfwd.sample that is available from the tarball for more info.</pre>
<p><em>Optional arguments</em></p>
<p>These parameters influence the way postfwd is working. Any of them can be combined.</p>
<pre>
@ -754,7 +987,26 @@ The following arguments will control it's behaviour in this case.</p>
<pre>
--config_timeout (default=3)
timeout in seconds to parse a single configuration line. if exceeded, the rule will
be skipped. this is used to prevent problems due to large files or loops.</pre>
be skipped. this is used to prevent problems due to large files or loops.
--keep_rates (default=0)
With this option set postfwd does not clear the rate limit counters on reload. Please
note that you have to restart (not reload) postfwd with this option if you change
any rate limit rules.</pre>
<pre>
--save_rates (default=none)
With this option postfwd saves existing rate limit counters to disk and reloads them
on program start. This allows persistent rate limits across program restarts or reboots.
Please note that postfwd needs read and write access to the specified file.</pre>
<pre>
--fast_limit_evaluation (default=0)
Once a ratelimit was set by the ruleset, future requests will be evaluated against it
before consulting the ruleset. This mode was the default behaviour until v1.30.
With this mode rate limits will be faster, but also eventually set up
whitelisting-rules within the ruleset might not work as expected.
LIMITATIONS: This option does not allow nested postfwd commands like
action=rate(sender/3/60/wait(3))
This option doe not work with the strict-rfc5321 rate() functions.</pre>
<p><em>Informational arguments</em></p>
<p>These arguments are for command line usage only. Never ever use them with postfix spawn!</p>
<pre>
@ -812,18 +1064,25 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
# 1. 30MB for systems in *.customer1.tld
# 2. 20MB for SASL user joejob
# 3. 10MB default
id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size&lt;=30000000 ; client_name=\.customer1.tld$
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size&lt;=20000000 ; sasl_username==joejob
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size&lt;=10000000
id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large</pre>
id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size&lt;=30000000 ; client_name=\.customer1.tld$
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size&lt;=20000000 ; sasl_username==joejob
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size&lt;=10000000
id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large</pre>
<pre>
## Selective Greylisting
##
## Note that postfwd does not include greylisting. This setup requires a running postgrey service
## at port 10031 and the following postfix restriction class in your main.cf:
##
## smtpd_restriction_classes = check_postgrey, ...
## check_postgrey = check_policy_service inet:127.0.0.1:10031
#
# 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s
# 2. Client has no rDNS
# 3. Client comes from several dialin domains
id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
id=GR002; action=greylisting ; client_name=^unknown$
id=GR003; action=greylisting ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$</pre>
id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
id=GR002; action=check_postgrey ; client_name=^unknown$
id=GR003; action=check_postgrey ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$</pre>
<pre>
## Date Time
date=24.12.2007-26.12.2007 ; action=450 4.7.1 office closed during christmas
@ -831,7 +1090,7 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim
time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim
months=-Apr ; action=450 4.7.1 see you in may
days=!!Mon-Fri ; action=greylist</pre>
days=!!Mon-Fri ; action=check_postgrey</pre>
<pre>
## Usage of jump
# The following allows a message size of 30MB for different
@ -841,8 +1100,8 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:...
id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:...
id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:...
id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000</pre>
id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000</pre>
<pre>
## Usage of score
# The following rejects a mail, if the client
@ -850,7 +1109,7 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
# - is listed in 1 RBL or 1 RHSBL and has no correct rDNS
# - other clients without correct rDNS will be greylist-checked
# - some whitelists are used to lower the score
id=S01 ; score=2.6 ; action=greylisting
id=S01 ; score=2.6 ; action=check_postgrey
id=S02 ; score=5.0 ; action=REJECT postfwd score too high
id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org
id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net
@ -863,10 +1122,10 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
# The following temporary rejects requests from &quot;unknown&quot; clients, if they
# 1. exceeded 30 requests per hour or
# 2. tried to send more than 1.5mb within 10 minutes
id=RATE01 ; client_name==unknown ; state==RCPT ; \
action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \
action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)</pre>
id=RATE01 ; client_name==unknown ; protocol_state==RCPT
action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE
action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)</pre>
<pre>
## Macros
# definition
@ -879,34 +1138,34 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
<pre>
## Groups
# definition
&amp;&amp;RBLS { \
rbl=zen.spamhaus.org ; \
rbl=list.dsbl.org ; \
rbl=bl.spamcop.net ; \
rbl=dnsbl.sorbs.net ; \
rbl=ix.dnsbl.manitu.net ; \
&amp;&amp;RBLS{
rbl=zen.spamhaus.org
rbl=list.dsbl.org
rbl=bl.spamcop.net
rbl=dnsbl.sorbs.net
rbl=ix.dnsbl.manitu.net
};
&amp;&amp;RHSBLS { \
&amp;&amp;RHSBLS{
...
};
&amp;&amp;DYNAMIC { \
client_name==unknown ; \
client_name~=(\d+[\.-_]){4} ; \
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
&amp;&amp;DYNAMIC{
client_name==unknown
client_name~=(\d+[\.-_]){4}
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_]
...
};
&amp;&amp;BAD_HELO { \
helo_name==my.name.tld; \
helo_name~=^([^\.]+)$; \
helo_name~=\.(local|lan)$; \
&amp;&amp;BAD_HELO{
helo_name==my.name.tld
helo_name~=^([^\.]+)$
helo_name~=\.(local|lan)$
...
};
&amp;&amp;MAINTENANCE { \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.07.2007 ; \
date=15.10.2007 ; \
time=03:00:00 - 04:00:00 ; \
&amp;&amp;MAINTENANCE{
date=15.01.2007
date=15.04.2007
date=15.07.2007
date=15.10.2007
time=03:00:00 - 04:00:00
};
# rules
id=COMBINED ; &amp;&amp;RBLS ; &amp;&amp;DYNAMIC ; action=REJECT dynamic client and listed on RBL
@ -923,7 +1182,7 @@ the '-I' switch to have your configuration refreshed for every request postfwd r
<pre>
## combined with enhanced rbl features
#
id=RBL01 ; rhsblcount=all ; rblcount=all ; &amp;&amp;RBLS ; &amp;&amp;RHSBLS ; \
id=RBL01 ; rhsblcount=all ; rblcount=all ; &amp;&amp;RBLS ; &amp;&amp;RHSBLS
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
id=RBL02 ; HIT_dnsbls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]</pre>
<p>
@ -961,7 +1220,7 @@ check the parser with the -C | --showconfig switch at the command line before ap
Rule 0: id-&gt;&quot;RBL001&quot;; action-&gt;&quot;REJECT listed on spamcop and bad rdns&quot;; rbl-&gt;&quot;bl.spamcop.net&quot;; client_name-&gt;&quot;^unknown$&quot;</pre>
<p><em>Request processing</em></p>
<p>When a policy delegation request arrives it will be compared against postfwd`s ruleset. To inspect the processing in detail you should increase
verbority using use the ``-v'' or ``-vv'' switch. ``-L'' redirects log messages to stdout.</p>
verbority using use the &quot;-v&quot; or &quot;-vv&quot; switch. &quot;-L&quot; redirects log messages to stdout.</p>
<p>Keeping the order of the ruleset in general, items will be compared in random order, which basically means that</p>
<pre>
id=R001; action=dunno; client_address=192.168.1.1; sender=bob@alice.local</pre>
@ -1000,7 +1259,7 @@ to compare against the request attribute the parser will jump to the next rule i
<p>If a rule matches, there are two options:</p>
<p>* Rule returns postfix action (dunno, reject, ...)
The parser stops rule processing and returns the action to postfix. Other rules will not be evaluated.</p>
<p>* Rule returns postfwd action (jump(), note(), ...)
<p>* Rule returns postfwd action (jump(), <code>note()</code>, ...)
The parser evaluates the given action and continues with the next rule (except for the <code>jump()</code> or <code>quit()</code> actions - please see the <a href="#actions">ACTIONS</a> section
for more information). Nothing will be sent to postfix.</p>
<p>If no rule has matched and the end of the ruleset is reached postfwd will return dunno without logging anything unless in verbose mode. You may
@ -1020,7 +1279,7 @@ it`s internal caching in that case. Start postfwd with the following parameters:
postfwd -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10040 -u nobody -g nobody -S</pre>
<p>For efficient caching you should check if you can use the options --cache-rdomain-only, --cache-no-sender
and --cache-no-size.</p>
<p>Now check your syslogs (default facility ``mail'') for a line like:</p>
<p>Now check your syslogs (default facility &quot;mail&quot;) for a line like:</p>
<pre>
Aug 9 23:00:24 mail postfwd[5158]: postfwd n.nn ready for input</pre>
<p>and use `netstat -an|grep 10040` to check for something like</p>
@ -1075,7 +1334,7 @@ I won`t discuss that here. If you plan to do so, just add the following line to
disable = no
}</pre>
<p>and restart the xinetd daemon (usually a SIGHUP should be fine). If you experience problems
you might want to check your system's log for xinetd errors like ``socket already in use''.</p>
you might want to check your system's log for xinetd errors like &quot;socket already in use&quot;.</p>
<p>The integration with postfix is similar to the <em>Integration via daemon mode</em> section above.
Reload postfix and watch your logs to see if everything works.</p>
<p>

594
doc/postfwd.txt
View file

@ -5,54 +5,71 @@ SYNOPSIS
postfwd [OPTIONS] [SOURCE1, SOURCE2, ...]
Ruleset: (at least one, multiple use is allowed):
-f, --file <file> reads rules from <file>
-r, --rule <rule> adds <rule> to config
-f, --file <file> reads rules from <file>
-r, --rule <rule> adds <rule> to config
Scoring:
-s, --scores <v>=<r> returns <r> when score exceeds <v>
-s, --scores <v>=<r> returns <r> when score exceeds <v>
Control:
-d, --daemon run postfwd as daemon
-k, --kill stops daemon
--reload reloads configuration
--dumpstats displays usage statistics
--dumpcache displays cache contents
--delcache <item> removes an item from the request cache
--delrate <item> removes an item from the rate cache
Networking:
-d, --daemon run postfwd as daemon
-i, --interface <dev> listen on interface <dev>
-p, --port <port> listen on port <port>
--proto <proto> socket type (tcp or unix)
-u, --user <name> set uid to user <name>
-g, --group <name> set gid to group <name>
--umask <mask> set umask for file permissions
-R, --chroot <path> chroot the daemon to <path>
--pidfile <path> create pidfile under <path>
-l, --logname <label> label for syslog messages
--loglen <int> truncates syslogs after <int> chars
-i, --interface <dev> listen on interface <dev>
-p, --port <port> listen on port <port>
--proto <proto> socket type (tcp or unix)
-u, --user <name> set uid to user <name>
-g, --group <name> set gid to group <name>
--umask <mask> set umask for file permissions
-R, --chroot <path> chroot the daemon to <path>
--pidfile <path> create pidfile under <path>
--facility <f> syslog facility
--socktype <s> syslog socktype
-l, --logname <label> label for syslog messages
--loglen <int> truncates syslogs after <int> chars
Caching:
-c, --cache <int> sets the request-cache timeout to <int> seconds
--cache-no-size ignores size attribute for caching
--cache-no-sender ignores sender address in cache
--cache-rdomain-only ignores localpart of recipient address in cache
--cache-rbl-timeout default rbl timeout, if not specified in ruleset
--cache-rbl-default default rbl response pattern to match (regexp)
--cacheid <item>, .. list of attributes for request cache identifier
--cleanup-requests cleanup interval in seconds for request cache
--cleanup-rbls cleanup interval in seconds for rbl cache
--cleanup-rates cleanup interval in seconds for rate cache
-c, --cache <int> sets the request-cache timeout to <int> seconds
--cache-no-size ignores size attribute for caching
--cache-no-sender ignores sender address in cache
--cache-rdomain-only ignores localpart of recipient address in cache
--cache-rbl-timeout default rbl timeout, if not specified in ruleset
--cache-rbl-default default rbl response pattern to match (regexp)
--cacheid <item>, .. list of attributes for request cache identifier
--cleanup-requests cleanup interval in seconds for request cache
--cleanup-rbls cleanup interval in seconds for rbl cache
--cleanup-rates cleanup interval in seconds for rate cache
Optional:
-t, --test testing, always returns "dunno"
-v, --verbose verbose logging, use twice (-vv) to increase level
-S, --summary <int> show some usage statistics every <int> seconds
--norulelog disbles rule logging
--norulestats disables per rule statistics
--noidlestats disables statistics when idle
-n, --nodns disable dns
--nodnslog disable dns logging
--dns_async_txt perform dnsbl A and TXT lookups simultaneously
--dns_timeout timeout in seconds for asynchonous dns queries
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
--dns_timeout_interval interval in seconds for dns timeout maximum counter
--dns_max_ns_lookups max names to look up with sender_ns_addrs
--dns_max_mx_lookups max names to look up with sender_mx_addrs
-I, --instantcfg re-reads rulefiles for every new request
--config_timeout <i> parser timeout in seconds
-t, --test testing, always returns "dunno"
-v, --verbose verbose logging, use twice (-vv) to increase level
-S, --summary <int> show some usage statistics every <int> seconds
--norulelog disbles rule logging
--norulestats disables per rule statistics
--noidlestats disables statistics when idle
-n, --nodns disable dns
--nodnslog disable dns logging
--dns_async_txt perform dnsbl A and TXT lookups simultaneously
--dns_timeout timeout in seconds for asynchonous dns queries
--dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
--dns_timeout_interval interval in seconds for dns timeout maximum counter
--dns_max_ns_lookups max names to look up with sender_ns_addrs
--dns_max_mx_lookups max names to look up with sender_mx_addrs
-I, --instantcfg re-reads rulefiles for every new request
--config_timeout <i> parser timeout in seconds
--keep_rates do not clear rate limit counters on reload
--save_rates <file> save and load rate limits on disk
--fast_limit_evaluation evaluate rate limits before ruleset is parsed
(please note the limitations)
Plugins:
--plugins <file> loads postfwd plugins from file
Informational (use only at command-line!):
-C, --showconfig shows ruleset summary, -v for verbose
@ -62,9 +79,6 @@ SYNOPSIS
-h, --help shows usage
-m, --manual shows program manual
Plugins:
--plugins <file> loads plugins from <file>
DESCRIPTION
INTRODUCTION
postfwd is written to combine complex postfix restrictions in a ruleset
@ -101,7 +115,7 @@ DESCRIPTION
A configuration line consists of optional item=value pairs, separated by
semicolons (`;`) and the appropriate desired action:
[ <item1>[=><~]=<value>; <item2>[=><~]=<value>; ... ] action=<result>
[ <item1>=<value>; <item2>=<value>; ... ] action=<result>
*Example:*
@ -120,6 +134,8 @@ DESCRIPTION
ITEM == VALUE true if ITEM equals VALUE
ITEM => VALUE true if ITEM >= VALUE
ITEM =< VALUE true if ITEM <= VALUE
ITEM > VALUE true if ITEM > VALUE
ITEM < VALUE true if ITEM < VALUE
ITEM =~ VALUE true if ITEM ~= /^VALUE$/i
ITEM != VALUE false if ITEM equals VALUE
ITEM !> VALUE false if ITEM >= VALUE
@ -142,11 +158,21 @@ DESCRIPTION
files or passed as command line arguments. Please see the COMMAND LINE
section below for more information on this topic.
Rules can span multiple lines by adding a trailing backslash "\"
character:
Since postfwd version 1.30 rules spanning span multiple lines can be
defined by prefixing the following lines with one or multiple whitespace
characters (or '}' for macros):
id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \
action=REJECT please use your relay from there
id=RULE001
client_address=192.168.1.0/24
sender==no@bad.local
action=REJECT no access
postfwd versions prior to 1.30 require trailing ';' and '\'-characters:
id=RULE001; \
client_address=192.168.1.0/24; \
sender==no@bad.local; \
action=REJECT no access
ITEMS
id - a unique rule id, which can be used for log analysis
@ -210,9 +236,15 @@ DESCRIPTION
this enables version based checks in your rulesets
(e.g. for migration). works with old versions too,
because a non-existing item always returns false:
id=R01; version~=1.10; sender_domain==some.org \
# version >= 1.10
id=R01; version~=1\.[1-9][0-9]; sender_domain==some.org \
; action=REJECT sorry no access
ratecount - only available for rate(), size() and rcpt() actions.
contains the actual limit counter:
id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits])
id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits])
Besides these you can specify any attribute of the postfix policy
delegation protocol. Feel free to combine them the way you need it (have
a look at the EXAMPLES section below).
@ -267,26 +299,25 @@ DESCRIPTION
the current list can be found at
<http://www.postfix.org/SMTPD_POLICY_README.html>. Please read carefully
about which attribute can be used at which level of the smtp transaction
(e.g. size will only work reliably at END_OF_DATA level). Pattern
(e.g. size will only work reliably at END-OF-MESSAGE level). Pattern
matching is performed case insensitive.
Multiple use of the same item is allowed and will compared as logical
OR, which means that this will work as expected:
id=TRUST001; action=OK; encryption_keysize=64; \
ccert_fingerprint=11:22:33:44:55:66:77:88:99; \
ccert_fingerprint=22:33:44:55:66:77:88:99:00; \
ccert_fingerprint=33:44:55:66:77:88:99:00:11; \
id=TRUST001; action=OK; encryption_keysize=64
ccert_fingerprint=11:22:33:44:55:66:77:88:99
ccert_fingerprint=22:33:44:55:66:77:88:99:00
ccert_fingerprint=33:44:55:66:77:88:99:00:11
sender=@domain\.local$
client_address, rbl and rhsbl items may also be specified as
whitespace-or-comma-separated values:
id=SKIP01; action=dunno; \
id=SKIP01; action=dunno
client_address=192.168.1.0/24, 172.16.254.23
id=SKIP02; action=dunno; \
client_address= 10.10.3.32 \
10.216.222.0/27
id=SKIP02; action=dunno
client_address=10.10.3.32 10.216.222.0/27
The following items currently have to be unique:
@ -294,16 +325,16 @@ DESCRIPTION
Any item can be negated by preceeding '!!' to it, e.g.:
id=TLS001 ; hostname=!!^secure\.trust\.local$ ; action=REJECT only secure.trust.local please
id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please
or using the right compare operator:
id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that?
id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please
To avoid confusion with regexps or simply for better visibility you can
use '!!(...)':
id=USER01 ; sasl_username=!!( (bob|alice) ) ; action=REJECT who is that?
id=USER01 ; sasl_username = !!( (bob|alice) ) ; action=REJECT who is that?
Request attributes can be compared by preceeding '$$' characters, e.g.:
@ -315,6 +346,33 @@ DESCRIPTION
be performed as case insensitive exact match. Use the '-vv' option to
debug.
These special items will be reset for any new rule:
rblcount - contains the number of RBL answers
rhsblcount - contains the number of RHSBL answers
matches - contains the number of matched items
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
These special items will be changed for any matching rule:
request_hits - contains ids of all matching rules
This means that it might be necessary to save them, if you plan to use
these values in later rules:
# set vals
id=RBL01 ; rhsblcount=all; rblcount=all
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
# compare
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
FILES
Since postfwd1 v1.15 and postfwd2 v0.18 long item lists can be stored in
separate files:
@ -337,16 +395,16 @@ DESCRIPTION
This will ignore the right-hand value. Items can be mixed:
id=R002 ; action=REJECT \
client_name==unknown; \
id=R002 ; action=REJECT
client_name==unknown
client_name==file:/etc/postfwd/blacklisted
and for non pcre (comma separated) items:
id=R003 ; action=REJECT \
id=R003 ; action=REJECT
client_address==10.1.1.1, file:/etc/postfwd/blacklisted
id=R004 ; action=REJECT \
id=R004 ; action=REJECT
rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing
You can check your configuration with the --show_config option at the
@ -402,7 +460,7 @@ DESCRIPTION
-- FILE /etc/postfwd/clients_west.cf --
192.168.3.0/24
Remind that there is currently no loop detection (/a/file calls /a/file)
Note that there is currently no loop detection (/a/file calls /a/file)
and that this feature is only available with postfwd1 v1.15 and postfwd2
v0.18 and higher.
@ -465,19 +523,28 @@ DESCRIPTION
this command creates a counter for the given <item>, which will be increased any time a request
containing it arrives. if it exceeds <max> within <time> seconds it will return <action> to postfix.
rate counters are very fast as they are executed before the ruleset is parsed.
please note that <action> is currently limited to postfix actions (no postfwd actions)!
please note that <action> was limited to postfix actions (no postfwd actions) for postfwd versions <1.33!
# no more than 3 requests per 5 minutes
# from the same "unknown" client
id=RATE01 ; client_name==unknown ; \
action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
id=RATE01 ; client_name==unknown
action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
Please note also that the order of rate limits in your ruleset is important, which means
that this:
# works as expected
id=R001; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded)
id=R002; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender)
leads to different results than this:
# rule R002 never gets executed
id=R001; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender)
id=R002; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded)
size (<item>/<max>/<time>/<action>)
this command works similar to the rate() command with the difference, that the rate counter is
increased by the request's size attribute. to do this reliably you should call postfwd from
smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset:
# size limit 1.5mb per hour per client
id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1
action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
rcpt (<item>/<max>/<time>/<action>)
this command works similar to the rate() command with the difference, that the rate counter is
@ -485,8 +552,13 @@ DESCRIPTION
from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could
check it within the ruleset:
# recipient count limit 3 per hour per client
id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1
action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
rate5321,size5321,rcpt5321 (<item>/<max>/<time>/<action>)
same as the corresponding non-5321 functions, with the difference that the localpart of
sender oder recipient addresses are evaluated case-sensitive according to rfc5321. That
means that requests from bob@example.local and BoB@example.local will be treated differently
ask (<addr>:<port>[:<ignore>])
allows to delegate the policy decision to another policy service (e.g. postgrey). the first
@ -494,17 +566,28 @@ DESCRIPTION
specified to tell postfwd to ignore certain answers and go on parsing the ruleset:
# example1: query postgrey and return it's answer to postfix
id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031)
# example2: query postgrey but ignore it's answer, if it matches 'DUNNO'
# example2: query postgrey but ignore the answer, if it matches 'DUNNO'
# and continue parsing postfwd's ruleset
id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$)
mail(server/helo/from/to/subject/body)
This command is deprecated. You should try to use the sendmail() action instead.
Very basic mail command, that sends a message with the given arguments. LIMITATIONS:
This basically performs a telnet. No authentication or TLS are available. Additionally it does
not track notification state and will notify you any time, the corresponding rule hits.
sendmail(sendmail-path::from::to::subject::body)
Mail command, that uses an existing sendmail binary and sends a message with the given arguments.
LIMITATIONS: The command does not track notification state and will notify you any time, the
corresponding rule hits (which could mean 100 mails for a mail with 100 recipients at RCPT stage).
wait (<delay>)
pauses the program execution for <delay> seconds. use this for
delaying or throtteling connections.
note (<string>)
just logs the given string and continues parsing the ruleset.
if the string is empty, nothing will be logged.
if the string is empty, nothing will be logged (noop).
quit (<code>)
terminates the program with the given exit-code. postfix doesn`t
@ -514,33 +597,6 @@ DESCRIPTION
id=R-HELO ; helo_name=^[^\.]+$ ; action=REJECT invalid helo '$$helo_name'
These special attributes will be reset for any new rule:
rblcount - contains the number of RBL answers
rhsblcount - contains the number of RHSBL answers
matches - contains the number of matched items
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
These special attributes will be changed for any matching rule:
request_hits - contains ids of all matching rules
This means that it might be necessary to save them, if you plan to use
these values in later rules:
# set vals
id=RBL01 ; rhsblcount=all ; rblcount=all ; \
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
# compare
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
MACROS/ACLS
Multiple use of long items or combinations of them may be abbreviated by
macros. Those must be prefixed by '&&' (two '&' characters). First the
@ -565,18 +621,18 @@ DESCRIPTION
Macros can contain macros, too:
# definition (note the trailing "\" characters)
&&RBLS { \
rbl=zen.spamhaus.org ; \
rbl=list.dsbl.org ; \
rbl=bl.spamcop.net ; \
rbl=dnsbl.sorbs.net ; \
rbl=ix.dnsbl.manitu.net ; \
# definition
&&RBLS{
rbl=zen.spamhaus.org
rbl=list.dsbl.org
rbl=bl.spamcop.net
rbl=dnsbl.sorbs.net
rbl=ix.dnsbl.manitu.net
};
&&DYNAMIC { \
client_name=^unknown$ ; \
client_name=(\d+[\.-_]){4} ; \
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
&&DYNAMIC{
client_name=^unknown$
client_name=(\d+[\.-_]){4}
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_]
};
&&GOAWAY { &&RBLS; &&DYNAMIC; };
# rules
@ -586,7 +642,160 @@ DESCRIPTION
section for more information.
PLUGINS
Please visit <http://www.postfwd.org/postfwd.plugins>
Description
The plugin interface allow you to define your own checks and enhance
postfwd's functionality. Feel free to share useful things!
Warning
Note that the plugin interface is still at devel stage. Please test your
plugins carefully, because errors may cause postfwd to break! It is also
allowed to override attributes or built-in functions, but be sure that
you know what you do because some of them are used internally.
Please keep security in mind, when you access sensible ressources and
never, ever run postfwd as privileged user! Also never trust your input
(especially hostnames, and e-mail addresses).
ITEMS
Item plugins are perl subroutines which integrate additional attributes
to requests before they are evaluated against postfwd's ruleset like any
other item of the policy delegation protocol. This allows you to create
your own checks.
plugin-items can not be used selective. these functions will be executed
for every request postfwd receives, so keep performance in mind.
SYNOPSIS: %result = postfwd_items_plugin{<name>}(%request)
means that your subroutine, called <name>, has access to a hash called
%request, which contains all request attributes, like
$request{client_name} and must return a value in the following form:
save: $result{<item>} = <value>
this creates the new item <item> containing <value>, which will be
integrated in the policy delegation request and therefore may be used in
postfwd's ruleset.
# do NOT remove the next line
%postfwd_items_plugin = (
# EXAMPLES - integrated in postfwd. no need to activate them here.
# allows to check postfwd version in ruleset
"version" => sub {
my(%request) = @_;
my(%result) = (
"version" => $NAME." ".$VERSION,
);
return %result;
},
# sender_domain and recipient_domain
"address_parts" => sub {
my(%request) = @_;
my(%result) = ();
$request{sender} =~ /@([^@]*)$/;
$result{sender_domain} = ($1 || '');
$request{recipient} =~ /@([^@]*)$/;
$result{recipient_domain} = ($1 || '');
return %result;
},
# do NOT remove the next line
);
COMPARE
Compare plugins allow you to define how your new items should be
compared to the ruleset. These are optional. If you don't specify one,
the default (== for exact match, =~ for PCRE, ...) will be used.
SYNOPSIS: <item> => sub { return &{$postfwd_compare{<type>}}(@_); },
# do NOT remove the next line
%postfwd_compare_plugin = (
EXAMPLES - integrated in postfwd. no need to activate them here.
# Simple example
# SYNOPSIS: <result> = <item> (return &{$postfwd_compare{<type>}}(@_))
"client_address" => sub { return &{$postfwd_compare{cidr}}(@_); },
"size" => sub { return &{$postfwd_compare{numeric}}(@_); },
"recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); },
# Complex example
# SYNOPSIS: <result> = <item>(<operator>, <ruleset value>, <request value>, <request>)
"numeric" => sub {
my($cmp,$val,$myitem,%request) = @_;
my($myresult) = undef; $myitem ||= "0"; $val ||= "0";
if ($cmp eq '==') {
$myresult = ($myitem == $val);
} elsif ($cmp eq '=<') {
$myresult = ($myitem <= $val);
} elsif ($cmp eq '=>') {
$myresult = ($myitem >= $val);
} elsif ($cmp eq '<') {
$myresult = ($myitem < $val);
} elsif ($cmp eq '>') {
$myresult = ($myitem > $val);
} elsif ($cmp eq '!=') {
$myresult = not($myitem == $val);
} elsif ($cmp eq '!<') {
$myresult = not($myitem <= $val);
} elsif ($cmp eq '!>') {
$myresult = not($myitem >= $val);
} else {
$myresult = ($myitem >= $val);
};
return $myresult;
},
# do NOT remove the next line
);
ACTIONS
Action plugins allow to define new postfwd actions. By setting the
$stop-flag you can decide to continue or to stop parsing the ruleset.
SYNOPSIS: (<stop rule parsing>, <next rule index>, <return action>, <logprefix>, <request>) =
<action> (<current rule index>, <current time>, <command name>, <argument>, <logprefix>, <request>)
# do NOT remove the next line
%postfwd_actions_plugin = (
# EXAMPLES - integrated in postfwd. no need to activate them here.
# note(<logstring>) command
"note" => sub {
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
my($myaction) = 'dunno'; my($stop) = 0;
log_info "[RULES] ".$myline." - note: ".$myarg if $myarg;
return ($stop,$index,$myaction,$myline,%request);
},
# skips next <myarg> rules
"skip" => sub {
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
my($myaction) = 'dunno'; my($stop) = 0;
$index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) );
return ($stop,$index,$myaction,$myline,%request);
},
# dumps current request contents to syslog
"dumprequest" => sub {
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
my($myaction) = 'dunno'; my($stop) = 0;
map { log_info "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request);
return ($stop,$index,$myaction,$myline,%request);
},
# do NOT remove the next line
);
COMMAND LINE
*Ruleset*
@ -603,12 +812,6 @@ DESCRIPTION
Adds <rule> to ruleset. Remember that you might have to quote
strings that contain whitespaces or shell characters.
*Plugins*
--plugins
A file containing plugin routines for postfwd. Please see the
PLUGINS section for more information.
*Scoring*
-s, --scores <val>=<action>
@ -616,23 +819,51 @@ DESCRIPTION
Multiple usage is allowed. Just chain your arguments, like:
postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> ...
or
postfwd --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd score too high" ...
In case of multiple scores, the highest match will count. The order of
the arguments will be reflected in the postfwd ruleset.
*Control*
-d, --daemon
postfwd will run as daemon and listen on the network for incoming
queries (default 127.0.0.1:10040).
-k, --kill
Stops a running postfwd daemon.
--reload
Reloads configuration.
--dumpstats
Displays program usage statistics.
--dumpcache
Displays cache contents.
--delcache <item>
Removes an item from the request cache. Use --dumpcache to identify objects.
E.g.:
# postfwd --dumpcache
...
%rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1'
%rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2'
...
# postfwd --delrate="sender=gmato@jqvo.org"
rate cache item 'sender=gmato@jqvo.org' removed
--delrate <item>
Removes an item from the rate cache. Use --dumpcache to identify objects.
*Networking*
postfwd can be run as daemon so that it listens on the network for
incoming requests. The following arguments will control it's behaviour
in this case.
-d, --daemon
postfwd will run as daemon and listen on the network for incoming
queries (default 127.0.0.1:10040).
-i, --interface <dev>
Bind postfwd to the specified interface (default 127.0.0.1).
@ -662,6 +893,13 @@ DESCRIPTION
--pidfile <path>
The process id will be saved in the specified file.
--facility <f>
sets the syslog facility, default is 'mail'
--socktype <s>
sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'.
Default is to auto-detect this depening on module version and os.
-l, --logname <label>
Labels the syslog messages. Useful when running multiple
instances of postfwd.
@ -669,6 +907,12 @@ DESCRIPTION
--loglen <int>
Truncates any syslog message after <int> characters.
*Plugins*
--plugins <file>
Loads postfwd plugins from file. Please see http://postfwd.org/postfwd.plugins
or the plugins.postfwd.sample that is available from the tarball for more info.
*Optional arguments*
These parameters influence the way postfwd is working. Any of them can
@ -797,6 +1041,25 @@ DESCRIPTION
timeout in seconds to parse a single configuration line. if exceeded, the rule will
be skipped. this is used to prevent problems due to large files or loops.
--keep_rates (default=0)
With this option set postfwd does not clear the rate limit counters on reload. Please
note that you have to restart (not reload) postfwd with this option if you change
any rate limit rules.
--save_rates (default=none)
With this option postfwd saves existing rate limit counters to disk and reloads them
on program start. This allows persistent rate limits across program restarts or reboots.
Please note that postfwd needs read and write access to the specified file.
--fast_limit_evaluation (default=0)
Once a ratelimit was set by the ruleset, future requests will be evaluated against it
before consulting the ruleset. This mode was the default behaviour until v1.30.
With this mode rate limits will be faster, but also eventually set up
whitelisting-rules within the ruleset might not work as expected.
LIMITATIONS: This option does not allow nested postfwd commands like
action=rate(sender/3/60/wait(3))
This option doe not work with the strict-rfc5321 rate() functions.
*Informational arguments*
These arguments are for command line usage only. Never ever use them
@ -854,18 +1117,25 @@ DESCRIPTION
# 1. 30MB for systems in *.customer1.tld
# 2. 20MB for SASL user joejob
# 3. 10MB default
id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000
id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large
id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000
id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large
## Selective Greylisting
##
## Note that postfwd does not include greylisting. This setup requires a running postgrey service
## at port 10031 and the following postfix restriction class in your main.cf:
##
## smtpd_restriction_classes = check_postgrey, ...
## check_postgrey = check_policy_service inet:127.0.0.1:10031
#
# 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s
# 2. Client has no rDNS
# 3. Client comes from several dialin domains
id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
id=GR002; action=greylisting ; client_name=^unknown$
id=GR003; action=greylisting ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$
id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
id=GR002; action=check_postgrey ; client_name=^unknown$
id=GR003; action=check_postgrey ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$
## Date Time
date=24.12.2007-26.12.2007 ; action=450 4.7.1 office closed during christmas
@ -873,7 +1143,7 @@ DESCRIPTION
time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim
time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim
months=-Apr ; action=450 4.7.1 see you in may
days=!!Mon-Fri ; action=greylist
days=!!Mon-Fri ; action=check_postgrey
## Usage of jump
# The following allows a message size of 30MB for different
@ -883,8 +1153,8 @@ DESCRIPTION
id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:...
id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:...
id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:...
id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000
id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000
## Usage of score
# The following rejects a mail, if the client
@ -892,7 +1162,7 @@ DESCRIPTION
# - is listed in 1 RBL or 1 RHSBL and has no correct rDNS
# - other clients without correct rDNS will be greylist-checked
# - some whitelists are used to lower the score
id=S01 ; score=2.6 ; action=greylisting
id=S01 ; score=2.6 ; action=check_postgrey
id=S02 ; score=5.0 ; action=REJECT postfwd score too high
id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org
id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net
@ -905,10 +1175,10 @@ DESCRIPTION
# The following temporary rejects requests from "unknown" clients, if they
# 1. exceeded 30 requests per hour or
# 2. tried to send more than 1.5mb within 10 minutes
id=RATE01 ; client_name==unknown ; state==RCPT ; \
action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \
action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
id=RATE01 ; client_name==unknown ; protocol_state==RCPT
action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE
action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
## Macros
# definition
@ -921,34 +1191,34 @@ DESCRIPTION
## Groups
# definition
&&RBLS { \
rbl=zen.spamhaus.org ; \
rbl=list.dsbl.org ; \
rbl=bl.spamcop.net ; \
rbl=dnsbl.sorbs.net ; \
rbl=ix.dnsbl.manitu.net ; \
&&RBLS{
rbl=zen.spamhaus.org
rbl=list.dsbl.org
rbl=bl.spamcop.net
rbl=dnsbl.sorbs.net
rbl=ix.dnsbl.manitu.net
};
&&RHSBLS { \
&&RHSBLS{
...
};
&&DYNAMIC { \
client_name==unknown ; \
client_name~=(\d+[\.-_]){4} ; \
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
&&DYNAMIC{
client_name==unknown
client_name~=(\d+[\.-_]){4}
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_]
...
};
&&BAD_HELO { \
helo_name==my.name.tld; \
helo_name~=^([^\.]+)$; \
helo_name~=\.(local|lan)$; \
&&BAD_HELO{
helo_name==my.name.tld
helo_name~=^([^\.]+)$
helo_name~=\.(local|lan)$
...
};
&&MAINTENANCE { \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.07.2007 ; \
date=15.10.2007 ; \
time=03:00:00 - 04:00:00 ; \
&&MAINTENANCE{
date=15.01.2007
date=15.04.2007
date=15.07.2007
date=15.10.2007
time=03:00:00 - 04:00:00
};
# rules
id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL
@ -965,7 +1235,7 @@ DESCRIPTION
## combined with enhanced rbl features
#
id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \
id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]

99
doc/postfwd2-chroot.html Normal file
View file

@ -0,0 +1,99 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>postfwd2 - chroot setup</title>
<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
<meta name="description" content="postfwd version differences">
<meta name="author" content="jpk">
<meta name="keywords" content="postfwd, postfwd 2 chroot, postfwd usage, postfwd manual, postfix, policy, policy delegation, firewall, postfix acl, postfix acls, pfwpolicy, postfw, restrictions, IT-Security, IT-Consulting, Jan, Peter, Kessler">
</head>
<body>
<p>
<h1>postfwd2 - chroot setup</h1><br>
If you care about security and want to run postfwd2 within a chroot environment you have to setup it up before. This document will give you an idea about what has to be prepared.
<p><pre>
How to create a minimal chroot environment for postfwd2
=======================================================
Tested with SLES 11 x86_64, customize this to suit your specific system.
For example, on SLES 10 x86_64, use perl version 5.8.8 instead of 5.10.0
and glibc version 2.4 instead of 2.11.1.
cd $CHROOTDIR
for dir in tmp dev var var/tmp etc lib64 usr usr/lib usr/lib/perl5 \
usr/lib/perl5/site_perl \
usr/lib/perl5/site_perl/5.10.0 \
usr/lib/perl5/site_perl/5.10.0/Net \
usr/lib/perl5/site_perl/5.10.0/Net/Server \
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto ; do
mkdir $dir
chmod --reference /$dir $dir
chown --reference /$dir $dir
done
for file in dev/null etc/protocols etc/localtime etc/resolv.conf \
lib64/libnss_files-2.11.1.so lib64/libnss_files.so.2 \
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/TCP.pm \
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/UNIX.pm ; do
cp -p /$file $file
done
grep nobody /etc/passwd > etc/passwd
grep nobody /etc/group > etc/group
echo -e 'passwd: files\ngroup: files\nprotocols: files' > etc/nsswitch.conf
=> Configure your syslog daemon to listen to $CHROOTDIR/dev/log:
echo 'SYSLOGD_ADDITIONAL_SOCKET_POSTFWD="$CHROOTDIR/dev/log"' \
>> /etc/sysconfig/syslog
/etc/init.d/syslog restart
=> Place your postfwd configuration in $CHROOTDIR:
cp $POSTFWDCONF $CHROOTDIR/etc/postfwd.conf
=> Start postfwd2:
/usr/local/sbin/postfwd2 --file=/etc/postfwd.conf --chroot=$CHROOTDIR
List of directories
===================
tmp
lib64
dev
var
var/tmp
etc
usr
usr/lib
usr/lib/perl5
usr/lib/perl5/site_perl
usr/lib/perl5/site_perl/5.10.0
usr/lib/perl5/site_perl/5.10.0/Net
usr/lib/perl5/site_perl/5.10.0/Net/Server
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto
List of files
=============
lib64/libnss_files.so.2
lib64/libnss_files-2.11.1.so
dev/null
dev/log
etc/localtime
etc/protocols
etc/postfwd.conf
etc/nsswitch.conf
etc/passwd
etc/resolv.conf
etc/group
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/UNIX.pm
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/TCP.pm
</pre></p>
Thanks to Lukas Wunner for providing this howto and the patch for postfwd2!
</body>
</html>

82
doc/postfwd2-chroot.txt Normal file
View file

@ -0,0 +1,82 @@
postfwd2 - chroot setup
=======================
If you care about security and want to run postfwd2 within a chroot environment you have to setup it up before. This document will give you an idea about what has to be prepared.
How to create a minimal chroot environment for postfwd2
=======================================================
Tested with SLES 11 x86_64, customize this to suit your specific system.
For example, on SLES 10 x86_64, use perl version 5.8.8 instead of 5.10.0
and glibc version 2.4 instead of 2.11.1.
cd $CHROOTDIR
for dir in tmp dev var var/tmp etc lib64 usr usr/lib usr/lib/perl5 \
usr/lib/perl5/site_perl \
usr/lib/perl5/site_perl/5.10.0 \
usr/lib/perl5/site_perl/5.10.0/Net \
usr/lib/perl5/site_perl/5.10.0/Net/Server \
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto ; do
mkdir $dir
chmod --reference /$dir $dir
chown --reference /$dir $dir
done
for file in dev/null etc/protocols etc/localtime etc/resolv.conf \
lib64/libnss_files-2.11.1.so lib64/libnss_files.so.2 \
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/TCP.pm \
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/UNIX.pm ; do
cp -p /$file $file
done
grep nobody /etc/passwd > etc/passwd
grep nobody /etc/group > etc/group
echo -e 'passwd: files\ngroup: files\nprotocols: files' > etc/nsswitch.conf
=> Configure your syslog daemon to listen to $CHROOTDIR/dev/log:
echo 'SYSLOGD_ADDITIONAL_SOCKET_POSTFWD="$CHROOTDIR/dev/log"' \
>> /etc/sysconfig/syslog
/etc/init.d/syslog restart
=> Place your postfwd configuration in $CHROOTDIR:
cp $POSTFWDCONF $CHROOTDIR/etc/postfwd.conf
=> Start postfwd2:
/usr/local/sbin/postfwd2 --file=/etc/postfwd.conf --chroot=$CHROOTDIR
List of directories
===================
tmp
lib64
dev
var
var/tmp
etc
usr
usr/lib
usr/lib/perl5
usr/lib/perl5/site_perl
usr/lib/perl5/site_perl/5.10.0
usr/lib/perl5/site_perl/5.10.0/Net
usr/lib/perl5/site_perl/5.10.0/Net/Server
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto
List of files
=============
lib64/libnss_files.so.2
lib64/libnss_files-2.11.1.so
dev/null
dev/log
etc/localtime
etc/protocols
etc/postfwd.conf
etc/nsswitch.conf
etc/passwd
etc/resolv.conf
etc/group
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/UNIX.pm
usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/TCP.pm
Thanks to Lukas Wunner for providing this howto and the patch for postfwd2!

113
doc/CHANGELOG2 → doc/postfwd2.CHANGELOG
View file

@ -1,3 +1,116 @@
postfwd2 1.35
=============
- code: rate(), size() and rcpt() function index is now case insensitive by default
(same limit counters for from@example.org and fRom@eXample.org)
if you need to treat the localpart case-sensitive according to rfc5321
you may use rate5321(), size5321() and rcpt5321().
- bugfix: fixed segfault when using new perl versions (prevented to work with upstart)
postfwd2 1.34
=============
- bugfix: fixed taint mode logging error for verbose --showconfig and --stdoutlog
options and newer perl versions.
- bugfix: check_* functions use print/getline instead of send/recv for large
--dumpcache output (thanks to Alexandre Simon)
- code: added more information when using --debug=cleanup
- docs: documentation updates
- feature: new sendmail(sendmail-path::from::to::subject::body) action.
Please take a look at the manual, especially about
it's limitations, before using it!
------------------------------------------------------------
# alert
action=sendmail(/usr/sbin/sendmail::from@example.org::to@example.org::Subject::Text)
------------------------------------------------------------
postfwd2 1.33
=============
- feature: new compare operators *
====================================================================
ITEM > VALUE true if ITEM > VALUE
ITEM < VALUE true if ITEM < VALUE
====================================================================
- bugfix: fixed bug when computing scores with more than 1 digit after the "." (n.nn)
- bugfix: fixed bug when computing negative values with the set action
- bugfix: ITEMS plugins returning zero values were handled incorrectly
- bugfix: max command recursion was not reset for each rule
- bugfix: fixed warning about use of (uninitialized value) when STORABLE is available
but no cache file was defined
postfwd2 1.32
=============
- feature: new option --save_rates=<file> allows to load and save
rate limit counters to disk on program start and termination.
this allows rate limit persistence during restarts and reboots
(requires perl module 'Storable')
- feature: the --debugitem="sender=example\.org$" option
allows verbose logging for particular requests
- feature: the debug() action allows verbose logging for certain
rules:
------------------------------------------------------------
id=R01
client_address=1.1.1.1
action=debug(on)
id=R02
...
id=R42
action=debug(off)
------------------------------------------------------------
- feature: nested commands are possible now, e.g.:
------------------------------------------------------------
# throttle
action=rate(client_address/10/60/wait(3))
------------------------------------------------------------
- feature: new mail(server/helo/from/to/subject/body) action.
Please take a look at the manual, especially about
it's limitations, before using it!
------------------------------------------------------------
# alert
action=size(recipient_domain/100000000/86400/mail(mailhost/helo/from/to/subject/text))
------------------------------------------------------------
- feature: --chroot option works now (patch by Lukas Wunner).
Look for his notes at http://postfwd.org/postfwd2-chroot.html
on how to set up the required chroot environment.
postfwd2 1.31
=============
- feature: single cache items can be wiped using --delcache <item>
or --delrate <item> options. use --dumpcache to identify
- feature: sasl_username is logged if available
(thanks to Bernhard Schmidt)
- code: rate limit action is executed, if the first request exceeds the limit
- code: exceeded ratecounters will not be kept permanently anymore. this
allows further requests to pass, if they are below the limit
- code: rate limits are evaluated at ruleset stage now, which leads to
much more comprehensible behaviour. due to this change the request
cache is now disabled, if rate limits are used. use the
--fast_limit_evaluation option to return to the former mode.
postfwd2 1.30
=============
- feature: new parser enhancement allows to omit the trailing "\" for multi-line rules,
if the following lines are prefixed by whitespace characters:
--------------------------------------
id=RCPTCOUNT
protocol_state == END-OF-MESSAGE
client_address != 10.1.1.0/24
recipient_count >= 100
action=REJECT too many recipients
--------------------------------------
- feature: new plugin interface (BETA)
- feature: Time::HiRes is used if available
- feature: multiple rate limits for the same items are supported now
- feature: new $$ratecount variable for rate() actions
- feature: new option --keep_rates
- code: new --debug class 'cleanup'
- docs: documentation updates
postfwd2 1.22
=============
- general: adapted postfwd1 versioning scheme
- feature: queueid is logged when available
- bugfix: rate limits did not work correctly (thanks to Yves Blusseau)
- docs: documentation updates and fixes (thanks to Vincent Lefevre)
postfwd2 1.00
=============
- code: changed the default umask for the server socket to 0111

499
doc/postfwd2.html
View file

@ -1,14 +1,18 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>postfwd2 - postfix firewall daemon</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:root@localhost" />
</head>
<body style="background-color: white">
<p><a name="__index__"></a></p>
<!-- INDEX BEGIN -->
<div name="index">
<p><a name="__index__"></a></p>
<ul>
@ -38,9 +42,11 @@
<li><a href="#license">LICENSE</a></li>
<li><a href="#author">AUTHOR</a></li>
</ul>
<hr name="index" />
</div>
<!-- INDEX END -->
<hr />
<p>
</p>
<h1><a name="name">NAME</a></h1>
@ -85,7 +91,7 @@
--cache-no-size skip size for cache-id
--no_parent_request_cache disable parent request cache
--no_parent_rate_cache disable parent rate cache
--no_parent_dns_cache disable parent dns cache
--no_parent_dns_cache disable parent dns cache (default)
--no_parent_cache disable all parent caches</pre>
<pre>
Rates:
@ -99,7 +105,10 @@
--failures &lt;f&gt; max respawn failure counter
--daemons &lt;list&gt; list of daemons to start
--dumpcache show cache contents
--dumpstats show statistics</pre>
--dumpstats show statistics
-R, --chroot &lt;path&gt; chroot to &lt;path&gt; before start
--delcache &lt;item&gt; removes an item from the request cache
--delrate &lt;item&gt; removes an item from the rate cache</pre>
<pre>
DNS:
-n, --nodns skip any dns based test
@ -119,11 +128,19 @@
--noidlestats disables statistics when idle
--norulestats disables per rule statistics
-I, --instantcfg reloads ruleset on every new request
--config_timeout &lt;i&gt; parser timeout in seconds</pre>
--config_timeout &lt;i&gt; parser timeout in seconds
--keep_rates do not clear rate limit counters on reload
--save_rates &lt;file&gt; save and load rate limits on disk
--fast_limit_evaluation evaluate rate limits before ruleset is parsed
(please note the limitations)</pre>
<pre>
Plugins:
--plugins &lt;file&gt; loads postfwd plugins from file</pre>
<pre>
Logging:
-l, --logname &lt;label&gt; label for syslog messages
--facility &lt;s&gt; use syslog facility &lt;s&gt;
--socktype &lt;s&gt; use syslog socktype &lt;s&gt;
--nodnslog do not log dns results
--anydnslog log any dns (even cached) results
--norulelog do not log rule actions
@ -170,7 +187,7 @@ which should allow straightforward and easy-to-read configurations.</p>
<p>A configuration line consists of optional item=value pairs, separated by semicolons
(`;`) and the appropriate desired action:</p>
<pre>
[ &lt;item1&gt;[=&gt;&lt;~]=&lt;value&gt;; &lt;item2&gt;[=&gt;&lt;~]=&lt;value&gt;; ... ] action=&lt;result&gt;</pre>
[ &lt;item1&gt;=&lt;value&gt;; &lt;item2&gt;=&lt;value&gt;; ... ] action=&lt;result&gt;</pre>
<p><em>Example:</em></p>
<pre>
client_address=192.168.1.1 ; sender==no@bad.local ; action=REJECT</pre>
@ -184,6 +201,8 @@ is not important. So the following would lead to the same result as the previous
ITEM == VALUE true if ITEM equals VALUE
ITEM =&gt; VALUE true if ITEM &gt;= VALUE
ITEM =&lt; VALUE true if ITEM &lt;= VALUE
ITEM &gt; VALUE true if ITEM &gt; VALUE
ITEM &lt; VALUE true if ITEM &lt; VALUE
ITEM =~ VALUE true if ITEM ~= /^VALUE$/i
ITEM != VALUE false if ITEM equals VALUE
ITEM !&gt; VALUE false if ITEM &gt;= VALUE
@ -199,10 +218,19 @@ or trailing whitespace characters will be ignored. Use '#' to comment your confi
appreciate.</p>
<p>A ruleset consists of one or multiple rules, which can be loaded from files or passed as command line
arguments. Please see the COMMAND LINE section below for more information on this topic.</p>
<p>Rules can span multiple lines by adding a trailing backslash ``\'' character:</p>
<p>Since postfwd version 1.30 rules spanning span multiple lines can be defined by prefixing the following
lines with one or multiple whitespace characters (or '}' for macros):</p>
<pre>
id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \
action=REJECT please use your relay from there</pre>
id=RULE001
client_address=192.168.1.0/24
sender==no@bad.local
action=REJECT no access</pre>
<p>postfwd versions prior to 1.30 require trailing ';' and '\'-characters:</p>
<pre>
id=RULE001; \
client_address=192.168.1.0/24; \
sender==no@bad.local; \
action=REJECT no access</pre>
<p>
</p>
<h2><a name="items">ITEMS</a></h2>
@ -268,8 +296,14 @@ arguments. Please see the COMMAND LINE section below for more information on thi
this enables version based checks in your rulesets
(e.g. for migration). works with old versions too,
because a non-existing item always returns false:
id=R01; version~=1.10; sender_domain==some.org \
# version &gt;= 1.10
id=R01; version~=1\.[1-9][0-9]; sender_domain==some.org \
; action=REJECT sorry no access</pre>
<pre>
ratecount - only available for rate(), size() and rcpt() actions.
contains the actual limit counter:
id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits])
id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits])</pre>
<p>Besides these you can specify any attribute of the postfix policy delegation protocol.
Feel free to combine them the way you need it (have a look at the EXAMPLES section below).</p>
<p>Most values can be specified as regular expressions (PCRE). Please see the table below
@ -319,34 +353,33 @@ for details:</p>
encryption_keysize=256 mask = numeric, will match if keysize &gt;= 256
...</pre>
<p>the current list can be found at <a href="http://www.postfix.org/SMTPD_POLICY_README.html">http://www.postfix.org/SMTPD_POLICY_README.html</a>. Please read carefully about which
attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END_OF_DATA level).
attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END-OF-MESSAGE level).
Pattern matching is performed case insensitive.</p>
<p>Multiple use of the same item is allowed and will compared as logical OR, which means that this will work as expected:</p>
<pre>
id=TRUST001; action=OK; encryption_keysize=64; \
ccert_fingerprint=11:22:33:44:55:66:77:88:99; \
ccert_fingerprint=22:33:44:55:66:77:88:99:00; \
ccert_fingerprint=33:44:55:66:77:88:99:00:11; \
id=TRUST001; action=OK; encryption_keysize=64
ccert_fingerprint=11:22:33:44:55:66:77:88:99
ccert_fingerprint=22:33:44:55:66:77:88:99:00
ccert_fingerprint=33:44:55:66:77:88:99:00:11
sender=@domain\.local$</pre>
<p>client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values:</p>
<pre>
id=SKIP01; action=dunno; \
id=SKIP01; action=dunno
client_address=192.168.1.0/24, 172.16.254.23
id=SKIP02; action=dunno; \
client_address= 10.10.3.32 \
10.216.222.0/27</pre>
id=SKIP02; action=dunno
client_address= 10.10.3.32 10.216.222.0/27</pre>
<p>The following items must be unique:</p>
<pre>
id, minimum and maximum values, rblcount and rhsblcount</pre>
<p>Any item can be negated by preceeding '!!' to it, e.g.:</p>
<pre>
id=TLS001 ; hostname=!!^secure\.trust\.local$ ; action=REJECT only secure.trust.local please</pre>
id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please</pre>
<p>or using the right compare operator:</p>
<pre>
id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that?</pre>
id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please</pre>
<p>To avoid confusion with regexps or simply for better visibility you can use '!!(...)':</p>
<pre>
id=USER01 ; sasl_username=!!( /^(bob|alice)$/ ) ; action=REJECT who is that?</pre>
id=USER01 ; sasl_username =~ !!( /^(bob|alice)$/ ) ; action=REJECT who is that?</pre>
<p>Request attributes can be compared by preceeding '$$' characters, e.g.:</p>
<pre>
id=R-003 ; client_name = !! $$helo_name ; action=WARN helo does not match DNS
@ -354,6 +387,29 @@ Pattern matching is performed case insensitive.</p>
id=R-003 ; client_name = !!($$(helo_name)) ; action=WARN helo does not match DNS</pre>
<p>This is only valid for PCRE values (see list above). The comparison will be performed as case insensitive exact match.
Use the '-vv' option to debug.</p>
<p>These special items will be reset for any new rule:</p>
<pre>
rblcount - contains the number of RBL answers
rhsblcount - contains the number of RHSBL answers
matches - contains the number of matched items
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
rbltype:rblname:&lt;txt&gt;; rbltype:rblname:&lt;txt&gt;; ...</pre>
<p>These special items will be changed for any matching rule:</p>
<pre>
request_hits - contains ids of all matching rules</pre>
<p>This means that it might be necessary to save them, if you plan to use these values in later rules:</p>
<pre>
# set vals
id=RBL01 ; rhsblcount=all; rblcount=all
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net</pre>
<pre>
# compare
id=RBL02 ; HIT_rhls&gt;=1 ; HIT_rbls&gt;=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
id=RBL03 ; HIT_rhls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
id=RBL04 ; HIT_rbls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]</pre>
<p>
</p>
<h2><a name="files">FILES</a></h2>
@ -373,15 +429,15 @@ Use the '-vv' option to debug.</p>
id=R001 ; ccert_fingerprint==table:/etc/postfwd/wl_ccerts ; action=DUNNO</pre>
<p>This will ignore the right-hand value. Items can be mixed:</p>
<pre>
id=R002 ; action=REJECT \
client_name==unknown; \
id=R002 ; action=REJECT
client_name==unknown
client_name==<a href="file:/etc/postfwd/blacklisted">file:/etc/postfwd/blacklisted</a></pre>
<p>and for non pcre (comma separated) items:</p>
<pre>
id=R003 ; action=REJECT \
id=R003 ; action=REJECT
client_address==10.1.1.1, <a href="file:/etc/postfwd/blacklisted">file:/etc/postfwd/blacklisted</a></pre>
<pre>
id=R004 ; action=REJECT \
id=R004 ; action=REJECT
rbl=myrbl.home.local, zen.spamhaus.org, <a href="file:/etc/postfwd/rbls_changing">file:/etc/postfwd/rbls_changing</a></pre>
<p>You can check your configuration with the --show_config option at the command line:</p>
<pre>
@ -424,7 +480,7 @@ necessary. Of course this might increase the system load, so please use it with
<pre>
-- FILE /etc/postfwd/clients_west.cf --
192.168.3.0/24</pre>
<p>Remind that there is currently no loop detection (/a/file calls /a/file) and that this feature is only available
<p>Note that there is currently no loop detection (/a/file calls /a/file) and that this feature is only available
with postfwd1 v1.15 and postfwd2 v0.18 and higher.</p>
<p>
</p>
@ -438,7 +494,7 @@ request attributes by preceeding $$ characters, like:</p>
id=R-003; client_name = !!$$helo_name; action=WARN helo '$$(helo_name)' does not match DNS '$$(client_name)'</pre>
<p><em>postfix actions</em></p>
<p>Actions will be replied to postfix as result to policy delegation requests. Any action that postfix understands is allowed - see
``man 5 access'' or <a href="http://www.postfix.org/access.5.html">http://www.postfix.org/access.5.html</a> for a description. If no action is specified, the postfix WARN action
&quot;man 5 access&quot; or <a href="http://www.postfix.org/access.5.html">http://www.postfix.org/access.5.html</a> for a description. If no action is specified, the postfix WARN action
which simply logs the event will be used for the corresponding rule.</p>
<p>postfwd2 will return dunno if it has reached the end of the ruleset and no rule has matched. This can be changed by placing a last
rule containing only an action statement:</p>
@ -476,19 +532,19 @@ rule containing only an action statement:</p>
this command creates a counter for the given &lt;item&gt;, which will be increased any time a request
containing it arrives. if it exceeds &lt;max&gt; within &lt;time&gt; seconds it will return &lt;action&gt; to postfix.
rate counters are very fast as they are executed before the ruleset is parsed.
please note that &lt;action&gt; is currently limited to postfix actions (no postfwd actions)!
please note that &lt;action&gt; was limited to postfix actions (no postfwd actions) for postfwd versions &lt;1.33!
# no more than 3 requests per 5 minutes
# from the same &quot;unknown&quot; client
id=RATE01 ; client_name==unknown ; \
action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)</pre>
id=RATE01 ; client_name==unknown
action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)</pre>
<pre>
size (&lt;item&gt;/&lt;max&gt;/&lt;time&gt;/&lt;action&gt;)
this command works similar to the rate() command with the difference, that the rate counter is
increased by the request's size attribute. to do this reliably you should call postfwd2 from
smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset:
# size limit 1.5mb per hour per client
id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)</pre>
id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1)
action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)</pre>
<pre>
rcpt (&lt;item&gt;/&lt;max&gt;/&lt;time&gt;/&lt;action&gt;)
this command works similar to the rate() command with the difference, that the rate counter is
@ -496,8 +552,13 @@ rule containing only an action statement:</p>
from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could
check it within the ruleset:
# recipient count limit 3 per hour per client
id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)</pre>
id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1)
action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)</pre>
<pre>
rate5321,size5321,rcpt5321 (&lt;item&gt;/&lt;max&gt;/&lt;time&gt;/&lt;action&gt;)
same as the corresponding non-5321 functions, with the difference that the localpart of
sender oder recipient addresses are evaluated case-sensitive according to rfc5321. That
means that requests from bob@example.local and BoB@example.local will be treated differently</pre>
<pre>
ask (&lt;addr&gt;:&lt;port&gt;[:&lt;ignore&gt;])
allows to delegate the policy decision to another policy service (e.g. postgrey). the first
@ -508,6 +569,17 @@ rule containing only an action statement:</p>
# example2: query postgrey but ignore it's answer, if it matches 'DUNNO'
# and continue parsing postfwd's ruleset
id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$)</pre>
<pre>
mail(server/helo/from/to/subject/body)
This command is deprecated. You should try to use the sendmail() action instead.
Very basic mail command, that sends a message with the given arguments. LIMITATIONS:
This basically performs a telnet. No authentication or TLS are available. Additionally it does
not track notification state and will notify you any time, the corresponding rule hits.</pre>
<pre>
sendmail(sendmail-path::from::to::subject::body)
Mail command, that uses an existing sendmail binary and sends a message with the given arguments.
LIMITATIONS: The command does not track notification state and will notify you any time, the
corresponding rule hits (which could mean 100 mails for a mail with 100 recipients at RCPT stage).</pre>
<pre>
wait (&lt;delay&gt;)
pauses the program execution for &lt;delay&gt; seconds. use this for
@ -515,7 +587,7 @@ rule containing only an action statement:</p>
<pre>
note (&lt;string&gt;)
just logs the given string and continues parsing the ruleset.
if the string is empty, nothing will be logged.</pre>
if the string is empty, nothing will be logged (noop).</pre>
<pre>
quit (&lt;code&gt;)
terminates the program with the given exit-code. postfix doesn`t
@ -523,29 +595,6 @@ rule containing only an action statement:</p>
<p>You can reference to request attributes, like</p>
<pre>
id=R-HELO ; helo_name=^[^\.]+$ ; action=REJECT invalid helo '$$helo_name'</pre>
<p>These special attributes will be reset for any new rule:</p>
<pre>
rblcount - contains the number of RBL answers
rhsblcount - contains the number of RHSBL answers
matches - contains the number of matched items
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
rbltype:rblname:&lt;txt&gt;; rbltype:rblname:&lt;txt&gt;; ...</pre>
<p>These special attributes will be changed for any matching rule:</p>
<pre>
request_hits - contains ids of all matching rules</pre>
<p>This means that it might be necessary to save them, if you plan to use these values in later rules:</p>
<pre>
# set vals
id=RBL01 ; rhsblcount=all ; rblcount=all ; \
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)</pre>
<pre>
# compare
id=RBL02 ; HIT_rhls&gt;=1 ; HIT_rbls&gt;=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
id=RBL03 ; HIT_rhls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
id=RBL04 ; HIT_rbls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]</pre>
<p>
</p>
<h2><a name="macros_acls">MACROS/ACLS</a></h2>
@ -568,18 +617,18 @@ First the macros have to be defined as follows:</p>
&amp;&amp;GONOW ; &amp;&amp;RBLS ; client_name=[\.-_](adsl|dynamic|ppp|)[\.-_]</pre>
<p>Macros can contain macros, too:</p>
<pre>
# definition (note the trailing &quot;\&quot; characters)
&amp;&amp;RBLS { \
rbl=zen.spamhaus.org ; \
rbl=list.dsbl.org ; \
rbl=bl.spamcop.net ; \
rbl=dnsbl.sorbs.net ; \
rbl=ix.dnsbl.manitu.net ; \
# definition
&amp;&amp;RBLS{
rbl=zen.spamhaus.org
rbl=list.dsbl.org
rbl=bl.spamcop.net
rbl=dnsbl.sorbs.net
rbl=ix.dnsbl.manitu.net
};
&amp;&amp;DYNAMIC { \
client_name=^unknown$ ; \
client_name=(\d+[\.-_]){4} ; \
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
&amp;&amp;DYNAMIC{
client_name=^unknown$
client_name=(\d+[\.-_]){4}
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_]
};
&amp;&amp;GOAWAY { &amp;&amp;RBLS; &amp;&amp;DYNAMIC; };
# rules
@ -588,7 +637,145 @@ First the macros have to be defined as follows:</p>
<p>
</p>
<h2><a name="plugins">PLUGINS</a></h2>
<p>Please visit <a href="http://www.postfwd.org/postfwd.plugins">http://www.postfwd.org/postfwd.plugins</a></p>
<p><strong>Description</strong></p>
<p>The plugin interface allow you to define your own checks and enhance postfwd's
functionality. Feel free to share useful things!</p>
<p><strong>Warning</strong></p>
<p>Note that the plugin interface is still at devel stage. Please test your plugins
carefully, because errors may cause postfwd to break! It is also
allowed to override attributes or built-in functions, but be sure that you know
what you do because some of them are used internally.</p>
<p>Please keep security in mind, when you access sensible ressources and never, ever
run postfwd as privileged user! Also never trust your input (especially hostnames,
and e-mail addresses).</p>
<p><strong>ITEMS</strong></p>
<p>Item plugins are perl subroutines which integrate additional attributes to requests
before they are evaluated against postfwd's ruleset like any other item of the
policy delegation protocol. This allows you to create your own checks.</p>
<p>plugin-items can not be used selective. these functions will be executed for every
request postfwd receives, so keep performance in mind.</p>
<pre>
SYNOPSIS: %result = postfwd_items_plugin{&lt;name&gt;}(%request)</pre>
<p>means that your subroutine, called &lt;name&gt;, has access to a hash called %request,
which contains all request attributes, like $request{client_name} and must
return a value in the following form:</p>
<pre>
save: $result{&lt;item&gt;} = &lt;value&gt;</pre>
<p>this creates the new item &lt;item&gt; containing &lt;value&gt;, which will be integrated in
the policy delegation request and therefore may be used in postfwd's ruleset.</p>
<pre>
# do NOT remove the next line
%postfwd_items_plugin = (</pre>
<pre>
# EXAMPLES - integrated in postfwd. no need to activate them here.
# allows to check postfwd version in ruleset
&quot;version&quot; =&gt; sub {
my(%request) = @_;
my(%result) = (
&quot;version&quot; =&gt; $NAME.&quot; &quot;.$VERSION,
);
return %result;
},
# sender_domain and recipient_domain
&quot;address_parts&quot; =&gt; sub {
my(%request) = @_;
my(%result) = ();
$request{sender} =~ /@([^@]*)$/;
$result{sender_domain} = ($1 || '');
$request{recipient} =~ /@([^@]*)$/;
$result{recipient_domain} = ($1 || '');
return %result;
},</pre>
<pre>
# do NOT remove the next line
);</pre>
<p><strong>COMPARE</strong></p>
<p>Compare plugins allow you to define how your new items should be compared to the ruleset.
These are optional. If you don't specify one, the default (== for exact match, =~ for PCRE, ...)
will be used.</p>
<pre>
SYNOPSIS: &lt;item&gt; =&gt; sub { return &amp;{$postfwd_compare{&lt;type&gt;}}(@_); },</pre>
<pre>
# do NOT remove the next line
%postfwd_compare_plugin = (</pre>
<pre>
EXAMPLES - integrated in postfwd. no need to activate them here.
# Simple example
# SYNOPSIS: &lt;result&gt; = &lt;item&gt; (return &amp;{$postfwd_compare{&lt;type&gt;}}(@_))
&quot;client_address&quot; =&gt; sub { return &amp;{$postfwd_compare{cidr}}(@_); },
&quot;size&quot; =&gt; sub { return &amp;{$postfwd_compare{numeric}}(@_); },
&quot;recipient_count&quot; =&gt; sub { return &amp;{$postfwd_compare{numeric}}(@_); },
# Complex example
# SYNOPSIS: &lt;result&gt; = &lt;item&gt;(&lt;operator&gt;, &lt;ruleset value&gt;, &lt;request value&gt;, &lt;request&gt;)
&quot;numeric&quot; =&gt; sub {
my($cmp,$val,$myitem,%request) = @_;
my($myresult) = undef; $myitem ||= &quot;0&quot;; $val ||= &quot;0&quot;;
if ($cmp eq '==') {
$myresult = ($myitem == $val);
} elsif ($cmp eq '=&lt;') {
$myresult = ($myitem &lt;= $val);
} elsif ($cmp eq '=&gt;') {
$myresult = ($myitem &gt;= $val);
} elsif ($cmp eq '&lt;') {
$myresult = ($myitem &lt; $val);
} elsif ($cmp eq '&gt;') {
$myresult = ($myitem &gt; $val);
} elsif ($cmp eq '!=') {
$myresult = not($myitem == $val);
} elsif ($cmp eq '!&lt;') {
$myresult = not($myitem &lt;= $val);
} elsif ($cmp eq '!&gt;') {
$myresult = not($myitem &gt;= $val);
} else {
$myresult = ($myitem &gt;= $val);
};
return $myresult;
},</pre>
<pre>
# do NOT remove the next line
);</pre>
<p><strong>ACTIONS</strong></p>
<p>Action plugins allow to define new postfwd actions. By setting the $stop-flag you can decide to
continue or to stop parsing the ruleset.</p>
<pre>
SYNOPSIS: (&lt;stop rule parsing&gt;, &lt;next rule index&gt;, &lt;return action&gt;, &lt;logprefix&gt;, &lt;request&gt;) =
&lt;action&gt; (&lt;current rule index&gt;, &lt;current time&gt;, &lt;command name&gt;, &lt;argument&gt;, &lt;logprefix&gt;, &lt;request&gt;)</pre>
<pre>
# do NOT remove the next line
%postfwd_actions_plugin = (</pre>
<pre>
# EXAMPLES - integrated in postfwd. no need to activate them here.
# note(&lt;logstring&gt;) command
&quot;note&quot; =&gt; sub {
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
my($myaction) = 'dunno'; my($stop) = 0;
log_info &quot;[RULES] &quot;.$myline.&quot; - note: &quot;.$myarg if $myarg;
return ($stop,$index,$myaction,$myline,%request);
},
# skips next &lt;myarg&gt; rules
&quot;skip&quot; =&gt; sub {
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
my($myaction) = 'dunno'; my($stop) = 0;
$index += $myarg if ( $myarg and not(($index + $myarg) &gt; $#Rules) );
return ($stop,$index,$myaction,$myline,%request);
},
# dumps current request contents to syslog
&quot;dumprequest&quot; =&gt; sub {
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
my($myaction) = 'dunno'; my($stop) = 0;
map { log_info &quot;[DUMP] rule=$index, Attribute: $_=$request{$_}&quot; } (keys %request);
return ($stop,$index,$myaction,$myline,%request);
},</pre>
<pre>
# do NOT remove the next line
);</pre>
<p>
</p>
<h2><a name="command_line">COMMAND LINE</a></h2>
@ -603,18 +790,13 @@ that at least one of the following is required for postfwd2 to work.</p>
-r, --rule &lt;rule&gt;
Adds &lt;rule&gt; to ruleset. Remember that you might have to quote
strings that contain whitespaces or shell characters.</pre>
<p><em>Plugins</em></p>
<pre>
--plugins
A file containing plugin routines for postfwd. Please see the
PLUGINS section for more information.</pre>
<p><em>Scoring</em></p>
<pre>
-s, --scores &lt;val&gt;=&lt;action&gt;
Returns &lt;action&gt; to postfix, when the request's score exceeds &lt;val&gt;</pre>
<p>Multiple usage is allowed. Just chain your arguments, like:</p>
<pre>
postfwd2 -r &quot;&lt;item&gt;=&lt;value&gt;;action=&lt;result&gt;&quot; -f &lt;file&gt; -f &lt;file&gt; --plugins &lt;file&gt; ...
postfwd2 -r &quot;&lt;item&gt;=&lt;value&gt;;action=&lt;result&gt;&quot; -f &lt;file&gt; -f &lt;file&gt; ...
or
postfwd2 --scores 4.5=&quot;WARN high score&quot; --scores 5.0=&quot;REJECT postfwd2 score too high&quot; ...</pre>
<p>In case of multiple scores, the highest match will count. The order of the arguments will be
@ -625,13 +807,13 @@ The following arguments will control it's behaviour in this case.</p>
<pre>
-d, --daemon
postfwd2 will run as daemon and listen on the network for incoming
queries (default 127.0.0.1:10040).</pre>
queries (default 127.0.0.1:10045).</pre>
<pre>
-i, --interface &lt;dev&gt;
Bind postfwd2 to the specified interface (default 127.0.0.1).</pre>
<pre>
-p, --port &lt;port&gt;
postfwd2 listens on the specified port (default tcp/10040).</pre>
postfwd2 listens on the specified port (default tcp/10045).</pre>
<pre>
--proto &lt;type&gt;
The protocol type for postfwd's socket. Currently you may use 'tcp' or 'unix' here.
@ -657,10 +839,17 @@ The following arguments will control it's behaviour in this case.</p>
<pre>
-R, --chroot &lt;path&gt;
Chroot the process to the specified path.
Test this before using - you might need some libs there.</pre>
Please look at <a href="http://postfwd.org/postfwd2-chroot.html">http://postfwd.org/postfwd2-chroot.html</a> before use!</pre>
<pre>
--pidfile &lt;path&gt;
The process id will be saved in the specified file.</pre>
<pre>
--facility &lt;f&gt;
sets the syslog facility, default is 'mail'</pre>
<pre>
--socktype &lt;s&gt;
sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'.
Default is to auto-detect this depening on module version and os.</pre>
<pre>
-l, --logname &lt;label&gt;
Labels the syslog messages. Useful when running multiple
@ -668,6 +857,11 @@ The following arguments will control it's behaviour in this case.</p>
<pre>
--loglen &lt;int&gt;
Truncates any syslog message after &lt;int&gt; characters.</pre>
<p><em>Plugins</em></p>
<pre>
--plugins &lt;file&gt;
Loads postfwd plugins from file. Please see <a href="http://postfwd.org/postfwd.plugins">http://postfwd.org/postfwd.plugins</a>
or the plugins.postfwd.sample that is available from the tarball for more info.</pre>
<p><em>Optional arguments</em></p>
<p>These parameters influence the way postfwd2 is working. Any of them can be combined.</p>
<pre>
@ -794,7 +988,25 @@ The following arguments will control it's behaviour in this case.</p>
timeout in seconds to parse a single configuration line. if exceeded, the rule will
be skipped. this is used to prevent problems due to large files or loops.
I&lt;Informational arguments&gt;</pre>
--keep_rates (default=0)
With this option set postfwd2 does not clear the rate limit counters on reload. Please
note that you have to restart (not reload) postfwd with this option if you change
any rate limit rules.</pre>
<pre>
--save_rates (default=none)
With this option postfwd saves existing rate limit counters to disk and reloads them
on program start. This allows persistent rate limits across program restarts or reboots.
Please note that postfwd needs read and write access to the specified file.</pre>
<pre>
--fast_limit_evaluation (default=0)
Once a ratelimit was set by the ruleset, future requests will be evaluated against it
before consulting the ruleset. This mode was the default behaviour until v1.30.
With this mode rate limits will be faster, but also eventually set up
whitelisting-rules within the ruleset might not work as expected.
LIMITATIONS: This option does not allow nested postfwd commands like
action=rate(sender/3/60/wait(3))
This option doe not work with the strict-rfc5321 rate() functions.</pre>
<p><em>Informational arguments</em></p>
<p>These arguments are for command line usage only. Never ever use them with postfix!</p>
<pre>
-C, --showconfig
@ -815,6 +1027,26 @@ I&lt;Informational arguments&gt;</pre>
-P, --perfmon
This option turns of any syslogging and output. It is included
for performance testing.</pre>
<pre>
--dumpstats
Displays program usage statistics.</pre>
<pre>
--dumpcache
Displays cache contents.</pre>
<pre>
--delcache &lt;item&gt;
Removes an item from the request cache. Use --dumpcache to identify objects.
E.g.:
# postfwd --dumpcache
...
%rate_cache -&gt; %sender=gmato@jqvo.org -&gt; %RATE002+2_600 -&gt; @count -&gt; '1'
%rate_cache -&gt; %sender=gmato@jqvo.org -&gt; %RATE002+2_600 -&gt; @maxcount -&gt; '2'
...
# postfwd --delrate=&quot;sender=gmato@jqvo.org&quot;
rate cache item 'sender=gmato@jqvo.org' removed</pre>
<pre>
--delrate &lt;item&gt;
Removes an item from the rate cache. Use --dumpcache to identify objects.</pre>
<p>
</p>
<h2><a name="refresh">REFRESH</a></h2>
@ -854,18 +1086,25 @@ the '-I' switch to have your configuration refreshed for every request postfwd2
# 1. 30MB for systems in *.customer1.tld
# 2. 20MB for SASL user joejob
# 3. 10MB default
id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size&lt;=30000000 ; client_name=\.customer1.tld$
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size&lt;=20000000 ; sasl_username==joejob
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size&lt;=10000000
id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large</pre>
id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size&lt;=30000000 ; client_name=\.customer1.tld$
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size&lt;=20000000 ; sasl_username==joejob
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size&lt;=10000000
id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large</pre>
<pre>
## Selective Greylisting
##
## Note that postfwd does not include greylisting. This setup requires a running postgrey service
## at port 10031 and the following postfix restriction class in your main.cf:
##
## smtpd_restriction_classes = check_postgrey, ...
## check_postgrey = check_policy_service inet:127.0.0.1:10031
#
# 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s
# 2. Client has no rDNS
# 3. Client comes from several dialin domains
id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
id=GR002; action=greylisting ; client_name=^unknown$
id=GR003; action=greylisting ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$</pre>
id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
id=GR002; action=check_postgrey ; client_name=^unknown$
id=GR003; action=check_postgrey ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$</pre>
<pre>
## Date Time
date=24.12.2007-26.12.2007 ; action=450 4.7.1 office closed during christmas
@ -873,7 +1112,7 @@ the '-I' switch to have your configuration refreshed for every request postfwd2
time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim
time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim
months=-Apr ; action=450 4.7.1 see you in may
days=!!Mon-Fri ; action=greylist</pre>
days=!!Mon-Fri ; action=check_postgrey</pre>
<pre>
## Usage of jump
# The following allows a message size of 30MB for different
@ -883,8 +1122,8 @@ the '-I' switch to have your configuration refreshed for every request postfwd2
id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:...
id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:...
id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:...
id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000</pre>
id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000</pre>
<pre>
## Usage of score
# The following rejects a mail, if the client
@ -892,8 +1131,8 @@ the '-I' switch to have your configuration refreshed for every request postfwd2
# - is listed in 1 RBL or 1 RHSBL and has no correct rDNS
# - other clients without correct rDNS will be greylist-checked
# - some whitelists are used to lower the score
id=S01 ; score=2.6 ; action=greylisting
id=S02 ; score=5.0 ; action=REJECT postfwd2 score too high
id=S01 ; score=2.6 ; action=check_postgrey
id=S02 ; score=5.0 ; action=REJECT postfwd score too high
id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org
id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net
id=R02 ; action=score(2.5) ; rhsbl=rhsbl.ahbl.org, rhsbl.sorbs.net
@ -905,10 +1144,10 @@ the '-I' switch to have your configuration refreshed for every request postfwd2
# The following temporary rejects requests from &quot;unknown&quot; clients, if they
# 1. exceeded 30 requests per hour or
# 2. tried to send more than 1.5mb within 10 minutes
id=RATE01 ; client_name==unknown ; state==RCPT ; \
action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \
action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)</pre>
id=RATE01 ; client_name==unknown ; protocol_state==RCPT
action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE
action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)</pre>
<pre>
## Macros
# definition
@ -921,34 +1160,34 @@ the '-I' switch to have your configuration refreshed for every request postfwd2
<pre>
## Groups
# definition
&amp;&amp;RBLS { \
rbl=zen.spamhaus.org ; \
rbl=list.dsbl.org ; \
rbl=bl.spamcop.net ; \
rbl=dnsbl.sorbs.net ; \
rbl=ix.dnsbl.manitu.net ; \
&amp;&amp;RBLS{
rbl=zen.spamhaus.org
rbl=list.dsbl.org
rbl=bl.spamcop.net
rbl=dnsbl.sorbs.net
rbl=ix.dnsbl.manitu.net
};
&amp;&amp;RHSBLS { \
&amp;&amp;RHSBLS{
...
};
&amp;&amp;DYNAMIC { \
client_name==unknown ; \
client_name~=(\d+[\.-_]){4} ; \
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
&amp;&amp;DYNAMIC{
client_name==unknown
client_name~=(\d+[\.-_]){4}
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_]
...
};
&amp;&amp;BAD_HELO { \
helo_name==my.name.tld; \
helo_name~=^([^\.]+)$; \
helo_name~=\.(local|lan)$; \
&amp;&amp;BAD_HELO{
helo_name==my.name.tld
helo_name~=^([^\.]+)$
helo_name~=\.(local|lan)$
...
};
&amp;&amp;MAINTENANCE { \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.07.2007 ; \
date=15.10.2007 ; \
time=03:00:00 - 04:00:00 ; \
&amp;&amp;MAINTENANCE{
date=15.01.2007
date=15.04.2007
date=15.07.2007
date=15.10.2007
time=03:00:00 - 04:00:00
};
# rules
id=COMBINED ; &amp;&amp;RBLS ; &amp;&amp;DYNAMIC ; action=REJECT dynamic client and listed on RBL
@ -965,7 +1204,7 @@ the '-I' switch to have your configuration refreshed for every request postfwd2
<pre>
## combined with enhanced rbl features
#
id=RBL01 ; rhsblcount=all ; rblcount=all ; &amp;&amp;RBLS ; &amp;&amp;RHSBLS ; \
id=RBL01 ; rhsblcount=all ; rblcount=all ; &amp;&amp;RBLS ; &amp;&amp;RHSBLS
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
id=RBL02 ; HIT_dnsbls&gt;=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]</pre>
<p>
@ -1003,7 +1242,7 @@ check the parser with the -C | --showconfig switch at the command line before ap
Rule 0: id-&gt;&quot;RBL001&quot;; action-&gt;&quot;REJECT listed on spamcop and bad rdns&quot;; rbl-&gt;&quot;bl.spamcop.net&quot;; client_name-&gt;&quot;^unknown$&quot;</pre>
<p><em>Request processing</em></p>
<p>When a policy delegation request arrives it will be compared against postfwd`s ruleset. To inspect the processing in detail you should increase
verbority using use the ``-v'' or ``-vv'' switch. ``-L'' redirects log messages to stdout.</p>
verbority using use the &quot;-v&quot; or &quot;-vv&quot; switch. &quot;-L&quot; redirects log messages to stdout.</p>
<p>Keeping the order of the ruleset in general, items will be compared in random order, which basically means that</p>
<pre>
id=R001; action=dunno; client_address=192.168.1.1; sender=bob@alice.local</pre>
@ -1042,7 +1281,7 @@ to compare against the request attribute the parser will jump to the next rule i
<p>If a rule matches, there are two options:</p>
<p>* Rule returns postfix action (dunno, reject, ...)
The parser stops rule processing and returns the action to postfix. Other rules will not be evaluated.</p>
<p>* Rule returns postfwd2 action (jump(), note(), ...)
<p>* Rule returns postfwd2 action (jump(), <code>note()</code>, ...)
The parser evaluates the given action and continues with the next rule (except for the <code>jump()</code> or <code>quit()</code> actions - please see the <a href="#actions">ACTIONS</a> section
for more information). Nothing will be sent to postfix.</p>
<p>If no rule has matched and the end of the ruleset is reached postfwd2 will return dunno without logging anything unless in verbose mode. You may
@ -1068,21 +1307,21 @@ place a last catch-all rule to change that behaviour:</p>
postfwd2 will spawn multiple child processes which communicate with a parent cache. This is
the prefered way to use postfwd2 in high volume environments. Start postfwd2 with the following parameters:</p>
<pre>
postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10040 -u nobody -g nobody -S</pre>
postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10045 -u nobody -g nobody -S</pre>
<p>For efficient caching you should check if you can use the options --cacheid, --cache-rdomain-only,
--cache-no-sender and --cache-no-size.</p>
<p>Now check your syslogs (default facility ``mail'') for a line like:</p>
<p>Now check your syslogs (default facility &quot;mail&quot;) for a line like:</p>
<pre>
Aug 9 23:00:24 mail postfwd[5158]: postfwd2 n.nn ready for input</pre>
<p>and use `netstat -an|grep 10040` to check for something like</p>
<p>and use `netstat -an|grep 10045` to check for something like</p>
<pre>
tcp 0 0 127.0.0.1:10040 0.0.0.0:* LISTEN</pre>
tcp 0 0 127.0.0.1:10045 0.0.0.0:* LISTEN</pre>
<p>If everything works, open your postfix main.cf and insert the following</p>
<pre>
127.0.0.1:10040_time_limit = 3600 &lt;--- integration
127.0.0.1:10045_time_limit = 3600 &lt;--- integration
smtpd_recipient_restrictions = permit_mynetworks &lt;--- recommended
reject_unauth_destination &lt;--- recommended
check_policy_service inet:127.0.0.1:10040 &lt;--- integration</pre>
check_policy_service inet:127.0.0.1:10045 &lt;--- integration</pre>
<p>Reload your configuration with `postfix reload` and watch your logs. In it works you should see
lines like the following in your mail log:</p>
<pre>
@ -1098,9 +1337,9 @@ tables. First create a file /etc/postfix/policy containing:</p>
<pre>
# Restriction Classes
smtpd_restriction_classes = postfwdcheck, &lt;some more&gt;... &lt;--- integration
postfwdcheck = check_policy_service inet:127.0.0.1:10040 &lt;--- integration</pre>
postfwdcheck = check_policy_service inet:127.0.0.1:10045 &lt;--- integration</pre>
<pre>
127.0.0.1:10040_time_limit = 3600 &lt;--- integration
127.0.0.1:10045_time_limit = 3600 &lt;--- integration
smtpd_recipient_restrictions = permit_mynetworks, &lt;--- recommended
reject_unauth_destination, &lt;--- recommended
... &lt;--- optional
@ -1122,7 +1361,7 @@ Simply change it to meet your requirements and use</p>
action=&lt;whateveryouconfigured&gt;</pre>
<p>For network tests I use netcat:</p>
<pre>
nc 127.0.0.1 10040 &lt;request.sample</pre>
nc 127.0.0.1 10045 &lt;request.sample</pre>
<p>to send a request to postfwd. If you receive nothing, make sure that postfwd2 is running and
listening on the specified network settings.</p>
<p>

505
doc/postfwd2.txt
View file

@ -38,7 +38,7 @@ SYNOPSIS
--cache-no-size skip size for cache-id
--no_parent_request_cache disable parent request cache
--no_parent_rate_cache disable parent rate cache
--no_parent_dns_cache disable parent dns cache
--no_parent_dns_cache disable parent dns cache (default)
--no_parent_cache disable all parent caches
Rates:
@ -53,6 +53,9 @@ SYNOPSIS
--daemons <list> list of daemons to start
--dumpcache show cache contents
--dumpstats show statistics
-R, --chroot <path> chroot to <path> before start
--delcache <item> removes an item from the request cache
--delrate <item> removes an item from the rate cache
DNS:
-n, --nodns skip any dns based test
@ -73,10 +76,19 @@ SYNOPSIS
--norulestats disables per rule statistics
-I, --instantcfg reloads ruleset on every new request
--config_timeout <i> parser timeout in seconds
--keep_rates do not clear rate limit counters on reload
--save_rates <file> save and load rate limits on disk
--fast_limit_evaluation evaluate rate limits before ruleset is parsed
(please note the limitations)
Plugins:
--plugins <file> loads postfwd plugins from file
Logging:
-l, --logname <label> label for syslog messages
--facility <s> use syslog facility <s>
--socktype <s> use syslog socktype <s>
--nodnslog do not log dns results
--anydnslog log any dns (even cached) results
--norulelog do not log rule actions
@ -132,7 +144,7 @@ DESCRIPTION
A configuration line consists of optional item=value pairs, separated by
semicolons (`;`) and the appropriate desired action:
[ <item1>[=><~]=<value>; <item2>[=><~]=<value>; ... ] action=<result>
[ <item1>=<value>; <item2>=<value>; ... ] action=<result>
*Example:*
@ -151,6 +163,8 @@ DESCRIPTION
ITEM == VALUE true if ITEM equals VALUE
ITEM => VALUE true if ITEM >= VALUE
ITEM =< VALUE true if ITEM <= VALUE
ITEM > VALUE true if ITEM > VALUE
ITEM < VALUE true if ITEM < VALUE
ITEM =~ VALUE true if ITEM ~= /^VALUE$/i
ITEM != VALUE false if ITEM equals VALUE
ITEM !> VALUE false if ITEM >= VALUE
@ -173,11 +187,21 @@ DESCRIPTION
files or passed as command line arguments. Please see the COMMAND LINE
section below for more information on this topic.
Rules can span multiple lines by adding a trailing backslash "\"
character:
Since postfwd version 1.30 rules spanning span multiple lines can be
defined by prefixing the following lines with one or multiple whitespace
characters (or '}' for macros):
id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \
action=REJECT please use your relay from there
id=RULE001
client_address=192.168.1.0/24
sender==no@bad.local
action=REJECT no access
postfwd versions prior to 1.30 require trailing ';' and '\'-characters:
id=RULE001; \
client_address=192.168.1.0/24; \
sender==no@bad.local; \
action=REJECT no access
ITEMS
id - a unique rule id, which can be used for log analysis
@ -241,9 +265,15 @@ DESCRIPTION
this enables version based checks in your rulesets
(e.g. for migration). works with old versions too,
because a non-existing item always returns false:
id=R01; version~=1.10; sender_domain==some.org \
# version >= 1.10
id=R01; version~=1\.[1-9][0-9]; sender_domain==some.org \
; action=REJECT sorry no access
ratecount - only available for rate(), size() and rcpt() actions.
contains the actual limit counter:
id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits])
id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits])
Besides these you can specify any attribute of the postfix policy
delegation protocol. Feel free to combine them the way you need it (have
a look at the EXAMPLES section below).
@ -298,26 +328,25 @@ DESCRIPTION
the current list can be found at
<http://www.postfix.org/SMTPD_POLICY_README.html>. Please read carefully
about which attribute can be used at which level of the smtp transaction
(e.g. size will only work reliably at END_OF_DATA level). Pattern
(e.g. size will only work reliably at END-OF-MESSAGE level). Pattern
matching is performed case insensitive.
Multiple use of the same item is allowed and will compared as logical
OR, which means that this will work as expected:
id=TRUST001; action=OK; encryption_keysize=64; \
ccert_fingerprint=11:22:33:44:55:66:77:88:99; \
ccert_fingerprint=22:33:44:55:66:77:88:99:00; \
ccert_fingerprint=33:44:55:66:77:88:99:00:11; \
id=TRUST001; action=OK; encryption_keysize=64
ccert_fingerprint=11:22:33:44:55:66:77:88:99
ccert_fingerprint=22:33:44:55:66:77:88:99:00
ccert_fingerprint=33:44:55:66:77:88:99:00:11
sender=@domain\.local$
client_address, rbl and rhsbl items may also be specified as
whitespace-or-comma-separated values:
id=SKIP01; action=dunno; \
id=SKIP01; action=dunno
client_address=192.168.1.0/24, 172.16.254.23
id=SKIP02; action=dunno; \
client_address= 10.10.3.32 \
10.216.222.0/27
id=SKIP02; action=dunno
client_address= 10.10.3.32 10.216.222.0/27
The following items must be unique:
@ -325,16 +354,16 @@ DESCRIPTION
Any item can be negated by preceeding '!!' to it, e.g.:
id=TLS001 ; hostname=!!^secure\.trust\.local$ ; action=REJECT only secure.trust.local please
id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please
or using the right compare operator:
id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that?
id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please
To avoid confusion with regexps or simply for better visibility you can
use '!!(...)':
id=USER01 ; sasl_username=!!( /^(bob|alice)$/ ) ; action=REJECT who is that?
id=USER01 ; sasl_username =~ !!( /^(bob|alice)$/ ) ; action=REJECT who is that?
Request attributes can be compared by preceeding '$$' characters, e.g.:
@ -346,6 +375,33 @@ DESCRIPTION
be performed as case insensitive exact match. Use the '-vv' option to
debug.
These special items will be reset for any new rule:
rblcount - contains the number of RBL answers
rhsblcount - contains the number of RHSBL answers
matches - contains the number of matched items
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
These special items will be changed for any matching rule:
request_hits - contains ids of all matching rules
This means that it might be necessary to save them, if you plan to use
these values in later rules:
# set vals
id=RBL01 ; rhsblcount=all; rblcount=all
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
# compare
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
FILES
Since postfwd1 v1.15 and postfwd2 v0.18 long item lists can be stored in
separate files:
@ -368,16 +424,16 @@ DESCRIPTION
This will ignore the right-hand value. Items can be mixed:
id=R002 ; action=REJECT \
client_name==unknown; \
id=R002 ; action=REJECT
client_name==unknown
client_name==file:/etc/postfwd/blacklisted
and for non pcre (comma separated) items:
id=R003 ; action=REJECT \
id=R003 ; action=REJECT
client_address==10.1.1.1, file:/etc/postfwd/blacklisted
id=R004 ; action=REJECT \
id=R004 ; action=REJECT
rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing
You can check your configuration with the --show_config option at the
@ -433,7 +489,7 @@ DESCRIPTION
-- FILE /etc/postfwd/clients_west.cf --
192.168.3.0/24
Remind that there is currently no loop detection (/a/file calls /a/file)
Note that there is currently no loop detection (/a/file calls /a/file)
and that this feature is only available with postfwd1 v1.15 and postfwd2
v0.18 and higher.
@ -496,19 +552,19 @@ DESCRIPTION
this command creates a counter for the given <item>, which will be increased any time a request
containing it arrives. if it exceeds <max> within <time> seconds it will return <action> to postfix.
rate counters are very fast as they are executed before the ruleset is parsed.
please note that <action> is currently limited to postfix actions (no postfwd actions)!
please note that <action> was limited to postfix actions (no postfwd actions) for postfwd versions <1.33!
# no more than 3 requests per 5 minutes
# from the same "unknown" client
id=RATE01 ; client_name==unknown ; \
action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
id=RATE01 ; client_name==unknown
action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
size (<item>/<max>/<time>/<action>)
this command works similar to the rate() command with the difference, that the rate counter is
increased by the request's size attribute. to do this reliably you should call postfwd2 from
smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset:
# size limit 1.5mb per hour per client
id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1)
action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
rcpt (<item>/<max>/<time>/<action>)
this command works similar to the rate() command with the difference, that the rate counter is
@ -516,8 +572,13 @@ DESCRIPTION
from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could
check it within the ruleset:
# recipient count limit 3 per hour per client
id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \
action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1)
action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
rate5321,size5321,rcpt5321 (<item>/<max>/<time>/<action>)
same as the corresponding non-5321 functions, with the difference that the localpart of
sender oder recipient addresses are evaluated case-sensitive according to rfc5321. That
means that requests from bob@example.local and BoB@example.local will be treated differently
ask (<addr>:<port>[:<ignore>])
allows to delegate the policy decision to another policy service (e.g. postgrey). the first
@ -529,13 +590,24 @@ DESCRIPTION
# and continue parsing postfwd's ruleset
id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$)
mail(server/helo/from/to/subject/body)
This command is deprecated. You should try to use the sendmail() action instead.
Very basic mail command, that sends a message with the given arguments. LIMITATIONS:
This basically performs a telnet. No authentication or TLS are available. Additionally it does
not track notification state and will notify you any time, the corresponding rule hits.
sendmail(sendmail-path::from::to::subject::body)
Mail command, that uses an existing sendmail binary and sends a message with the given arguments.
LIMITATIONS: The command does not track notification state and will notify you any time, the
corresponding rule hits (which could mean 100 mails for a mail with 100 recipients at RCPT stage).
wait (<delay>)
pauses the program execution for <delay> seconds. use this for
delaying or throtteling connections.
note (<string>)
just logs the given string and continues parsing the ruleset.
if the string is empty, nothing will be logged.
if the string is empty, nothing will be logged (noop).
quit (<code>)
terminates the program with the given exit-code. postfix doesn`t
@ -545,33 +617,6 @@ DESCRIPTION
id=R-HELO ; helo_name=^[^\.]+$ ; action=REJECT invalid helo '$$helo_name'
These special attributes will be reset for any new rule:
rblcount - contains the number of RBL answers
rhsblcount - contains the number of RHSBL answers
matches - contains the number of matched items
dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
These special attributes will be changed for any matching rule:
request_hits - contains ids of all matching rules
This means that it might be necessary to save them, if you plan to use
these values in later rules:
# set vals
id=RBL01 ; rhsblcount=all ; rblcount=all ; \
rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
# compare
id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
MACROS/ACLS
Multiple use of long items or combinations of them may be abbreviated by
macros. Those must be prefixed by '&&' (two '&' characters). First the
@ -596,18 +641,18 @@ DESCRIPTION
Macros can contain macros, too:
# definition (note the trailing "\" characters)
&&RBLS { \
rbl=zen.spamhaus.org ; \
rbl=list.dsbl.org ; \
rbl=bl.spamcop.net ; \
rbl=dnsbl.sorbs.net ; \
rbl=ix.dnsbl.manitu.net ; \
# definition
&&RBLS{
rbl=zen.spamhaus.org
rbl=list.dsbl.org
rbl=bl.spamcop.net
rbl=dnsbl.sorbs.net
rbl=ix.dnsbl.manitu.net
};
&&DYNAMIC { \
client_name=^unknown$ ; \
client_name=(\d+[\.-_]){4} ; \
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
&&DYNAMIC{
client_name=^unknown$
client_name=(\d+[\.-_]){4}
client_name=[\.-_](adsl|dynamic|ppp|)[\.-_]
};
&&GOAWAY { &&RBLS; &&DYNAMIC; };
# rules
@ -617,7 +662,160 @@ DESCRIPTION
section for more information.
PLUGINS
Please visit <http://www.postfwd.org/postfwd.plugins>
Description
The plugin interface allow you to define your own checks and enhance
postfwd's functionality. Feel free to share useful things!
Warning
Note that the plugin interface is still at devel stage. Please test your
plugins carefully, because errors may cause postfwd to break! It is also
allowed to override attributes or built-in functions, but be sure that
you know what you do because some of them are used internally.
Please keep security in mind, when you access sensible ressources and
never, ever run postfwd as privileged user! Also never trust your input
(especially hostnames, and e-mail addresses).
ITEMS
Item plugins are perl subroutines which integrate additional attributes
to requests before they are evaluated against postfwd's ruleset like any
other item of the policy delegation protocol. This allows you to create
your own checks.
plugin-items can not be used selective. these functions will be executed
for every request postfwd receives, so keep performance in mind.
SYNOPSIS: %result = postfwd_items_plugin{<name>}(%request)
means that your subroutine, called <name>, has access to a hash called
%request, which contains all request attributes, like
$request{client_name} and must return a value in the following form:
save: $result{<item>} = <value>
this creates the new item <item> containing <value>, which will be
integrated in the policy delegation request and therefore may be used in
postfwd's ruleset.
# do NOT remove the next line
%postfwd_items_plugin = (
# EXAMPLES - integrated in postfwd. no need to activate them here.
# allows to check postfwd version in ruleset
"version" => sub {
my(%request) = @_;
my(%result) = (
"version" => $NAME." ".$VERSION,
);
return %result;
},
# sender_domain and recipient_domain
"address_parts" => sub {
my(%request) = @_;
my(%result) = ();
$request{sender} =~ /@([^@]*)$/;
$result{sender_domain} = ($1 || '');
$request{recipient} =~ /@([^@]*)$/;
$result{recipient_domain} = ($1 || '');
return %result;
},
# do NOT remove the next line
);
COMPARE
Compare plugins allow you to define how your new items should be
compared to the ruleset. These are optional. If you don't specify one,
the default (== for exact match, =~ for PCRE, ...) will be used.
SYNOPSIS: <item> => sub { return &{$postfwd_compare{<type>}}(@_); },
# do NOT remove the next line
%postfwd_compare_plugin = (
EXAMPLES - integrated in postfwd. no need to activate them here.
# Simple example
# SYNOPSIS: <result> = <item> (return &{$postfwd_compare{<type>}}(@_))
"client_address" => sub { return &{$postfwd_compare{cidr}}(@_); },
"size" => sub { return &{$postfwd_compare{numeric}}(@_); },
"recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); },
# Complex example
# SYNOPSIS: <result> = <item>(<operator>, <ruleset value>, <request value>, <request>)
"numeric" => sub {
my($cmp,$val,$myitem,%request) = @_;
my($myresult) = undef; $myitem ||= "0"; $val ||= "0";
if ($cmp eq '==') {
$myresult = ($myitem == $val);
} elsif ($cmp eq '=<') {
$myresult = ($myitem <= $val);
} elsif ($cmp eq '=>') {
$myresult = ($myitem >= $val);
} elsif ($cmp eq '<') {
$myresult = ($myitem < $val);
} elsif ($cmp eq '>') {
$myresult = ($myitem > $val);
} elsif ($cmp eq '!=') {
$myresult = not($myitem == $val);
} elsif ($cmp eq '!<') {
$myresult = not($myitem <= $val);
} elsif ($cmp eq '!>') {
$myresult = not($myitem >= $val);
} else {
$myresult = ($myitem >= $val);
};
return $myresult;
},
# do NOT remove the next line
);
ACTIONS
Action plugins allow to define new postfwd actions. By setting the
$stop-flag you can decide to continue or to stop parsing the ruleset.
SYNOPSIS: (<stop rule parsing>, <next rule index>, <return action>, <logprefix>, <request>) =
<action> (<current rule index>, <current time>, <command name>, <argument>, <logprefix>, <request>)
# do NOT remove the next line
%postfwd_actions_plugin = (
# EXAMPLES - integrated in postfwd. no need to activate them here.
# note(<logstring>) command
"note" => sub {
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
my($myaction) = 'dunno'; my($stop) = 0;
log_info "[RULES] ".$myline." - note: ".$myarg if $myarg;
return ($stop,$index,$myaction,$myline,%request);
},
# skips next <myarg> rules
"skip" => sub {
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
my($myaction) = 'dunno'; my($stop) = 0;
$index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) );
return ($stop,$index,$myaction,$myline,%request);
},
# dumps current request contents to syslog
"dumprequest" => sub {
my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
my($myaction) = 'dunno'; my($stop) = 0;
map { log_info "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request);
return ($stop,$index,$myaction,$myline,%request);
},
# do NOT remove the next line
);
COMMAND LINE
*Ruleset*
@ -634,12 +832,6 @@ DESCRIPTION
Adds <rule> to ruleset. Remember that you might have to quote
strings that contain whitespaces or shell characters.
*Plugins*
--plugins
A file containing plugin routines for postfwd. Please see the
PLUGINS section for more information.
*Scoring*
-s, --scores <val>=<action>
@ -647,7 +839,7 @@ DESCRIPTION
Multiple usage is allowed. Just chain your arguments, like:
postfwd2 -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
postfwd2 -r "<item>=<value>;action=<result>" -f <file> -f <file> ...
or
postfwd2 --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd2 score too high" ...
@ -662,13 +854,13 @@ DESCRIPTION
-d, --daemon
postfwd2 will run as daemon and listen on the network for incoming
queries (default 127.0.0.1:10040).
queries (default 127.0.0.1:10045).
-i, --interface <dev>
Bind postfwd2 to the specified interface (default 127.0.0.1).
-p, --port <port>
postfwd2 listens on the specified port (default tcp/10040).
postfwd2 listens on the specified port (default tcp/10045).
--proto <type>
The protocol type for postfwd's socket. Currently you may use 'tcp' or 'unix' here.
@ -694,11 +886,18 @@ DESCRIPTION
-R, --chroot <path>
Chroot the process to the specified path.
Test this before using - you might need some libs there.
Please look at http://postfwd.org/postfwd2-chroot.html before use!
--pidfile <path>
The process id will be saved in the specified file.
--facility <f>
sets the syslog facility, default is 'mail'
--socktype <s>
sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'.
Default is to auto-detect this depening on module version and os.
-l, --logname <label>
Labels the syslog messages. Useful when running multiple
instances of postfwd.
@ -706,6 +905,12 @@ DESCRIPTION
--loglen <int>
Truncates any syslog message after <int> characters.
*Plugins*
--plugins <file>
Loads postfwd plugins from file. Please see http://postfwd.org/postfwd.plugins
or the plugins.postfwd.sample that is available from the tarball for more info.
*Optional arguments*
These parameters influence the way postfwd2 is working. Any of them can
@ -834,6 +1039,25 @@ DESCRIPTION
timeout in seconds to parse a single configuration line. if exceeded, the rule will
be skipped. this is used to prevent problems due to large files or loops.
--keep_rates (default=0)
With this option set postfwd2 does not clear the rate limit counters on reload. Please
note that you have to restart (not reload) postfwd with this option if you change
any rate limit rules.
--save_rates (default=none)
With this option postfwd saves existing rate limit counters to disk and reloads them
on program start. This allows persistent rate limits across program restarts or reboots.
Please note that postfwd needs read and write access to the specified file.
--fast_limit_evaluation (default=0)
Once a ratelimit was set by the ruleset, future requests will be evaluated against it
before consulting the ruleset. This mode was the default behaviour until v1.30.
With this mode rate limits will be faster, but also eventually set up
whitelisting-rules within the ruleset might not work as expected.
LIMITATIONS: This option does not allow nested postfwd commands like
action=rate(sender/3/60/wait(3))
This option doe not work with the strict-rfc5321 rate() functions.
*Informational arguments*
These arguments are for command line usage only. Never ever use them
@ -858,6 +1082,26 @@ DESCRIPTION
This option turns of any syslogging and output. It is included
for performance testing.
--dumpstats
Displays program usage statistics.
--dumpcache
Displays cache contents.
--delcache <item>
Removes an item from the request cache. Use --dumpcache to identify objects.
E.g.:
# postfwd --dumpcache
...
%rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1'
%rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2'
...
# postfwd --delrate="sender=gmato@jqvo.org"
rate cache item 'sender=gmato@jqvo.org' removed
--delrate <item>
Removes an item from the rate cache. Use --dumpcache to identify objects.
REFRESH
In daemon mode postfwd2 reloads it's ruleset after receiving a HUP
signal. Please see the description of the '-I' switch to have your
@ -894,18 +1138,25 @@ DESCRIPTION
# 1. 30MB for systems in *.customer1.tld
# 2. 20MB for SASL user joejob
# 3. 10MB default
id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000
id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large
id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob
id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000
id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large
## Selective Greylisting
##
## Note that postfwd does not include greylisting. This setup requires a running postgrey service
## at port 10031 and the following postfix restriction class in your main.cf:
##
## smtpd_restriction_classes = check_postgrey, ...
## check_postgrey = check_policy_service inet:127.0.0.1:10031
#
# 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s
# 2. Client has no rDNS
# 3. Client comes from several dialin domains
id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
id=GR002; action=greylisting ; client_name=^unknown$
id=GR003; action=greylisting ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$
id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
id=GR002; action=check_postgrey ; client_name=^unknown$
id=GR003; action=check_postgrey ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$
## Date Time
date=24.12.2007-26.12.2007 ; action=450 4.7.1 office closed during christmas
@ -913,7 +1164,7 @@ DESCRIPTION
time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim
time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim
months=-Apr ; action=450 4.7.1 see you in may
days=!!Mon-Fri ; action=greylist
days=!!Mon-Fri ; action=check_postgrey
## Usage of jump
# The following allows a message size of 30MB for different
@ -923,8 +1174,8 @@ DESCRIPTION
id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:...
id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:...
id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:...
id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000
id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000
## Usage of score
# The following rejects a mail, if the client
@ -932,8 +1183,8 @@ DESCRIPTION
# - is listed in 1 RBL or 1 RHSBL and has no correct rDNS
# - other clients without correct rDNS will be greylist-checked
# - some whitelists are used to lower the score
id=S01 ; score=2.6 ; action=greylisting
id=S02 ; score=5.0 ; action=REJECT postfwd2 score too high
id=S01 ; score=2.6 ; action=check_postgrey
id=S02 ; score=5.0 ; action=REJECT postfwd score too high
id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org
id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net
id=R02 ; action=score(2.5) ; rhsbl=rhsbl.ahbl.org, rhsbl.sorbs.net
@ -945,10 +1196,10 @@ DESCRIPTION
# The following temporary rejects requests from "unknown" clients, if they
# 1. exceeded 30 requests per hour or
# 2. tried to send more than 1.5mb within 10 minutes
id=RATE01 ; client_name==unknown ; state==RCPT ; \
action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \
action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
id=RATE01 ; client_name==unknown ; protocol_state==RCPT
action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE
action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
## Macros
# definition
@ -961,34 +1212,34 @@ DESCRIPTION
## Groups
# definition
&&RBLS { \
rbl=zen.spamhaus.org ; \
rbl=list.dsbl.org ; \
rbl=bl.spamcop.net ; \
rbl=dnsbl.sorbs.net ; \
rbl=ix.dnsbl.manitu.net ; \
&&RBLS{
rbl=zen.spamhaus.org
rbl=list.dsbl.org
rbl=bl.spamcop.net
rbl=dnsbl.sorbs.net
rbl=ix.dnsbl.manitu.net
};
&&RHSBLS { \
&&RHSBLS{
...
};
&&DYNAMIC { \
client_name==unknown ; \
client_name~=(\d+[\.-_]){4} ; \
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \
&&DYNAMIC{
client_name==unknown
client_name~=(\d+[\.-_]){4}
client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_]
...
};
&&BAD_HELO { \
helo_name==my.name.tld; \
helo_name~=^([^\.]+)$; \
helo_name~=\.(local|lan)$; \
&&BAD_HELO{
helo_name==my.name.tld
helo_name~=^([^\.]+)$
helo_name~=\.(local|lan)$
...
};
&&MAINTENANCE { \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.07.2007 ; \
date=15.10.2007 ; \
time=03:00:00 - 04:00:00 ; \
&&MAINTENANCE{
date=15.01.2007
date=15.04.2007
date=15.07.2007
date=15.10.2007
time=03:00:00 - 04:00:00
};
# rules
id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL
@ -1005,7 +1256,7 @@ DESCRIPTION
## combined with enhanced rbl features
#
id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \
id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]
@ -1144,7 +1395,7 @@ DESCRIPTION
postfwd2 in high volume environments. Start postfwd2 with the following
parameters:
postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10040 -u nobody -g nobody -S
postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10045 -u nobody -g nobody -S
For efficient caching you should check if you can use the options
--cacheid, --cache-rdomain-only, --cache-no-sender and --cache-no-size.
@ -1153,16 +1404,16 @@ DESCRIPTION
Aug 9 23:00:24 mail postfwd[5158]: postfwd2 n.nn ready for input
and use `netstat -an|grep 10040` to check for something like
and use `netstat -an|grep 10045` to check for something like
tcp 0 0 127.0.0.1:10040 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10045 0.0.0.0:* LISTEN
If everything works, open your postfix main.cf and insert the following
127.0.0.1:10040_time_limit = 3600 <--- integration
127.0.0.1:10045_time_limit = 3600 <--- integration
smtpd_recipient_restrictions = permit_mynetworks <--- recommended
reject_unauth_destination <--- recommended
check_policy_service inet:127.0.0.1:10040 <--- integration
check_policy_service inet:127.0.0.1:10045 <--- integration
Reload your configuration with `postfix reload` and watch your logs. In
it works you should see lines like the following in your mail log:
@ -1183,9 +1434,9 @@ DESCRIPTION
# Restriction Classes
smtpd_restriction_classes = postfwdcheck, <some more>... <--- integration
postfwdcheck = check_policy_service inet:127.0.0.1:10040 <--- integration
postfwdcheck = check_policy_service inet:127.0.0.1:10045 <--- integration
127.0.0.1:10040_time_limit = 3600 <--- integration
127.0.0.1:10045_time_limit = 3600 <--- integration
smtpd_recipient_restrictions = permit_mynetworks, <--- recommended
reject_unauth_destination, <--- recommended
... <--- optional
@ -1211,7 +1462,7 @@ DESCRIPTION
For network tests I use netcat:
nc 127.0.0.1 10040 <request.sample
nc 127.0.0.1 10045 <request.sample
to send a request to postfwd. If you receive nothing, make sure that
postfwd2 is running and listening on the specified network settings.

113
doc/quick.html Normal file
View file

@ -0,0 +1,113 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>postfwd - quickstart guide</title>
<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
<meta name="description" content="quickstart guid for postfwd a postfix firewall policy daemon">
<meta name="author" content="jpk">
<meta name="keywords" content="postfwd, postfwd usage, postfwd manual, postfwd quickstart, postfwd step-by-step, postfix, policy, policy delegation, firewall, postfix acl, postfix acls, pfwpolicy, postfw, restrictions, IT-Security, IT-Consulting, Jan, Peter, Kessler">
</head>
<body>
<h1>postfwd quickstart guide</h1>
<br>To use postfwd you have to perform the following steps:
<br><br>
<ol>
<li><a href="#step1">Get postfwd or postfwd2
<li><a href="#step2">Create your own postfwd ruleset
<li><a href="#step3"><i>Optional: </i>Create a dedicated user/group for postfwd
<li><a href="#step4">Launch postfwd
<li><a href="#step5">Tell postfix to use postfwd
<li><a href="#step6">Finished! How to go on?
</ol>
<br><ol>
<a name="step1"><li><strong>Get postfwd or postfwd2</strong></a>
<br>You may skip this step, if your operating system distribution contains a version of postfwd, but it is recommended to use a recent version from <a href="index.html">postfwd.org</a>. It is also recommended to use recent versions of the perl modules Net::DNS and Net::Server (see <a href="index.html#REQUIRED">required perl modules</a> for more information).
<br><br><br><a name="step2"><li><strong>Create your own postfwd ruleset</strong></a>
<br>postfwd is not a dedicated antispam tool (although it may be used as such). Instead of that it is basically a restriction language for postfix which allows to place complex policy expressions into a simple ruleset. For reasonable operation you have to create your own ruleset, like:
<p><pre>
# reject @domain.local if request comes from outside 10.0.0.0/8 network
id=RULE-01 ; sender_domain=domain.local ; client_address=!!(10.0.0.0/8) ; action=REJECT not allowed
# reject if sender equals recipient
id=RULE-02 ; sender==$$recipient ; action=REJECT not allowed
# check some rbls and reject, if listed on >= 2 of them
id=RULE-03 ; rbl=zen.spamhaus.org,bl.spamcop.net,ix.dnsbl.manitu.net ; rblcount>=2 ; action=REJECT not allowed </tt></pre>
Now save these rules to a file (e.g. /etc/postfwd.cf). Please note that these are just very basic examples. Please read the <a href="doc.html#configuration">documentation</a> for more information on postfwd's capabilities. To check your ruleset you should use the "-C" command line option. This displays postfwd's view of your ruleset, like:
<p><pre>
# postfwd -f /etc/postfwd.cf -C
Rule 0: id->"RULE-01"; action->"REJECT not allowed"; sender_domain->"=;domain.local"; client_address->"=;!!(10.0.0.0/8)"
Rule 1: id->"RULE-02"; action->"REJECT not allowed"; sender->"==;$$recipient"
Rule 2: id->"RULE-03"; action->"REJECT not allowed"; rblcount->"2"; rbl->"=;zen.spamhaus.org, =;bl.spamcop.net, =;ix.dnsbl.manitu.net" </tt></pre>
If you just want to see that anything works a single rule like "id=DEFAULT; action=dunno" is fine, too.
<br><br><br><a name="step3"><li><strong><i>Optional: </i>Create a dedicated user/group for postfwd </strong></a>
<br>By default postfwd will try to use user 'nobody' and group 'nobody'. So it should be safe to skip this step in most environments. If you run a system that is exposed to dangerous networks and feel paranoid you may want to create a dedicated user and group for the postfwd process. On unix systems enter:
<p><pre>
# groupadd postfwd
# useradd -g postfwd -d /var/empty -s /bin/false -c "postfwd daemon user" postfwd
# passwd -l postfwd </tt></pre>
<br><a name="step4"><li><strong>Launch postfwd</strong></a>
<br>Start postfwd with your ruleset. Leave out the --user and --group options, if you have skipped step 3 and want to run postfwd as nobody/nobody.
<p><pre>
# postfwd --daemon -f /etc/postfwd.cf -u postfwd -g postfwd </tt></pre>
Now watch your logs (default facility: mail) for lines like:
<p><pre>
Jun 8 12:14:33 jupiter postfwd[20270]: postfwd 1.11 starting
Jun 8 12:14:33 jupiter postfwd[20271]: Process Backgrounded
Jun 8 12:14:33 jupiter postfwd[20271]: 2009/06/08-12:14:33 postfwd (type Net::Server::Multiplex) starting! pid(20271)
Jun 8 12:14:33 jupiter postfwd[20271]: Binding to TCP port 10040 on host 127.0.0.1
Jun 8 12:14:33 jupiter postfwd[20271]: Setting gid to "1003 1003"
Jun 8 12:14:33 jupiter postfwd[20271]: Setting uid to "1010"
Jun 8 12:14:33 jupiter postfwd[20271]: postfwd 1.11 ready for input </tt></pre>
To control further daemon operations the commands `postfwd --kill` and `postfwd --reload` may be used. Please see `postfwd -h` and the <a href="doc.html#command_line">documentation</a> for more information.
<br><br><br><a name="step5"><li><strong>Tell postfix to use postfwd</strong></a>
<br>Open your main.cf (usually located at /etc/postfix) and find or add a line starting with:
<p><pre>
smtpd_recipient_restrictions = ... </pre></p>
To place the postfwd check here, modify this as follows:
<p><pre>
# note the leading whitespaces from the 2nd line!
smtpd_recipient_restrictions = permit_mynetworks, # recommended
..., # optional
reject_unauth_destination, # recommended
check_policy_service inet:127.0.0.1:10040, # **postfwd integration**
... # optional </tt></pre>
Please note that for some checks (like the 'size' attribute) postfwd has to be integrated at another level of the smtp transaction (smtpd_end_of_data_restrictions). More information on that can be found in the <a href="http://www.postfix.org/SMTPD_POLICY_README.html#protocol">postfix documentation</a>.
<br><br><br><a name="step6"><li><strong>Finished! How to go on?</strong></a>
<br>A good point to start is postfwd's manual. You should be able to view it using the `postfwd -m` command or visit the <a href="doc.html">documentation page</a>. There are also some configuration examples on the <a href="index.html">webpage</a>. Another very useful source of information is the <a href="http://www.postfix.org/SMTPD_POLICY_README.html">Postfix SMTP Access Policy Delegation</a> documentation.
<br>
</ol>
<p>
<center>
<table border="1" color="black" frame="hsides" rules="none" width="100%">
<td width="33%" align="left"><small>http://www.postfwd.org/</small>
<td width="34%" align="center"><small>2007 - 2009 by <a href="http://www.jpkessler.de/">Jan Peter Kessler</a></small>
<td width="33%" align="right"><small>info (AT) postfwd (DOT) org</small>
</table>
</center>
</p>
</body>

82
doc/versions.html Normal file
View file

@ -0,0 +1,82 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>postfwd - version differences</title>
<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
<meta name="description" content="postfwd version differences">
<meta name="author" content="jpk">
<meta name="keywords" content="postfwd, postfwd version differences, postfwd usage, postfwd manual, postfix, policy, policy delegation, firewall, postfix acl, postfix acls, pfwpolicy, postfw, restrictions, IT-Security, IT-Consulting, Jan, Peter, Kessler">
</head>
<body>
<p>
<h1>postfwd1 vs postfwd2</h1><br>
As you might have noticed, there are two different versions of postfwd available - postfwd(1) and postfwd2.
Which version fits best for you depends on your setup. Both versions use the same ruleset parser*. They also share the basic command line arguments (use both with --help for details). This allows to switch easily between them.
<br><br>
The following table might help you to decide which version to use. Basically you should stick with postfwd1 for the moment unless you encounter performance issues with dns based checks or very complex rulesets with thousands
of checks. Please note that, due to implementation, rate limits are handled faster by postfwd1 at the moment. If performance really matters and you use a complex ruleset with rate limits and lots of dns based checks you should consider
running two instances at different ports/sockets: postfwd1 for the rate limits and postfwd2 for the rest.
<br><br>
</p>
<table border=1 cellpadding="20">
<tr>
<th align="right">Version
<th align="center">postfwd1
<th align="center">postfwd2
<tr>
<td align="left" valign="top">
<ul>Specs</ul>
<td align="left" valign="top">
<ul>
<li>Single process (Multiplexer)
<li>Default port: tcp/10040
<li>Small memory footprint
</ul>
<td align="left" valign="top">
<ul>
<li>Multiple processes (Preforker)
<li>Default port: tcp/10045
<li>Scales with multiple cpus/cores
<li>Builtin watchdog function
<li>Debug classes
</ul>
<tr>
<td align="left" valign="top">
<ul>Usage</ul>
<td align="left" valign="top">
<ul>
<li>Fits for most setups
<li>Any single core system
<li><i>Rate-limit-only</i> rulesets
</ul>
<td align="left" valign="top">
<ul>
<li>High throughput setups with lots of requests per second and
<br>
<ul>
<li>rulesets that use a lot of dnsbl lookups
<li>really huge rulesets containing tons of checks
</ul>
</ul>
<tr>
<td align="left" valign="top">
<ul>*Issues</ul>
<td align="left" valign="top">
<td align="left" valign="top">
<ul>
<li>postfwd2 versions below 1.30 do not support multiple rate limits for the same item:
<pre>
# reject on 300+ connections/hour, warn at 200+
id=R01; client_address=1.2.3.4; action=rate(client_address/300/3600/REJECT state RED)
id=R02; client_address=1.2.3.4; action=rate(client_address/200/3600/WARN state YELLOW)
</pre>
</ul>
</table>
</p>
</body>
</html>

135
etc/postfwd-old.cf.sample Normal file
View file

@ -0,0 +1,135 @@
###################################################################################################
##
## ATTENTION: This example configuration uses features which require at least postfwd 1.10pre8!
## Please see the manual ('postfwd -m') for example syntax for prior versions.
##
## WARNING: Only provided to show some capabilities of postfwd. Do NOT use this without
## modifications to suit your environment!
##
###################################################################################################
##
## Definitions
##
# Maintenance times
&&MAINTENANCE { \
date=15.01.2007 ; \
date=15.04.2007 ; \
date=15.10.2007 - 17.10.2007 ; \
time=03:00:00 - 04:00:00 ; \
};
# Whitelists
&&TRUSTED_NETS { \
client_address=192.168.1.0/22 ; \
client_address=172.16.128.32/27 ; \
};
&&TRUSTED_HOSTS { \
client_name~=\.domain1\.net$ ; \
client_name~=\.domain2\.de$ ; \
};
&&TRUSTED_USERS { \
sasl_username==bob ; \
sasl_username==alice ; \
};
&&TRUSTED_TLS { \
ccert_fingerprint==11:22:33:44:55:66:AA:BB:CC:DD:EE:FF ; \
ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66 ; \
encryption_keysize>=64 ; \
};
&&FREEMAIL { \
client_name~=\.gmx\.net$ ; \
client_name~=\.web\.de$ ; \
client_name~=\.(aol|yahoo|h(ush|ot)mail)\.com$ ; \
};
&&STATIC { \
# contains freemailers
&&FREEMAIL ; \
client_name~=[\.\-]static[[\.\-] ; \
client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. ; \
};
&&DNSWLS { \
rbl=list.dnswl.org ; \
rbl=exemptions.ahbl.org ; \
rbl=query.bondedsender.org ; \
rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \
rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \
};
# Spamchecks
&&BADHELO { \
client_name==!!($$(helo_name)) ; \
};
&&DYNAMIC { \
client_name==unknown ; \
client_name~=(\-.+){4} ; \
client_name~=\d{5} ; \
client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-] ; \
};
&&DNSBLS { \
rbl=zen.spamhaus.org ; \
rbl=list.dsbl.org ; \
rbl=bl.spamcop.net ; \
rbl=dnsbl.sorbs.net ; \
rbl=ix.dnsbl.manitu.net ; \
rhsbl=rddn.dnsbl.net.au ; \
rhsbl=rhsbl.ahbl.org ; \
rhsbl=rhsbl.sorbs.net ; \
};
##
## Ruleset
##
# temporary reject and drop connection during maintenance window
id=M_001 ; &&MAINTENANCE ; action=421 maintenance - please try again later
# stress-friendly behaviour (will not match on postfix version pre 2.5)
id=STRESS ; stress==yes ; action=dunno
# Whitelists
id=WL_001 ; &&TRUSTED_NETS ; action=dunno
id=WL_002 ; &&TRUSTED_HOSTS ; action=dunno
id=WL_003 ; &&TRUSTED_USERS ; action=dunno
id=WL_004 ; &&TRUSTED_TLS ; action=dunno
# DNSWL checks - lookup
id=RWL_001 ; &&DNSWLS ; rhsblcount=all ; rblcount=all ; \
action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext)
# DNSWL - whitelisting
id=RWL_002 ; HIT_dnswls>=2 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text]
id=RWL_003 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; &&STATIC
id=RWL_004 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; $$client_name~=$$(sender_domain)$
# DNSBL checks - lookup
id=RBL_001 ; &&DNSBLS ; rhsblcount=all ; rblcount=all ; \
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext)
# DNSBL checks - evaluation
id=RBL_002 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text]
id=RBL_003 ; HIT_dnsbls>=1 ; &&DYNAMIC ; action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text]
id=RBL_004 ; HIT_dnsbls>=1 ; &&BADHELO ; action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text]
# Rate limits
id=RATE_001 ; HIT_dnsbls>=1; \
action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
id=RATE_002 ; &&DYNAMIC ; \
action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
# Selective greylisting
id=GREY_001 ; action=dunno ; &&STATIC
id=GREY_002 ; action=dunno ; $$client_name~=$$(sender_domain)$
id=GREY_003 ; action=dunno ; HIT_dnswls>=1
id=GREY_004 ; action=greylisting ; &&DYNAMIC
id=GREY_005 ; action=greylisting ; HIT_dnsbls>=1
# Greylisting should be safe during out-of-office times
id=GREY_006 ; action=greylisting ; days=Sat-Sun
id=GREY_007 ; action=greylisting ; days=Mon-Fri ; time=!!06:00:00-20:00:00

224
etc/postfwd.cf.sample
View file

@ -2,8 +2,11 @@
###################################################################################################
##
## ATTENTION: Do NOT use this configuration without your own customizations!
## Please see the manual ('postfwd -m') for more information.
## ATTENTION: This example configuration uses features which require at least postfwd 1.30!
## Please see the manual ('postfwd -m') for example syntax for prior versions.
##
## WARNING: Only provided to show some capabilities of postfwd. Do NOT use this without
## modifications to suit your environment!
##
###################################################################################################
@ -12,77 +15,71 @@
## Definitions
##
# Greylisting with postgrey @ 127.0.0.1:10031
&&GREYLIST { \
action=ask(127.0.0.1:10031); \
};
# Maintenance times
&&MAINTENANCE { \
date=15.01.2007 - 15.01.2007 ; \
date=15.04.2007 - 15.04.2007 ; \
date=15.07.2007 - 15.07.2007 ; \
date=15.10.2007 - 15.10.2007 ; \
time=03:00:00 - 04:00:00 ; \
};
&&MAINTENANCE {
date=15.01.2007
date=15.10.2007 - 17.10.2007
days=Sat-Sun
time=03:00:00 - 04:00:00
}
# Whitelists
&&TRUSTED_NETS { \
client_address=192.168.1.0/22 ; \
client_address=172.16.128.32/27 ; \
};
&&TRUSTED_HOSTS { \
client_name~=\.domain1\.net$ ; \
client_name~=\.domain2\.de$ ; \
};
&&TRUSTED_USERS { \
sasl_username==bob ; \
sasl_username==alice ; \
};
&&TRUSTED_TLS { \
ccert_fingerprint==11:22:33:44:55:66:AA:BB:CC:DD:EE:FF ; \
ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66 ; \
encryption_keysize>=64 ; \
};
&&FREEMAIL { \
client_name~=\.gmx\.net$ ; \
client_name~=\.web\.de$ ; \
client_name~=\.(aol|yahoo|h(ush|ot)mail)\.com$ ; \
};
&&STATIC { \
&&TRUSTED_NETS {
client_address=192.168.1.0/22
client_address=172.16.128.32/27
}
&&TRUSTED_HOSTS {
client_name~=\.domain1\.net$
client_name~=\.domain2\.de$
}
&&TRUSTED_USERS {
sasl_username==bob
sasl_username==alice
}
&&TRUSTED_TLS {
ccert_fingerprint==11:22:33:44:55:66:AA:BB:CC:DD:EE:FF
ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66
encryption_keysize>=64
}
&&FREEMAIL {
client_name~=\.gmx\.net$
client_name~=\.web\.de$
client_name~=\.(aol|yahoo|h(ush|ot)mail)\.com$
}
&&STATIC {
# contains freemailers
&&FREEMAIL ; \
client_name~=[\.\-]static[[\.\-] ; \
client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. ; \
};
&&DNSWLS { \
rbl=list.dnswl.org ; \
rbl=exemptions.ahbl.org ; \
rbl=query.bondedsender.org ; \
rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \
rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \
};
&&FREEMAIL
client_name~=[\.\-]static[[\.\-]
client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\.
}
&&DNSWLS {
rbl=list.dnswl.org
rbl=exemptions.ahbl.org
rbl=query.bondedsender.org
rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600
rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600
}
# Spamchecks
&&BADHELO { \
client_name==!!($$(helo_name)) ; \
};
&&DYNAMIC { \
client_name==unknown ; \
client_name~=(\-.+){4} ; \
client_name~=\d{5} ; \
client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-] ; \
};
&&DNSBLS { \
rbl=zen.spamhaus.org ; \
rbl=list.dsbl.org ; \
rbl=bl.spamcop.net ; \
rbl=dnsbl.sorbs.net ; \
rbl=ix.dnsbl.manitu.net ; \
rhsbl=rddn.dnsbl.net.au ; \
rhsbl=rhsbl.ahbl.org ; \
rhsbl=rhsbl.sorbs.net ; \
};
&&BADHELO {
client_name==!!($$(helo_name))
}
&&DYNAMIC {
client_name==unknown
client_name~=(\-.+){4}
client_name~=\d{5}
client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-]
}
&&DNSBLS {
rbl=zen.spamhaus.org
rbl=list.dsbl.org
rbl=bl.spamcop.net
rbl=dnsbl.sorbs.net
rbl=ix.dnsbl.manitu.net
rhsbl=rddn.dnsbl.net.au
rhsbl=rhsbl.ahbl.org
rhsbl=rhsbl.sorbs.net
}
##
@ -90,49 +87,96 @@
##
# temporary reject and drop connection during maintenance window
id=M_001 ; &&MAINTENANCE ; action=421 maintenance - please try again later
id=M_001
&&MAINTENANCE
action=421 maintenance - please try again later
# stress-friendly behaviour (will not match on postfix version pre 2.5)
id=STRESS ; stress==yes ; action=dunno
id=STRESS
stress==yes
action=dunno
# Whitelists
id=WL_001 ; &&TRUSTED_NETS ; action=dunno
id=WL_002 ; &&TRUSTED_HOSTS ; action=dunno
id=WL_003 ; &&TRUSTED_USERS ; action=dunno
id=WL_004 ; &&TRUSTED_TLS ; action=dunno
id=WL_001
&&TRUSTED_NETS
action=dunno
id=WL_002
&&TRUSTED_HOSTS
action=dunno
id=WL_003
&&TRUSTED_USERS
action=dunno
id=WL_004
&&TRUSTED_TLS
action=dunno
# DNSWL checks - lookup
id=RWL_001 ; &&DNSWLS ; rhsblcount=all ; rblcount=all ; \
id=RWL_001
&&DNSWLS
rhsblcount=all ; rblcount=all
action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext)
# DNSWL - whitelisting
id=RWL_002 ; HIT_dnswls>=2 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text]
id=RWL_003 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; &&STATIC
id=RWL_004 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; $$client_name~=$$(sender_domain)$
id=RWL_002
HIT_dnswls>=2
action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text]
id=RWL_003
HIT_dnswls>=1
action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; &&STATIC
id=RWL_004
HIT_dnswls>=1
action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; $$client_name~=$$(sender_domain)$
# DNSBL checks - lookup
id=RBL_001 ; &&DNSBLS ; rhsblcount=all ; rblcount=all ; \
id=RBL_001
&&DNSBLS
rhsblcount=all ; rblcount=all
action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext)
# DNSBL checks - evaluation
id=RBL_002 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text]
id=RBL_003 ; HIT_dnsbls>=1 ; &&DYNAMIC ; action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text]
id=RBL_004 ; HIT_dnsbls>=1 ; &&BADHELO ; action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text]
id=RBL_002
HIT_dnsbls>=2
action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text]
id=RBL_003
HIT_dnsbls>=1
&&DYNAMIC
action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text]
id=RBL_004
HIT_dnsbls>=1
&&BADHELO
action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text]
# Rate limits
id=RATE_001 ; HIT_dnsbls>=1; \
id=RATE_001
HIT_dnsbls>=1
action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
id=RATE_002 ; &&DYNAMIC ; \
id=RATE_002
&&DYNAMIC
action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes)
# Selective greylisting
id=GREY_001 ; action=dunno ; &&STATIC
id=GREY_002 ; action=dunno ; $$client_name~=$$(sender_domain)$
id=GREY_003 ; action=dunno ; HIT_dnswls>=1
id=GREY_004 ; action=&&GREYLIST ; &&DYNAMIC
id=GREY_005 ; action=&&GREYLIST ; HIT_dnsbls>=1
id=GREY_001
action=dunno
&&STATIC
id=GREY_002
action=dunno
$$client_name~=$$(sender_domain)$
id=GREY_003
action=dunno
HIT_dnswls>=1
id=GREY_004
action=greylisting
&&DYNAMIC
id=GREY_005
action=greylisting
HIT_dnsbls>=1
# Greylisting should be safe during out-of-office times
id=GREY_006 ; action=&&GREYLIST ; days=Sat-Sun
id=GREY_007 ; action=&&GREYLIST ; days=Mon-Fri ; time=!!06:00:00-20:00:00
id=GREY_006
action=greylisting
days=Sat-Sun
id=GREY_007
action=greylisting
days=Mon-Fri
time=!!06:00:00-20:00:00

1445
man/man8/postfwd.8
View file

File diff suppressed because it is too large Load diff

1510
man/man8/postfwd2.8
View file

File diff suppressed because it is too large Load diff

167
plugins/postfwd.plugins.sample Normal file
View file

@ -0,0 +1,167 @@
#
#
# Example plugin file for postfwd - see http://postfwd.org
#
#
# Description:
#
# The plugin interface allow you to define your own checks and enhance postfwd's
# functionality. Feel free to share useful things!
#
#
# Warning:
#
# Check changes carefully, because errors may cause postfwd to break! It is also
# allowed to override attributes or built-in functions, but be sure that you know
# what you do because some of them are used internally.
# Please keep security in mind, when you access sensible ressources and never, ever
# run postfwd as privileged user! Also never trust your input (especially hostnames,
# and e-mail addresses).
#
# ITEMS
# =====
#
# Item plugins are perl subroutines which integrate additional attributes to requests
# before they are evaluated against postfwd's ruleset like any other item of the
# policy delegation protocol. This allows you to create your own checks.
#
# plugin-items can not be used selective. these functions will be executed for every
# request postfwd receives, so keep performance in mind.
#
# SYNOPSIS: %result = postfwd_items_plugin{<name>}(%request)
#
# means that your subroutine, called <name>, has access to a hash called %request,
# which contains all request attributes, like $request{client_name} and must
# return a value in the following form:
#
# save: $result{<item>} = <value>
#
# this creates the new item <item> containing <value>, which will be integrated in
# the policy delegation request and therefore may be used in postfwd's ruleset.
# do NOT remove the next line
%postfwd_items_plugin = (
# EXAMPLES - integrated in postfwd. no need to activate them here.
#
# # allows to check postfwd version in ruleset
# "version" => sub {
# my(%request) = @_;
# my(%result) = (
# "version" => $NAME." ".$VERSION,
# );
# return %result;
# },
#
# # sender_domain and recipient_domain
# "address_parts" => sub {
# my(%request) = @_;
# my(%result) = ();
# $request{sender} =~ /@([^@]*)$/;
# $result{sender_domain} = ($1 || '');
# $request{recipient} =~ /@([^@]*)$/;
# $result{recipient_domain} = ($1 || '');
# return %result;
# },
# },
# do NOT remove the next line
);
#
# COMPARE
# =======
#
# Compare plugins allow you to define how your new items should be compared to the ruleset.
# These are optional. If you don't specify one, the default (== for exact match, =~ for PCRE, ...)
# will be used.
#
# SYNOPSIS: <item> => sub { return &{$postfwd_compare{<type>}}(@_); },
# do NOT remove the next line
%postfwd_compare_plugin = (
# EXAMPLES - integrated in postfwd. no need to activate them here.
#
# # CIDR compare
# "client_address" => sub { return &{$postfwd_compare{cidr}}(@_); },
#
# # Numeric compare
# "size" => sub { return &{$postfwd_compare{numeric}}(@_); },
# "recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); },
#
# # Complex example
# # SYNOPSIS: <result> = <item>(<operator>, <ruleset value>, <request value>, <request>)
# "numeric" => sub {
# my($cmp,$val,$myitem,%request) = @_;
# my($myresult) = undef; $myitem ||= "0"; $val ||= "0";
# if ($cmp eq '==') {
# $myresult = ($myitem == $val);
# } elsif ($cmp eq '=<') {
# $myresult = ($myitem <= $val);
# } elsif ($cmp eq '=>') {
# $myresult = ($myitem >= $val);
# } elsif ($cmp eq '!=') {
# $myresult = not($myitem == $val);
# } elsif ($cmp eq '!<') {
# $myresult = not($myitem <= $val);
# } elsif ($cmp eq '!>') {
# $myresult = not($myitem >= $val);
# } else {
# $myresult = ($myitem >= $val);
# };
# return $myresult;
# },
# do NOT remove the next line
);
#
# ACTIONS
# =======
#
# Action plugins allow to define new postfwd actions.
#
# SYNOPSIS: (<stop rule parsing>, <next rule index>, <return action>, <logprefix>, <request>) =
# <action> (<current rule index>, <current time>, <command name>, <argument>, <logprefix>, <request>)
# do NOT remove the next line
%postfwd_actions_plugin = (
# EXAMPLES - integrated in postfwd. no need to activate them here.
#
# # note(<logstring>) command
# "note" => sub {
# my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
# my($myaction) = 'dunno'; my($stop) = 0;
# log_info ("[RULES] ".$myline." - note: ".$myarg) if $myarg;
# return ($stop,$index,$myaction,$myline,%request);
# },
#
# # skips next <myarg> rules
# "skip" => sub {
# my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
# my($myaction) = 'dunno'; my($stop) = 0;
# $index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) );
# return ($stop,$index,$myaction,$myline,%request);
# },
#
# # dumps current request contents to syslog
# "dumprequest" => sub {
# my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
# my($myaction) = 'dunno'; my($stop) = 0;
# map { log_info ("[DUMP] rule=$index, Attribute: $_=$request{$_}") } (keys %request);
# return ($stop,$index,$myaction,$myline,%request);
# },
# do NOT remove the next line
);
# do NOT remove the next line
1;
## EOF postfwd.plugins

1600
sbin/postfwd
View file

File diff suppressed because it is too large Load diff

1471
sbin/postfwd2
View file

File diff suppressed because it is too large Load diff

10
tools/README.txt
View file

@ -1,10 +0,0 @@
Directory contents:
- lograte.sh [OPTIONS] <logfile>
generates per minute stats for generic syslog files
- request.sample
a sample policy delegation request. you may test your postfwd config with
postfwd -f <configfile> request.sample
by JPK

342
tools/hapolicy/hapolicy Executable file
View file

@ -0,0 +1,342 @@
#!/usr/bin/perl -T -w
package hapolicy;
use strict;
use warnings;
use IO::Socket;
use Pod::Usage;
use Sys::Syslog qw(:DEFAULT setlogsock);
use Getopt::Long 2.25 qw(:config no_ignore_case bundling);
### PARAMETERS ###
# Program settings
our($NAME) = 'hapolicy';
our($VERSION) = '1.00';
our($DEFAULT) = 'dunno'; # default action if no service available
our($TIMEOUT) = '30'; # default service timeout
# remote server settings
# command-line: -s <name>=<ip>:<port>:<prio>:<weight>:<timeout>
our(%Servers) = (
# "GREY1" => {
# ip => '10.0.0.1', # ip address
# port => '10031', # tcp port
# prio => '10', # optional, lower wins
# weight => '1', # optional, for items with same prio (weighted round-robin), higher is better
# timeout => '30', # optional, query timeout in seconds
# },
);
# Environment
$ENV{PATH} = '/bin:/usr/bin:/usr/local/bin';
$ENV{ENV} = '';
# Syslog options
our($syslog_name) = $NAME;
our($syslog_facility) = 'mail';
our($syslog_options) = 'pid';
our($syslog_socktype) = ( (defined $sys::Syslog::VERSION) and ($Sys::Syslog::VERSION ge '0.15') )
? 'native'
: (($^O eq 'solaris') ? 'inet' : 'unix');
use vars qw(%opt);
### MAIN ###
# get command-line
GetOptions (
\%opt, 'service|s=s@', 'verbose|v', 'stdout|L', 'logging|l', 'default|d=s'
) or pod2usage (-msg => "\nPlease see \"pod2text ".$NAME."\" for detailed instructions.\n", -verbose => 1);
setlogsock $syslog_socktype;
openlog $syslog_name, $syslog_options, $syslog_facility;
# check command-line
$DEFAULT = $opt{default} if defined $opt{default};
foreach (@{$opt{service}}) {
if (/^([^=]+)=([^:]+):([^:]+):(.*)$/) {
$Servers{$1}{ip} = $2; $Servers{$1}{port} = $3;
($Servers{$1}{prio},$Servers{$1}{weight},$Servers{$1}{timeout}) = split ':', $4 if $4;
} else {
mylogs ('warning', "ignoring invalid service '$_'");
};
};
# sort servers by prio
my %ServerPrioHash = ();
foreach (keys %Servers) {
unless ($Servers{$_}{ip} and $Servers{$_}{port}) {
mylogs ('warning', "No address or port for '$_'");
next;
};
$Servers{$_}{prio} ||= 10; $Servers{$_}{timeout} ||= $TIMEOUT;
$Servers{$_}{weight} = ($Servers{$_}{weight}) ? (1/$Servers{$_}{weight}) : 1;
$Servers{$_}{questions} = $Servers{$_}{answers} = $Servers{$_}{failed} = 0;
push @{$ServerPrioHash{$Servers{$_}{prio}}}, $_;
};
# run main loop
select((select(STDOUT), $| = 1)[0]);
hapolicy::main();
# end program
exit;
### FUNCTIONS ###
# send log message
sub mylogs {
my($prio,$msg) = @_;
unless ($opt{stdout}) {
# escape '%' characters
$msg =~ s/\%/%%/g;
# Sys::Syslog < 0.15 dies when syslog daemon is temporarily not
# present (for example on syslog rotation)
if ( (defined $Sys::Syslog::VERSION) or ($Sys::Syslog::VERSION lt '0.15') ) {
eval {
local $SIG{__DIE__} = sub { };
syslog ($prio,$msg);
};
} else { syslog ($prio,$msg); };
} else { printf "[LOG $prio]: $msg\n"; };
};
# ask remote server
sub ask {
my($srv,$sendstr) = @_;
my($action) = '';
eval {
# handle timeout
local $SIG{__DIE__} = sub { };
local $SIG{'ALRM'} = sub { mylogs ('warning',"Timeout for '$srv' ($Servers{$srv}{ip}:$Servers{$srv}{port})"); die };
my $prevaltert = alarm($Servers{$srv}{timeout});
# increase server request-counter and try to open socket
$Servers{$srv}{questions}+=$Servers{$srv}{weight};
mylogs ('info', "Opening socket to '$srv' ($Servers{$srv}{ip}:$Servers{$srv}{port})") if $opt{verbose};
unless ( my $socket = new IO::Socket::INET (
PeerAddr => $Servers{$srv}{ip},
PeerPort => $Servers{$srv}{port},
Proto => 'tcp',
Type => SOCK_STREAM ) ) {
mylogs ('warning', "Could not open socket to '$srv' ($Servers{$srv}{ip}:$Servers{$srv}{port})");
} else {
# print request and get answer
mylogs ('info', "Connection established to '$srv' ($Servers{$srv}{ip}:$Servers{$srv}{port})") if $opt{verbose};
print $socket "$sendstr";
$sendstr = <$socket>;
chomp($sendstr);
# check answer
$sendstr =~ s/^(action=)//;
if ($1 and $sendstr) {
$Servers{$srv}{answers}++;
mylogs ('info', "Answer from '$srv' -> '$sendstr'") if $opt{verbose};
$action = $sendstr;
} else {
mylogs ('warning', "Invalid answer from '$srv' -> '$sendstr'");
};
};
# restore old sig
alarm ($prevaltert);
};
$Servers{$srv}{failed}++ unless ($Servers{$srv}{last} = $action);
# return action
return $action;
};
# process policy delegation request
sub smtpd_access_policy {
my(%attr) = @_;
my($sendstr,$action,$srv) = '';
my $t1 = time();
# request to str
map { $sendstr .= $_."=".$attr{$_}."\n" } (keys %attr); $sendstr .= "\n";
# loop serverlist until someone answers
PRIO: foreach my $prio (sort keys %ServerPrioHash) {
foreach my $srv ( sort { $Servers{$a}{questions}<=>$Servers{$b}{questions} } @{$ServerPrioHash{$prio}} ) {
$action = ask ($srv, $sendstr) || '';
mylogs ('info', "[$srv]"
." (".$Servers{$srv}{ip}.":".$Servers{$srv}{port}.")"
.", prio: $prio, weight: ".(1/$Servers{$srv}{weight})
.", queries: ".($Servers{$srv}{questions} * (1/$Servers{$srv}{weight}))
.", answers: ".$Servers{$srv}{answers}
.", failed: ".$Servers{$srv}{failed}
.", delay: ".(time() - $t1)."s"
.", client: ".$attr{client_name}."[".$attr{client_address}."]"
.", helo: <".$attr{helo_name}.">"
.", from: <".$attr{sender}.">"
.", to: <".$attr{recipient}.">"
.", action: '".$action."'"
) if ($opt{verbose} or $opt{logging});
last PRIO if $action;
};
};
# return action
return $action;
};
# main loop
sub main {
my($request,$action) = undef;
my (%attr) = ();
while (<>) {
next unless /^([^\r\n]*)\r?\n/;
$request = $1;
if ($request =~ /([^=]+)=(.*)/) {
$attr{substr($1, 0, 512)} = substr($2, 0, 512);
} elsif ($request eq '') {
map { mylogs ('info', "Attribute: $_=$attr{$_}") } (keys %attr) if $opt{verbose};
unless ((defined $attr{request}) and ($attr{request} eq 'smtpd_access_policy')) {
$attr{request} ||='<undef>';
mylogs ('notice', "ignoring unrecognized request type: '$attr{request}'");
} else {
my($action) = smtpd_access_policy(%attr);
$action ||= $DEFAULT; %attr = ();
mylogs('info', "Action: $action") if $opt{verbose};
print "action=$action\n\n";
};
} else {
chop;
mylogs ('notice', "error: ignoring garbage \"".$request."\"");
};
};
};
__END__
=head1 NAME
hapolicy - policy delegation high availability script
=head1 SYNOPSIS
B<hapolicy> [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...]
Services:
-s, --service <name>=<address>:<port>[:<prio>:<weight>:<timeout>]
Options:
-d, --default <action> returns <action> if no service was available (default: 'dunno')
-l, --logging log requests
-v, --verbose increase logging verbosity
-L, --stdout log to stdout, for debugging, do NOT use with postfix
=head1 DESCRIPTION
=head2 INTRODUCTION
B<hapolicy> enables high availability, weighted loadbalancing and a fallback action for postfix policy delegation services. Invoked via postfix spawn it acts as a wrapper that queries
other policy servers via tcp connection. The order of the service queries can be influenced by assigning a specific priority and weight to each service. A service is considered 'failing',
if the connection is refused or the specified service timeout is reached. If all of the configured policy services were failing, B<hapolicy> returns a default action (e.g. dunno) to postfix.
With version 1.00 B<hapolicy> has less than 200 lines of perl code using only standard perl modules. It does not require any disk access nor configuration files and runs under an unpriviledged
user account. This should allow fast and reliable operation.
=head2 CONFIGURATION
A service has the following attributes
"servicename" => {
ip => '127.0.0.1', # ip address
port => '10040', # tcp port
prio => '10', # optional, lower wins
weight => '1', # optional, for items with same prio (weighted round-robin), higher is better
timeout => '30', # optional, query timeout in seconds
},
You may define multiple services at the command line. Which means that
hapolicy -s "grey1=10.0.0.1:10031:10" -s "grey2=10.0.0.2:10031:20"
will always try first service I<grey1> at ip 10.0.0.1 port 10031 and if that service is not available or
does not answer within the default of 30 seconds the next service I<grey2> at ip 10.0.0.2 port 10031 will
be queried.
If you want to load balance connections you may define
hapolicy -s "polw1=10.0.0.1:12525:10:2" -s "polw2=10.0.0.2:12525:10:1"
which queries service I<polw1> at ip 10.0.0.1 twice as much as service I<polw2> at ip 10.0.0.2. Note that this
setup also ensures high availability for both services. If I<polw1> is not available or does not answer
within the default of 30 seconds I<polw2> will be queried and vice versa. There is no reason to define a service twice.
=head2 INTEGRATION
Enter the following at the bottom of your postfix master.cf (usually located at /etc/postfix):
# service description, note the leading blanks at the second line
127.0.0.1:10060 inet n n n - 0 spawn
user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10
save the file and open postfix main.cf. Modify it as follows:
127.0.0.1:10060_time_limit = 3600
smtpd_recipient_restrictions =
permit_mynetworks,
... other authed permits ...
reject_unauth_destination,
... other restrictions ...
check_policy_service inet:127.0.0.1:10060 # <- hapolicy query
Now issue 'postfix reload' at the command line. Of course you can have more enhanced setups
using postfix restriction classes. Please see L</LINKS> for further options.
=head1 LINKS
[1] Postfix SMTP Access Policy Delegation
L<http://www.postfix.org/SMTPD_POLICY_README.html>
[2] Postfix Per-Client/User/etc. Access Control
L<http://www.postfix.org/RESTRICTION_CLASS_README.html>
=head1 LICENSE
hapolicy is free software and released under BSD license, which basically means
that you can do what you want as long as you keep the copyright notice:
Copyright (c) 2008, Jan Peter Kessler
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
* Neither the name of the authors nor the names of his contributors
may be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
=head1 AUTHOR
S<Jan Peter Kessler E<lt>info (AT) postfwd (DOT) orgE<gt>>. Let me know, if you have any suggestions.
=cut

162
tools/hapolicy/hapolicy.html Normal file
View file

@ -0,0 +1,162 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>hapoliy - HA and LB for policy servers</title>
<link rel="stylesheet" type="text/css" href="http://www.jpkessler.de/css/postfwd.css">
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
<meta name="description" content="hapolicy loadbalancing and high availability for postfix policy servers">
<meta name="author" content="jpk">
<meta name="keywords" content="hapolicy, policy server loadbalancing, policy server high availability, policy server failure, policy delegation, postfix, Jan, Peter, Kessler">
</head>
<body>
<p><a name="__index__"></a></p>
<!-- INDEX BEGIN -->
<ul>
<li><a href="#name">NAME</a></li>
<li><a href="#synopsis">SYNOPSIS</a></li>
<li><a href="#description">DESCRIPTION</a></li>
<ul>
<li><a href="#introduction">INTRODUCTION</a></li>
<li><a href="#configuration">CONFIGURATION</a></li>
<li><a href="#integration">INTEGRATION</a></li>
</ul>
<li><a href="#links">LINKS</a></li>
<li><a href="#license">LICENSE</a></li>
<li><a href="#author">AUTHOR</a></li>
</ul>
<!-- INDEX END -->
<hr />
<p>
</p>
<h1><a name="name">NAME</a></h1>
<p>hapolicy - policy delegation high availability script</p>
<p>
</p>
<hr />
<h1><a name="synopsis">SYNOPSIS</a></h1>
<p><strong>hapolicy</strong> [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...]</p>
<pre>
Services:
-s, --service &lt;name&gt;=&lt;address&gt;:&lt;port&gt;[:&lt;prio&gt;:&lt;weight&gt;:&lt;timeout&gt;]</pre>
<pre>
Options:
-d, --default &lt;action&gt; returns &lt;action&gt; if no service was available (default: 'dunno')
-l, --logging log requests
-v, --verbose increase logging verbosity
-L, --stdout log to stdout, for debugging, do NOT use with postfix</pre>
<p>
</p>
<hr />
<h1><a name="description">DESCRIPTION</a></h1>
<p>
</p>
<h2><a name="introduction">INTRODUCTION</a></h2>
<p><strong>hapolicy</strong> enables high availability, weighted loadbalancing and a fallback action for postfix policy delegation services. Invoked via postfix spawn it acts as a wrapper that queries
other policy servers via tcp connection. The order of the service queries can be influenced by assigning a specific priority and weight to each service. A service is considered 'failing',
if the connection is refused or the specified service timeout is reached. If all of the configured policy services were failing, <strong>hapolicy</strong> returns a default action (e.g. dunno) to postfix.</p>
<p>With version 1.00 <strong>hapolicy</strong> has less than 200 lines of perl code using only standard perl modules. It does not require any disk access nor configuration files and runs under an unpriviledged
user account. This should allow fast and reliable operation.</p>
<p>
</p>
<h2><a name="configuration">CONFIGURATION</a></h2>
<p>A service has the following attributes</p>
<pre>
&quot;servicename&quot; =&gt; {
ip =&gt; '127.0.0.1', # ip address
port =&gt; '10040', # tcp port
prio =&gt; '10', # optional, lower wins
weight =&gt; '1', # optional, for items with same prio (weighted round-robin), higher is better
timeout =&gt; '30', # optional, query timeout in seconds
},</pre>
<p>You may define multiple services at the command line. Which means that</p>
<pre>
hapolicy -s &quot;grey1=10.0.0.1:10031:10&quot; -s &quot;grey2=10.0.0.2:10031:20&quot;</pre>
<p>will always try first service <em>grey1</em> at ip 10.0.0.1 port 10031 and if that service is not available or
does not answer within the default of 30 seconds the next service <em>grey2</em> at ip 10.0.0.2 port 10031 will
be queried.<br><br>
<img src="hapolicy01.png"><br>
</p>
<p>If you want to load balance connections you may define</p>
<pre>
hapolicy -s &quot;polw1=10.0.0.1:12525:10:2&quot; -s &quot;polw2=10.0.0.2:12525:10:1&quot;</pre>
<p>which queries service <em>polw1</em> at ip 10.0.0.1 twice as much as service <em>polw2</em> at ip 10.0.0.2.<br><br>
<img src="hapolicy02.png">
<br><br>
Note that this
setup also ensures high availability for both services. If <em>polw1</em> is not available or does not answer
within the default of 30 seconds <em>polw2</em> will be queried and vice versa. There is no reason to define a service twice.</p>
<p>
</p>
<h2><a name="integration">INTEGRATION</a></h2>
<p>Enter the following at the bottom of your postfix master.cf (usually located at /etc/postfix):</p>
<pre>
# service description, note the leading blanks at the second line
127.0.0.1:10061 inet n n n - 0 spawn
user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10</pre>
<p>save the file and open postfix main.cf. Modify it as follows:</p>
<pre>
127.0.0.1:10061_time_limit = 3600</pre>
<pre>
smtpd_recipient_restrictions =
permit_mynetworks,
... other authed permits ...
reject_unauth_destination,
... other restrictions ...
check_policy_service inet:127.0.0.1:10061 # &lt;- hapolicy query</pre>
<p>Now issue 'postfix reload' at the command line. Of course you can have more enhanced setups
using postfix restriction classes. Please see <a href="#links">LINKS</a> for further options.</p>
<p>
</p>
<hr />
<h1><a name="links">LINKS</a></h1>
<p>[1] Get hapolicy<br>
<a href="http://www.postfwd.org/hapolicy/hapolicy">http://www.postfwd.org/hapolicy/hapolicy</a></p>
<p>[2] Postfix SMTP Access Policy Delegation<br>
<a href="http://www.postfix.org/SMTPD_POLICY_README.html">http://www.postfix.org/SMTPD_POLICY_README.html</a></p>
<p>[3] Postfix Per-Client/User/etc. Access Control<br>
<a href="http://www.postfix.org/RESTRICTION_CLASS_README.html">http://www.postfix.org/RESTRICTION_CLASS_README.html</a></p>
<p>
</p>
<hr />
<h1><a name="license">LICENSE</a></h1>
<p>hapolicy is free software and released under BSD license, which basically means
that you can do what you want as long as you keep the copyright notice:</p>
<p>Copyright (c) 2008, Jan Peter Kessler
All rights reserved.</p>
<p>Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:</p>
<pre>
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
* Neither the name of the authors nor the names of his contributors
may be used to endorse or promote products derived from this
software without specific prior written permission.</pre>
<p>THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.</p>
<p>
</p>
<hr />
<h1><a name="author">AUTHOR</a></h1>
<p>Jan&nbsp;Peter&nbsp;Kessler&nbsp;&lt;info&nbsp;(AT)&nbsp;postfwd&nbsp;(DOT)&nbsp;org&gt;. Let me know, if you have any suggestions.</p>
</body>
</html>

127
tools/hapolicy/hapolicy.txt Normal file
View file

@ -0,0 +1,127 @@
NAME
hapolicy - policy delegation high availability script
SYNOPSIS
hapolicy [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...]
Services:
-s, --service <name>=<address>:<port>[:<prio>:<weight>:<timeout>]
Options:
-d, --default <action> returns <action> if no service was available (default: 'dunno')
-l, --logging log requests
-v, --verbose increase logging verbosity
-L, --stdout log to stdout, for debugging, do NOT use with postfix
DESCRIPTION
INTRODUCTION
hapolicy enables high availability, weighted loadbalancing and a
fallback action for postfix policy delegation services. Invoked via
postfix spawn it acts as a wrapper that queries other policy servers via
tcp connection. The order of the service queries can be influenced by
assigning a specific priority and weight to each service. A service is
considered 'failing', if the connection is refused or the specified
service timeout is reached. If all of the configured policy services
were failing, hapolicy returns a default action (e.g. dunno) to postfix.
With version 1.00 hapolicy has less than 200 lines of perl code using
only standard perl modules. It does not require any disk access nor
configuration files and runs under an unpriviledged user account. This
should allow fast and reliable operation.
CONFIGURATION
A service has the following attributes
"servicename" => {
ip => '127.0.0.1', # ip address
port => '10040', # tcp port
prio => '10', # optional, lower wins
weight => '1', # optional, for items with same prio (weighted round-robin), higher is better
timeout => '30', # optional, query timeout in seconds
},
You may define multiple services at the command line. Which means that
hapolicy -s "grey1=10.0.0.1:10031:10" -s "grey2=10.0.0.2:10031:20"
will always try first service *grey1* at ip 10.0.0.1 port 10031 and if
that service is not available or does not answer within the default of
30 seconds the next service *grey2* at ip 10.0.0.2 port 10031 will be
queried.
If you want to load balance connections you may define
hapolicy -s "polw1=10.0.0.1:12525:10:2" -s "polw2=10.0.0.2:12525:10:1"
which queries service *polw1* at ip 10.0.0.1 twice as much as service
*polw2* at ip 10.0.0.2. Note that this setup also ensures high
availability for both services. If *polw1* is not available or does not
answer within the default of 30 seconds *polw2* will be queried and vice
versa. There is no reason to define a service twice.
INTEGRATION
Enter the following at the bottom of your postfix master.cf (usually
located at /etc/postfix):
# service description, note the leading blanks at the second line
127.0.0.1:10060 inet n n n - 0 spawn
user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10
save the file and open postfix main.cf. Modify it as follows:
127.0.0.1:10060_time_limit = 3600
smtpd_recipient_restrictions =
permit_mynetworks,
... other authed permits ...
reject_unauth_destination,
... other restrictions ...
check_policy_service inet:127.0.0.1:10060 # <- hapolicy query
Now issue 'postfix reload' at the command line. Of course you can have
more enhanced setups using postfix restriction classes. Please see
"LINKS" for further options.
LINKS
[1] Postfix SMTP Access Policy Delegation
<http://www.postfix.org/SMTPD_POLICY_README.html>
[2] Postfix Per-Client/User/etc. Access Control
<http://www.postfix.org/RESTRICTION_CLASS_README.html>
LICENSE
hapolicy is free software and released under BSD license, which
basically means that you can do what you want as long as you keep the
copyright notice:
Copyright (c) 2008, Jan Peter Kessler All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
* Neither the name of the authors nor the names of his contributors
may be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
AUTHOR
Jan Peter Kessler <info (AT) postfwd (DOT) org>. Let me know, if you
have any suggestions.

BIN
tools/hapolicy/hapolicy01.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
tools/hapolicy/hapolicy02.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 30 KiB

90
tools/lograte.sh
View file

@ -1,90 +0,0 @@
#!/bin/sh
#
# generates per minute stats for generic syslog files
# call it:
#
# lograte.sh [OPTIONS] <logfile>
#
# or for online monitoring
#
# tail -f <logfile> | lograte.sh [OPTIONS]
#
# by JPK
PATH=/usr/local/bin:/bin:/usr/bin
# default values
PATTERN=".*"
MINIMUM=1
TOPLIST=10
# show usage
Usage () {
{
echo "Usage: `basename $0` -m <mincount> -t <topcount> -s <filter> <file> <file> ...";
echo " -m minimum events to display"
echo " -t how many rankings?"
echo " -T print rankings only"
echo " -s filter input through this regexp"
echo "Example: `basename $0` -m 10 -t 5 -s \"(panic|error)\" /var/log/messages"
} >&2
}
# parse arguments
while getopts Tt:m:s: o
do case "$o" in
s) PATTERN="$OPTARG";;
m) MINIMUM="$OPTARG";;
t) TOPLIST="$OPTARG";;
T) TOPONLY=1;;
*) Usage;
exit 1;;
esac
done
shift `expr $OPTIND - 1`
# a single awk
awk ' ($0 ~ PATTERN) {
split($3,TIME,":");
CURRTIME=$1 " " $2 " " TIME[1] ":" TIME[2];
if (LASTTIME != CURRTIME) {
if (COUNT >= MINIMUM) {
if (!(TOPONLY == 1)) {
printf ( "%s %7d events, %8.2f per sec\n", LASTTIME, COUNT, ( COUNT / 60 ) );
};
for (i=1;i<=TOPLIST;i++) {
if (COUNT > MAXCOUNT[i]) {
MAXCOUNT[i+1]=MAXCOUNT[i];
MAXCOUNT[i]=COUNT;
MAXTIME[i+1]=MAXTIME[i];
MAXTIME[i]=LASTTIME;
break;
};
};
};
COUNT=1;
} else {
COUNT++;
};
LASTTIME=CURRTIME;
}
END {
if (CURRTIME != "") {
if ( (COUNT >= MINIMUM) && (!(TOPONLY == 1)) ) {
printf ( "%s %7d events, %8.2f per sec\n\n", LASTTIME, COUNT, ( COUNT / 60 ) );
};
print "###########";
printf ("# TOP %3d #\n",TOPLIST);
print "###########";
for (i=1;i<=TOPLIST;i++) {
printf ( "# TOP %3d:\t%s %7d events, %8.2f per sec\n", i, MAXTIME[i], MAXCOUNT[i], ( MAXCOUNT[i] / 60 ) );;
};
exit 0;
} else {
exit 1;
};
}' PATTERN="${PATTERN}" MINIMUM="${MINIMUM}" TOPLIST="${TOPLIST}" TOPONLY="${TOPONLY}" $*
# set exitcode=1 if no matching lines found
exit $?