- Get postfwd or postfwd2
You may skip this step, if your operating system distribution contains a version of postfwd, but it is recommended to use a recent version from postfwd.org. It is also recommended to use recent versions of the perl modules Net::DNS and Net::Server (see required perl modules for more information).
- Create your own postfwd ruleset
postfwd is not a dedicated antispam tool (although it may be used as such). Instead of that it is basically a restriction language for postfix which allows to place complex policy expressions into a simple ruleset. For reasonable operation you have to create your own ruleset, like:
# reject @domain.local if request comes from outside 10.0.0.0/8 network
id=RULE-01 ; sender_domain=domain.local ; client_address=!!(10.0.0.0/8) ; action=REJECT not allowed
# reject if sender equals recipient
id=RULE-02 ; sender==$$recipient ; action=REJECT not allowed
# check some rbls and reject, if listed on >= 2 of them
id=RULE-03 ; rbl=zen.spamhaus.org,bl.spamcop.net,ix.dnsbl.manitu.net ; rblcount>=2 ; action=REJECT not allowed
Now save these rules to a file (e.g. /etc/postfwd.cf). Please note that these are just very basic examples. Please read the documentation for more information on postfwd's capabilities. To check your ruleset you should use the "-C" command line option. This displays postfwd's view of your ruleset, like:
# postfwd -f /etc/postfwd.cf -C
Rule 0: id->"RULE-01"; action->"REJECT not allowed"; sender_domain->"=;domain.local"; client_address->"=;!!(10.0.0.0/8)"
Rule 1: id->"RULE-02"; action->"REJECT not allowed"; sender->"==;$$recipient"
Rule 2: id->"RULE-03"; action->"REJECT not allowed"; rblcount->"2"; rbl->"=;zen.spamhaus.org, =;bl.spamcop.net, =;ix.dnsbl.manitu.net"
If you just want to see that anything works a single rule like "id=DEFAULT; action=dunno" is fine, too.
- Optional: Create a dedicated user/group for postfwd
By default postfwd will try to use user 'nobody' and group 'nobody'. So it should be safe to skip this step in most environments. If you run a system that is exposed to dangerous networks and feel paranoid you may want to create a dedicated user and group for the postfwd process. On unix systems enter:
# groupadd postfwd
# useradd -g postfwd -d /var/empty -s /bin/false -c "postfwd daemon user" postfwd
# passwd -l postfwd
- Launch postfwd
Start postfwd with your ruleset. Leave out the --user and --group options, if you have skipped step 3 and want to run postfwd as nobody/nobody.
# postfwd --daemon -f /etc/postfwd.cf -u postfwd -g postfwd
Now watch your logs (default facility: mail) for lines like:
Jun 8 12:14:33 jupiter postfwd[20270]: postfwd 1.11 starting
Jun 8 12:14:33 jupiter postfwd[20271]: Process Backgrounded
Jun 8 12:14:33 jupiter postfwd[20271]: 2009/06/08-12:14:33 postfwd (type Net::Server::Multiplex) starting! pid(20271)
Jun 8 12:14:33 jupiter postfwd[20271]: Binding to TCP port 10040 on host 127.0.0.1
Jun 8 12:14:33 jupiter postfwd[20271]: Setting gid to "1003 1003"
Jun 8 12:14:33 jupiter postfwd[20271]: Setting uid to "1010"
Jun 8 12:14:33 jupiter postfwd[20271]: postfwd 1.11 ready for input
To control further daemon operations the commands `postfwd --kill` and `postfwd --reload` may be used. Please see `postfwd -h` and the documentation for more information.
- Tell postfix to use postfwd
Open your main.cf (usually located at /etc/postfix) and find or add a line starting with:
smtpd_recipient_restrictions = ...
To place the postfwd check here, modify this as follows:
# note the leading whitespaces from the 2nd line!
smtpd_recipient_restrictions = permit_mynetworks, # recommended
..., # optional
reject_unauth_destination, # recommended
check_policy_service inet:127.0.0.1:10040, # **postfwd integration**
... # optional
Please note that for some checks (like the 'size' attribute) postfwd has to be integrated at another level of the smtp transaction (smtpd_end_of_data_restrictions). More information on that can be found in the postfix documentation.
- Finished! How to go on?
A good point to start is postfwd's manual. You should be able to view it using the `postfwd -m` command or visit the documentation page. There are also some configuration examples on the webpage. Another very useful source of information is the Postfix SMTP Access Policy Delegation documentation.