postfwd quickstart guide


To use postfwd you have to perform the following steps:

  1. Get postfwd or postfwd2
  2. Create your own postfwd ruleset
  3. Optional: Create a dedicated user/group for postfwd
  4. Launch postfwd
  5. Tell postfix to use postfwd
  6. Finished! How to go on?

  1. Get postfwd or postfwd2
    You may skip this step, if your operating system distribution contains a version of postfwd, but it is recommended to use a recent version from postfwd.org. It is also recommended to use recent versions of the perl modules Net::DNS and Net::Server (see required perl modules for more information).


  2. Create your own postfwd ruleset
    postfwd is not a dedicated antispam tool (although it may be used as such). Instead of that it is basically a restriction language for postfix which allows to place complex policy expressions into a simple ruleset. For reasonable operation you have to create your own ruleset, like:

    	# reject @domain.local if request comes from outside 10.0.0.0/8 network
    	id=RULE-01 ;  sender_domain=domain.local ;  client_address=!!(10.0.0.0/8) ;  action=REJECT not allowed
    
    	# reject if sender equals recipient
    	id=RULE-02 ;  sender==$$recipient ;  action=REJECT not allowed
    
    	# check some rbls and reject, if listed on >= 2 of them
    	id=RULE-03 ;  rbl=zen.spamhaus.org,bl.spamcop.net,ix.dnsbl.manitu.net ;  rblcount>=2 ;  action=REJECT not allowed 
    Now save these rules to a file (e.g. /etc/postfwd.cf). Please note that these are just very basic examples. Please read the documentation for more information on postfwd's capabilities. To check your ruleset you should use the "-C" command line option. This displays postfwd's view of your ruleset, like:

    	# postfwd -f /etc/postfwd.cf -C
    	  Rule   0: id->"RULE-01"; action->"REJECT not allowed"; sender_domain->"=;domain.local"; client_address->"=;!!(10.0.0.0/8)"
    	  Rule   1: id->"RULE-02"; action->"REJECT not allowed"; sender->"==;$$recipient"
    	  Rule   2: id->"RULE-03"; action->"REJECT not allowed"; rblcount->"2"; rbl->"=;zen.spamhaus.org, =;bl.spamcop.net, =;ix.dnsbl.manitu.net" 
    If you just want to see that anything works a single rule like "id=DEFAULT; action=dunno" is fine, too.


  3. Optional: Create a dedicated user/group for postfwd
    By default postfwd will try to use user 'nobody' and group 'nobody'. So it should be safe to skip this step in most environments. If you run a system that is exposed to dangerous networks and feel paranoid you may want to create a dedicated user and group for the postfwd process. On unix systems enter:

    	# groupadd postfwd
    	# useradd -g postfwd -d /var/empty -s /bin/false -c "postfwd daemon user" postfwd
    	# passwd -l postfwd 

  4. Launch postfwd
    Start postfwd with your ruleset. Leave out the --user and --group options, if you have skipped step 3 and want to run postfwd as nobody/nobody.

    	# postfwd --daemon -f /etc/postfwd.cf -u postfwd -g postfwd 
    Now watch your logs (default facility: mail) for lines like:

    	Jun  8 12:14:33 jupiter postfwd[20270]: postfwd 1.11 starting
    	Jun  8 12:14:33 jupiter postfwd[20271]: Process Backgrounded
    	Jun  8 12:14:33 jupiter postfwd[20271]: 2009/06/08-12:14:33 postfwd (type Net::Server::Multiplex) starting! pid(20271)
    	Jun  8 12:14:33 jupiter postfwd[20271]: Binding to TCP port 10040 on host 127.0.0.1
    	Jun  8 12:14:33 jupiter postfwd[20271]: Setting gid to "1003 1003"
    	Jun  8 12:14:33 jupiter postfwd[20271]: Setting uid to "1010"
    	Jun  8 12:14:33 jupiter postfwd[20271]: postfwd 1.11 ready for input 
    To control further daemon operations the commands `postfwd --kill` and `postfwd --reload` may be used. Please see `postfwd -h` and the documentation for more information.


  5. Tell postfix to use postfwd
    Open your main.cf (usually located at /etc/postfix) and find or add a line starting with:

    	smtpd_recipient_restrictions = ... 

    To place the postfwd check here, modify this as follows:

    	# note the leading whitespaces from the 2nd line!
    	smtpd_recipient_restrictions = permit_mynetworks,	# recommended
    		...,						# optional
    		reject_unauth_destination,			# recommended
    		check_policy_service inet:127.0.0.1:10040,	# **postfwd integration**
    		...						# optional 
    Please note that for some checks (like the 'size' attribute) postfwd has to be integrated at another level of the smtp transaction (smtpd_end_of_data_restrictions). More information on that can be found in the postfix documentation.


  6. Finished! How to go on?
    A good point to start is postfwd's manual. You should be able to view it using the `postfwd -m` command or visit the documentation page. There are also some configuration examples on the webpage. Another very useful source of information is the Postfix SMTP Access Policy Delegation documentation.

http://www.postfwd.org/ 2007 - 2009 by Jan Peter Kessler info (AT) postfwd (DOT) org