1631 lines
65 KiB
Groff
1631 lines
65 KiB
Groff
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
|
||
.\"
|
||
.\" Standard preamble:
|
||
.\" ========================================================================
|
||
.de Sh \" Subsection heading
|
||
.br
|
||
.if t .Sp
|
||
.ne 5
|
||
.PP
|
||
\fB\\$1\fR
|
||
.PP
|
||
..
|
||
.de Sp \" Vertical space (when we can't use .PP)
|
||
.if t .sp .5v
|
||
.if n .sp
|
||
..
|
||
.de Vb \" Begin verbatim text
|
||
.ft CW
|
||
.nf
|
||
.ne \\$1
|
||
..
|
||
.de Ve \" End verbatim text
|
||
.ft R
|
||
.fi
|
||
..
|
||
.\" Set up some character translations and predefined strings. \*(-- will
|
||
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
|
||
.\" double quote, and \*(R" will give a right double quote. | will give a
|
||
.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
|
||
.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
|
||
.\" expand to `' in nroff, nothing in troff, for use with C<>.
|
||
.tr \(*W-|\(bv\*(Tr
|
||
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
|
||
.ie n \{\
|
||
. ds -- \(*W-
|
||
. ds PI pi
|
||
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
|
||
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
|
||
. ds L" ""
|
||
. ds R" ""
|
||
. ds C` ""
|
||
. ds C' ""
|
||
'br\}
|
||
.el\{\
|
||
. ds -- \|\(em\|
|
||
. ds PI \(*p
|
||
. ds L" ``
|
||
. ds R" ''
|
||
'br\}
|
||
.\"
|
||
.\" If the F register is turned on, we'll generate index entries on stderr for
|
||
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
|
||
.\" entries marked with X<> in POD. Of course, you'll have to process the
|
||
.\" output yourself in some meaningful fashion.
|
||
.if \nF \{\
|
||
. de IX
|
||
. tm Index:\\$1\t\\n%\t"\\$2"
|
||
..
|
||
. nr % 0
|
||
. rr F
|
||
.\}
|
||
.\"
|
||
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
|
||
.\" way too many mistakes in technical documents.
|
||
.hy 0
|
||
.if n .na
|
||
.\"
|
||
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
|
||
.\" Fear. Run. Save yourself. No user-serviceable parts.
|
||
. \" fudge factors for nroff and troff
|
||
.if n \{\
|
||
. ds #H 0
|
||
. ds #V .8m
|
||
. ds #F .3m
|
||
. ds #[ \f1
|
||
. ds #] \fP
|
||
.\}
|
||
.if t \{\
|
||
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
|
||
. ds #V .6m
|
||
. ds #F 0
|
||
. ds #[ \&
|
||
. ds #] \&
|
||
.\}
|
||
. \" simple accents for nroff and troff
|
||
.if n \{\
|
||
. ds ' \&
|
||
. ds ` \&
|
||
. ds ^ \&
|
||
. ds , \&
|
||
. ds ~ ~
|
||
. ds /
|
||
.\}
|
||
.if t \{\
|
||
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
|
||
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
|
||
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
|
||
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
|
||
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
|
||
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
|
||
.\}
|
||
. \" troff and (daisy-wheel) nroff accents
|
||
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
|
||
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
|
||
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
|
||
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
|
||
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
|
||
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
|
||
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
|
||
.ds ae a\h'-(\w'a'u*4/10)'e
|
||
.ds Ae A\h'-(\w'A'u*4/10)'E
|
||
. \" corrections for vroff
|
||
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
|
||
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
|
||
. \" for low resolution devices (crt and lpr)
|
||
.if \n(.H>23 .if \n(.V>19 \
|
||
\{\
|
||
. ds : e
|
||
. ds 8 ss
|
||
. ds o a
|
||
. ds d- d\h'-1'\(ga
|
||
. ds D- D\h'-1'\(hy
|
||
. ds th \o'bp'
|
||
. ds Th \o'LP'
|
||
. ds ae ae
|
||
. ds Ae AE
|
||
.\}
|
||
.rm #[ #] #H #V #F C
|
||
.\" ========================================================================
|
||
.\"
|
||
.IX Title "POSTFWD 1"
|
||
.TH POSTFWD 1 "2009-09-03" "perl v5.8.5" "User Contributed Perl Documentation"
|
||
.SH "NAME"
|
||
postfwd \- postfix firewall daemon
|
||
.SH "SYNOPSIS"
|
||
.IX Header "SYNOPSIS"
|
||
postfwd [\s-1OPTIONS\s0] [\s-1SOURCE1\s0, \s-1SOURCE2\s0, ...]
|
||
.PP
|
||
.Vb 3
|
||
\& Ruleset: (at least one, multiple use is allowed):
|
||
\& -f, --file <file> reads rules from <file>
|
||
\& -r, --rule <rule> adds <rule> to config
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& Scoring:
|
||
\& -s, --scores <v>=<r> returns <r> when score exceeds <v>
|
||
.Ve
|
||
.PP
|
||
.Vb 11
|
||
\& Networking:
|
||
\& -d, --daemon run postfwd as daemon
|
||
\& -i, --interface <dev> listen on interface <dev>
|
||
\& -p, --port <port> listen on port <port>
|
||
\& --proto <proto> socket type (tcp or unix)
|
||
\& -u, --user <name> set uid to user <name>
|
||
\& -g, --group <name> set gid to group <name>
|
||
\& -R, --chroot <path> chroot the daemon to <path>
|
||
\& --pidfile <path> create pidfile under <path>
|
||
\& -l, --logname <label> label for syslog messages
|
||
\& --loglen <int> truncates syslogs after <int> chars
|
||
.Ve
|
||
.PP
|
||
.Vb 11
|
||
\& Caching:
|
||
\& -c, --cache <int> sets the request-cache timeout to <int> seconds
|
||
\& --cache-no-size ignores size attribute for caching
|
||
\& --cache-no-sender ignores sender address in cache
|
||
\& --cache-rdomain-only ignores localpart of recipient address in cache
|
||
\& --cache-rbl-timeout default rbl timeout, if not specified in ruleset
|
||
\& --cache-rbl-default default rbl response pattern to match (regexp)
|
||
\& --cacheid <item>, .. list of attributes for request cache identifier
|
||
\& --cleanup-requests cleanup interval in seconds for request cache
|
||
\& --cleanup-rbls cleanup interval in seconds for rbl cache
|
||
\& --cleanup-rates cleanup interval in seconds for rate cache
|
||
.Ve
|
||
.PP
|
||
.Vb 17
|
||
\& Optional:
|
||
\& -t, --test testing, always returns "dunno"
|
||
\& -v, --verbose verbose logging, use twice (-vv) to increase level
|
||
\& -S, --summary <int> show some usage statistics every <int> seconds
|
||
\& --norulelog disbles rule logging
|
||
\& --norulestats disables per rule statistics
|
||
\& --noidlestats disables statistics when idle
|
||
\& -n, --nodns disable dns
|
||
\& --nodnslog disable dns logging
|
||
\& --dns_async_txt perform dnsbl A and TXT lookups simultaneously
|
||
\& --dns_timeout timeout in seconds for asynchonous dns queries
|
||
\& --dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated
|
||
\& --dns_timeout_interval interval in seconds for dns timeout maximum counter
|
||
\& --dns_max_ns_lookups max names to look up with sender_ns_addrs
|
||
\& --dns_max_mx_lookups max names to look up with sender_mx_addrs
|
||
\& -I, --instantcfg re-reads rulefiles for every new request
|
||
\& --config_timeout <i> parser timeout in seconds
|
||
.Ve
|
||
.PP
|
||
.Vb 7
|
||
\& Informational (use only at command-line!):
|
||
\& -C, --showconfig shows ruleset summary, -v for verbose
|
||
\& -L, --stdoutlog redirect syslog messages to stdout
|
||
\& -P, --perfmon no syslogging, no stdout
|
||
\& -V, --version shows program version
|
||
\& -h, --help shows usage
|
||
\& -m, --manual shows program manual
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& Plugins:
|
||
\& --plugins <file> loads plugins from <file>
|
||
.Ve
|
||
.SH "DESCRIPTION"
|
||
.IX Header "DESCRIPTION"
|
||
.Sh "\s-1INTRODUCTION\s0"
|
||
.IX Subsection "INTRODUCTION"
|
||
postfwd is written to combine complex postfix restrictions in a ruleset similar to those of the most firewalls.
|
||
The program uses the postfix policy delegation protocol to control access to the mail system before a message
|
||
has been accepted (please visit <http://www.postfix.org/SMTPD_POLICY_README.html> for more information).
|
||
.PP
|
||
postfwd allows you to choose an action (e.g. reject, dunno) for a combination of several smtp parameters
|
||
(like sender and recipient address, size or the client's \s-1TLS\s0 fingerprint). Also it offers simple macros/acls
|
||
which should allow straightforward and easy-to-read configurations.
|
||
.PP
|
||
\&\fIFeatures:\fR
|
||
.PP
|
||
* Complex combinations of smtp parameters
|
||
.PP
|
||
* Combined \s-1RBL/RHSBL\s0 lookups with arbitrary actions depending on results
|
||
.PP
|
||
* Scoring system
|
||
.PP
|
||
* Date/time based rules
|
||
.PP
|
||
* Macros/ACLs, Groups, Negation
|
||
.PP
|
||
* Compare request attributes (e.g. client_name and helo_name)
|
||
.PP
|
||
* Internal caching for requests and dns lookups
|
||
.PP
|
||
* Built in statistics for rule efficiency analysis
|
||
.Sh "\s-1CONFIGURATION\s0"
|
||
.IX Subsection "CONFIGURATION"
|
||
A configuration line consists of optional item=value pairs, separated by semicolons
|
||
(`;`) and the appropriate desired action:
|
||
.PP
|
||
.Vb 1
|
||
\& [ <item1>[=><~]=<value>; <item2>[=><~]=<value>; ... ] action=<result>
|
||
.Ve
|
||
.PP
|
||
\&\fIExample:\fR
|
||
.PP
|
||
.Vb 1
|
||
\& client_address=192.168.1.1 ; sender==no@bad.local ; action=REJECT
|
||
.Ve
|
||
.PP
|
||
This will deny all mail from 192.168.1.1 with envelope sender no@bad.local. The order of the elements
|
||
is not important. So the following would lead to the same result as the previous example:
|
||
.PP
|
||
.Vb 1
|
||
\& action=REJECT ; client_address=192.168.1.1 ; sender==no@bad.local
|
||
.Ve
|
||
.PP
|
||
The way how request items are compared to the ruleset can be influenced in the following way:
|
||
.PP
|
||
.Vb 11
|
||
\& ====================================================================
|
||
\& ITEM == VALUE true if ITEM equals VALUE
|
||
\& ITEM => VALUE true if ITEM >= VALUE
|
||
\& ITEM =< VALUE true if ITEM <= VALUE
|
||
\& ITEM =~ VALUE true if ITEM ~= /^VALUE$/i
|
||
\& ITEM != VALUE false if ITEM equals VALUE
|
||
\& ITEM !> VALUE false if ITEM >= VALUE
|
||
\& ITEM !< VALUE false if ITEM <= VALUE
|
||
\& ITEM !~ VALUE false if ITEM ~= /^VALUE$/i
|
||
\& ITEM = VALUE default behaviour (see ITEMS section)
|
||
\& ====================================================================
|
||
.Ve
|
||
.PP
|
||
To identify single rules in your log files, you may add an unique identifier for each of it:
|
||
.PP
|
||
.Vb 1
|
||
\& id=R_001 ; action=REJECT ; client_address=192.168.1.1 ; sender==no@bad.local
|
||
.Ve
|
||
.PP
|
||
You may use these identifiers as target for the `\fIjump()\fR` command (see \s-1ACTIONS\s0 section below). Leading
|
||
or trailing whitespace characters will be ignored. Use '#' to comment your configuration. Others will
|
||
appreciate.
|
||
.PP
|
||
A ruleset consists of one or multiple rules, which can be loaded from files or passed as command line
|
||
arguments. Please see the \s-1COMMAND\s0 \s-1LINE\s0 section below for more information on this topic.
|
||
.PP
|
||
Rules can span multiple lines by adding a trailing backslash \*(L"\e\*(R" character:
|
||
.PP
|
||
.Vb 2
|
||
\& id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \e
|
||
\& action=REJECT please use your relay from there
|
||
.Ve
|
||
.Sh "\s-1ITEMS\s0"
|
||
.IX Subsection "ITEMS"
|
||
.Vb 2
|
||
\& id - a unique rule id, which can be used for log analysis
|
||
\& ids also serve as targets for the "jump" command.
|
||
.Ve
|
||
.PP
|
||
.Vb 10
|
||
\& date, time - a time or date range within the specified rule shall hit
|
||
\& # FORMAT:
|
||
\& # Feb, 29th
|
||
\& date=29.02.2008
|
||
\& # Dec, 24th - 26th
|
||
\& date=24.12.2008-26.12.2008
|
||
\& # from today until Nov, 23rd
|
||
\& date=-23.09.2008
|
||
\& # from April, 1st until today
|
||
\& date=01.04.2008-
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& days, months - a range of weekdays (Sun-Sat) or months (Jan-Dec)
|
||
\& within the specified rule shall hit
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& score - when the specified score is hit (see ACTIONS section)
|
||
\& the specified action will be returned to postfix
|
||
\& scores are set global until redefined!
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& request_score - this value allows to access a request's score. it
|
||
\& may be used as variable ($$request_score).
|
||
.Ve
|
||
.PP
|
||
.Vb 5
|
||
\& rbl, rhsbl, - query the specified RBLs/RHSBLs, possible values are:
|
||
\& rhsbl_client, <name>[/<reply>/<maxcache>, <name>/<reply>/<maxcache>]
|
||
\& rhsbl_sender, (defaults: reply=^127\e.0\e.0\e.\ed+$ maxcache=3600)
|
||
\& rhsbl_reverse_client the results of all rhsbl_* queries will be combined
|
||
\& in rhsbl_count (see below).
|
||
.Ve
|
||
.PP
|
||
.Vb 5
|
||
\& rblcount, rhsblcount - minimum RBL/RHSBL hitcounts to match. if not specified
|
||
\& a single RBL/RHSBL hit will match the rbl/rhsbl items.
|
||
\& you may specify 'all' to evaluate all items, and use
|
||
\& it as variable in an action (see ACTIONS section)
|
||
\& (default: 1)
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& sender_localpart, - the local-/domainpart of the sender address
|
||
\& sender_domain
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& recipient_localpart, - the local-/domainpart of the recipient address
|
||
\& recipient_domain
|
||
.Ve
|
||
.PP
|
||
.Vb 4
|
||
\& helo_address - postfwd tries to look up the helo_name. use
|
||
\& helo_address=!!(0.0.0.0/0) to check for unknown.
|
||
\& Please do not use this for positive access control
|
||
\& (whitelisting), as it might be forged.
|
||
.Ve
|
||
.PP
|
||
.Vb 4
|
||
\& sender_ns_names, - postfwd tries to look up the names/ip addresses
|
||
\& sender_ns_addrs of the nameservers for the sender domain part.
|
||
\& Please do not use this for positive access control
|
||
\& (whitelisting), as it might be forged.
|
||
.Ve
|
||
.PP
|
||
.Vb 4
|
||
\& sender_mx_names, - postfwd tries to look up the names/ip addresses
|
||
\& sender_mx_addrs of the mx records for the sender domain part.
|
||
\& Please do not use this for positive access control
|
||
\& (whitelisting), as it might be forged.
|
||
.Ve
|
||
.PP
|
||
.Vb 6
|
||
\& version - postfwd version, contains "postfwd n.nn"
|
||
\& this enables version based checks in your rulesets
|
||
\& (e.g. for migration). works with old versions too,
|
||
\& because a non-existing item always returns false:
|
||
\& id=R01; version~=1.10; sender_domain==some.org \e
|
||
\& ; action=REJECT sorry no access
|
||
.Ve
|
||
.PP
|
||
Besides these you can specify any attribute of the postfix policy delegation protocol.
|
||
Feel free to combine them the way you need it (have a look at the \s-1EXAMPLES\s0 section below).
|
||
.PP
|
||
Most values can be specified as regular expressions (\s-1PCRE\s0). Please see the table below
|
||
for details:
|
||
.PP
|
||
.Vb 43
|
||
\& # ==========================================================
|
||
\& # ITEM=VALUE TYPE
|
||
\& # ==========================================================
|
||
\& id=something mask = string
|
||
\& date=01.04.2007-22.04.2007 mask = date (DD.MM.YYYY-DD.MM.YYYY)
|
||
\& time=08:30:00-17:00:00 mask = time (HH:MM:SS-HH:MM:SS)
|
||
\& days=Mon-Wed mask = weekdays (Mon-Wed) or numeric (1-3)
|
||
\& months=Feb-Apr mask = months (Feb-Apr) or numeric (1-3)
|
||
\& score=5.0 mask = maximum floating point value
|
||
\& rbl=zen.spamhaus.org mask = <name>/<reply>/<maxcache>[,...]
|
||
\& rblcount=2 mask = numeric, will match if rbl hits >= 2
|
||
\& helo_address=<a.b.c.d/nn> mask = CIDR[,CIDR,...]
|
||
\& sender_ns_names=some.domain.tld mask = PCRE
|
||
\& sender_mx_names=some.domain.tld mask = PCRE
|
||
\& sender_ns_addrs=<a.b.c.d/nn> mask = CIDR[,CIDR,...]
|
||
\& sender_mx_addrs=<a.b.c.d/nn> mask = CIDR[,CIDR,...]
|
||
\& # ------------------------------
|
||
\& # Postfix version 2.1 and later:
|
||
\& # ------------------------------
|
||
\& client_address=<a.b.c.d/nn> mask = CIDR[,CIDR,...]
|
||
\& client_name=another.domain.tld mask = PCRE
|
||
\& reverse_client_name=another.domain.tld mask = PCRE
|
||
\& helo_name=some.domain.tld mask = PCRE
|
||
\& sender=foo@bar.tld mask = PCRE
|
||
\& recipient=bar@foo.tld mask = PCRE
|
||
\& recipient_count=5 mask = numeric, will match if recipients >= 5
|
||
\& # ------------------------------
|
||
\& # Postfix version 2.2 and later:
|
||
\& # ------------------------------
|
||
\& sasl_method=plain mask = PCRE
|
||
\& sasl_username=you mask = PCRE
|
||
\& sasl_sender= mask = PCRE
|
||
\& size=12345 mask = numeric, will match if size >= 12345
|
||
\& ccert_subject=blackhole.nowhere.local mask = PCRE (only if tls verified)
|
||
\& ccert_issuer=John+20Doe mask = PCRE (only if tls verified)
|
||
\& ccert_fingerprint=AA:BB:CC:DD:EE:... mask = PCRE (do NOT use "..." here)
|
||
\& # ------------------------------
|
||
\& # Postfix version 2.3 and later:
|
||
\& # ------------------------------
|
||
\& encryption_protocol=TLSv1/SSLv3 mask = PCRE
|
||
\& encryption_cipher=DHE-RSA-AES256-SHA mask = PCRE
|
||
\& encryption_keysize=256 mask = numeric, will match if keysize >= 256
|
||
\& ...
|
||
.Ve
|
||
.PP
|
||
the current list can be found at <http://www.postfix.org/SMTPD_POLICY_README.html>. Please read carefully about which
|
||
attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at \s-1END_OF_DATA\s0 level).
|
||
Pattern matching is performed case insensitive.
|
||
.PP
|
||
Multiple use of the same item is allowed and will compared as logical \s-1OR\s0, which means that this will work as expected:
|
||
.PP
|
||
.Vb 5
|
||
\& id=TRUST001; action=OK; encryption_keysize=64; \e
|
||
\& ccert_fingerprint=11:22:33:44:55:66:77:88:99; \e
|
||
\& ccert_fingerprint=22:33:44:55:66:77:88:99:00; \e
|
||
\& ccert_fingerprint=33:44:55:66:77:88:99:00:11; \e
|
||
\& sender=@domain\e.local$
|
||
.Ve
|
||
.PP
|
||
client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values:
|
||
.PP
|
||
.Vb 5
|
||
\& id=SKIP01; action=dunno; \e
|
||
\& client_address=192.168.1.0/24, 172.16.254.23
|
||
\& id=SKIP02; action=dunno; \e
|
||
\& client_address= 10.10.3.32 \e
|
||
\& 10.216.222.0/27
|
||
.Ve
|
||
.PP
|
||
The following items currently have to be unique:
|
||
.PP
|
||
.Vb 1
|
||
\& id, minimum and maximum values, rblcount and rhsblcount
|
||
.Ve
|
||
.PP
|
||
Any item can be negated by preceeding '!!' to it, e.g.:
|
||
.PP
|
||
.Vb 1
|
||
\& id=TLS001 ; hostname=!!^secure\e.trust\e.local$ ; action=REJECT only secure.trust.local please
|
||
.Ve
|
||
.PP
|
||
or using the right compare operator:
|
||
.PP
|
||
.Vb 1
|
||
\& id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that?
|
||
.Ve
|
||
.PP
|
||
To avoid confusion with regexps or simply for better visibility you can use '!!(...)':
|
||
.PP
|
||
.Vb 1
|
||
\& id=USER01 ; sasl_username=!!( (bob|alice) ) ; action=REJECT who is that?
|
||
.Ve
|
||
.PP
|
||
Request attributes can be compared by preceeding '$$' characters, e.g.:
|
||
.PP
|
||
.Vb 3
|
||
\& id=R-003 ; client_name = !! $$helo_name ; action=WARN helo does not match DNS
|
||
\& # or
|
||
\& id=R-003 ; client_name = !!($$(helo_name)) ; action=WARN helo does not match DNS
|
||
.Ve
|
||
.PP
|
||
This is only valid for \s-1PCRE\s0 values (see list above). The comparison will be performed as case insensitive exact match.
|
||
Use the '\-vv' option to debug.
|
||
.Sh "\s-1FILES\s0"
|
||
.IX Subsection "FILES"
|
||
Since postfwd1 v1.15 and postfwd2 v0.18 long item lists can be stored in separate files:
|
||
.PP
|
||
.Vb 1
|
||
\& id=R001 ; ccert_fingerprint==file:/etc/postfwd/wl_ccerts ; action=DUNNO
|
||
.Ve
|
||
.PP
|
||
postfwd will read a list of items (one item per line) from /etc/postfwd/wl_ccerts. comments are allowed:
|
||
.PP
|
||
.Vb 6
|
||
\& # client1
|
||
\& 11:22:33:44:55:66:77:88:99
|
||
\& # client2
|
||
\& 22:33:44:55:66:77:88:99:00
|
||
\& # client3
|
||
\& 33:44:55:66:77:88:99:00:11
|
||
.Ve
|
||
.PP
|
||
To use existing tables in key=value format, you can use:
|
||
.PP
|
||
.Vb 1
|
||
\& id=R001 ; ccert_fingerprint==table:/etc/postfwd/wl_ccerts ; action=DUNNO
|
||
.Ve
|
||
.PP
|
||
This will ignore the right-hand value. Items can be mixed:
|
||
.PP
|
||
.Vb 3
|
||
\& id=R002 ; action=REJECT \e
|
||
\& client_name==unknown; \e
|
||
\& client_name==file:/etc/postfwd/blacklisted
|
||
.Ve
|
||
.PP
|
||
and for non pcre (comma separated) items:
|
||
.PP
|
||
.Vb 2
|
||
\& id=R003 ; action=REJECT \e
|
||
\& client_address==10.1.1.1, file:/etc/postfwd/blacklisted
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& id=R004 ; action=REJECT \e
|
||
\& rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing
|
||
.Ve
|
||
.PP
|
||
You can check your configuration with the \-\-show_config option at the command line:
|
||
.PP
|
||
.Vb 1
|
||
\& # postfwd --showconfig --rule='action=DUNNO; client_address=10.1.0.0/16, file:/etc/postfwd/wl_clients, 192.168.2.1'
|
||
.Ve
|
||
.PP
|
||
should give something like:
|
||
.PP
|
||
.Vb 1
|
||
\& Rule 0: id->"R-0"; action->"DUNNO"; client_address->"=;10.1.0.0/16, =;194.123.86.10, =;186.4.6.12, =;192.168.2.1"
|
||
.Ve
|
||
.PP
|
||
If a file can not be read, it will be ignored:
|
||
.PP
|
||
.Vb 3
|
||
\& # postfwd --showconfig --rule='action=DUNNO; client_address=10.1.0.0/16, file:/etc/postfwd/wl_clients, 192.168.2.1'
|
||
\& [LOG warning]: error: file /etc/postfwd/wl_clients not found - file will be ignored ?
|
||
\& Rule 0: id->"R-0"; action->"DUNNO"; client_address->"=;10.1.0.0/16, =;192.168.2.1"
|
||
.Ve
|
||
.PP
|
||
File items are evaluated at configuration stage. Therefore postfwd needs to be reloaded if a file has changed.
|
||
.PP
|
||
If you want to specify a file, that will be reloaded for each request, you can use lfile: and ltable:
|
||
.PP
|
||
.Vb 1
|
||
\& id=R001; client_address=lfile:/etc/postfwd/client_whitelist; action=dunno
|
||
.Ve
|
||
.PP
|
||
This will check the modification time of /etc/postfwd/client_whitelist every time the rule is evaluated and reload it as
|
||
necessary. Of course this might increase the system load, so please use it with care.
|
||
.PP
|
||
The \-\-showconfig option illustrates the difference:
|
||
.PP
|
||
.Vb 3
|
||
\& ## evaluated at configuration stage
|
||
\& # postfwd2 --nodaemon -L --rule='client_address=table:/etc/postfwd/clients; action=dunno' -C
|
||
\& Rule 0: id->"R-0"; action->"dunno"; client_address->"=;1.1.1.1, =;1.1.1.2, =;1.1.1.3"
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& ## evaluated for any rulehit
|
||
\& # postfwd2 --nodaemon -L --rule='client_address=ltable:/etc/postfwd/clients; action=dunno' -C
|
||
\& Rule 0: id->"R-0"; action->"dunno"; client_address->"=;ltable:/etc/postfwd/clients"
|
||
.Ve
|
||
.PP
|
||
Files can refer to other files. The following is valid.
|
||
.PP
|
||
.Vb 2
|
||
\& -- FILE /etc/postfwd/rules.cf --
|
||
\& id=R001; client_address=file:/etc/postfwd/clients_master.cf; action=DUNNO
|
||
.Ve
|
||
.PP
|
||
.Vb 4
|
||
\& -- FILE /etc/postfwd/clients_master.cf --
|
||
\& 192.168.1.0/24
|
||
\& file:/etc/postfwd/clients_east.cf
|
||
\& file:/etc/postfwd/clients_west.cf
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& -- FILE /etc/postfwd/clients_east.cf --
|
||
\& 192.168.2.0/24
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& -- FILE /etc/postfwd/clients_west.cf --
|
||
\& 192.168.3.0/24
|
||
.Ve
|
||
.PP
|
||
Remind that there is currently no loop detection (/a/file calls /a/file) and that this feature is only available
|
||
with postfwd1 v1.15 and postfwd2 v0.18 and higher.
|
||
.Sh "\s-1ACTIONS\s0"
|
||
.IX Subsection "ACTIONS"
|
||
\&\fIGeneral\fR
|
||
.PP
|
||
Actions will be executed, when all rule items have matched a request (or at least one of any item list). You can refer to
|
||
request attributes by preceeding $$ characters, like:
|
||
.PP
|
||
.Vb 3
|
||
\& id=R-003; client_name = !!$$helo_name; action=WARN helo '$$helo_name' does not match DNS '$$client_name'
|
||
\& # or
|
||
\& id=R-003; client_name = !!$$helo_name; action=WARN helo '$$(helo_name)' does not match DNS '$$(client_name)'
|
||
.Ve
|
||
.PP
|
||
\&\fIpostfix actions\fR
|
||
.PP
|
||
Actions will be replied to postfix as result to policy delegation requests. Any action that postfix understands is allowed \- see
|
||
\&\*(L"man 5 access\*(R" or <http://www.postfix.org/access.5.html> for a description. If no action is specified, the postfix \s-1WARN\s0 action
|
||
which simply logs the event will be used for the corresponding rule.
|
||
.PP
|
||
postfwd will return dunno if it has reached the end of the ruleset and no rule has matched. This can be changed by placing a last
|
||
rule containing only an action statement:
|
||
.PP
|
||
.Vb 3
|
||
\& ...
|
||
\& action=dunno ; sender=@domain.local # sender is ok
|
||
\& action=reject # default deny
|
||
.Ve
|
||
.PP
|
||
\&\fIpostfwd actions\fR
|
||
.PP
|
||
postfwd actions control the behaviour of the program. Currently you can specify the following:
|
||
.PP
|
||
.Vb 4
|
||
\& jump (<id>)
|
||
\& jumps to rule with id <id>, use this to skip certain rules.
|
||
\& you can jump backwards - but remember that there is no loop
|
||
\& detection at the moment! jumps to non-existing ids will be skipped.
|
||
.Ve
|
||
.PP
|
||
.Vb 11
|
||
\& score (<score>)
|
||
\& the request's score will be modified by the specified <score>,
|
||
\& which must be a floating point value. the modificator can be either
|
||
\& +n.nn adds n.nn to current score
|
||
\& -n.nn sustracts n.nn from the current score
|
||
\& *n.nn multiplies the current score by n.nn
|
||
\& /n.nn divides the current score through n.nn
|
||
\& =n.nn sets the current score to n.nn
|
||
\& if the score exceeds the maximum set by `--scores` option (see
|
||
\& COMMAND LINE) or the score item (see ITEMS section), the action
|
||
\& defined for this case will be returned (default: 5.0=>"REJECT postfwd score exceeded").
|
||
.Ve
|
||
.PP
|
||
.Vb 5
|
||
\& set (<item>=<value>,<item>=<value>,...)
|
||
\& this command allows you to insert or override request attributes, which then may be
|
||
\& compared to your further ruleset. use this to speed up repeated comparisons to large item lists.
|
||
\& please see the EXAMPLES section for more information. you may separate multiple key=value pairs
|
||
\& by "," characters.
|
||
.Ve
|
||
.PP
|
||
.Vb 8
|
||
\& rate (<item>/<max>/<time>/<action>)
|
||
\& this command creates a counter for the given <item>, which will be increased any time a request
|
||
\& containing it arrives. if it exceeds <max> within <time> seconds it will return <action> to postfix.
|
||
\& rate counters are very fast as they are executed before the ruleset is parsed.
|
||
\& # no more than 3 requests per 5 minutes
|
||
\& # from the same "unknown" client
|
||
\& id=RATE01 ; client_name==unknown ; \e
|
||
\& action==rate($$client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)
|
||
.Ve
|
||
.PP
|
||
.Vb 7
|
||
\& size (<item>/<max>/<time>/<action>)
|
||
\& this command works similar to the rate() command with the difference, that the rate counter is
|
||
\& increased by the request's size attribute. to do this reliably you should call postfwd from
|
||
\& smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset:
|
||
\& # size limit 1.5mb per hour per client
|
||
\& id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \e
|
||
\& action==size($$client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)
|
||
.Ve
|
||
.PP
|
||
.Vb 8
|
||
\& rcpt (<item>/<max>/<time>/<action>)
|
||
\& this command works similar to the rate() command with the difference, that the rate counter is
|
||
\& increased by the request's recipient_count attribute. to do this reliably you should call postfwd
|
||
\& from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could
|
||
\& check it within the ruleset:
|
||
\& # recipient count limit 3 per hour per client
|
||
\& id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \e
|
||
\& action==rcpt($$client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)
|
||
.Ve
|
||
.PP
|
||
.Vb 9
|
||
\& ask (<addr>:<port>[:<ignore>])
|
||
\& allows to delegate the policy decision to another policy service (e.g. postgrey). the first
|
||
\& and the second argument (address and port) are mandatory. a third optional argument may be
|
||
\& specified to tell postfwd to ignore certain answers and go on parsing the ruleset:
|
||
\& # example1: query postgrey and return it's answer to postfix
|
||
\& id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031)
|
||
\& # example2: query postgrey but ignore it's answer, if it matches 'DUNNO'
|
||
\& # and continue parsing postfwd's ruleset
|
||
\& id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$)
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& wait (<delay>)
|
||
\& pauses the program execution for <delay> seconds. use this for
|
||
\& delaying or throtteling connections.
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& note (<string>)
|
||
\& just logs the given string and continues parsing the ruleset.
|
||
\& if the string is empty, nothing will be logged.
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& quit (<code>)
|
||
\& terminates the program with the given exit-code. postfix doesn`t
|
||
\& like that too much, so use it with care.
|
||
.Ve
|
||
.PP
|
||
You can reference to request attributes, like
|
||
.PP
|
||
.Vb 1
|
||
\& id=R-HELO ; helo_name=^[^\e.]+$ ; action=REJECT invalid helo '$$helo_name'
|
||
.Ve
|
||
.PP
|
||
These special attributes will be reset for any new rule:
|
||
.PP
|
||
.Vb 5
|
||
\& rblcount - contains the number of RBL answers
|
||
\& rhsblcount - contains the number of RHSBL answers
|
||
\& matches - contains the number of matched items
|
||
\& dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form
|
||
\& rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
|
||
.Ve
|
||
.PP
|
||
These special attributes will be changed for any matching rule:
|
||
.PP
|
||
.Vb 1
|
||
\& request_hits - contains ids of all matching rules
|
||
.Ve
|
||
.PP
|
||
This means that it might be necessary to save them, if you plan to use these values in later rules:
|
||
.PP
|
||
.Vb 6
|
||
\& # set vals
|
||
\& id=RBL01 ; rhsblcount=all ; rblcount=all ; \e
|
||
\& rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \e
|
||
\& rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \e
|
||
\& rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \e
|
||
\& action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
|
||
.Ve
|
||
.PP
|
||
.Vb 4
|
||
\& # compare
|
||
\& id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||
\& id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
|
||
\& id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
|
||
.Ve
|
||
.Sh "\s-1MACROS/ACLS\s0"
|
||
.IX Subsection "MACROS/ACLS"
|
||
Multiple use of long items or combinations of them may be abbreviated by macros. Those must be prefixed by '&&' (two '&' characters).
|
||
First the macros have to be defined as follows:
|
||
.PP
|
||
.Vb 1
|
||
\& &&RBLS { rbl=zen.spamhaus.org,list.dsbl.org,bl.spamcop.net,dnsbl.sorbs.net,ix.dnsbl.manitu.net; };
|
||
.Ve
|
||
.PP
|
||
Then these may be used in your rules, like:
|
||
.PP
|
||
.Vb 3
|
||
\& &&RBLS ; client_name=^unknown$ ; action=REJECT
|
||
\& &&RBLS ; client_name=(\ed+[\e.-_]){4} ; action=REJECT
|
||
\& &&RBLS ; client_name=[\e.-_](adsl|dynamic|ppp|)[\e.-_] ; action=REJECT
|
||
.Ve
|
||
.PP
|
||
Macros can contain actions, too:
|
||
.PP
|
||
.Vb 6
|
||
\& # definition
|
||
\& &&GONOW { action=REJECT your request caused our spam detection policy to reject this message. More info at http://www.domain.local; };
|
||
\& # rules
|
||
\& &&GONOW ; &&RBLS ; client_name=^unknown$
|
||
\& &&GONOW ; &&RBLS ; client_name=(\ed+[\e.-_]){4}
|
||
\& &&GONOW ; &&RBLS ; client_name=[\e.-_](adsl|dynamic|ppp|)[\e.-_]
|
||
.Ve
|
||
.PP
|
||
Macros can contain macros, too:
|
||
.PP
|
||
.Vb 16
|
||
\& # definition (note the trailing "\e" characters)
|
||
\& &&RBLS { \e
|
||
\& rbl=zen.spamhaus.org ; \e
|
||
\& rbl=list.dsbl.org ; \e
|
||
\& rbl=bl.spamcop.net ; \e
|
||
\& rbl=dnsbl.sorbs.net ; \e
|
||
\& rbl=ix.dnsbl.manitu.net ; \e
|
||
\& };
|
||
\& &&DYNAMIC { \e
|
||
\& client_name=^unknown$ ; \e
|
||
\& client_name=(\ed+[\e.-_]){4} ; \e
|
||
\& client_name=[\e.-_](adsl|dynamic|ppp|)[\e.-_] ; \e
|
||
\& };
|
||
\& &&GOAWAY { &&RBLS; &&DYNAMIC; };
|
||
\& # rules
|
||
\& &&GOAWAY ; action=REJECT dynamic client and listed on RBL
|
||
.Ve
|
||
.PP
|
||
Basically macros are simple text substitutions \- see the \*(L"\s-1PARSER\s0\*(R" section for more information.
|
||
.Sh "\s-1PLUGINS\s0"
|
||
.IX Subsection "PLUGINS"
|
||
Please visit <http://www.postfwd.org/postfwd.plugins>
|
||
.Sh "\s-1COMMAND\s0 \s-1LINE\s0"
|
||
.IX Subsection "COMMAND LINE"
|
||
\&\fIRuleset\fR
|
||
.PP
|
||
The following arguments are used to specify the source of the postfwd ruleset. This means
|
||
that at least one of the following is required for postfwd to work.
|
||
.PP
|
||
.Vb 3
|
||
\& -f, --file <file>
|
||
\& Reads rules from <file>. Please see the CONFIGURATION section
|
||
\& below for more information.
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& -r, --rule <rule>
|
||
\& Adds <rule> to ruleset. Remember that you might have to quote
|
||
\& strings that contain whitespaces or shell characters.
|
||
.Ve
|
||
.PP
|
||
\&\fIPlugins\fR
|
||
.PP
|
||
.Vb 3
|
||
\& --plugins
|
||
\& A file containing plugin routines for postfwd. Please see the
|
||
\& PLUGINS section for more information.
|
||
.Ve
|
||
.PP
|
||
\&\fIScoring\fR
|
||
.PP
|
||
.Vb 2
|
||
\& -s, --scores <val>=<action>
|
||
\& Returns <action> to postfix, when the request's score exceeds <val>
|
||
.Ve
|
||
.PP
|
||
Multiple usage is allowed. Just chain your arguments, like:
|
||
.PP
|
||
.Vb 3
|
||
\& postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
|
||
\& or
|
||
\& postfwd --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd score too high" ...
|
||
.Ve
|
||
.PP
|
||
In case of multiple scores, the highest match will count. The order of the arguments will be
|
||
reflected in the postfwd ruleset.
|
||
.PP
|
||
\&\fINetworking\fR
|
||
.PP
|
||
postfwd can be run as daemon so that it listens on the network for incoming requests.
|
||
The following arguments will control it's behaviour in this case.
|
||
.PP
|
||
.Vb 3
|
||
\& -d, --daemon
|
||
\& postfwd will run as daemon and listen on the network for incoming
|
||
\& queries (default 127.0.0.1:10040).
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& -i, --interface <dev>
|
||
\& Bind postfwd to the specified interface (default 127.0.0.1).
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& -p, --port <port>
|
||
\& postfwd listens on the specified port (default tcp/10040).
|
||
.Ve
|
||
.PP
|
||
.Vb 4
|
||
\& --proto <type>
|
||
\& The protocol type for postfwd's socket. Currently you may use 'tcp' or 'unix' here.
|
||
\& To use postfwd with a unix domain socket, run it as follows:
|
||
\& postfwd --proto=unix --port=/somewhere/postfwd.socket
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& -u, --user <name>
|
||
\& Changes real and effective user to <name>.
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& -g, --group <name>
|
||
\& Changes real and effective group to <name>.
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& -R, --chroot <path>
|
||
\& Chroot the process to the specified path.
|
||
\& Test this before using - you might need some libs there.
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& --pidfile <path>
|
||
\& The process id will be saved in the specified file.
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& -l, --logname <label>
|
||
\& Labels the syslog messages. Useful when running multiple
|
||
\& instances of postfwd.
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& --loglen <int>
|
||
\& Truncates any syslog message after <int> characters.
|
||
.Ve
|
||
.PP
|
||
\&\fIOptional arguments\fR
|
||
.PP
|
||
These parameters influence the way postfwd is working. Any of them can be combined.
|
||
.PP
|
||
.Vb 4
|
||
\& -v, --verbose
|
||
\& Verbose logging displays a lot of useful information but can cause
|
||
\& your logfiles to grow noticeably. So use it with caution. Set the option
|
||
\& twice (-vv) to get more information (logs all request attributes).
|
||
.Ve
|
||
.PP
|
||
.Vb 4
|
||
\& -c, --cache <int> (default=600)
|
||
\& Timeout for request cache, results for identical requests will be
|
||
\& cached until config is reloaded or this time (in seconds) expired.
|
||
\& A setting of 0 disables this feature.
|
||
.Ve
|
||
.PP
|
||
.Vb 4
|
||
\& --cache-no-size
|
||
\& Ignores size attribute for cache comparisons which will lead to better
|
||
\& cache-hit rates. You should set this option, if you don't use the size
|
||
\& item in your ruleset.
|
||
.Ve
|
||
.PP
|
||
.Vb 4
|
||
\& --cache-no-sender
|
||
\& Ignores sender address for cache comparisons which will lead to better
|
||
\& cache-hit rates. You should set this option, if you don't use the sender
|
||
\& item in your ruleset.
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& --cache-rdomain-only
|
||
\& This will strip the localpart of the recipient's address before filling the
|
||
\& cache. This may considerably increase cache-hit rates.
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& --cache-rbl-timeout <timeout> (default=3600)
|
||
\& This default value will be used as timeout in seconds for rbl cache items,
|
||
\& if not specified in the ruleset.
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& --cache-rbl-default <pattern> (default=^127\e.0\e.0\e.\ed+$)
|
||
\& Matches <pattern> to rbl/rhsbl answers (regexp) if not specified in the ruleset.
|
||
.Ve
|
||
.PP
|
||
.Vb 8
|
||
\& --cacheid <item>, <item>, ...
|
||
\& This csv-separated list of request attributes will be used to construct
|
||
\& the request cache identifier. Use this only, if you know exactly what you
|
||
\& are doing. If you, for example, use postfwd only for RBL/RHSBL control,
|
||
\& you may set this to
|
||
\& postfwd --cache=3600 --cacheid=client_name,client_address
|
||
\& This increases efficiency of caching and improves postfwd's performance.
|
||
\& Warning: You should list all items here, which are used in your ruleset!
|
||
.Ve
|
||
.PP
|
||
.Vb 4
|
||
\& --cleanup-requests <interval> (default=600)
|
||
\& The request cache will be searched for timed out items after this <interval> in
|
||
\& seconds. It is a minimum value. The cleanup process will only take place, when
|
||
\& a new request arrives.
|
||
.Ve
|
||
.PP
|
||
.Vb 4
|
||
\& --cleanup-rbls <interval> (default=600)
|
||
\& The rbl cache will be searched for timed out items after this <interval> in
|
||
\& seconds. It is a minimum value. The cleanup process will only take place, when
|
||
\& a new request arrives.
|
||
.Ve
|
||
.PP
|
||
.Vb 4
|
||
\& --cleanup-rates <interval> (default=600)
|
||
\& The rate cache will be searched for timed out items after this <interval> in
|
||
\& seconds. It is a minimum value. The cleanup process will only take place, when
|
||
\& a new request arrives.
|
||
.Ve
|
||
.PP
|
||
.Vb 5
|
||
\& -S, --summary <int> (default=600)
|
||
\& Shows some usage statistics (program uptime, request counter, matching rules)
|
||
\& every <int> seconds. This option is included by the -v switch.
|
||
\& This feature uses the alarm signal, so you can force postfwd to dump the stats
|
||
\& using `kill -ALRM <pid>` (where <pid> is the process id of postfwd).
|
||
.Ve
|
||
.PP
|
||
.Vb 9
|
||
\& Example:
|
||
\& Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Counters: 213000 seconds uptime, 39 rules
|
||
\& Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Requests: 71643 overall, 49 last interval, 62.88% cache hits
|
||
\& Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Averages: 20.18 overall, 4.90 last interval, 557.30 top
|
||
\& Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Contents: 44 cached requests, 239 cached dnsbl results
|
||
\& Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Rule ID: R-001 matched: 2704 times
|
||
\& Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Rule ID: R-002 matched: 9351 times
|
||
\& Aug 19 12:39:45 mail1 postfwd[666]: [STATS] Rule ID: R-003 matched: 3116 times
|
||
\& ...
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& --no-rulestats
|
||
\& Disables per rule statistics. Keeps your log clean, if you do not use them.
|
||
\& This option has no effect without --summary or --verbose set.
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& -L, --stdoutlog
|
||
\& Redirects all syslog messages to stdout for debugging. Never use this with postfix!
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& -t, --test
|
||
\& In test mode postfwd always returns "dunno", but logs according
|
||
\& to it`s ruleset. -v will be set automatically with this option.
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& -n, --nodns
|
||
\& Disables all DNS based checks like RBL checks. Rules containing
|
||
\& such elements will be ignored.
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& -n, --nodnslog
|
||
\& Disables logging of dns events.
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& --dns_timeout (default: 14)
|
||
\& Sets the timeout for asynchonous dns queries in seconds. This value will apply to
|
||
\& all dns items in a rule.
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& --dns_timeout_max (default: 10)
|
||
\& Sets the maximum timeout counter for dnsbl lookups. If the timeouts exceed this value
|
||
\& the corresponding dnsbl will be deactivated for a while (see --dns_timeout_interval).
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& --dns_timeout_interval (default=1200)
|
||
\& The dnsbl timeout counter will be cleaned after this interval in seconds. Use this
|
||
\& in conjunction with the --dns_timeout_max parameter.
|
||
.Ve
|
||
.PP
|
||
.Vb 4
|
||
\& --dns_async_txt
|
||
\& Perform dnsbl A and TXT lookups simultaneously (otherwise only for listings with at
|
||
\& least one A record). This needs more network bandwidth due to increased queries but
|
||
\& might increase throughput because the lookups can be parallelized.
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& --dns_max_ns_lookups (default=0)
|
||
\& maximum ns names to lookup up with sender_ns_addrs item. use 0 for no maximum.
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& --dns_max_mx_lookups (default=0)
|
||
\& maximum mx names to lookup up with sender_mx_addrs item. use 0 for no maximum.
|
||
.Ve
|
||
.PP
|
||
.Vb 6
|
||
\& -I, --instantcfg
|
||
\& The config files, specified by -f will be re-read for every request
|
||
\& postfwd receives. This enables on-the-fly configuration changes
|
||
\& without restarting. Though files will be read only if necessary
|
||
\& (which means their access times changed since last read) this might
|
||
\& significantly increase system load.
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& --config_timeout (default=3)
|
||
\& timeout in seconds to parse a single configuration line. if exceeded, the rule will
|
||
\& be skipped. this is used to prevent problems due to large files or loops.
|
||
.Ve
|
||
.PP
|
||
\&\fIInformational arguments\fR
|
||
.PP
|
||
These arguments are for command line usage only. Never ever use them with postfix spawn!
|
||
.PP
|
||
.Vb 2
|
||
\& -C, --showconfig
|
||
\& Displays the current ruleset. Use -v for verbose output.
|
||
.Ve
|
||
.PP
|
||
.Vb 3
|
||
\& -P, --perfmon
|
||
\& This option turns of any syslogging and output. It is included
|
||
\& for performance testing.
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& -V, --version
|
||
\& Displays the program version.
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& -h, --help
|
||
\& Shows program usage.
|
||
.Ve
|
||
.PP
|
||
.Vb 2
|
||
\& -m, --manual
|
||
\& Displays the program manual.
|
||
.Ve
|
||
.Sh "\s-1REFRESH\s0"
|
||
.IX Subsection "REFRESH"
|
||
In daemon mode postfwd reloads it's ruleset after receiving a \s-1HUP\s0 signal. Please see the description of
|
||
the '\-I' switch to have your configuration refreshed for every request postfwd receives.
|
||
.Sh "\s-1EXAMPLES\s0"
|
||
.IX Subsection "EXAMPLES"
|
||
.Vb 7
|
||
\& ## whitelisting
|
||
\& # 1. networks 192.168.1.0/24, 192.168.2.4
|
||
\& # 2. client_names *.gmx.net and *.gmx.de
|
||
\& # 3. sender *@someshop.tld from 11.22.33.44
|
||
\& id=WL001; action=dunno ; client_address=192.168.1.0/24, 192.168.2.4
|
||
\& id=WL002; action=dunno ; client_name=\e.gmx\e.(net|de)$
|
||
\& id=WL003; action=dunno ; sender=@someshop\e.tld$ ; client_address=11.22.33.44
|
||
.Ve
|
||
.PP
|
||
.Vb 6
|
||
\& ## TLS control
|
||
\& # 1. *@authority.tld only with correct TLS fingerprint
|
||
\& # 2. *@secret.tld only with keysizes >=64
|
||
\& id=TL001; action=dunno ; sender=@authority\e.tld$ ; ccert_fingerprint=AA:BB:CC..
|
||
\& id=TL002; action=REJECT wrong TLS fingerprint ; sender=@authority\e.tld$
|
||
\& id=TL003; action=REJECT tls keylength < 64 ; sender=@secret\e.tld$ ; encryption_keysize=64
|
||
.Ve
|
||
.PP
|
||
.Vb 10
|
||
\& ## Combined RBL checks
|
||
\& # This will reject mail if
|
||
\& # 1. listed on ix.dnsbl.manitu.net
|
||
\& # 2. listed on zen.spamhaus.org (sbl and xbl, dns cache timeout 1200s instead of 3600s)
|
||
\& # 3. listed on min 2 of bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net
|
||
\& # 4. listed on bl.spamcop.net and one of rhsbl.ahbl.org, rhsbl.sorbs.net
|
||
\& id=RBL01 ; action=REJECT listed on ix.dnsbl.manitu.net ; rbl=ix.dnsbl.manitu.net
|
||
\& id=RBL02 ; action=REJECT listed on zen.spamhaus.org ; rbl=zen.spamhaus.org/127.0.0.[2-8]/1200
|
||
\& id=RBL03 ; action=REJECT listed on too many RBLs ; rblcount=2 ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net
|
||
\& id=RBL04 ; action=REJECT combined RBL+RHSBL check ; rbl=bl.spamcop.net ; rhsbl=rhsbl.ahbl.org, rhsbl.sorbs.net
|
||
.Ve
|
||
.PP
|
||
.Vb 7
|
||
\& ## Message size (requires message_size_limit to be set to 30000000)
|
||
\& # 1. 30MB for systems in *.customer1.tld
|
||
\& # 2. 20MB for SASL user joejob
|
||
\& # 3. 10MB default
|
||
\& id=SZ001; state==END-OF-MESSAGE; action=REJECT message too large; size=30000000 ; client_name=\e.customer1.tld$
|
||
\& id=SZ002; state==END-OF-MESSAGE; action=REJECT message too large; size=20000000 ; sasl_username==joejob
|
||
\& id=SZ003; state==END-OF-MESSAGE; action=REJECT message too large; size=10000000
|
||
.Ve
|
||
.PP
|
||
.Vb 7
|
||
\& ## Selective Greylisting
|
||
\& # 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s
|
||
\& # 2. Client has no rDNS
|
||
\& # 3. Client comes from several dialin domains
|
||
\& id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
|
||
\& id=GR002; action=greylisting ; client_name=^unknown$
|
||
\& id=GR003; action=greylisting ; client_name=\e.(t-ipconnect|alicedsl|ish)\e.de$
|
||
.Ve
|
||
.PP
|
||
.Vb 7
|
||
\& ## Date Time
|
||
\& date=24.12.2007-26.12.2007 ; action=450 4.7.1 office closed during christmas
|
||
\& time=04:00:00-05:00:00 ; action=450 4.7.1 maintenance ongoing, try again later
|
||
\& time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim
|
||
\& time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim
|
||
\& months=-Apr ; action=450 4.7.1 see you in may
|
||
\& days=!!Mon-Fri ; action=greylist
|
||
.Ve
|
||
.PP
|
||
.Vb 10
|
||
\& ## Usage of jump
|
||
\& # The following allows a message size of 30MB for different
|
||
\& # users/clients while others will only have 10MB.
|
||
\& id=R001 ; action=jump(R100) ; sasl_username=^(Alice|Bob|Jane)$
|
||
\& id=R002 ; action=jump(R100) ; client_address=192.168.1.0/24
|
||
\& id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:...
|
||
\& id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:...
|
||
\& id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:...
|
||
\& id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
|
||
\& id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000
|
||
.Ve
|
||
.PP
|
||
.Vb 14
|
||
\& ## Usage of score
|
||
\& # The following rejects a mail, if the client
|
||
\& # - is listed on 1 RBL and 1 RHSBL
|
||
\& # - is listed in 1 RBL or 1 RHSBL and has no correct rDNS
|
||
\& # - other clients without correct rDNS will be greylist-checked
|
||
\& # - some whitelists are used to lower the score
|
||
\& id=S01 ; score=2.6 ; action=greylisting
|
||
\& id=S02 ; score=5.0 ; action=REJECT postfwd score too high
|
||
\& id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org
|
||
\& id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net
|
||
\& id=R02 ; action=score(2.5) ; rhsbl=rhsbl.ahbl.org, rhsbl.sorbs.net
|
||
\& id=N01 ; action=score(-0.2) ; client_name==$$helo_name
|
||
\& id=N02 ; action=score(2.7) ; client_name=^unknown$
|
||
\& ...
|
||
.Ve
|
||
.PP
|
||
.Vb 8
|
||
\& ## Usage of rate and size
|
||
\& # The following temporary rejects requests from "unknown" clients, if they
|
||
\& # 1. exceeded 30 requests per hour or
|
||
\& # 2. tried to send more than 1.5mb within 10 minutes
|
||
\& id=RATE01 ; client_name==unknown ; state==RCPT ; \e
|
||
\& action==rate($$client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
|
||
\& id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \e
|
||
\& action==size($$client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)
|
||
.Ve
|
||
.PP
|
||
.Vb 8
|
||
\& ## Macros
|
||
\& # definition
|
||
\& &&RBLS { rbl=zen.spamhaus.org,list.dsbl.org,bl.spamcop.net,dnsbl.sorbs.net,ix.dnsbl.manitu.net; };
|
||
\& &&GONOW { action=REJECT your request caused our spam detection policy to reject this message. More info at http://www.domain.local; };
|
||
\& # rules
|
||
\& &&GONOW ; &&RBLS ; client_name=^unknown$
|
||
\& &&GONOW ; &&RBLS ; client_name=(\ed+[\e.-_]){4}
|
||
\& &&GONOW ; &&RBLS ; client_name=[\e.-_](adsl|dynamic|ppp|)[\e.-_]
|
||
.Ve
|
||
.PP
|
||
.Vb 34
|
||
\& ## Groups
|
||
\& # definition
|
||
\& &&RBLS { \e
|
||
\& rbl=zen.spamhaus.org ; \e
|
||
\& rbl=list.dsbl.org ; \e
|
||
\& rbl=bl.spamcop.net ; \e
|
||
\& rbl=dnsbl.sorbs.net ; \e
|
||
\& rbl=ix.dnsbl.manitu.net ; \e
|
||
\& };
|
||
\& &&RHSBLS { \e
|
||
\& ...
|
||
\& };
|
||
\& &&DYNAMIC { \e
|
||
\& client_name==unknown ; \e
|
||
\& client_name~=(\ed+[\e.-_]){4} ; \e
|
||
\& client_name~=[\e.-_](adsl|dynamic|ppp|)[\e.-_] ; \e
|
||
\& ...
|
||
\& };
|
||
\& &&BAD_HELO { \e
|
||
\& helo_name==my.name.tld; \e
|
||
\& helo_name~=^([^\e.]+)$; \e
|
||
\& helo_name~=\e.(local|lan)$; \e
|
||
\& ...
|
||
\& };
|
||
\& &&MAINTENANCE { \e
|
||
\& date=15.01.2007 ; \e
|
||
\& date=15.04.2007 ; \e
|
||
\& date=15.07.2007 ; \e
|
||
\& date=15.10.2007 ; \e
|
||
\& time=03:00:00 - 04:00:00 ; \e
|
||
\& };
|
||
\& # rules
|
||
\& id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL
|
||
\& id=MAINTENANCE ; &&MAINTENANCE ; action=DEFER maintenance time - please try again later
|
||
.Ve
|
||
.PP
|
||
.Vb 8
|
||
\& # now with the set() command, note that long item
|
||
\& # lists don't have to be compared twice
|
||
\& id=RBL01 ; &&RBLS ; action=set(HIT_rbls=1)
|
||
\& id=HELO01 ; &&BAD_HELO ; action=set(HIT_helo=1)
|
||
\& id=DYNA01 ; &&DYNAMIC ; action=set(HIT_dyna=1)
|
||
\& id=REJECT01 ; HIT_rbls==1 ; HIT_helo==1 ; action=REJECT please see http://some.org/info?reject=01 for more info
|
||
\& id=REJECT02 ; HIT_rbls==1 ; HIT_dyna==1 ; action=REJECT please see http://some.org/info?reject=02 for more info
|
||
\& id=REJECT03 ; HIT_helo==1 ; HIT_dyna==1 ; action=REJECT please see http://some.org/info?reject=03 for more info
|
||
.Ve
|
||
.PP
|
||
.Vb 5
|
||
\& ## combined with enhanced rbl features
|
||
\& #
|
||
\& id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \e
|
||
\& action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
|
||
\& id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]
|
||
.Ve
|
||
.Sh "\s-1PARSER\s0"
|
||
.IX Subsection "PARSER"
|
||
\&\fIConfiguration\fR
|
||
.PP
|
||
The postfwd ruleset can be specified at the commandline (\-r option) or be read from files (\-f). The order of your arguments will be kept. You should
|
||
check the parser with the \-C | \-\-showconfig switch at the command line before applying a new config. The following call:
|
||
.PP
|
||
.Vb 4
|
||
\& postfwd --showconfig \e
|
||
\& -r "id=TEST; recipient_count=100; action=WARN mail with 100+ recipients" \e
|
||
\& -f /etc/postfwd.cf \e
|
||
\& -r "id=DEFAULT; action=dunno";
|
||
.Ve
|
||
.PP
|
||
will produce the following output:
|
||
.PP
|
||
.Vb 5
|
||
\& Rule 0: id->"TEST" action->"WARN mail with 100+ recipients"; recipient_count->"100"
|
||
\& ...
|
||
\& ... <content of /etc/postfwd.cf> ...
|
||
\& ...
|
||
\& Rule <n>: id->"DEFAULT" action->"dunno"
|
||
.Ve
|
||
.PP
|
||
Multiple items of the same type will be added to lists (see the \*(L"\s-1ITEMS\s0\*(R" section for more info):
|
||
.PP
|
||
.Vb 2
|
||
\& postfwd --showconfig \e
|
||
\& -r "client_address=192.168.1.0/24; client_address=172.16.26.32; action=dunno"
|
||
.Ve
|
||
.PP
|
||
will result in:
|
||
.PP
|
||
.Vb 1
|
||
\& Rule 0: id->"R-0"; action->"dunno"; client_address->"192.168.1.0/24, 172.16.26.32"
|
||
.Ve
|
||
.PP
|
||
Macros are evaluated at configuration stage, which means that
|
||
.PP
|
||
.Vb 3
|
||
\& postfwd --showconfig \e
|
||
\& -r "&&RBLS { rbl=bl.spamcop.net; client_name=^unknown$; };" \e
|
||
\& -r "id=RBL001; &&RBLS; action=REJECT listed on spamcop and bad rdns";
|
||
.Ve
|
||
.PP
|
||
will result in:
|
||
.PP
|
||
.Vb 1
|
||
\& Rule 0: id->"RBL001"; action->"REJECT listed on spamcop and bad rdns"; rbl->"bl.spamcop.net"; client_name->"^unknown$"
|
||
.Ve
|
||
.PP
|
||
\&\fIRequest processing\fR
|
||
.PP
|
||
When a policy delegation request arrives it will be compared against postfwd`s ruleset. To inspect the processing in detail you should increase
|
||
verbority using use the \*(L"\-v\*(R" or \*(L"\-vv\*(R" switch. \*(L"\-L\*(R" redirects log messages to stdout.
|
||
.PP
|
||
Keeping the order of the ruleset in general, items will be compared in random order, which basically means that
|
||
.PP
|
||
.Vb 1
|
||
\& id=R001; action=dunno; client_address=192.168.1.1; sender=bob@alice.local
|
||
.Ve
|
||
.PP
|
||
equals to
|
||
.PP
|
||
.Vb 1
|
||
\& id=R001; sender=bob@alice.local; client_address=192.168.1.1; action=dunno
|
||
.Ve
|
||
.PP
|
||
Lists will be evaluated in the specified order. This allows to place faster expressions at first:
|
||
.PP
|
||
.Vb 1
|
||
\& postfwd -vv -L -r "id=RBL001; rbl=localrbl.local zen.spamhaus.org; action=REJECT" /some/where/request.sample
|
||
.Ve
|
||
.PP
|
||
produces the following
|
||
.PP
|
||
.Vb 11
|
||
\& [LOGS info]: compare rbl: "remotehost.remote.net[68.10.1.7]" -> "localrbl.local"
|
||
\& [LOGS info]: count1 rbl: "2" -> "0"
|
||
\& [LOGS info]: query rbl: localrbl.local 7.1.10.68 (7.1.10.68.localrbl.local)
|
||
\& [LOGS info]: count2 rbl: "2" -> "0"
|
||
\& [LOGS info]: match rbl: FALSE
|
||
\& [LOGS info]: compare rbl: "remotehost.remote.net[68.10.1.7]" -> "zen.spamhaus.org"
|
||
\& [LOGS info]: count1 rbl: "2" -> "0"
|
||
\& [LOGS info]: query rbl: zen.spamhaus.org 7.1.10.68 (7.1.10.68.zen.spamhaus.org)
|
||
\& [LOGS info]: count2 rbl: "2" -> "0"
|
||
\& [LOGS info]: match rbl: FALSE
|
||
\& [LOGS info]: Action: dunno
|
||
.Ve
|
||
.PP
|
||
The negation operator !!(<value>) has the highest priority and therefore will be evaluated first. Then variable substitutions are performed:
|
||
.PP
|
||
.Vb 1
|
||
\& postfwd -vv -L -r "id=TEST; action=REJECT; client_name=!!($$heloname)" /some/where/request.sample
|
||
.Ve
|
||
.PP
|
||
will give
|
||
.PP
|
||
.Vb 5
|
||
\& [LOGS info]: compare client_name: "unknown" -> "!!($$helo_name)"
|
||
\& [LOGS info]: negate client_name: "unknown" -> "$$helo_name"
|
||
\& [LOGS info]: substitute client_name: "unknown" -> "english-breakfast.cloud8.net"
|
||
\& [LOGS info]: match client_name: TRUE
|
||
\& [LOGS info]: Action: REJECT
|
||
.Ve
|
||
.PP
|
||
\&\fIRuleset evaluation\fR
|
||
.PP
|
||
A rule hits when all items (or at least one element of a list for each item) have matched. As soon as one item (or all elements of a list) fails
|
||
to compare against the request attribute the parser will jump to the next rule in the postfwd ruleset.
|
||
.PP
|
||
If a rule matches, there are two options:
|
||
.PP
|
||
* Rule returns postfix action (dunno, reject, ...)
|
||
The parser stops rule processing and returns the action to postfix. Other rules will not be evaluated.
|
||
.PP
|
||
* Rule returns postfwd action (\fIjump()\fR, \fInote()\fR, ...)
|
||
The parser evaluates the given action and continues with the next rule (except for the \fIjump()\fR or \fIquit()\fR actions \- please see the \*(L"\s-1ACTIONS\s0\*(R" section
|
||
for more information). Nothing will be sent to postfix.
|
||
.PP
|
||
If no rule has matched and the end of the ruleset is reached postfwd will return dunno without logging anything unless in verbose mode. You may
|
||
simply place a last `catch\-all´ rule to change that behaviour:
|
||
.PP
|
||
.Vb 2
|
||
\& ... <your rules> ...
|
||
\& id=DEFAULT ; action=dunno
|
||
.Ve
|
||
.PP
|
||
will log any request that passes the ruleset without having hit a prior rule.
|
||
.Sh "\s-1INTEGRATION\s0"
|
||
.IX Subsection "INTEGRATION"
|
||
\&\fIIntegration via daemon mode\fR
|
||
.PP
|
||
The common way to use postfwd is to start it as daemon, listening at a specified tcp port.
|
||
As postfwd will run in a single instance (multiplexing mode), it will take most benefit of
|
||
it`s internal caching in that case. Start postfwd with the following parameters:
|
||
.PP
|
||
.Vb 1
|
||
\& postfwd -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10040 -u nobody -g nobody -S
|
||
.Ve
|
||
.PP
|
||
For efficient caching you should check if you can use the options \-\-cache\-rdomain\-only, \-\-cache\-no\-sender
|
||
and \-\-cache\-no\-size.
|
||
.PP
|
||
Now check your syslogs (default facility \*(L"mail\*(R") for a line like:
|
||
.PP
|
||
.Vb 1
|
||
\& Aug 9 23:00:24 mail postfwd[5158]: postfwd n.nn ready for input
|
||
.Ve
|
||
.PP
|
||
and use `netstat \-an|grep 10040` to check for something like
|
||
.PP
|
||
.Vb 1
|
||
\& tcp 0 0 127.0.0.1:10040 0.0.0.0:* LISTEN
|
||
.Ve
|
||
.PP
|
||
If everything works, open your postfix main.cf and insert the following
|
||
.PP
|
||
.Vb 4
|
||
\& 127.0.0.1:10040_time_limit = 3600 <--- integration
|
||
\& smtpd_recipient_restrictions = permit_mynetworks <--- recommended
|
||
\& reject_unauth_destination <--- recommended
|
||
\& check_policy_service inet:127.0.0.1:10040 <--- integration
|
||
.Ve
|
||
.PP
|
||
Reload your configuration with `postfix reload` and watch your logs. In it works you should see
|
||
lines like the following in your mail log:
|
||
.PP
|
||
.Vb 1
|
||
\& Aug 9 23:01:24 mail postfwd[5158]: rule=22, id=ML_POSTFIX, client=english-breakfast.cloud9.net[168.100.1.7], sender=owner-postfix-users@postfix.tld, recipient=someone@domain.local, helo=english-breakfast.cloud9.net, proto=ESMTP, state=RCPT, action=dunno
|
||
.Ve
|
||
.PP
|
||
If you want to check for size or rcpt_count items you must integrate postfwd in smtp_data_restrictions or
|
||
smtpd_end_of_data_restrictions. Of course you can also specify a restriction class and use it in your access
|
||
tables. First create a file /etc/postfix/policy containing:
|
||
.PP
|
||
.Vb 3
|
||
\& domain1.local postfwdcheck
|
||
\& domain2.local postfwdcheck
|
||
\& ...
|
||
.Ve
|
||
.PP
|
||
Then postmap that file (`postmap hash:/etc/postfix/policy`), open your main.cf and enter
|
||
.PP
|
||
.Vb 3
|
||
\& # Restriction Classes
|
||
\& smtpd_restriction_classes = postfwdcheck, <some more>... <--- integration
|
||
\& postfwdcheck = check_policy_service inet:127.0.0.1:10040 <--- integration
|
||
.Ve
|
||
.PP
|
||
.Vb 6
|
||
\& 127.0.0.1:10040_time_limit = 3600 <--- integration
|
||
\& smtpd_recipient_restrictions = permit_mynetworks, <--- recommended
|
||
\& reject_unauth_destination, <--- recommended
|
||
\& ... <--- optional
|
||
\& check_recipient_access hash:/etc/postfix/policy, <--- integration
|
||
\& ... <--- optional
|
||
.Ve
|
||
.PP
|
||
Reload postfix and watch your logs.
|
||
.PP
|
||
\&\fIIntegration via xinetd\fR
|
||
.PP
|
||
There might be several reasons for you to use postfwd via a tcp wrapper package like xinetd (see <http://www.xinetd.org/>).
|
||
I won`t discuss that here. If you plan to do so, just add the following line to your /etc/services file:
|
||
.PP
|
||
.Vb 2
|
||
\& # postfwd port
|
||
\& postfwd 10040/tcp
|
||
.Ve
|
||
.PP
|
||
Then create a file '/etc/xinetd.d/postfwd':
|
||
.PP
|
||
.Vb 10
|
||
\& {
|
||
\& interface = 127.0.0.1
|
||
\& socket_type = stream
|
||
\& protocol = tcp
|
||
\& wait = no
|
||
\& user = nobody
|
||
\& server = /usr/local/bin/postfwd
|
||
\& server_args = -f /etc/postfwd.cf
|
||
\& disable = no
|
||
\& }
|
||
.Ve
|
||
.PP
|
||
and restart the xinetd daemon (usually a \s-1SIGHUP\s0 should be fine). If you experience problems
|
||
you might want to check your system's log for xinetd errors like \*(L"socket already in use\*(R".
|
||
.PP
|
||
The integration with postfix is similar to the \fIIntegration via daemon mode\fR section above.
|
||
Reload postfix and watch your logs to see if everything works.
|
||
.Sh "\s-1TESTING\s0"
|
||
.IX Subsection "TESTING"
|
||
First you have to create a ruleset (see Configuration section). Check it with
|
||
.PP
|
||
.Vb 1
|
||
\& postfwd -f /etc/postfwd.cf -C
|
||
.Ve
|
||
.PP
|
||
There is an example policy request distributed with postfwd, called 'request.sample'.
|
||
Simply change it to meet your requirements and use
|
||
.PP
|
||
.Vb 1
|
||
\& postfwd -f /etc/postfwd.cf <request.sample
|
||
.Ve
|
||
.PP
|
||
You should get an answer like
|
||
.PP
|
||
.Vb 1
|
||
\& action=<whateveryouconfigured>
|
||
.Ve
|
||
.PP
|
||
For network tests I use netcat:
|
||
.PP
|
||
.Vb 1
|
||
\& nc 127.0.0.1 10040 <request.sample
|
||
.Ve
|
||
.PP
|
||
to send a request to postfwd. If you receive nothing, make sure that postfwd is running and
|
||
listening on the specified network settings.
|
||
.Sh "\s-1PERFORMANCE\s0"
|
||
.IX Subsection "PERFORMANCE"
|
||
Some of these proposals might not match your environment. Please check your requirements and test new options carefully!
|
||
.PP
|
||
.Vb 7
|
||
\& - use caching options
|
||
\& - use the correct match operator ==, <=, >=
|
||
\& - use ^ and/or $ in regular expressions
|
||
\& - use item lists (faster than single rules)
|
||
\& - use set() action on repeated item lists
|
||
\& - use jumps and rate limits
|
||
\& - use a pre-lookup rule for rbl/rhsbls with empty note() action
|
||
.Ve
|
||
.Sh "\s-1SEE\s0 \s-1ALSO\s0"
|
||
.IX Subsection "SEE ALSO"
|
||
See <http://www.postfix.org/SMTPD_POLICY_README.html> for a description
|
||
of how Postfix policy servers work.
|
||
.SH "LICENSE"
|
||
.IX Header "LICENSE"
|
||
postfwd is free software and released under \s-1BSD\s0 license, which basically means
|
||
that you can do what you want as long as you keep the copyright notice:
|
||
.PP
|
||
Copyright (c) 2007, Jan Peter Kessler
|
||
All rights reserved.
|
||
.PP
|
||
Redistribution and use in source and binary forms, with or without modification,
|
||
are permitted provided that the following conditions are met:
|
||
.PP
|
||
.Vb 9
|
||
\& * Redistributions of source code must retain the above copyright
|
||
\& notice, this list of conditions and the following disclaimer.
|
||
\& * Redistributions in binary form must reproduce the above copyright
|
||
\& notice, this list of conditions and the following disclaimer in
|
||
\& the documentation and/or other materials provided with the
|
||
\& distribution.
|
||
\& * Neither the name of the authors nor the names of his contributors
|
||
\& may be used to endorse or promote products derived from this
|
||
\& software without specific prior written permission.
|
||
.Ve
|
||
.PP
|
||
\&\s-1THIS\s0 \s-1SOFTWARE\s0 \s-1IS\s0 \s-1PROVIDED\s0 \s-1BY\s0 \s-1ME\s0 ``\s-1AS\s0 \s-1IS\s0'' \s-1AND\s0 \s-1ANY\s0 \s-1EXPRESS\s0 \s-1OR\s0 \s-1IMPLIED\s0 \s-1WARRANTIES\s0,
|
||
\&\s-1INCLUDING\s0, \s-1BUT\s0 \s-1NOT\s0 \s-1LIMITED\s0 \s-1TO\s0, \s-1THE\s0 \s-1IMPLIED\s0 \s-1WARRANTIES\s0 \s-1OF\s0 \s-1MERCHANTABILITY\s0 \s-1AND\s0 \s-1FITNESS\s0
|
||
\&\s-1FOR\s0 A \s-1PARTICULAR\s0 \s-1PURPOSE\s0 \s-1ARE\s0 \s-1DISCLAIMED\s0. \s-1IN\s0 \s-1NO\s0 \s-1EVENT\s0 \s-1SHALL\s0 \s-1BE\s0 \s-1LIABLE\s0 \s-1FOR\s0 \s-1ANY\s0 \s-1DIRECT\s0,
|
||
\&\s-1INDIRECT\s0, \s-1INCIDENTAL\s0, \s-1SPECIAL\s0, \s-1EXEMPLARY\s0, \s-1OR\s0 \s-1CONSEQUENTIAL\s0 \s-1DAMAGES\s0 (\s-1INCLUDING\s0, \s-1BUT\s0
|
||
\&\s-1NOT\s0 \s-1LIMITED\s0 \s-1TO\s0, \s-1PROCUREMENT\s0 \s-1OF\s0 \s-1SUBSTITUTE\s0 \s-1GOODS\s0 \s-1OR\s0 \s-1SERVICES\s0; \s-1LOSS\s0 \s-1OF\s0 \s-1USE\s0, \s-1DATA\s0, \s-1OR\s0
|
||
\&\s-1PROFITS\s0; \s-1OR\s0 \s-1BUSINESS\s0 \s-1INTERRUPTION\s0) \s-1HOWEVER\s0 \s-1CAUSED\s0 \s-1AND\s0 \s-1ON\s0 \s-1ANY\s0 \s-1THEORY\s0 \s-1OF\s0 \s-1LIABILITY\s0,
|
||
\&\s-1WHETHER\s0 \s-1IN\s0 \s-1CONTRACT\s0, \s-1STRICT\s0 \s-1LIABILITY\s0, \s-1OR\s0 \s-1TORT\s0 (\s-1INCLUDING\s0 \s-1NEGLIGENCE\s0 \s-1OR\s0 \s-1OTHERWISE\s0)
|
||
\&\s-1ARISING\s0 \s-1IN\s0 \s-1ANY\s0 \s-1WAY\s0 \s-1OUT\s0 \s-1OF\s0 \s-1THE\s0 \s-1USE\s0 \s-1OF\s0 \s-1THIS\s0 \s-1SOFTWARE\s0, \s-1EVEN\s0 \s-1IF\s0 \s-1ADVISED\s0 \s-1OF\s0 \s-1THE\s0
|
||
\&\s-1POSSIBILITY\s0 \s-1OF\s0 \s-1SUCH\s0 \s-1DAMAGE\s0.
|
||
.SH "AUTHOR"
|
||
.IX Header "AUTHOR"
|
||
Jan\ Peter\ Kessler\ <info\ (\s-1AT\s0)\ postfwd\ (\s-1DOT\s0)\ org>. Let me know, if you have any suggestions.
|