update..
This commit is contained in:
177
roles/common/files/ga-st-mail/etc/postfix/postfwd.cf
Normal file
177
roles/common/files/ga-st-mail/etc/postfix/postfwd.cf
Normal file
@@ -0,0 +1,177 @@
|
||||
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
|
||||
|
||||
#======= Definitions ============
|
||||
|
||||
# Match messages with an associated SASL username
|
||||
&&SASL_AUTH {
|
||||
sasl_username!~^$
|
||||
}
|
||||
|
||||
# Trusted networks
|
||||
&&TRUSTED_NETS {
|
||||
client_address==file:/etc/postfix/postfwd.wl-nets
|
||||
}
|
||||
|
||||
# Trusted hostnames
|
||||
# client_name~=.warenform.de$
|
||||
&&TRUSTED_HOSTS {
|
||||
client_name=~file:/etc/postfix/postfwd.wl-hosts
|
||||
}
|
||||
|
||||
# Trusted users
|
||||
&&TRUSTED_USERS {
|
||||
sasl_username==file:/etc/postfix/postfwd.wl-user
|
||||
}
|
||||
|
||||
# Trusted senders
|
||||
&&TRUSTED_SENDERS {
|
||||
sender=~file:/etc/postfix/postfwd.wl-sender
|
||||
}
|
||||
|
||||
# Blacklist networks
|
||||
&&BLOCK_NETS {
|
||||
client_address==file:/etc/postfix/postfwd.bl-nets
|
||||
}
|
||||
|
||||
# Blacklist hostnames
|
||||
&&BLOCK_HOSTS {
|
||||
client_name=~file:/etc/postfix/postfwd.bl-hosts
|
||||
}
|
||||
|
||||
# Blacklist users
|
||||
&&BLOCK_USERS {
|
||||
sasl_username==file:/etc/postfix/postfwd.bl-user
|
||||
}
|
||||
|
||||
# Blacklist sender adresses
|
||||
&&BLOCK_SENDER {
|
||||
# =~
|
||||
# using '=~' allows also matching entries for domains (i.e. @acieu.co.uk)
|
||||
sender=~file:/etc/postfix/postfwd.bl-sender
|
||||
}
|
||||
|
||||
# Inbound emails only
|
||||
&&INCOMING {
|
||||
client_address!=127.0.0.1
|
||||
}
|
||||
|
||||
|
||||
#======= Rule Sets ============
|
||||
|
||||
# ---
|
||||
#
|
||||
# Processing of the Rule Sets
|
||||
#
|
||||
# The parser checks the elements of a policy delegation request against the postfwd set
|
||||
# of rules and, if necessary, triggers the configured action (action=). Similar to a
|
||||
# classic firewall, a rule is considered true if every element of the set of rules (or
|
||||
# one from every element list) applies to the comparison. I.e. the following rule:
|
||||
#
|
||||
# client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT
|
||||
#
|
||||
# triggers a REJECT if the
|
||||
#
|
||||
# Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
|
||||
#
|
||||
#
|
||||
# Note:
|
||||
# If an element occurs more than once, an element list is formed:
|
||||
#
|
||||
# The following rule set is equivalent to the above:
|
||||
#
|
||||
# client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT
|
||||
#
|
||||
#
|
||||
# triggers a REJECT if (as above) the
|
||||
#
|
||||
# Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
|
||||
#
|
||||
# ---
|
||||
|
||||
# Whitelists
|
||||
|
||||
# Whitelist trusted networks
|
||||
id=WHL_NETS
|
||||
&&TRUSTED_NETS
|
||||
action=DUNNO
|
||||
|
||||
# Whitelist trusted hostnames
|
||||
id=WHL_HOSTS
|
||||
&&TRUSTED_HOSTS
|
||||
action=DUNNO
|
||||
|
||||
# Whitelist sasl users
|
||||
id=WHL_USERS
|
||||
&&TRUSTED_USERS
|
||||
action=DUNNO
|
||||
|
||||
# Whitelist senders
|
||||
id=WHL_SENDERS
|
||||
&&INCOMING
|
||||
&&TRUSTED_SENDERS
|
||||
action=DUNNO
|
||||
|
||||
|
||||
# Blacklists
|
||||
|
||||
# Block networks
|
||||
id=BL_NETS
|
||||
&&BLOCK_NETS
|
||||
action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS
|
||||
|
||||
# Block hostname
|
||||
id=BL_HOSTS
|
||||
&&BLOCK_HOSTS
|
||||
action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS
|
||||
|
||||
# Block users
|
||||
id=BL_USERS
|
||||
&&BLOCK_USERS
|
||||
action=REJECT User is blocked by Mailserver admins. Error: BL_USERS
|
||||
|
||||
# Blacklist sender
|
||||
#
|
||||
# Claim successful delivery and silently discard the message.
|
||||
#
|
||||
id=BL_SENDER
|
||||
&&BLOCK_SENDER
|
||||
#action=DISCARD
|
||||
action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER
|
||||
|
||||
|
||||
# Rate Limits
|
||||
|
||||
# Throttle unknown clients to 5 recipients per 5 minutes:
|
||||
id=RATE_UNKNOWN_CLIENT_ADDR
|
||||
sasl_username =~ /^$/
|
||||
client_name==unknown
|
||||
action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed)
|
||||
|
||||
# Changed from default 'more than 50 messages per minute' (/50/60/421 421)
|
||||
#
|
||||
# Block clients (ip-addresses) sending more than 150 messages per minute exceeded. Error:RATE_CLIENT)
|
||||
id=RATE_CLIENT_ADDR
|
||||
&&INCOMING
|
||||
action=rate($$client_address/150/60/421 421 4.7.0 Too many connections from $$client_address)
|
||||
|
||||
# Block messages with more than 50 recipients
|
||||
id=BLOCK_MSG_RCPT
|
||||
&&INCOMING
|
||||
&&SASL_AUTH
|
||||
recipient_count=50
|
||||
action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT
|
||||
|
||||
# Changed from default '50 messages/hour' (/50/3600/450)
|
||||
#
|
||||
# Block users sending more than 200 messages/hour
|
||||
id=RATE_MSG
|
||||
&&INCOMING
|
||||
&&SASL_AUTH
|
||||
action=rate($$sasl_username/200/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG)
|
||||
|
||||
# Block users sending more than 250 recipients total/hour
|
||||
id=RATE_RCPT
|
||||
&&INCOMING
|
||||
&&SASL_AUTH
|
||||
action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT)
|
||||
|
||||
Reference in New Issue
Block a user