update..

2022-09-20 01:23:54 +02:00
parent 68e7e0e174
commit f80772ed42
98 changed files with 4127 additions and 89 deletions
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts
@ -0,0 +1,24 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# hosts blocked by postfwd
+#
+#    This file is called with '=~'. This means perl regexp is possible
+#
+#
+# To increase performance use ^ and/or $ in regular expressions
+#
+# Example:
+#
+#  # block all hosts of domain 'oopen.de'
+#  \.oopen\.de$
+#
+#  # block host a.mx.oopen.de
+#  ^a\.mx\.oopen\.de$
+#
+# ---
+
+# give hostnames to blocke here
+illuminatus\.lionheart\.lovejoy$
+dancortez\.500$
+geplosser\.pl$
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-nets
@ -0,0 +1,20 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Networks blocked by postfwd
+#
+# Example:
+#
+#   # web0.warenform.de
+#   #83.223.86.76
+#   #2a01:30:0:505:286:96ff:fe4a:6ee
+#   #2a01:30:0:13:286:96ff:fe4a:6eee
+#
+# ---
+
+# give networks to block here
+188.214.104.0/24
+91.219.236.254
+85.254.72.106
+103.136.40.0/23
+185.53.170.115
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-sender
@ -0,0 +1,58 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Sender addresses blocked by postfwd
+#
+#    This file is called with '=~'. This means perl regexp is possible
+#
+#
+# To increase performance use ^ and/or $ in regular expressions
+#
+#  @acieu\.co\.uk$
+#  ^error@mailfrom.com$
+#
+# instedt of 
+#
+#  @acieu.co.uk
+#  error@mailfrom.com
+#
+#
+# Example:
+#
+#  #  # annoying spammer domains
+#  # block all senders of maildomaindomain 'oopen.de'
+#  @acieu\.co\.uk$
+#
+#  # annoying spammer addresses
+#  # block sender address 
+#  error@mailfrom.com
+#  sqek@eike\.se$
+#
+# ---
+
+# annoying spammer domains
+@acieu\.co\.uk$
+@sendelope\.eu$
+@growthrecords\.com$
+@videosicherheit.biz$
+@arbeitsschutzmasken.shop$
+@medprodukte.shop$
+@geplosser\.pl$
+@alfasells\.de$
+@news-des-tages\.de$
+
+@inx1and1\..+$
+@ppe-healthcare-europe\.\S+$
+@testbedarf\.shop$
+@acievents\.\S+$
+@dokpotenz\.\S+$
+@doktorapo\.\S+$
+@team-de-luxe\.\S+$
+@klickensiejetzt\.\S+$
+@podiumskate\.\S+$
+@ppe-healthcare-europe\.\S+$
+
+
+# annoying spammer addresses
+^error@mailfrom\.com$
+^sqek@eike\.se$
--- a/roles/common/files/mailserver/etc/postfix/postfwd.bl-user
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.bl-user
@ -0,0 +1,13 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# SASL Users blocked by postfwd
+#
+# Example:
+#
+#   # give SASL usernames to block here
+#   ckubu@oopen.de
+#
+# ---
+
+# give SASL usernames to block here
--- a/roles/common/files/mailserver/etc/postfix/postfwd.cf
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.cf
@ -0,0 +1,173 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+#======= Definitions ============
+
+# Match messages with an associated SASL username
+&&SASL_AUTH {
+    sasl_username!~^$
+}
+
+# Trusted networks
+&&TRUSTED_NETS {
+   client_address==file:/etc/postfix/postfwd.wl-nets
+}
+
+# Trusted hostnames
+#   client_name~=.warenform.de$
+&&TRUSTED_HOSTS {
+   client_name=~file:/etc/postfix/postfwd.wl-hosts
+}
+
+# Trusted users
+&&TRUSTED_USERS {
+    sasl_username==file:/etc/postfix/postfwd.wl-user
+}
+
+# Trusted senders
+&&TRUSTED_SENDERS {
+   sender=~file:/etc/postfix/postfwd.wl-sender
+}
+
+# Blacklist networks
+&&BLOCK_NETS {
+   client_address==file:/etc/postfix/postfwd.bl-nets
+}
+
+# Blacklist hostnames
+&&BLOCK_HOSTS {
+   client_name=~file:/etc/postfix/postfwd.bl-hosts
+}
+
+# Blacklist users
+&&BLOCK_USERS {
+   sasl_username==file:/etc/postfix/postfwd.bl-user
+}
+
+# Blacklist sender adresses
+&&BLOCK_SENDER {
+   # =~
+   # using '=~' allows also matching entries for domains (i.e. @acieu.co.uk)
+   sender=~file:/etc/postfix/postfwd.bl-sender
+}
+
+# Inbound emails only
+&&INCOMING {
+    client_address!=127.0.0.1
+}
+
+
+#======= Rule Sets ============
+
+# ---
+#
+# Processing of the Rule Sets
+#
+# The parser checks the elements of a policy delegation request against the postfwd set
+# of rules and, if necessary, triggers the configured action (action=). Similar to a
+# classic firewall, a rule is considered true if every element of the set of rules (or
+# one from every element list) applies to the comparison. I.e. the following rule:
+#
+#    client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT
+#
+# triggers a REJECT if the
+#
+#    Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
+#
+#
+# Note:
+#    If an element occurs more than once, an element list is formed:
+#
+# The following rule set is equivalent to the above:
+#
+#    client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT
+#
+#
+# triggers a REJECT if (as above) the
+#
+#    Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
+#
+# ---
+
+# Whitelists
+
+# Whitelist trusted networks
+id=WHL_NETS
+   &&TRUSTED_NETS
+   action=DUNNO
+
+# Whitelist trusted hostnames
+id=WHL_HOSTS
+   &&TRUSTED_HOSTS
+   action=DUNNO
+
+# Whitelist sasl users
+id=WHL_USERS
+	&&TRUSTED_USERS
+	action=DUNNO
+
+# Whitelist senders
+id=WHL_SENDERS
+   &&INCOMING
+   &&TRUSTED_SENDERS
+   action=DUNNO
+
+
+# Blacklists
+
+# Block networks
+id=BL_NETS
+   &&BLOCK_NETS
+   action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS
+
+# Block hostname
+id=BL_HOSTS
+   &&BLOCK_HOSTS
+   action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS
+
+# Block users
+id=BL_USERS
+   &&BLOCK_USERS
+   action=REJECT User is blocked by Mailserver admins. Error: BL_USERS
+
+# Blacklist sender
+#
+#    Claim successful delivery and silently discard the message.
+#
+id=BL_SENDER
+   &&BLOCK_SENDER
+   #action=DISCARD
+   action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER
+
+
+# Rate Limits
+
+# Throttle unknown clients to 5 recipients per 5 minutes:
+id=RATE_UNKNOWN_CLIENT_ADDR
+   sasl_username =~ /^$/
+	client_name==unknown
+	action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed)
+
+# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. Error:RATE_CLIENT)
+id=RATE_CLIENT_ADDR
+    &&INCOMING
+    action=rate($$client_address/50/60/421 421 4.7.0 Too many connections from $$client_address)
+
+# Block messages with more than 50 recipients
+id=BLOCK_MSG_RCPT
+    &&INCOMING
+    &&SASL_AUTH
+	 recipient_count=50
+    action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT
+
+# Block users sending more than 50 messages/hour
+id=RATE_MSG
+    &&INCOMING
+    &&SASL_AUTH
+    action=rate($$sasl_username/50/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG)
+
+# Block users sending more than 250 recipients total/hour
+id=RATE_RCPT
+    &&INCOMING
+    &&SASL_AUTH
+    action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT)
+
--- a/roles/common/files/mailserver/etc/postfix/postfwd.wl-hosts
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.wl-hosts
@ -0,0 +1,22 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Trusted hosts whitelisted by postfwd
+#
+#    This file is called with '=~'. This means perl regexp is possible
+#
+#
+# To increase performance use ^ and/or $ in regular expressions
+#
+# Example:
+#
+#  # all hosts of domain 'oopen.de'
+#  \.oopen\.de$
+#
+#  # host a.mx.oopen.de
+#  ^a\.mx\.oopen\.de$
+#
+# ---
+
+# give truested hostnames here
+
--- a/roles/common/files/mailserver/etc/postfix/postfwd.wl-nets
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.wl-nets
@ -0,0 +1,15 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Trusted networks whitelisted by postfwd
+#
+# Example:
+#
+#   # web0.warenform.de
+#   #83.223.86.76
+#   #2a01:30:0:505:286:96ff:fe4a:6ee
+#   #2a01:30:0:13:286:96ff:fe4a:6eee
+#
+# ---
+
+# give truested networrk adresses here
--- a/roles/common/files/mailserver/etc/postfix/postfwd.wl-sender
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.wl-sender
@ -0,0 +1,22 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# Trusted senders whitelisted by postfwd
+#
+#    This file is called with '=~'. This means perl regexp is possible
+#
+#
+# To increase performance use ^ and/or $ in regular expressions
+#
+# Example:
+#
+#  # all senders of maildomaindomain 'oopen.de'
+#  @oopen\.de$
+#
+#  # sender address ckubu@oopen.de
+#  ^ckubu@oopen\.de$
+#
+# ---
+
+# give trusted sender addresses here
+
--- a/roles/common/files/mailserver/etc/postfix/postfwd.wl-user
+++ b/roles/common/files/mailserver/etc/postfix/postfwd.wl-user
@ -0,0 +1,15 @@
+# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
+
+# ---
+# SASL Users whitelisted by postfwd
+#
+# example:
+#
+#    # give trusted sasl usernames here
+#    ckubu@oopen.de
+#    vertrieb@akweb.de
+#
+# ---
+
+# give trusted sasl usernames here
+