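#======= Definitions ============
#
# postfwd policy configuration: named item groups (&&NAME { ... }) that the
# rules further down combine. The list files referenced via file:/... are
# loaded from /etc/postfix.

# Match messages with an associated SASL username (non-empty sasl_username)
&&SASL_AUTH {
    sasl_username!~^$
}

# Trusted networks (client IP listed in the whitelist file)
&&TRUSTED_NETS {
    client_address==file:/etc/postfix/postfwd.wl-nets
}

# Trusted hostnames
# Commented-out inline example kept for reference; note it is written with
# '~=' whereas the regex operator used everywhere else in this file is '=~'.
# client_name~=.warenform.de$
&&TRUSTED_HOSTS {
    client_name=~file:/etc/postfix/postfwd.wl-hosts
}

# Trusted users (SASL username listed in the whitelist file)
&&TRUSTED_USERS {
    sasl_username==file:/etc/postfix/postfwd.wl-user
}

# Trusted senders (envelope sender matched by regex against the whitelist file)
&&TRUSTED_SENDERS {
    sender=~file:/etc/postfix/postfwd.wl-sender
}

# Blacklist networks
&&BLOCK_NETS {
    client_address==file:/etc/postfix/postfwd.bl-nets
}

# Blacklist hostnames
&&BLOCK_HOSTS {
    client_name=~file:/etc/postfix/postfwd.bl-hosts
}

# Blacklist users
&&BLOCK_USERS {
    sasl_username==file:/etc/postfix/postfwd.bl-user
}

# Blacklist sender addresses
&&BLOCK_SENDER {
    # Using '=~' (rather than '==') also matches domain-only entries
    # (i.e. @acieu.co.uk) in the list file.
    sender=~file:/etc/postfix/postfwd.bl-sender
}

# Requests not originating from the local host.
# NOTE: despite the name, this only excludes client_address 127.0.0.1; it does
# not distinguish inbound mail from authenticated submission by other clients.
&&INCOMING {
    client_address!=127.0.0.1
}

#======= Rule Sets ============
# ---
#
# Processing of the Rule Sets
#
# The parser checks the elements of a policy delegation request against the postfwd set
# of rules and, if necessary, triggers the configured action (action=). Similar to a
# classic firewall, a rule is considered true if every element of the set of rules (or
# one from every element list) applies to the comparison. I.e. the following rule:
#
# client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT
#
# triggers a REJECT if the
#
# Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
#
#
# Note:
# If an element occurs more than once, an element list is formed:
#
# The following rule set is equivalent to the above:
#
# client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT
#
#
# triggers a REJECT if (as above) the
#
# Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
#
# ---
#
# Rule order matters: the whitelists come first, so a request that matches one
# of them is answered with DUNNO and (assuming DUNNO ends postfwd's evaluation
# for that request, as is usual for returning actions) never reaches the
# blacklist or rate-limit rules below.

# Whitelists

# Whitelist trusted networks
id=WHL_NETS    &&TRUSTED_NETS    action=DUNNO

# Whitelist trusted hostnames
id=WHL_HOSTS   &&TRUSTED_HOSTS   action=DUNNO

# Whitelist sasl users
id=WHL_USERS   &&TRUSTED_USERS   action=DUNNO

# Whitelist senders
# NOTE(review): the envelope sender is supplied by the connecting client and is
# not authenticated here, so a message whose MAIL FROM merely matches
# postfwd.wl-sender skips every blacklist and rate rule below. Keep that file
# short and consider combining it with a client-side condition (network or
# SASL user) rather than whitelisting on sender alone.
id=WHL_SENDERS &&INCOMING &&TRUSTED_SENDERS action=DUNNO

# Blacklists

# Block networks
id=BL_NETS  &&BLOCK_NETS  action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS

# Block hostname
id=BL_HOSTS &&BLOCK_HOSTS action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS

# Block users
id=BL_USERS &&BLOCK_USERS action=REJECT User is blocked by Mailserver admins. Error: BL_USERS

# Blacklist sender
#
# The active action is a REJECT. The alternative left commented out below
# (DISCARD) would instead claim successful delivery and silently drop the
# message.
#
id=BL_SENDER &&BLOCK_SENDER
#action=DISCARD
action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER

# Rate Limits
#
# rate(<item>/<max>/<seconds>/<action>) counts policy requests for <item>;
# rcpt(...) counts recipients. Whether one request equals one message or one
# recipient depends on the smtpd restriction stage postfwd is queried from
# (one request per RCPT TO in smtpd_recipient_restrictions) -- the "messages"
# wording in the comments below assumes the former; verify against main.cf.

# Throttle unknown clients (no SASL login, client_name 'unknown') to 5 requests per 5 minutes:
id=RATE_UNKNOWN_CLIENT_ADDR sasl_username =~ /^$/ client_name==unknown action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed)

# Temporarily defer clients (ip-addresses) sending more than 50 messages per minute.
# The rate action is a complete SMTP reply "<code> <enhanced status> <text>";
# the previous version carried the status code twice ("421 421 4.7.0 ...").
id=RATE_CLIENT_ADDR &&INCOMING action=rate($$client_address/50/60/421 4.7.0 Too many connections from $$client_address. Error:RATE_CLIENT_ADDR)

# Block messages with more than 50 recipients
# NOTE(review): 'recipient_count=50' as written reads as a comparison against
# exactly 50, not "more than 50" -- confirm the intended operator. Also,
# Postfix only supplies recipient_count in the end-of-data stage, so this rule
# presumably expects postfwd to be queried from smtpd_end_of_data_restrictions;
# verify.
id=BLOCK_MSG_RCPT &&INCOMING &&SASL_AUTH recipient_count=50 action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT

# Block authenticated users sending more than 50 messages/hour
id=RATE_MSG &&INCOMING &&SASL_AUTH action=rate($$sasl_username/50/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG)

# Block authenticated users sending to more than 250 recipients total/hour
id=RATE_RCPT &&INCOMING &&SASL_AUTH action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT)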