# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#======= Definitions ============
# Match requests that carry a SASL username, i.e. the client authenticated
# (Postfix passes an empty sasl_username for unauthenticated clients).
# Used below to scope the per-user limits (BLOCK_MSG_RCPT, RATE_MSG, RATE_RCPT)
# to authenticated submissions only.
&&SASL_AUTH {
sasl_username!~^$
}

# Trusted networks: client addresses read from file, one entry per line in the
# form postfwd's file: lists accept. A match gives DUNNO in WHL_NETS, which ends
# postfwd evaluation: none of the blocklists or rate limits below apply to these
# clients. Keep the list tight and the file's permissions restricted — an entry
# here is a full postfwd bypass for that address.
&&TRUSTED_NETS {
client_address==file:/etc/postfix/postfwd.wl-nets
}

# Trusted hostnames: regular expressions read from file, matched against the
# client_name Postfix derived from the client's reverse DNS (Postfix passes
# "unknown" when that name could not be verified, so "unknown" should never be
# listed here).
# Entries must be anchored and have dots escaped, e.g. `\.warenform\.de$`:
# an unanchored `warenform.de` also matches `warenform.de.attacker.example`,
# and an unescaped `.` matches any character (`xwarenform.de`).
# Equivalent inline rule (note the operator is `=~`; `~=` does not exist):
# client_name=~\.warenform\.de$
&&TRUSTED_HOSTS {
client_name=~file:/etc/postfix/postfwd.wl-hosts
}

# Trusted SASL users: exact usernames read from file, one per line.
# A match gives DUNNO in WHL_USERS, so these accounts skip BL_USERS and the
# per-user limits (BLOCK_MSG_RCPT, RATE_MSG, RATE_RCPT) — a compromised
# account on this list can send unthrottled.
&&TRUSTED_USERS {
sasl_username==file:/etc/postfix/postfwd.wl-user
}

# Trusted envelope senders: regular expressions read from file.
# NOTE(review): the envelope sender (MAIL FROM) is supplied by the client and is
# not authenticated, so anything keyed on it can be spoofed; see WHL_SENDERS for
# the consequence of where that rule sits. Anchor entries
# (`^user@example\.com$`) so a pattern cannot match a superstring such as
# user@example.com.attacker.example.
&&TRUSTED_SENDERS {
sender=~file:/etc/postfix/postfwd.wl-sender
}

# Blocked networks: client addresses read from file. Used by BL_NETS.
# Rules are evaluated top-down and the WHL_* rules come first, so a client that
# also matches one of the trusted lists is never blocked here.
&&BLOCK_NETS {
client_address==file:/etc/postfix/postfwd.bl-nets
}

# Blocked hostnames: regular expressions read from file, matched against the
# reverse-DNS client_name Postfix passes. Used by BL_HOSTS.
# Anchor entries (`\.example\.com$`) and escape dots, as for TRUSTED_HOSTS;
# a loose pattern here blocks more than intended.
&&BLOCK_HOSTS {
client_name=~file:/etc/postfix/postfwd.bl-hosts
}

# Blocked SASL users: exact usernames read from file. Used by BL_USERS.
# Only reached for requests that were not already whitelisted by WHL_NETS,
# WHL_HOSTS, WHL_USERS or WHL_SENDERS (first terminal action wins).
&&BLOCK_USERS {
sasl_username==file:/etc/postfix/postfwd.bl-user
}

# Blocked envelope sender addresses: regular expressions read from file.
# `=~` (regex) rather than `==` lets a single entry cover a whole domain,
# e.g. `@acieu\.co\.uk$`. Anchor and escape entries for the same reason as the
# whitelists. MAIL FROM is client-supplied, so this blocks a given string, not
# a given party.
&&BLOCK_SENDER {
sender=~file:/etc/postfix/postfwd.bl-sender
}

# Messages of 20 MB (20971520 bytes) and above addressed to a recipient listed
# in the file.
# NOTE(review): the name says CLIENT_NAME but the macro matches on `recipient`;
# renaming it means changing BLOCK_MSG_SIZE_20MB as well, so it is left as is.
# `size` is only known at END-OF-MESSAGE, so this only ever fires if postfwd is
# also queried from smtpd_end_of_data_restrictions — confirm in main.cf.
# NOTE(review): `size=N` is assumed here to compare as "size >= N", which is
# what the comment intends; confirm against the installed postfwd's numeric
# operator semantics.
# NOTE(review): for multi-recipient messages the `recipient` attribute at this
# stage may not carry every recipient of the message — verify that the limit
# behaves as intended for such messages.
&&BLOCK_CLIENT_NAME_MSG_SIZE_20MB {
protocol_state==END-OF-MESSAGE
recipient=~file:/etc/postfix/postfwd.bl-recipient-exeeds-msg-size-20mb
size=20971520
}

# "Not from IPv4 loopback": matches every client except 127.0.0.1.
# Despite the name this is not "inbound only" — authenticated submission
# clients connecting from any other address match too, which is what the
# SASL-scoped rules below (BLOCK_MSG_RCPT, RATE_MSG, RATE_RCPT) rely on.
# NOTE(review): ::1 and the host's own non-loopback addresses are not excluded;
# if Postfix also listens on IPv6 loopback (e.g. a content filter re-injecting
# mail on [::1]) those requests are limited like external clients. Adding a
# second client_address!= element forms an element list, whose negation
# semantics should be checked in the postfwd docs before relying on it.
&&INCOMING {
client_address!=127.0.0.1
}

#======= Rule Sets ============
# ---
#
# Processing of the Rule Sets
#
# The parser checks the elements of a policy delegation request against the postfwd set
# of rules and, if necessary, triggers the configured action (action=). Similar to a
# classic firewall, a rule matches only if every element of the rule (or, for an
# element list, at least one entry of that list) matches the request. Rules are
# evaluated top-down and evaluation stops at the first rule whose action returns a
# result to Postfix (DUNNO, REJECT, ...), so the order of the rule sets below is
# part of the policy. E.g. the following rule:
#
# client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT
#
# triggers a REJECT if the
#
# Client address is equal to (1.1.1.1 OR 1.1.1.2) AND the client name is 'unknown'
#
#
# Note:
# If an element occurs more than once, an element list is formed:
#
# The following rule set is equivalent to the above:
#
# client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT
#
#
# triggers a REJECT if (as above) the
#
# Client address is (1.1.1.1 OR 1.1.1.2) AND the client name is 'unknown'
#
# ---
# Whitelists
# Whitelist trusted networks. DUNNO means "no opinion": postfwd stops evaluating
# this request (the blocklists and rate limits below are skipped), but Postfix's
# own remaining restrictions still apply — this is not an unconditional accept.
id=WHL_NETS
&&TRUSTED_NETS
action=DUNNO

# Whitelist trusted hostnames (reverse-DNS names, see TRUSTED_HOSTS for the
# anchoring requirement). DUNNO ends postfwd evaluation for the request; the
# rules below are skipped.
id=WHL_HOSTS
&&TRUSTED_HOSTS
action=DUNNO

# Whitelist SASL users. DUNNO ends postfwd evaluation, so listed accounts are
# exempt from BL_USERS and from every rate limit below — keep the list short.
id=WHL_USERS
&&TRUSTED_USERS
action=DUNNO

# Whitelist senders for clients other than 127.0.0.1 (&&INCOMING).
# NOTE(review): this rule keys on the envelope sender, which any client can
# forge, and it sits above BL_NETS, BL_HOSTS, BL_USERS, BL_SENDER and the
# RATE_* rules. Because the first terminal action wins, a client that forges a
# whitelisted MAIL FROM bypasses every blocklist and rate limit in this file.
# Recommended: move this rule below the Blacklists section, or combine it with
# a condition the client cannot forge (e.g. &&SASL_AUTH or a trusted network).
id=WHL_SENDERS
&&INCOMING
&&TRUSTED_SENDERS
action=DUNNO

# Blacklists
# Block networks listed in BLOCK_NETS. The reply echoes the client's own
# address and the rule id so the rejection can be traced in the logs.
# Not reached for clients already whitelisted by a WHL_* rule above.
id=BL_NETS
&&BLOCK_NETS
action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS

# Block reverse-DNS hostnames listed in BLOCK_HOSTS. The reply echoes the
# client_name Postfix passed and the rule id for log correlation.
id=BL_HOSTS
&&BLOCK_HOSTS
action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS

# Block SASL users listed in BLOCK_USERS (e.g. compromised accounts).
# The reply deliberately does not echo the username.
id=BL_USERS
&&BLOCK_USERS
action=REJECT User is blocked by Mailserver admins. Error: BL_USERS

# Blacklist sender: reject envelope senders listed in BLOCK_SENDER.
#
# The active action is a REJECT at SMTP time. The commented-out DISCARD
# alternative would instead accept the message and silently drop it (the
# client believes it was delivered). Keep REJECT unless silent dropping is the
# explicit intent — DISCARD hides a listing from legitimate senders.
#
id=BL_SENDER
&&BLOCK_SENDER
#action=DISCARD
action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER

# Reject messages of 20 MB and above for the recipients listed in
# BLOCK_CLIENT_NAME_MSG_SIZE_20MB. Only fires at END-OF-MESSAGE, i.e. only if
# postfwd is queried from smtpd_end_of_data_restrictions; at that point the
# message body has already been transferred, so this saves delivery, not bandwidth.
id=BLOCK_MSG_SIZE_20MB
&&BLOCK_CLIENT_NAME_MSG_SIZE_20MB
action=REJECT message exceeds the size of 20 MB ($$size). Error: BLOCK_MSG_SIZE_20MB

# Rate Limits
# Throttle unauthenticated clients without a verified reverse-DNS name to 5
# requests per 5 minutes (one request per RCPT TO if postfwd is queried from
# smtpd_recipient_restrictions). The 450 reply is temporary, so a legitimate
# sender retries later.
# NOTE(review): the rate() key is written as `client_address` here but as
# `$$client_address` in RATE_CLIENT_ADDR. If the installed postfwd only
# expands the `$$` form, the bare name is one shared counter for all unknown
# clients and this rule becomes a global 5-per-5-minutes limit on
# unauthenticated mail — confirm, and use one form consistently.
# `sasl_username =~ /^$/` is the same test as the negation of &&SASL_AUTH.
id=RATE_UNKNOWN_CLIENT_ADDR
sasl_username =~ /^$/
client_name==unknown
action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed)

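# Throttle clients (IP addresses) other than 127.0.0.1 to 50 policy requests per
# minute. The 421 reply makes Postfix close the connection.
# Fix: the reply text used to read "421 421 4.7.0 ...", duplicating the SMTP
# code in front of the enhanced status code; the other rate() actions in this
# file use the "<code> <enhanced-code> <text>" form, which is used here now.
# NOTE(review): rate() counts policy requests; if postfwd is queried once per
# RCPT TO this is 50 recipients per minute, not 50 messages — confirm the
# intended unit. Clients whitelisted by a WHL_* rule never reach this rule.
id=RATE_CLIENT_ADDR
&&INCOMING
action=rate($$client_address/50/60/421 4.7.0 Too many connections from $$client_address)
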
# Reject authenticated submissions with 50 or more recipients.
# NOTE(review): applies only to SASL-authenticated clients (&&SASL_AUTH);
# unauthenticated inbound mail gets no recipient cap from this rule.
# NOTE(review): if postfwd is queried per RCPT TO, recipient_count is the number
# of recipients accepted so far, so this rejects the 51st recipient onward while
# the first 50 are kept — the recipient list is truncated, the message is not
# blocked. Rejecting the whole message needs the check at END-OF-MESSAGE.
# `recipient_count=50` is assumed to compare as ">= 50"; confirm the numeric
# operator semantics of the installed postfwd.
id=BLOCK_MSG_RCPT
&&INCOMING
&&SASL_AUTH
recipient_count=50
action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT

# Throttle each authenticated user to 50 requests per hour, keyed on the SASL
# username (so a compromised account is limited regardless of source address).
# NOTE(review): rate() counts policy requests; if postfwd is queried per RCPT TO
# this is 50 recipients per hour rather than 50 messages — confirm the unit.
# Users listed in TRUSTED_USERS are exempt (WHL_USERS returns DUNNO first).
id=RATE_MSG
&&INCOMING
&&SASL_AUTH
action=rate($$sasl_username/50/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG)

# Throttle each authenticated user to 250 recipients per hour, keyed on the
# SASL username.
# NOTE(review): rcpt() is driven by the recipient_count attribute Postfix
# supplies; confirm postfwd is queried at a stage where that count reflects the
# message's recipients, otherwise the limit is not enforced as described.
# Users listed in TRUSTED_USERS are exempt (WHL_USERS returns DUNNO first).
id=RATE_RCPT
&&INCOMING
&&SASL_AUTH
action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT)
