install_postfix_advanced.sh: Adjust smtpd restrictions. Write file '/etc/postfix/header_checks_pcre'.

2018-11-30 14:33:50 +01:00 · 2018-11-30 14:33:50 +01:00 · 20a9a17cb0
commit 20a9a17cb0
parent 407afaff26
1 changed files with 178 additions and 47 deletions
--- a/install_postfix_advanced.sh
+++ b/install_postfix_advanced.sh
@ -814,10 +814,26 @@ mydestination =
 ## - privileges than "strangers"
 ## -
 mynetworks = 
-   127.0.0.0/8
+   # +++++++++++++++++++++++++++++++++++++
+   # replace 127.0.0.1/8 with 127.0.0.1/32
+   # +++++++++++++++++++++++++++++++++++++
+   # So we can use i.e 127.0.0.25 (or any other 127.x.x.x address)
+   # to bind to hidden tor service on port 25 without having an 
+   # open relay
+   #
+   # see also: https://github.com/ehloonion/onionmx/blob/master/open-relay.md
+   #
+   #127.0.0.0/8
+   127.0.0.1/32
   ${IPV4}/32
+   # a.mx.oopen.de
+   #83.223.86.91
+   # b.mx.oopen.de
+   #83.223.86.97
+   # d.mx.oopen.de
+   #83.223.86.92/32

-#smtp_bind_address = $IPV4
+smtp_bind_address = $IPV4
 #smtp_bind_address6 = $IPV6

 EOF
@ -1004,7 +1020,7 @@ smtp_tls_CAfile = $_TLS_CA_FILE
 ## - Directory with PEM format certificate authority certificates that the Postfix SMTP 
 ## - client uses to verify a remote SMTP server certificate. Don't forget to create the 
 ## - necessary "hash" links with, for example, "
-## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". 
+## - /usr/bin/c_rehash /etc/postfix/certs". 
 ## -
 ## - !! Note !!
 ## - To use this option in chroot mode, this directory (or a copy) must be inside 
@ -1226,6 +1242,20 @@ virtual_alias_domains =

 #======= smtpd Restrictions  ============

+# - Order of evaluating smtpd restriction lists:
+# -
+# -    smtpd_client_restrictions
+# -    smtpd_helo_restrictions
+# -    smtpd_sender_restrictions
+# -    smtpd_relay_restrictions
+# -    smtpd_recipient_restrictions
+# -    smtpd_data_restrictions
+# -    smtpd_end_of_data_restrictions
+# -
+# - Note:
+# -    all smtpd restrictions are evaluated until one of them 
+# -    results in 'REJECT'
+
 ## ---
 ## - Define smtpd Restrictions
 ## ---
@ -1237,25 +1267,104 @@ check_greylist = check_policy_service inet:127.0.0.1:10023
 127.0.0.1:10040_time_limit = 3600


+# smtpd_delay_reject (default: yes)
+# 
+# Wait until the RCPT TO command before evaluating \$smtpd_client_restrictions, 
+# \$smtpd_helo_restrictions and \$smtpd_sender_restrictions, or wait until the 
+# ETRN command before evaluating \$smtpd_client_restrictions and \$smtpd_helo_restrictions.
+#
+# This feature is turned on by default because some clients apparently mis-behave 
+# when the Postfix SMTP server rejects commands before RCPT TO.
+#
+# The default setting has one major benefit: it allows Postfix to log recipient address 
+# information when rejecting a client name/address or sender address, so that it is 
+# possible to find out whose mail is being rejected.
+smtpd_delay_reject = yes
+
+
+
+## ---
+## smtpd Client Restrictions
+## ---
+
+smtpd_client_restrictions =
+   permit_sasl_authenticated,
+   permit_mynetworks,
+   # Whitelist clients
+   #
+   check_client_access btree:/etc/postfix/client_whitelist
+   # RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
+   # Whitelist (configured at a.ns.oopen.de)
+   #
+   permit_dnswl_client dnswl.oopen.de,
+   # Blacklists
+   reject_rbl_client zen.spamhaus.org,
+   reject_rbl_client ix.dnsbl.manitu.net,
+   # Greylisting check
+   #
+   #     check_policy_service inet:127.0.0.1:10023, 
+   #
+   #
+   # Using defined restriction class (see smtpd_restriction_classes):
+   #
+   #  greylist all connections:
+   #     check_greylist,
+   #
+   #  selctive greylisting:
+   #     check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
+   #
+   #warn_if_reject,
+   check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
+   #reject_rbl_client bl.spamcop.net,
+   # Reject the request when 
+   #    1) the client IP address->name mapping fails
+   #    2) the name->address mapping fails
+   #    3) the name->address mapping does not match the client IP address. 
+   #
+   # Note:
+   #    This is a stronger restriction than the reject_unknown_reverse_client_hostname 
+   #    feature, which triggers only under condition 1) above. 
+   #
+   #reject_unknown_client
+
+
 ## ---
 ## smtpd HELO Restrictions
 ## ---
+
+smtpd_helo_required = yes
 smtpd_helo_restrictions =
+   permit_mynetworks,
+   permit_sasl_authenticated,
+   # Whitelist clients
+   #
+   check_client_access btree:/etc/postfix/client_whitelist
+   # Reject the request when the HELO or EHLO hostname is malformed. 
+   #
+   # Note
+   #    specify "smtpd_helo_required = yes" to fully enforce this restriction
+   #    (without "smtpd_helo_required = yes", a client can simply skip 
+   #    reject_invalid_helo_hostname by not sending HELO or EHLO). 
+   #
+   reject_invalid_helo_hostname,
+   # Reject the request when the HELO or EHLO hostname is not in fully-qualified 
+   # domain or address literal form, as required by the RFC. 
+   #
+   reject_non_fqdn_helo_hostname
   # Don't talk to mail systems that don't know their own hostname.
+   #
   reject_unknown_helo_hostname


 ## ---
-## - smtpd DATA Restrictions
+## - smtpd Sender Restrictions
 ## ---

-smtpd_data_restrictions =
-   # Block clients that speak too early.
-   reject_unauth_pipelining
-
-smtpd_end_of_data_restrictions =
-   # Check Postfix Firewall Daemon
-   check_policy_service inet:127.0.0.1:10040
+smtpd_sender_restrictions =
+   permit_mynetworks,
+   permit_sasl_authenticated,
+   reject_unknown_sender_domain,
+   reject_non_fqdn_sender


 ## ---
@ -1275,9 +1384,7 @@ smtpd_recipient_restrictions =
 # permit our users
   permit_sasl_authenticated,
 # dont' accept misconfigured Mail
-   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
-   reject_unknown_sender_domain,
 # don't accept misconfigured recipients
   reject_unknown_recipient_domain,
 # Reject the request when the RCPT TO address is not listed in the list of valid 
@ -1325,29 +1432,8 @@ smtpd_recipient_restrictions =
 # managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
 # for more details
   reject_unverified_recipient,
-# RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
-   # Whitelist (configured at a.ns.oopen.de)
-   permit_dnswl_client dnswl.oopen.de,
-   # Blacklists
-   reject_rbl_client zen.spamhaus.org,
-   reject_rbl_client ix.dnsbl.manitu.net,
-   #reject_rbl_client bl.spamcop.net,
 # Policyd-Weight
   #check_policy_service inet:127.0.0.1:12525,
-# Greylisting check
-#
-#     check_policy_service inet:127.0.0.1:10023, 
-#
-#
-# Using defined restriction class (see smtpd_restriction_classes):
-#
-#  greylist all connections:
-#     check_greylist,
-#
-#  selctive greylisting:
-#     check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
-   #warn_if_reject,
-   check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
 # permit Backup MX
   permit_mx_backup,
 # permit, if all restrictions so far passed
@ -1372,9 +1458,7 @@ smtpd_relay_restrictions =
 # permit our users
   permit_sasl_authenticated,
 # dont' accept misconfigured Mail
-   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
-   reject_unknown_sender_domain,
 # don't accept misconfigured recipients
   reject_unknown_recipient_domain,
 # Reject the request unless one of the following is true:
@ -1396,6 +1480,21 @@ smtpd_relay_restrictions =
 # permit, if all restrictions so far passed
   permit

+
+## ---
+## - smtpd DATA Restrictions
+## ---
+
+smtpd_data_restrictions =
+   # Block clients that speak too early.
+	#
+   reject_unauth_pipelining
+
+smtpd_end_of_data_restrictions =
+   # Check Postfix Firewall Daemon
+	#
+   check_policy_service inet:127.0.0.1:10040
+
 EOF
 echo_ok

@ -1591,6 +1690,20 @@ else
   echo_failed
 fi

+echononl "   Create file \"client_whitelist\""
+if [[ ! -f "/etc/postfix/client_whitelist" ]]; then
+   cat <<EOF > /etc/postfix/client_whitelist
+# onion - tor hidden service
+127.0.0.25        OK
+EOF
+fi
+postmap btree:/etc/postfix/client_whitelist
+if [[ $? -eq 0 ]] ; then
+   echo_ok
+else
+   echo_failed
+fi
+
 echononl "   Create file \"sender_canonical\""
 if [[ ! -f /etc/postfix/sender_canonical ]]; then
 	cat <<EOF > /etc/postfix/sender_canonical
@ -1674,17 +1787,6 @@ if [[ ! -f /etc/postfix/greylist_client_access_pcre ]]; then
 # -          check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
 # -          ...

-# Prevent connections at 127.0.0.25 (onion - tor hidden service) from greylisting
-#
-# Note:
-#    - DUNNO: Pretend, that the lookaup key (127.0.0.25) was not found. No further
-#      evaluation on this access table is done.
-#
-#    - If 'tor hiddenservice' is supported, we bound it to 127.0.0.25 port 25.
-#      Since those connections are also marked as 'unknown', key below would match
-#      and greylisting would be triggered.
-/127\\.0\\.0\\.25/   DUNNO
-
 # ---
 # - For clients matching the following rules greylisting check is applied.
 # ---
@ -1710,6 +1812,35 @@ else
 	echo_skipped
 fi

+_file="/etc/postfix/header_checks_pcre"
+echononl "   Create file '$_file' used for header replacing"
+if [[ ! -f "$_file" ]]; then
+	cat << EOF > "$_file"
+# ---
+# - Replace headers
+# ---
+
+# - Replace recieved from
+/^Received: from (.* \\([-._[:alnum:]]+ \\[[.[:digit:]]{7,15}\\]\\)).*?([[:space:]]+).*\\(Authenticated sender: ([^)]+)\\)(.*)/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])\$2(Authenticated sender: \$3)\$4
+
+# ---
+# - Ignore Headers
+# ---
+
+/^\s*User-Agent/        IGNORE
+/^\s*X-Enigmail/        IGNORE
+/^\s*X-Mailer/          IGNORE
+/^\s*X-Originating-IP/  IGNORE
+EOF
+	if [[ $? -eq 0 ]] ; then
+		echo_ok
+	else
+		echo_failed
+	fi
+else
+	echo_skipped
+fi
+

 if ! $IS_RELAY_HOST ; then
   ## - Create Directory '/var/vmail' for virtual mailboxes