From 20a9a17cb0ebc3889d0eda79286bbc9ab5e57e15 Mon Sep 17 00:00:00 2001 From: Christoph Date: Fri, 30 Nov 2018 14:33:50 +0100 Subject: [PATCH] install_postfix_advanced.sh: Adjust smtpd restrictions. Write file '/etc/postfix/header_checks_pcre'. --- install_postfix_advanced.sh | 225 ++++++++++++++++++++++++++++-------- 1 file changed, 178 insertions(+), 47 deletions(-) diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh index e89687e..ce86ac3 100755 --- a/install_postfix_advanced.sh +++ b/install_postfix_advanced.sh @@ -814,10 +814,26 @@ mydestination = ## - privileges than "strangers" ## - mynetworks = - 127.0.0.0/8 + # +++++++++++++++++++++++++++++++++++++ + # replace 127.0.0.1/8 with 127.0.0.1/32 + # +++++++++++++++++++++++++++++++++++++ + # So we can use i.e 127.0.0.25 (or any other 127.x.x.x address) + # to bind to hidden tor service on port 25 without having an + # open relay + # + # see also: https://github.com/ehloonion/onionmx/blob/master/open-relay.md + # + #127.0.0.0/8 + 127.0.0.1/32 ${IPV4}/32 + # a.mx.oopen.de + #83.223.86.91 + # b.mx.oopen.de + #83.223.86.97 + # d.mx.oopen.de + #83.223.86.92/32 -#smtp_bind_address = $IPV4 +smtp_bind_address = $IPV4 #smtp_bind_address6 = $IPV6 EOF @@ -1004,7 +1020,7 @@ smtp_tls_CAfile = $_TLS_CA_FILE ## - Directory with PEM format certificate authority certificates that the Postfix SMTP ## - client uses to verify a remote SMTP server certificate. Don't forget to create the ## - necessary "hash" links with, for example, " -## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". +## - /usr/bin/c_rehash /etc/postfix/certs". ## - ## - !! Note !! ## - To use this option in chroot mode, this directory (or a copy) must be inside 
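Review bot: The new comment `# replace 127.0.0.1/8 with 127.0.0.1/32` above the narrowed mynetworks entry mis-states the prefix being replaced; the removed line is `127.0.0.0/8`, so it should read `# replace 127.0.0.0/8 with 127.0.0.1/32`. The narrowing itself is the right call: with all of loopback in mynetworks, connections arriving from the Tor hidden service forwarded to 127.0.0.25 would have satisfied permit_mynetworks in the relay/recipient lists and relayed freely, whereas /32 trusts only 127.0.0.1. Worth adding one line noting that any other local process that submits through loopback must now connect to 127.0.0.1 or authenticate, so a later maintainer does not widen the prefix again. `smtp_bind_address = $IPV4` is now active while `#smtp_bind_address6 = $IPV6` stays commented; since this heredoc expands variables (the later hunk escapes `\$` where literal text is wanted), an empty IPV4 would silently write an unset parameter, so the script should verify it is set before this point if it does not already.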
@@ -1226,6 +1242,20 @@ virtual_alias_domains = #======= smtpd Restrictions ============ +# - Order of evaluating smtpd restriction lists: +# - +# - smtpd_client_restrictions +# - smtpd_helo_restrictions +# - smtpd_sender_restrictions +# - smtpd_relay_restrictions +# - smtpd_recipient_restrictions +# - smtpd_data_restrictions +# - smtpd_end_of_data_restrictions +# - +# - Note: +# - all smtpd restrictions are evaluated until one of them +# - results in 'REJECT' + ## --- ## - Define smtpd Restrictions ## --- 
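Review bot: The closing remark of the new comment block, `# - all smtpd restrictions are evaluated until one of them results in 'REJECT'`, is misleading about how the lists interact: within one list evaluation stops at the first restriction that returns a result (PERMIT/OK just as much as REJECT/DEFER), and a PERMIT ends only that list - the remaining lists are still evaluated. That distinction matters for the permit_* and whitelist entries this commit puts at the head of the client and HELO lists, because an OK there does not grant relay. Suggest replacing the last two lines with `# - each list is evaluated until a restriction returns PERMIT, REJECT or DEFER;` and `# - a PERMIT ends only that list, the remaining lists are still evaluated`. The listed position of smtpd_relay_restrictions ahead of smtpd_recipient_restrictions is version dependent (it is governed by smtpd_relay_before_recipient_restrictions in Postfix 3.6 and later, and earlier releases evaluated the recipient list first), so the comment should say which Postfix release it describes.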
@@ -1237,25 +1267,104 @@ check_greylist = check_policy_service inet:127.0.0.1:10023 127.0.0.1:10040_time_limit = 3600 +# smtpd_delay_reject (default: yes) +# +# Wait until the RCPT TO command before evaluating \$smtpd_client_restrictions, +# \$smtpd_helo_restrictions and \$smtpd_sender_restrictions, or wait until the +# ETRN command before evaluating \$smtpd_client_restrictions and \$smtpd_helo_restrictions. +# +# This feature is turned on by default because some clients apparently mis-behave +# when the Postfix SMTP server rejects commands before RCPT TO. +# +# The default setting has one major benefit: it allows Postfix to log recipient address +# information when rejecting a client name/address or sender address, so that it is +# possible to find out whose mail is being rejected. +smtpd_delay_reject = yes + + + +## --- +## smtpd Client Restrictions +## --- + +smtpd_client_restrictions = + permit_sasl_authenticated, + permit_mynetworks, + # Whitelist clients + # + check_client_access btree:/etc/postfix/client_whitelist + # RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use + # Whitelist (configured at a.ns.oopen.de) + # + permit_dnswl_client dnswl.oopen.de, + # Blacklists + reject_rbl_client zen.spamhaus.org, + reject_rbl_client ix.dnsbl.manitu.net, + # Greylisting check + # + # check_policy_service inet:127.0.0.1:10023, + # + # + # Using defined restriction class (see smtpd_restriction_classes): + # + # greylist all connections: + # check_greylist, + # + # selctive greylisting: + # check_client_access pcre:/etc/postfix/greylist_client_access_pcre, + # + #warn_if_reject, + check_client_access pcre:/etc/postfix/greylist_client_access_pcre, + #reject_rbl_client bl.spamcop.net, + # Reject the request when + # 1) the client IP address->name mapping fails + # 2) the name->address mapping fails + # 3) the name->address mapping does not match the client IP address. 
+ # + # Note: + # This is a stronger restriction than the reject_unknown_reverse_client_hostname + # feature, which triggers only under condition 1) above. + # + #reject_unknown_client + + ## --- ## smtpd HELO Restrictions ## --- + +smtpd_helo_required = yes smtpd_helo_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + # Whitelist clients + # + check_client_access btree:/etc/postfix/client_whitelist + # Reject the request when the HELO or EHLO hostname is malformed. + # + # Note + # specify "smtpd_helo_required = yes" to fully enforce this restriction + # (without "smtpd_helo_required = yes", a client can simply skip + # reject_invalid_helo_hostname by not sending HELO or EHLO). + # + reject_invalid_helo_hostname, + # Reject the request when the HELO or EHLO hostname is not in fully-qualified + # domain or address literal form, as required by the RFC. + # + reject_non_fqdn_helo_hostname # Don't talk to mail systems that don't know their own hostname. + # reject_unknown_helo_hostname ## --- -## - smtpd DATA Restrictions +## - smtpd Sender Restrictions ## --- -smtpd_data_restrictions = - # Block clients that speak too early. - reject_unauth_pipelining - -smtpd_end_of_data_restrictions = - # Check Postfix Firewall Daemon - check_policy_service inet:127.0.0.1:10040 +smtpd_sender_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unknown_sender_domain, + reject_non_fqdn_sender ## --- @@ -1275,9 +1384,7 @@ smtpd_recipient_restrictions = # permit our users permit_sasl_authenticated, # dont' accept misconfigured Mail - reject_non_fqdn_sender, reject_non_fqdn_recipient, - reject_unknown_sender_domain, # don't accept misconfigured recipients reject_unknown_recipient_domain, # Reject the request when the RCPT TO address is not listed in the list of valid 
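Review bot: In the new smtpd_client_restrictions list, and again in smtpd_helo_restrictions, `check_client_access btree:/etc/postfix/client_whitelist` is the only entry without a trailing comma; Postfix accepts whitespace as a separator too, so both lists still parse, but add the comma so the entry does not read as the end of the list. The comment above it should also say what an `OK` lookup does: it ends that list with PERMIT, so a whitelisted client (127.0.0.25, the Tor listener, per the client_whitelist hunk) bypasses the RBL lookups, the greylisting access map and `reject_invalid_helo_hostname`/`reject_non_fqdn_helo_hostname`, while the relay and recipient lists are still evaluated and so no relay is granted; suggested comment after `# Whitelist clients`: `# OK ends this list with PERMIT (skips RBL/greylisting below); relay and recipient restrictions still apply`. Dropping the `/127\.0\.0\.25/ DUNNO` entry from the greylist map (later hunk) is only safe while this lookup stays ahead of the pcre lookup in the same list, which that comment should state as well. The main.cf heredoc these lines are written into opens and closes outside this hunk.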
@@ -1325,29 +1432,8 @@ smtpd_recipient_restrictions = # managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html # for more details reject_unverified_recipient, -# RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use - # Whitelist (configured at a.ns.oopen.de) - permit_dnswl_client dnswl.oopen.de, - # Blacklists - reject_rbl_client zen.spamhaus.org, - reject_rbl_client ix.dnsbl.manitu.net, - #reject_rbl_client bl.spamcop.net, # Policyd-Weight #check_policy_service inet:127.0.0.1:12525, -# Greylisting check -# -# check_policy_service inet:127.0.0.1:10023, -# -# -# Using defined restriction class (see smtpd_restriction_classes): -# -# greylist all connections: -# check_greylist, -# -# selctive greylisting: -# check_client_access pcre:/etc/postfix/greylist_client_access_pcre, - #warn_if_reject, - check_client_access pcre:/etc/postfix/greylist_client_access_pcre, # permit Backup MX permit_mx_backup, # permit, if all restrictions so far passed @@ -1372,9 +1458,7 @@ smtpd_relay_restrictions = # permit our users permit_sasl_authenticated, # dont' accept misconfigured Mail - reject_non_fqdn_sender, reject_non_fqdn_recipient, - reject_unknown_sender_domain, # don't accept misconfigured recipients reject_unknown_recipient_domain, # Reject the request unless one of the following is true: @@ -1396,6 +1480,21 @@ smtpd_relay_restrictions = # permit, if all restrictions so far passed permit + +## --- +## - smtpd DATA Restrictions +## --- + +smtpd_data_restrictions = + # Block clients that speak too early. + # + reject_unauth_pipelining + +smtpd_end_of_data_restrictions = + # Check Postfix Firewall Daemon + # + check_policy_service inet:127.0.0.1:10040 + EOF echo_ok 
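Review bot: The re-added `check_policy_service inet:127.0.0.1:10040` under smtpd_end_of_data_restrictions keeps only `# Check Postfix Firewall Daemon` as its comment and says nothing about the failure mode: when nothing answers on 127.0.0.1:10040, check_policy_service returns smtpd_policy_service_default_action, which by default defers with a 4xx, so a stopped policy daemon holds up every message reaching end-of-data instead of skipping the check. That fail-closed behaviour is the safe default, but it is the kind of thing that gets "fixed" under pressure by deleting the line, so spell it out: `# If the policy daemon on 127.0.0.1:10040 is down, check_policy_service defers (4xx) every message here - keep it monitored.` The main.cf heredoc these lines sit in opens before the hunks on this page and closes at the `EOF` shown here.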
@@ -1591,6 +1690,20 @@ else echo_failed fi +echononl " Create file \"client_whitelist\"" +if [[ ! -f "/etc/postfix/client_whitelist" ]]; then + cat < /etc/postfix/client_whitelist +# onion - tor hidden service +127.0.0.25 OK +EOF +fi +postmap btree:/etc/postfix/client_whitelist +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed +fi + echononl " Create file \"sender_canonical\"" if [[ ! -f /etc/postfix/sender_canonical ]]; then cat < /etc/postfix/sender_canonical @@ -1674,17 +1787,6 @@ if [[ ! -f /etc/postfix/greylist_client_access_pcre ]]; then # - check_client_access pcre:/etc/postfix/greylist_client_access_pcre, # - ... -# Prevent connections at 127.0.0.25 (onion - tor hidden service) from greylisting -# -# Note: -# - DUNNO: Pretend, that the lookaup key (127.0.0.25) was not found. No further -# evaluation on this access table is done. -# -# - If 'tor hiddenservice' is supported, we bound it to 127.0.0.25 port 25. -# Since those connections are also marked as 'unknown', key below would match -# and greylisting would be triggered. -/127\\.0\\.0\\.25/ DUNNO - # --- # - For clients matching the following rules greylisting check is applied. # --- @@ -1710,6 +1812,35 @@ else echo_skipped fi +_file="/etc/postfix/header_checks_pcre" +echononl " Create file '$_file' used for header replacing" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# - Replace headers +# --- + +# - Replace recieved from +/^Received: from (.* \\([-._[:alnum:]]+ \\[[.[:digit:]]{7,15}\\]\\)).*?([[:space:]]+).*\\(Authenticated sender: ([^)]+)\\)(.*)/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])\$2(Authenticated sender: \$3)\$4 + +# --- +# - Ignore Headers +# --- + +/^\s*User-Agent/ IGNORE +/^\s*X-Enigmail/ IGNORE +/^\s*X-Mailer/ IGNORE +/^\s*X-Originating-IP/ IGNORE +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + if ! $IS_RELAY_HOST ; then ## - Create Directory '/var/vmail' for virtual mailboxes
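Review bot: The new client_whitelist block reports echo_ok whenever `postmap` succeeds, including when `/etc/postfix/client_whitelist` already existed and nothing was written, whereas the header_checks_pcre block added later in this commit reports echo_skipped for an existing file; under the label `Create file "client_whitelist"` that is misleading, so mirror the later block (`else echo_skipped` on the existence test) and check the write itself, not only postmap. As rendered on this page the write line reads `cat < /etc/postfix/client_whitelist`, which would read the file rather than write a heredoc into it; the neighbouring `sender_canonical` line has the same shape while the later `cat << EOF > "$_file"` survived, so this is most likely the page's rendering swallowing a `<<EOF >` rather than a script bug - worth confirming against the real file all the same. The entry `127.0.0.25 OK` is what exempts the Tor listener from the client/HELO checks added in the restriction hunk; a one-line comment in the file, `# OK = skip client/HELO restrictions; relay/recipient restrictions still apply`, would stop someone from adding less trusted addresses without realising what OK grants.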
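Review bot: The REPLACE rule for `Received:` only recognises an IPv4 literal - `\[[.[:digit:]]{7,15}\]` - so a user who submits over IPv6 after SASL authentication keeps the real client address in the header, which is exactly what the rule is meant to hide; the bracket class needs hex digits and colons plus the `IPv6:` prefix Postfix writes inside the brackets, and the `{7,15}` bound has to grow with it. The rule also depends on `(Authenticated sender: ...)` being present, i.e. on smtpd_sasl_authenticated_header being enabled, which this hunk does not show - worth a comment stating that dependency next to the pattern. If this map is wired in as the global header_checks (not visible here) it runs in cleanup(8) for inbound mail too, so `X-Originating-IP`, `User-Agent` and the others are stripped from messages you receive, removing headers that help when triaging a phishing or abuse report; if the aim is only to anonymise your own users' submissions, attach the map to a dedicated cleanup service for the submission port instead (master.cf `-o cleanup_service_name=` with its own header_checks). Minor: `# - Replace recieved from` → `# - Replace Received: from`.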