install_postfix_advanced.sh: Adjust smtpd restrictions. Write file '/etc/postfix/header_checks_pcre'.

2018-11-30 14:33:50 +01:00 · 2018-11-30 14:33:50 +01:00 · 20a9a17cb0
commit 20a9a17cb0
parent 407afaff26
1 changed files with 178 additions and 47 deletions
--- a/install_postfix_advanced.sh
+++ b/install_postfix_advanced.sh
@ -814,10 +814,26 @@ mydestination =
 ## - privileges than "strangers"
 ## -
 mynetworks = 
-   127.0.0.0/8
+   # +++++++++++++++++++++++++++++++++++++
   # replace 127.0.0.1/8 with 127.0.0.1/32
   # +++++++++++++++++++++++++++++++++++++
   # So we can use i.e 127.0.0.25 (or any other 127.x.x.x address)
   # to bind to hidden tor service on port 25 without having an 
   # open relay
   #
   # see also: https://github.com/ehloonion/onionmx/blob/master/open-relay.md
   #
   #127.0.0.0/8
   127.0.0.1/32
   ${IPV4}/32
   # a.mx.oopen.de
   #83.223.86.91
   # b.mx.oopen.de
   #83.223.86.97
   # d.mx.oopen.de
   #83.223.86.92/32
-#smtp_bind_address = $IPV4
+smtp_bind_address = $IPV4
 #smtp_bind_address6 = $IPV6
 EOF
@ -1004,7 +1020,7 @@ smtp_tls_CAfile = $_TLS_CA_FILE
 ## - Directory with PEM format certificate authority certificates that the Postfix SMTP 
 ## - client uses to verify a remote SMTP server certificate. Don't forget to create the 
 ## - necessary "hash" links with, for example, "
-## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". 
+## - /usr/bin/c_rehash /etc/postfix/certs". 
 ## -
 ## - !! Note !!
 ## - To use this option in chroot mode, this directory (or a copy) must be inside 
@ -1226,6 +1242,20 @@ virtual_alias_domains =
 #======= smtpd Restrictions  ============
 # - Order of evaluating smtpd restriction lists:
 # -
 # -    smtpd_client_restrictions
 # -    smtpd_helo_restrictions
 # -    smtpd_sender_restrictions
 # -    smtpd_relay_restrictions
 # -    smtpd_recipient_restrictions
 # -    smtpd_data_restrictions
 # -    smtpd_end_of_data_restrictions
 # -
 # - Note:
 # -    all smtpd restrictions are evaluated until one of them 
 # -    results in 'REJECT'
 ## ---
 ## - Define smtpd Restrictions
 ## ---
@ -1237,25 +1267,104 @@ check_greylist = check_policy_service inet:127.0.0.1:10023
 127.0.0.1:10040_time_limit = 3600
 # smtpd_delay_reject (default: yes)
 # 
 # Wait until the RCPT TO command before evaluating \$smtpd_client_restrictions, 
 # \$smtpd_helo_restrictions and \$smtpd_sender_restrictions, or wait until the 
 # ETRN command before evaluating \$smtpd_client_restrictions and \$smtpd_helo_restrictions.
 #
 # This feature is turned on by default because some clients apparently mis-behave 
 # when the Postfix SMTP server rejects commands before RCPT TO.
 #
 # The default setting has one major benefit: it allows Postfix to log recipient address 
 # information when rejecting a client name/address or sender address, so that it is 
 # possible to find out whose mail is being rejected.
 smtpd_delay_reject = yes
 ## ---
 ## smtpd Client Restrictions
 ## ---
 smtpd_client_restrictions =
   permit_sasl_authenticated,
   permit_mynetworks,
   # Whitelist clients
   #
   check_client_access btree:/etc/postfix/client_whitelist
   # RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
   # Whitelist (configured at a.ns.oopen.de)
   #
   permit_dnswl_client dnswl.oopen.de,
   # Blacklists
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client ix.dnsbl.manitu.net,
   # Greylisting check
   #
   #     check_policy_service inet:127.0.0.1:10023, 
   #
   #
   # Using defined restriction class (see smtpd_restriction_classes):
   #
   #  greylist all connections:
   #     check_greylist,
   #
   #  selctive greylisting:
   #     check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
   #
   #warn_if_reject,
   check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
   #reject_rbl_client bl.spamcop.net,
   # Reject the request when 
   #    1) the client IP address->name mapping fails
   #    2) the name->address mapping fails
   #    3) the name->address mapping does not match the client IP address. 
   #
   # Note:
   #    This is a stronger restriction than the reject_unknown_reverse_client_hostname 
   #    feature, which triggers only under condition 1) above. 
   #
   #reject_unknown_client
 ## ---
 ## smtpd HELO Restrictions
 ## ---
 smtpd_helo_required = yes
 smtpd_helo_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   # Whitelist clients
   #
   check_client_access btree:/etc/postfix/client_whitelist
   # Reject the request when the HELO or EHLO hostname is malformed. 
   #
   # Note
   #    specify "smtpd_helo_required = yes" to fully enforce this restriction
   #    (without "smtpd_helo_required = yes", a client can simply skip 
   #    reject_invalid_helo_hostname by not sending HELO or EHLO). 
   #
   reject_invalid_helo_hostname,
   # Reject the request when the HELO or EHLO hostname is not in fully-qualified 
   # domain or address literal form, as required by the RFC. 
   #
   reject_non_fqdn_helo_hostname
   # Don't talk to mail systems that don't know their own hostname.
   #
   reject_unknown_helo_hostname
 ## ---
-## - smtpd DATA Restrictions
+## - smtpd Sender Restrictions
 ## ---
-smtpd_data_restrictions =
+smtpd_sender_restrictions =
-   # Block clients that speak too early.
+   permit_mynetworks,
-   reject_unauth_pipelining
+   permit_sasl_authenticated,
-
+   reject_unknown_sender_domain,
-smtpd_end_of_data_restrictions =
+   reject_non_fqdn_sender
   # Check Postfix Firewall Daemon
   check_policy_service inet:127.0.0.1:10040
 ## ---
@ -1275,9 +1384,7 @@ smtpd_recipient_restrictions =
 # permit our users
   permit_sasl_authenticated,
 # dont' accept misconfigured Mail
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
 # don't accept misconfigured recipients
   reject_unknown_recipient_domain,
 # Reject the request when the RCPT TO address is not listed in the list of valid 
@ -1325,29 +1432,8 @@ smtpd_recipient_restrictions =
 # managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
 # for more details
   reject_unverified_recipient,
 # RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
   # Whitelist (configured at a.ns.oopen.de)
   permit_dnswl_client dnswl.oopen.de,
   # Blacklists
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client ix.dnsbl.manitu.net,
   #reject_rbl_client bl.spamcop.net,
 # Policyd-Weight
   #check_policy_service inet:127.0.0.1:12525,
 # Greylisting check
 #
 #     check_policy_service inet:127.0.0.1:10023, 
 #
 #
 # Using defined restriction class (see smtpd_restriction_classes):
 #
 #  greylist all connections:
 #     check_greylist,
 #
 #  selctive greylisting:
 #     check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
   #warn_if_reject,
   check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
 # permit Backup MX
   permit_mx_backup,
 # permit, if all restrictions so far passed
@ -1372,9 +1458,7 @@ smtpd_relay_restrictions =
 # permit our users
   permit_sasl_authenticated,
 # dont' accept misconfigured Mail
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
 # don't accept misconfigured recipients
   reject_unknown_recipient_domain,
 # Reject the request unless one of the following is true:
@ -1396,6 +1480,21 @@ smtpd_relay_restrictions =
 # permit, if all restrictions so far passed
   permit
 ## ---
 ## - smtpd DATA Restrictions
 ## ---
 smtpd_data_restrictions =
   # Block clients that speak too early.
 	#
   reject_unauth_pipelining
 smtpd_end_of_data_restrictions =
   # Check Postfix Firewall Daemon
 	#
   check_policy_service inet:127.0.0.1:10040
 EOF
 echo_ok
@ -1591,6 +1690,20 @@ else
   echo_failed
 fi
 echononl "   Create file \"client_whitelist\""
 if [[ ! -f "/etc/postfix/client_whitelist" ]]; then
   cat <<EOF > /etc/postfix/client_whitelist
 # onion - tor hidden service
 127.0.0.25        OK
 EOF
 fi
 postmap btree:/etc/postfix/client_whitelist
 if [[ $? -eq 0 ]] ; then
   echo_ok
 else
   echo_failed
 fi
 echononl "   Create file \"sender_canonical\""
 if [[ ! -f /etc/postfix/sender_canonical ]]; then
 	cat <<EOF > /etc/postfix/sender_canonical
@ -1674,17 +1787,6 @@ if [[ ! -f /etc/postfix/greylist_client_access_pcre ]]; then
 # -          check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
 # -          ...
 # Prevent connections at 127.0.0.25 (onion - tor hidden service) from greylisting
 #
 # Note:
 #    - DUNNO: Pretend, that the lookaup key (127.0.0.25) was not found. No further
 #      evaluation on this access table is done.
 #
 #    - If 'tor hiddenservice' is supported, we bound it to 127.0.0.25 port 25.
 #      Since those connections are also marked as 'unknown', key below would match
 #      and greylisting would be triggered.
 /127\\.0\\.0\\.25/   DUNNO
 # ---
 # - For clients matching the following rules greylisting check is applied.
 # ---
@ -1710,6 +1812,35 @@ else
 	echo_skipped
 fi
 _file="/etc/postfix/header_checks_pcre"
 echononl "   Create file '$_file' used for header replacing"
 if [[ ! -f "$_file" ]]; then
 	cat << EOF > "$_file"
 # ---
 # - Replace headers
 # ---
 # - Replace recieved from
 /^Received: from (.* \\([-._[:alnum:]]+ \\[[.[:digit:]]{7,15}\\]\\)).*?([[:space:]]+).*\\(Authenticated sender: ([^)]+)\\)(.*)/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])\$2(Authenticated sender: \$3)\$4
 # ---
 # - Ignore Headers
 # ---
 /^\s*User-Agent/        IGNORE
 /^\s*X-Enigmail/        IGNORE
 /^\s*X-Mailer/          IGNORE
 /^\s*X-Originating-IP/  IGNORE
 EOF
 	if [[ $? -eq 0 ]] ; then
 		echo_ok
 	else
 		echo_failed
 	fi
 else
 	echo_skipped
 fi
 if ! $IS_RELAY_HOST ; then
   ## - Create Directory '/var/vmail' for virtual mailboxes