From 2201dad20f3dad40009a402e157c93cfb1156108 Mon Sep 17 00:00:00 2001 From: Christoph Date: Sun, 25 Nov 2018 03:05:00 +0100 Subject: [PATCH] install_postfix_advanced.sh: change greylisting to selective greylisting. --- install_postfix_advanced.sh | 107 +++++++++++++++++++++++++++++++++--- 1 file changed, 100 insertions(+), 7 deletions(-) diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh index ee45fdf..b92e18c 100755 --- a/install_postfix_advanced.sh +++ b/install_postfix_advanced.sh @@ -1025,6 +1025,19 @@ virtual_alias_domains = #======= Restrictions ============ + +## --- +## - Define restrictions +## --- + +smtpd_restriction_classes = check_greylist +check_greylist = check_policy_service inet:127.0.0.1:10023 + + +## --- +## - Recipient restrictions +## --- + smtpd_recipient_restrictions = # only special accounts (postmaster, abuse and other rolr accounts) check_recipient_access btree:/etc/postfix/access_recipient-rfc, @@ -1055,8 +1068,20 @@ smtpd_recipient_restrictions = # Policyd-Weight #check_policy_service inet:127.0.0.1:12525, # Greylisting check - warn_if_reject, - check_policy_service inet:127.0.0.1:10023, +# +# check_policy_service inet:127.0.0.1:10023, +# +# +# Using defined restriction class (see smtpd_restriction_classes): +# +# greylist all connections: +# check_greylist, +# +# selctive greylisting: +# check_client_access pcre:/etc/postfix/greylist_client_access_pcre, +# + #warn_if_reject, + check_client_access pcre:/etc/postfix/greylist_client_access_pcre, # Reject the request unless one of the following is true: # # - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains @@ -1075,8 +1100,10 @@ smtpd_recipient_restrictions = permit -## - Sinve version 2.11 -## - +## --- +## - Relay Restrictions (since version 2.11) +## --- + smtpd_relay_restrictions = # only special accounts (postmaster, abuse and other rolr accounts) check_recipient_access btree:/etc/postfix/access_recipient-rfc, 
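Review bot: In the @@ -1055 hunk the new `check_client_access pcre:/etc/postfix/greylist_client_access_pcre` entry makes every inbound RCPT depend on two things the generated main.cf does not verify: Postfix must have the `pcre` table type compiled in, and the table file must exist when smtpd reloads. The file is only written by a later hunk, only when it is absent, and a failed write there just prints echo_failed and the install goes on; as far as I recall, Postfix treats an unopenable access table as a temporary lookup error and defers the whole session, so a missing file would defer all mail rather than greylist selectively. A guard before emitting this restriction, e.g. `postconf -m | grep -q '^pcre$' || { echo_failed; exit 1; }`, with a matching check that the table file was created, would make the failure mode explicit. The same dependency is introduced verbatim in the smtpd_relay_restrictions hunk (@@ -1106) below; both hunks also carry the comment typo `selctive greylisting`. Note that with `warn_if_reject` now commented out the greylisting is enforcing, not dry-run, which the commit message should probably say.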
@@ -1106,9 +1133,21 @@ smtpd_relay_restrictions = #reject_rbl_client dnsbl.njabl.org, # Policyd-Weight #check_policy_service inet:127.0.0.1:12525, -# Greylisting check - warn_if_reject, - check_policy_service inet:127.0.0.1:10023, +# Greylisting with postgrey +# +# check_policy_service inet:127.0.0.1:10023, +# +# +# Using defined restriction class (see 'smtpd_restriction_classes'): +# +# greylist all connections: +# check_greylist, +# +# selctive greylisting: +# check_client_access pcre:/etc/postfix/greylist_client_access_pcre, +# + #warn_if_reject, + check_client_access pcre:/etc/postfix/greylist_client_access_pcre, # Reject the request unless one of the following is true: # # - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains 
@@ -1376,6 +1415,60 @@ else echo_failed fi +echononl " Create file \"greylist_client_access_pcre\"" +if [[ ! -f /etc/postfix/greylist_client_access_pcre ]]; then + cat < /etc/postfix/greylist_client_access_pcre +# --- +# Check Client Access for greylisting (selective greylisting) +# --- +# +# - Note: +# - +# - Action 'check_greylist' must be defined by 'smtpd_restriction_classes' +# - and also set with an action (check_policy_service inet:127.0.0.1:10023) +# - in file /etc/postfix/ main.cf. +# - +# - Your main.cf may looks like: +# - +# - smtpd_restriction_classes = check_greylist +# - check_greylist = check_policy_service inet:127.0.0.1:10023 +# - +# - smtpd_recipient_restrictions = +# - ... +# - check_client_access pcre:/etc/postfix/greylist_client_access_pcre, +# - ... +# - +# - smtpd_relay_restrictions = +# - ... +# - check_client_access pcre:/etc/postfix/greylist_client_access_pcre, +# - ... + +# --- +# - For clients matching the following rules greylisting check is applied. +# --- + +# unkown clients +/^unknown$/ check_greylist + +# everything with 3 or more hyphens in the hostname +/(\\-.+){3}$/ check_greylist +# everything with 4 or more dots in the hostname +/(\\..+){4}$/ check_greylist + +# dialups +/(^|[0-9.x_-])(abo|br(e|oa)dband|cabel|(hk)?cablep?|catv|cbl|cidr|d?client2?|cust(omer)?s?|dhcp|dial?(in|up)?|d[iu]p|[asx]?dsld?|dyn(a(dsl|mic)?)?|home|in-addr|modem(cable)?|(di)?pool|ppp|ptr|rev|static|user|YahooBB[0-9]{12}|c[[:alnum:]]{6,}(\\.[a-z]{3})?\\.virtua|[1-9]Cust[0-9]+|AC[A-Z][0-9A-F]{5}\\.ipt|pcp[0-9]{6,}pcs|S0106[[:alnum:]]{12,}\\.[a-z]{2})[0-9.x_-]/ check_greylist + +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + + if ! $IS_RELAY_HOST ; then ## - Create Directory '/var/vmail' for virtual mailboxes ## -
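Review bot: The write line appears as `cat < /etc/postfix/greylist_client_access_pcre`, which would read the file that the preceding `[[ ! -f … ]]` guard just found absent; presumably the committed line is `cat <<EOF > /etc/postfix/greylist_client_access_pcre` and the `<<EOF >` was eaten by rendering, but it should be confirmed in the actual file since the `EOF` terminator below only makes sense with a heredoc. The doubled backslashes (`\\-`, `\\.`) in the pcre patterns show the heredoc is deliberately unquoted so the shell collapses them to single backslashes; a comment such as `# unquoted heredoc on purpose: \\ becomes \ in the generated pcre table` above the cat would stop a later editor from "fixing" the escapes or quoting EOF. Because main.cf already references this table (earlier hunks), a write failure here is only reported via echo_failed and the install continues, leaving smtpd referencing a table that does not exist; aborting the install, or at least printing a warning that mail will be deferred until the file exists, would be safer. The generated comment block also has a stray space in `/etc/postfix/ main.cf`.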