install/mailsystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

install_postfix_advanced.sh: change greylisting to selective greylisting.

Browse Source
This commit is contained in:
Christoph 2018-11-25 03:05:00 +01:00
parent 458c5353f0
commit 2201dad20f
1 changed files with 100 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
install_postfix_advanced.sh
View File

@ -1025,6 +1025,19 @@ virtual_alias_domains =
#======= Restrictions ============ #======= Restrictions ============
## ---
## - Define restrictions
## ---
smtpd_restriction_classes = check_greylist
check_greylist = check_policy_service inet:127.0.0.1:10023
## ---
## - Recipient restrictions
## ---
smtpd_recipient_restrictions = smtpd_recipient_restrictions =
# only special accounts (postmaster, abuse and other rolr accounts) # only special accounts (postmaster, abuse and other rolr accounts)
check_recipient_access btree:/etc/postfix/access_recipient-rfc, check_recipient_access btree:/etc/postfix/access_recipient-rfc,
@ -1055,8 +1068,20 @@ smtpd_recipient_restrictions =
# Policyd-Weight # Policyd-Weight
#check_policy_service inet:127.0.0.1:12525, #check_policy_service inet:127.0.0.1:12525,
# Greylisting check # Greylisting check
warn_if_reject, #
check_policy_service inet:127.0.0.1:10023, # check_policy_service inet:127.0.0.1:10023,
#
#
# Using defined restriction class (see smtpd_restriction_classes):
#
# greylist all connections:
# check_greylist,
#
# selctive greylisting:
# check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
#
#warn_if_reject,
check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
# Reject the request unless one of the following is true: # Reject the request unless one of the following is true:
# #
# - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains # - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains
@ -1075,8 +1100,10 @@ smtpd_recipient_restrictions =
permit permit
## - Sinve version 2.11 ## ---
## - ## - Relay Restrictions (since version 2.11)
## ---
smtpd_relay_restrictions = smtpd_relay_restrictions =
# only special accounts (postmaster, abuse and other rolr accounts) # only special accounts (postmaster, abuse and other rolr accounts)
check_recipient_access btree:/etc/postfix/access_recipient-rfc, check_recipient_access btree:/etc/postfix/access_recipient-rfc,
@ -1106,9 +1133,21 @@ smtpd_relay_restrictions =
#reject_rbl_client dnsbl.njabl.org, #reject_rbl_client dnsbl.njabl.org,
# Policyd-Weight # Policyd-Weight
#check_policy_service inet:127.0.0.1:12525, #check_policy_service inet:127.0.0.1:12525,
# Greylisting check # Greylisting with postgrey
warn_if_reject, #
check_policy_service inet:127.0.0.1:10023, # check_policy_service inet:127.0.0.1:10023,
#
#
# Using defined restriction class (see 'smtpd_restriction_classes'):
#
# greylist all connections:
# check_greylist,
#
# selctive greylisting:
# check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
#
#warn_if_reject,
check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
# Reject the request unless one of the following is true: # Reject the request unless one of the following is true:
# #
# - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains # - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains
@ -1376,6 +1415,60 @@ else
echo_failed echo_failed
fi fi
echononl " Create file \"greylist_client_access_pcre\""
if [[ ! -f /etc/postfix/greylist_client_access_pcre ]]; then
cat <<EOF > /etc/postfix/greylist_client_access_pcre
# ---
# Check Client Access for greylisting (selective greylisting)
# ---
#
# - Note:
# -
# - Action 'check_greylist' must be defined by 'smtpd_restriction_classes'
# - and also set with an action (check_policy_service inet:127.0.0.1:10023)
# - in file /etc/postfix/ main.cf.
# -
# - Your main.cf may looks like:
# -
# - smtpd_restriction_classes = check_greylist
# - check_greylist = check_policy_service inet:127.0.0.1:10023
# -
# - smtpd_recipient_restrictions =
# - ...
# - check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
# - ...
# -
# - smtpd_relay_restrictions =
# - ...
# - check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
# - ...
# ---
# - For clients matching the following rules greylisting check is applied.
# ---
# unkown clients
/^unknown$/ check_greylist
# everything with 3 or more hyphens in the hostname
/(\\-.+){3}$/ check_greylist
# everything with 4 or more dots in the hostname
/(\\..+){4}$/ check_greylist
# dialups
/(^|[0-9.x_-])(abo|br(e|oa)dband|cabel|(hk)?cablep?|catv|cbl|cidr|d?client2?|cust(omer)?s?|dhcp|dial?(in|up)?|d[iu]p|[asx]?dsld?|dyn(a(dsl|mic)?)?|home|in-addr|modem(cable)?|(di)?pool|ppp|ptr|rev|static|user|YahooBB[0-9]{12}|c[[:alnum:]]{6,}(\\.[a-z]{3})?\\.virtua|[1-9]Cust[0-9]+|AC[A-Z][0-9A-F]{5}\\.ipt|pcp[0-9]{6,}pcs|S0106[[:alnum:]]{12,}\\.[a-z]{2})[0-9.x_-]/ check_greylist
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
if ! $IS_RELAY_HOST ; then if ! $IS_RELAY_HOST ; then
## - Create Directory '/var/vmail' for virtual mailboxes ## - Create Directory '/var/vmail' for virtual mailboxes
## - ## -