From 69165d9e0762e9624950895ce3b303588d897285 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 2 Jan 2023 13:27:26 +0100
Subject: [PATCH] Add 'README.postfwd-example.conf', a slightly more extensive configuration for the Postfix firewall.
---
DOC/postfwd/README.postfwd-example.conf | 120 ++++++++++++++++++++++++
1 file changed, 120 insertions(+)
create mode 100644 DOC/postfwd/README.postfwd-example.conf
diff --git a/DOC/postfwd/README.postfwd-example.conf b/DOC/postfwd/README.postfwd-example.conf
new file mode 100644
index 0000000..6b7ed59
--- /dev/null
+++ b/DOC/postfwd/README.postfwd-example.conf
@@ -0,0 +1,120 @@
+## ----------------------------------
+# Trusted networks (internal usually)
+&&TRUSTED_NETS {
+ client_address=192.168.0.0/16 ;
+};
+
+# Trusted hostnames
+&&TRUSTED_HOSTS {
+ client_name~=.nooblet.org$ ;
+};
+
+# Trusted sasl usernames
+&&TRUSTED_USERS {
+ sasl_username==stalks ;
+};
+
+# Free mailers we don't need to greylist
+&&FREEMAIL {
+ client_name~=.gmx.net$ ;
+ client_name~=.web.de$ ;
+ client_name~=.(aol|yahoo|h(ush|ot)mail).co(.uk|m)$ ;
+};
+
+# Static IPs, no need to greylist
+# contains freemailers
+&&STATIC {
+ &&FREEMAIL ;
+ client_name~=[.-]static[[.-] ;
+ client_name~=^(mail|smtp|mout|mx)[-]*[0-9]*. ;
+};
+
+# Client reverse != smtp helo
+&&BADHELO {
+ client_name==!!($$(helo_name)) ;
+};
+
+&&NORDNS {
+ client_name==unknown ;
+};
+
+&&DYNAMIC {
+ &&NORDNS ;
+ client_name~=(-.+){4} ;
+ client_name~=d{5} ;
+ client_name~=[_.-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|adsl|dial(up|in)|pool|dhcp|leased)[_.-] ;
+};
+&&DYNL {
+ rbl=zen.spamhaus.org/^127.0.0.1[0-1]$/3600 ;
+ rbl=dul.dnsbl.sorbs.net ;
+};
+
+&&RWL {
+ rbl=list.dnswl.org ;
+ rbl=hostkarma.junkemailfilter.com/^127.0.0.1$/3600 ;
+ rhsbl_client=hostkarma.junkemailfilter.com/^127.0.0.1$/3600 ;
+};
+
+&&RBL {
+ rbl=zen.spamhaus.org/^127.0.0.[2-8]$/3600 ;
+ rbl=hostkarma.junkemailfilter.com/^127.0.0.(2|4)$/3600 ;
+ rbl=bl.spamcop.net ;
+ rbl=problems.dnsbl.sorbs.net ;
+ rhsbl_client=hostkarma.junkemailfilter.com/^127.0.0.(2|4)$/3600 ;
+ rhsbl=rhsbl.ahbl.org ;
+ rhsbl=rhsbl.sorbs.net ;
+};
+
+##
+## Ruleset
+##
+
+# stress-friendly behaviour (will not match on postfix version pre 2.5)
+id=STRESS ; stress==yes ; action=dunno
+
+# Whitelists (fixed)
+id=WL_001 ; &&TRUSTED_NETS ; action=dunno
+id=WL_002 ; &&TRUSTED_HOSTS ; action=dunno
+id=WL_003 ; &&TRUSTED_USERS ; action=dunno
+
+# Dynamic Counter
+id=DYNL_001 ; &&DYNL ; rblcount=all ; action=set(HIT_dynls=$$rblcount, DYNL_text=$$dnsbltext)
+
+# DNS Block Lists
+id=RBL_001 ; &&RBL ;
+ rhsblcount=all ; rblcount=all ;
+ action=set(
+ HIT_rbls=$$rblcount,
+ HIT_rbls+=$$rhsblcount,
+ RBL_text=$$dnsbltext)
+id=RBL_002 ; HIT_rbls>=2 ; action=REJECT You are listed on $$HIT_rbls RBLs. [$$RBL_text]
+id=RBL_003 ; HIT_rbls>=1 ; HIT_dynls>=1 ; action=REJECT Host listed as dynamic and listed on RBL. [$$RBL_text]
+id=RBL_004 ; HIT_rbls>=1 ; &&NORDNS ; action=REJECT No reverse DNS and listed on RBL. [$$RBL_text]
+id=RBL_005 ; HIT_rbls>=1 ; &&DYNAMIC ; action=REJECT Host looks dynamic and listed on RBL. [$$RBL_text]
+id=RBL_006 ; HIT_rbls>=1 ; &&BADHELO ; action=REJECT (helo $$helo_name) != ($$client_name) and listed on RBL. [$$RBL_text]
+
+# Whitelists (rwl)
+id=RWL_001 ; &&RWL ;
+ rhsblcount=all ; rblcount=all ;
+ action=set(
+ HIT_rwls=$$rblcount,
+ HIT_rwls+=$$rhsblcount,
+ RWL_text=$$dnsbltext)
+id=RWL_002 ; HIT_rwls>=1 ; action=PREPEND X-POSTFWD: Listed on $$HIT_rwls whitelists. [$$RWL_text]
+
+# Rate limits
+id=RATE_001 ; HIT_rbls>=1 ; action=rate($$client_address/1/300/450 4.7.1 Throttled. Listed on RBL. Limited to 1 message every 5 minutes. [$$RBL_text])
+id=RATE_002 ; HIT_dynls>=1 ; action=rate($$client_address/1/300/450 4.7.1 Throttled. Listed as dynamic. Limited to 1 message every 5 minutes.)
+id=RATE_003 ; &&NORDNS ; action=rate($$client_address/1/300/450 4.7.1 Throttled. No reverse DNS. Limited to 1 message every 5 minutes.)
+id=RATE_004 ; &&DYNAMIC ; action=rate($$client_address/1/300/450 4.7.1 Throttled. Host is probably dynamic. Limited to 1 message every 5 minutes.)
+
+# Selective greylist
+id=GREY_001 ; action=greylist ; HIT_rbls>=1
+id=GREY_002 ; action=dunno ; &&STATIC
+id=GREY_003 ; action=dunno ; $$client_name~=$$(sender_domain)$
+id=GREY_004 ; action=dunno ; HIT_rwls>=1
+id=GREY_005 ; action=greylist ; HIT_dynls>=1
+id=GREY_006 ; action=greylist ; &&DYNAMIC
+## greylist should be safe during out-of-office-hours
+# id=GREY_007 ; action=greylist ; days=Sat-Sun
+# id=GREY_008 ; action=greylist ; days=Mon-Fri ; time=!!06:00:00-20:00:0
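Review bot: The unfiltered `rbl=`/`rhsbl=` entries in `&&RBL` and `&&RWL` (bl.spamcop.net, problems.dnsbl.sorbs.net, rhsbl.ahbl.org, rhsbl.sorbs.net, list.dnswl.org) count any A record as a hit, unlike the zen.spamhaus.org and hostkarma entries which pin the expected return codes; because RBL_002 rejects at `HIT_rbls>=2` and GREY_004 skips greylisting at `HIT_rwls>=1`, a list that has been retired (rhsbl.ahbl.org was shut down years ago) or that answers with a non-listing code (dnswl.org documents a 127.0.0.255 "blocked for over-querying" answer) turns into blanket rejects or a blanket whitelist. I would give each entry the same result-filter treatment, e.g. `rbl=bl.spamcop.net/^127\.0\.0\.2$/3600 ;` and `rbl=list.dnswl.org/^127\.0\.\d+\.[1-3]$/3600 ;`, and drop the defunct list. Separately, several patterns look as if they lost their backslashes: `client_name~=d{5}` in `&&DYNAMIC` matches the literal string ddddd, `.nooblet.org$` in `&&TRUSTED_HOSTS` matches any character before nooblet.org (so a hostname such as notnooblet.org is whitelisted past every RBL rule by WL_002), and `[[.-]` in `&&STATIC` is an unbalanced bracket; if that is the committed content rather than a rendering artefact, they should read `\d{5}`, `\.nooblet\.org$` and `[.-]static[.-]`, and the `&&FREEMAIL` patterns need the same escaping.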