From 7a769af49ebd19172f25d18bc7a2c1108277303c Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 26 Nov 2018 00:03:06 +0100
Subject: [PATCH] install_postfix_advanced.sh: add support for Postfix Firewall Daemon 'postfwd'.

---
 install_postfix_advanced.sh | 187 ++++++++++++++++++++++++++++++++++++
 1 file changed, 187 insertions(+)

diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh
index 05e4733..4f8fee8 100755
--- a/install_postfix_advanced.sh
+++ b/install_postfix_advanced.sh
@@ -512,6 +512,189 @@ else fi +## - Install Postfix Firewall Daemon from debian packages system +## - +echononl " Install Postfix Firewall Daemon from debian packages system" +_pkg="postfwd" +if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then + echo_skipped +else + DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $tmp_err_msg + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $tmp_err_msg)" + fi +fi + +echononl " Adjust /etc/default/postfwd" +perl -i -n -p -e "s#^(\s*)(STARTUP=.*)#\#\1\2\nSTARTUP=1#" \ + /etc/default/postfwd > $tmp_err_msg 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $tmp_err_msg)" +fi + +_file="/etc/postfix/postfwd.wl-user" +echononl " Create whitelist file '$_file' for postfwd" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# SASL Users whitelisted by postfwd +# --- + +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + +_file="/etc/postfix/postfwd.bl-user" +echononl " Create whitelist file '$_file' for postfwd" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# SASL Users blocked by postfwd +# --- + +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + +_file="/etc/postfix/postfwd.bl-sender" +echononl " Create whitelist file '$_file' for postfwd" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# Sender addresses blocked by postfwd +# --- + +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + +echononl " Create configuration file '/etc/postfix/postfwd.cf'.." +if [[ ! 
-f "/etc/postfix/postfwd.cf" ]]; then + cat << EOF > /etc/postfix/postfwd.cf + +#======= Definitions ============ + +# Match messages with an associated SASL username +&&SASL_AUTH { + sasl_username!~^\$ +} + +# Whitelist users +&&TRUSTED_USERS { + sasl_username=file:/etc/postfix/postfwd.wl-user +} + +# Blacklist users +&&BLOCK_USERS { + sasl_username=file:/etc/postfix/postfwd.bl-user +} + +# Blacklist sender adresses +&&BLOCK_SENDER { + sender=file:/etc/postfix/postfwd.bl-sender +} + +# Inbound emails only +&&INCOMING { + client_address!=127.0.0.1 +} + + +#======= Rule sets ============ + +# Whitelists + +id=WHL_USERS + &&TRUSTED_USERS + action=DUNNO + +# Blacklist users +id=BL_USERS + &&SASL_AUTH + &&BLOCK_USERS + action=REJECT User is blocked by so36.NET admins. Error: BL_USERS + +id=BL_SENDER + &&BLOCK_SENDER + action=REJECT Sender address is blocked by so36.NET admins. Error: BL_SENDER + + +# Rate Limits + +# Block messages with more than 70 recipients +id=BLOCK_MSG_RCPT + &&INCOMING + &&SASL_AUTH + recipient_count=70 + action=REJECT Too many recipients, please reduce to less than 70 or consider using a mailing list. Error: BLOCK_MSG_RCPT + +# Block users sending more than 50 messages/hour +id=RATE_MSG + &&INCOMING + &&SASL_AUTH + action=rate(\$\$sasl_username/50/3600/450 4.7.1 Rate limit number messages per hour exceeded. Error:RATE_MSG) + +# Block users sending more than 250 recipients total/hour +id=RATE_RCPT + &&INCOMING + &&SASL_AUTH + action=rcpt(\$\$sasl_username/250/3600/450 4.7.1 Rate limit number recipients per hour exceeded. Error:RATE_RCPT) + +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + +echononl " Restart Postfix firewall daemon 'postfwd'.." +if $systemd_exists ; then + systemctl restart postfwd > /dev/null 2> $tmp_err_msg + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $tmp_err_msg)" + fi +else + /etc/init.d/postfwd restart > /dev/null 2> $tmp_err_msg + if [[ $? 
-eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $tmp_err_msg)" + fi +fi + + + # - Backup existing postfix configuration file # - echononl " Backup existing postfix configuration file" @@ -1056,6 +1239,8 @@ smtpd_recipient_restrictions = check_recipient_access btree:/etc/postfix/access_recipient, # permit trusted network (mynetwork) permit_mynetworks, +# Check Postfix Firewall Daemon + check_policy_service inet:127.0.0.1:10040, # permit our users permit_sasl_authenticated, # dont' accept misconfigured Mail @@ -1150,6 +1335,8 @@ smtpd_relay_restrictions = check_recipient_access btree:/etc/postfix/access_recipient, # permit trusted network (mynetwork) permit_mynetworks, +# Check Postfix Firewall Daemon + check_policy_service inet:127.0.0.1:10040, # permit our users permit_sasl_authenticated, # dont' accept misconfigured Mail
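Review bot: The BLOCK_MSG_RCPT rule in the generated /etc/postfix/postfwd.cf keys on `recipient_count=70`, but if I read the Postfix policy-delegation protocol correctly that attribute is only non-zero at the DATA/END-OF-MESSAGE stage, so a policy service wired into smtpd_recipient_restrictions (as the later hunks of this commit do) sees 0 on every RCPT and the 70-recipient cap never fires; please verify, and if confirmed either add `check_policy_service inet:127.0.0.1:10040` to smtpd_data_restrictions as well or drop the rule. The /etc/default/postfwd edit is not idempotent: each run that finds a `STARTUP=` line comments it out and appends a fresh `STARTUP=1`, while a file without such a line is left untouched yet still reported with echo_ok — guard the perl call with `grep -qs '^STARTUP=1$' /etc/default/postfwd && echo_skipped` and drop the `-n`, which is redundant next to `-p`. The echononl labels for postfwd.bl-user and postfwd.bl-sender still say "Create whitelist file" although both files are blacklists; `echononl " Create blacklist file '$_file' for postfwd"` fixes the copy-paste. The config file is written only when it does not already exist, so later changes to these rules in the script never reach an installed system; a one-line comment above the `if [[ ! -f "/etc/postfix/postfwd.cf" ]]` stating that would save the next maintainer a surprise.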
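Review bot: The new `check_policy_service inet:127.0.0.1:10040,` sits after `permit_mynetworks,`, so any client inside mynetworks is permitted before postfwd is consulted and the blacklist and per-user rate rules never apply to it; the smtpd_relay_restrictions hunk below uses the same ordering. If that exemption is intended, say so in the comment, e.g. `# Check Postfix Firewall Daemon (clients listed in mynetworks bypass it)`; otherwise move the line above permit_mynetworks in both lists. Because the same lookup now appears in both restriction lists, a single RCPT may reach postfwd twice, which would double-count its rate() and rcpt() counters unless postfwd's request cache absorbs the repeat — worth checking against the postfwd documentation. Port 10040 is hardcoded in both places with nothing in the postfwd section of the script setting it (presumably the package default), so a comment naming where the listen port is configured would keep the two sides in sync.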