install_postfix_advanced.sh: add support for Postfix Firewall Daemon 'postfwd'.

This commit is contained in:
Christoph 2018-11-26 00:03:06 +01:00
parent 0b60c881c9
commit 7a769af49e


@ -512,6 +512,189 @@ else
fi fi
## - Install Postfix Firewall Daemon from debian packages system
## -
echononl " Install Postfix Firewall Daemon from debian packages system"
_pkg="postfwd"
if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
echo_skipped
else
DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
fi
echononl " Adjust /etc/default/postfwd"
perl -i -n -p -e "s#^(\s*)(STARTUP=.*)#\#\1\2\nSTARTUP=1#" \
/etc/default/postfwd > $tmp_err_msg 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
_file="/etc/postfix/postfwd.wl-user"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# SASL Users whitelisted by postfwd
# ---
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/postfwd.bl-user"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# SASL Users blocked by postfwd
# ---
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/postfwd.bl-sender"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# Sender addresses blocked by postfwd
# ---
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Create configuration file '/etc/postfix/postfwd.cf'.."
if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then
cat << EOF > /etc/postfix/postfwd.cf
#======= Definitions ============
# Match messages with an associated SASL username
&&SASL_AUTH {
sasl_username!~^\$
}
# Whitelist users
&&TRUSTED_USERS {
sasl_username=file:/etc/postfix/postfwd.wl-user
}
# Blacklist users
&&BLOCK_USERS {
sasl_username=file:/etc/postfix/postfwd.bl-user
}
# Blacklist sender adresses
&&BLOCK_SENDER {
sender=file:/etc/postfix/postfwd.bl-sender
}
# Inbound emails only
&&INCOMING {
client_address!=127.0.0.1
}
#======= Rule sets ============
# Whitelists
id=WHL_USERS
&&TRUSTED_USERS
action=DUNNO
# Blacklist users
id=BL_USERS
&&SASL_AUTH
&&BLOCK_USERS
action=REJECT User is blocked by so36.NET admins. Error: BL_USERS
id=BL_SENDER
&&BLOCK_SENDER
action=REJECT Sender address is blocked by so36.NET admins. Error: BL_SENDER
# Rate Limits
# Block messages with more than 70 recipients
id=BLOCK_MSG_RCPT
&&INCOMING
&&SASL_AUTH
recipient_count=70
action=REJECT Too many recipients, please reduce to less than 70 or consider using a mailing list. Error: BLOCK_MSG_RCPT
# Block users sending more than 50 messages/hour
id=RATE_MSG
&&INCOMING
&&SASL_AUTH
action=rate(\$\$sasl_username/50/3600/450 4.7.1 Rate limit number messages per hour exceeded. Error:RATE_MSG)
# Block users sending more than 250 recipients total/hour
id=RATE_RCPT
&&INCOMING
&&SASL_AUTH
action=rcpt(\$\$sasl_username/250/3600/450 4.7.1 Rate limit number recipients per hour exceeded. Error:RATE_RCPT)
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Restart Postfix firewall daemon 'postfwd'.."
if $systemd_exists ; then
systemctl restart postfwd > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
/etc/init.d/postfwd restart > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
fi
# - Backup existing postfix configuration file # - Backup existing postfix configuration file
# - # -
echononl " Backup existing postfix configuration file" echononl " Backup existing postfix configuration file"
@ -1056,6 +1239,8 @@ smtpd_recipient_restrictions =
check_recipient_access btree:/etc/postfix/access_recipient, check_recipient_access btree:/etc/postfix/access_recipient,
# permit trusted network (mynetwork) # permit trusted network (mynetwork)
permit_mynetworks, permit_mynetworks,
# Check Postfix Firewall Daemon
check_policy_service inet:127.0.0.1:10040,
# permit our users # permit our users
permit_sasl_authenticated, permit_sasl_authenticated,
# dont' accept misconfigured Mail # dont' accept misconfigured Mail
@ -1150,6 +1335,8 @@ smtpd_relay_restrictions =
check_recipient_access btree:/etc/postfix/access_recipient, check_recipient_access btree:/etc/postfix/access_recipient,
# permit trusted network (mynetwork) # permit trusted network (mynetwork)
permit_mynetworks, permit_mynetworks,
# Check Postfix Firewall Daemon
check_policy_service inet:127.0.0.1:10040,
# permit our users # permit our users
permit_sasl_authenticated, permit_sasl_authenticated,
# dont' accept misconfigured Mail # dont' accept misconfigured Mail
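Review bot: The `/etc/default/postfwd` edit at `perl -i -n -p -e "s#^(\s*)(STARTUP=.*)#\#\1\2\nSTARTUP=1#"` is not idempotent — every rerun of the installer comments out the previous line and appends another `STARTUP=1`, and `\1\2` in a replacement is the deprecated spelling of `$1$2` (only usable here because the program sits in double quotes, where `$1` would be eaten by the shell); guarding it and single-quoting the program fixes both: `grep -qE '^\s*STARTUP=1\s*$' /etc/default/postfwd || perl -i -p -e 's#^(\s*)(STARTUP=.*)#\#$1$2\nSTARTUP=1#' /etc/default/postfwd`. The progress messages for `postfwd.bl-user` and `postfwd.bl-sender` both say "Create whitelist file", copied from the whitelist block; they should read "Create blacklist file". A failed write of `/etc/postfix/postfwd.cf` only prints `echo_failed`, and the script still goes on to restart postfwd with whatever is on disk; calling `error "$(cat $tmp_err_msg)"` there as the package-install branch does, or checking that the ruleset parses before `systemctl restart postfwd`, would keep a broken or empty ruleset from going live. Worth a comment next to the two `check_policy_service inet:127.0.0.1:10040,` lines that this is fail-closed: Postfix's default for an unreachable policy service is a temporary rejection, so if postfwd is down every client that gets past `permit_mynetworks` — authenticated users and inbound mail alike — is deferred, and the daemon's health becomes a delivery dependency. The `else` branch that precedes the first hunk begins outside the hunk.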