From ae2b6540afe77cf7b24e8d0c10da0eaff4be1ed4 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sun, 2 Mar 2025 02:17:25 +0100
Subject: [PATCH] install_postfix_advanced.sh: add support for postfix-policyd-spf-python .

---
 install_postfix_advanced.sh | 191 ++++++++++++++++++++++++++++++++++--
 1 file changed, 185 insertions(+), 6 deletions(-)

diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh
index c1be5ad..ba23f54 100755
--- a/install_postfix_advanced.sh
+++ b/install_postfix_advanced.sh
@@ -984,6 +984,116 @@ EOF fi +# - Install SPF-Policy-Tools +# - +echononl " Install Postfix SPF-Policy-Tools 'postfix-policyd-spf-python'" +_pkg=postfix-policyd-spf-python +if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then + echo_skipped +else + DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $log_file + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi +fi + + +# - Backup existing configuration file for policyd-spf daemon +# - +_file="/etc/postfix-policyd-spf-python/policyd-spf.conf" +echononl " Backup configuration file '${_file}'." +if [[ -f "${_file}" ]]; then + cp -a "${_file}" "${_file}.${backup_date}" > /dev/null 2> $log_file + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi +else + echo_skipped +fi + +echononl " Creeate new configuration '${_file}'.." +cat < "${_file}" +# For a fully commented sample config file see policyd-spf.conf.commented + +# Reject and deferred reason +Reason_Message = Message {rejectdefer} due to: {spf}. + +# Amount of debugging information logged. 0 logs no debugging messages +# 5 includes all debug messages. +debugLevel = 1 + +# HELO check rejection policy. Options are: +# HELO_reject = SPF_Not_Pass (default) - Reject if result not Pass/None/Tempfail. +# HELO_reject = Softfail - Reject if result Softfail and Fail +# HELO_reject = Fail - Reject on HELO Fail +# HELO_reject = Null - Only reject HELO Fail for Null sender (SPF Classic) +# HELO_reject = False - Never reject/defer on HELO, append header only. +# HELO_reject = No_Check - Never check HELO. +HELO_reject = SPF_Not_Pass + +# Mail From rejection policy. Options are: +# Mail_From_reject = SPF_Not_Pass - Reject if result not Pass/None/Tempfail. 
+# Mail_From_reject = Softfail - Reject if result Softfail and Fail +# Mail_From_reject = Fail - Reject on Mail From Fail (default) +# Mail_From_reject = False - Never reject/defer on Mail From, append header only +# Mail_From_reject = No_Check - Never check Mail From/Return Path. +# +# Dieser Parameter steuert, wie der SPF-Check auf Fehler bei der Überprüfung der +# MAIL FROM-Adresse reagiert. Ein Fehler tritt auf, wenn die IP-Adresse des sendenden +# Servers nicht den SPF-Einträgen der Domain in der MAIL FROM-Adresse entspricht. +# +Mail_From_reject = Fail + +# Policy for rejecting due to SPF PermError. Options are: +# PermError_reject = True +# PermError_reject = False +# +# Wirkung: Dieser Parameter bestimmt, wie der SPF-Check auf permanente Fehler (PermError) +# reagiert. Ein permanenter Fehler tritt auf, wenn die SPF-DNS-Einträge ungültig oder +# fehlerhaft sind (z. B. syntaktische Fehler oder ungültige Mechanismen). +# +# Wenn PermError_reject auf True gesetzt ist, wird die E-Mail abgewiesen (rejected), +# +PermError_reject = True + +# Policy for deferring messages due to SPF TempError. Options are: +# TempError_Defer = True +# TempError_Defer = False +# +# Wirkung: Dieser Parameter bestimmt das Verhalten bei temporären SPF-Fehlern (TempError). +# Ein temporärer Fehler tritt auf, wenn der SPF-Check aufgrund von vorübergehenden +# Problemen (z. B. DNS-Auflösungsfehler oder Netzwerkprobleme) nicht durchgeführt werden kann. +# +# Wenn TempError_Defer auf True gesetzt ist, wird die E-Mail vorübergehend zurückgewiesen +# (deferred), und der empfangende Server versucht später erneut, die E-Mail zuzustelle +# +TempError_Defer = Defer + +# Type of header to insert to document SPF result. Can be Received-SPF (SPF) +# or Authentication Results (AR). It cannot be both. 
+# Examples: (default is Received-SPF): +# Header_Type = AR +# Header_Type = SPF +Header_Type = SPF + +# Do not check SPF for localhost addresses - add to skip addresses to +# skip SPF for internal networks if desired. Defaults are standard IPv4 and +# IPv6 localhost addresses. +skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1 +EOF +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed +fi + + ## - Install Postfix Firewall Daemon from debian packages system ## - echononl " Install Postfix Firewall Daemon from debian packages system" @@ -2498,6 +2608,20 @@ else EOF fi +if [[ -n "$(which policyd-spf)" ]] ; then + cat <> /etc/postfix/main.cf + +# The time limit for delivery to '/usr/bin/policyd-spf' +# +# An entry in '/etc/postfix/master.cf' is needed: +# +# policyd-spf unix - n n - 0 spawn +# user=policyd-spf argv=/usr/bin/policyd-spf +# +policyd-spf_time_limit = 3600 +EOF +fi + cat <> /etc/postfix/main.cf @@ -2688,6 +2812,17 @@ smtpd_recipient_restrictions = # managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html # for more details reject_unverified_recipient, +EOF + +if [[ -n "$(which policyd-spf)" ]] ; then + cat <> /etc/postfix/main.cf +# Check Postfix policy service .. +# + check_policy_service unix:private/policy-spf +EOF +fi + +cat <> /etc/postfix/main.cf # Policyd-Weight #check_policy_service inet:127.0.0.1:12525, # permit Backup MX 
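Review bot: `TempError_Defer = Defer` assigns a value that the comment block directly above it does not list — it documents only `TempError_Defer = True` and `TempError_Defer = False` — so the deferral behaviour that comment describes may not be what the daemon actually applies; the intended line is presumably `TempError_Defer = True`. The heredoc header is rendered here as `cat < "${_file}"`, which looks like an extraction artefact of `cat <<EOF > "${_file}"`; if the real line is the unquoted form it is harmless, since the config body contains no `$` expansions, but `<<'EOF'` would make that explicit. The progress message `echononl " Creeate new configuration '${_file}'.."` has a typo (`Create`). `PermError_reject = True` together with `HELO_reject = SPF_Not_Pass` is the strict end of the policy range — the comment itself says mail from domains with malformed SPF records is rejected outright — which is a legitimate choice but deserves a one-line note in the generated file saying it is intentional.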
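Review bot: `if [[ -n "$(which policyd-spf)" ]] ; then` detects the binary through `which`, which is not POSIX and whose output and exit status differ between implementations; `if command -v policyd-spf >/dev/null 2>&1 ; then` is the portable test. The same idiom is repeated for policyd-spf in the `@@ -2688` hunk and for postfwd, opendkim and opendmarc in the `@@ -2743` and `@@ -2775` hunks, so it is worth fixing in one pass. The heredoc header appears here as `cat <> /etc/postfix/main.cf`, presumably `cat <<EOF >> /etc/postfix/main.cf` mangled by the rendering; the comment text it writes is fine, but consider `<<'EOF'` since nothing in the body needs expansion.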
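Review bot: `check_policy_service unix:private/policy-spf` names a socket that nothing in this patch creates: the master.cf entry added in the `@@ -3649` hunk (and quoted in the comment of the `@@ -2498` hunk) defines the service as `policyd-spf`, and Postfix derives the unix socket path from the service name, so it would be `private/policyd-spf`. With the names mismatched smtpd cannot connect to the policy service at the recipient-restriction stage, and Postfix by default answers an unreachable policy server with a temporary failure, so mail would be deferred instead of SPF-checked. Either rename the master.cf service to `policy-spf` or change this line to ` check_policy_service unix:private/policyd-spf`. The `smtpd_recipient_restrictions` list this line belongs to starts before the hunk.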
@@ -2743,18 +2878,32 @@ smtpd_relay_restrictions = ## --- smtpd_data_restrictions = - # Block clients that speak too early. - # +# Block clients that speak too early. +# reject_unauth_pipelining + +## --- +## - smtpd END OF ATA Restrictions +## --- + smtpd_end_of_data_restrictions = - # Check Postfix Firewall Daemon - # +EOF + +if [[ -n "$(which postfwd)" ]] ; then + cat <> /etc/postfix/main.cf +# Check Postfix Firewall Daemon +# check_policy_service inet:127.0.0.1:10040 EOF +else + cat <> /etc/postfix/main.cf -if [[ -n "$(which opendkim)" ]] ; then +EOF +fi + +if [[ -n "$(which opendkim)" ]] || [[ -n "$(which opendmarc)" ]] ; then cat <> /etc/postfix/main.cf # ======= Milter configuration ======= @@ -2775,10 +2924,23 @@ milter_protocol = 6 # 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to # localhost:10025 section in master.cf: 'smtpd_milters=' # -#smtpd_milters = local:/opendkim/opendkim.sock smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map smtpd_milters = +EOF +fi +if [[ -n "$(which opendkim)" ]] ; then + if [[ -n "$(which opendmarc)" ]] ; then + cat <> /etc/postfix/main.cf +non_smtpd_milters = local:/opendkim/opendkim.sock,local:/opendmarc/opendmarc.sock +EOF + else + cat <> /etc/postfix/main.cf non_smtpd_milters = local:/opendkim/opendkim.sock +EOF + fi +elif [[ -n "$(which opendmarc)" ]] ; then + cat <> /etc/postfix/main.cf +non_smtpd_milters = local:/opendmarc/opendmarc.sock EOF fi @@ -3568,6 +3730,12 @@ else smtps_present=false fi +if grep -iq -E "^policyd-spf\s+" $postfix_master_cf > /dev/null 2>&1 ; then + policyd_spf_present=true +else + policyd_spf_present=false +fi + _found=false echononl " Create new file \"${postfix_master_cf}\"" if [[ -f "${postfix_master_cf}.$backup_date" ]]; then 
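Review bot: The new heading `## - smtpd END OF ATA Restrictions` is written into /etc/postfix/main.cf with a typo; it should read `## - smtpd END OF DATA Restrictions`. When postfwd is absent the `else` branch appends a heredoc that contains only a blank line, leaving `smtpd_end_of_data_restrictions =` empty, which Postfix accepts; `printf '\n' >> /etc/postfix/main.cf` would express that intent more directly than an empty heredoc. The `smtpd_data_restrictions` block this hunk edits begins before the hunk, so I cannot confirm what precedes the moved `# Block clients that speak too early.` comment.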
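Review bot: The three `non_smtpd_milters` branches write the same setting with one of three hand-assembled socket lists, so any further milter means editing every branch; building the list once and writing it with a single `printf` gives the same output for all three cases. The opendkim-before-opendmarc order the branches preserve is significant, because OpenDMARC evaluates the Authentication-Results header that OpenDKIM adds, and it should be stated in a comment such as `# opendkim must precede opendmarc so the DKIM result is available to it`. The enclosing `if [[ -n "$(which opendkim)" ]] || ...` block that writes the `smtpd_milters =` header starts before this hunk, and `smtpd_milters =` is deliberately left empty per the comment above it, with `smtpd_milter_maps` carrying the per-client assignment.

```shell
# … unchanged: Milter configuration header written to main.cf …
_milters=""
if command -v opendkim >/dev/null 2>&1 ; then
  _milters="local:/opendkim/opendkim.sock"
fi
if command -v opendmarc >/dev/null 2>&1 ; then
  # opendkim must precede opendmarc so the DKIM result is available to it
  _milters="${_milters:+${_milters},}local:/opendmarc/opendmarc.sock"
fi
if [[ -n "$_milters" ]] ; then
  printf 'non_smtpd_milters = %s\n' "$_milters" >> /etc/postfix/main.cf
fi
```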
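Review bot: `policyd_spf_present` is assigned here but nothing else in this patch reads it; the `@@ -3649` hunk re-runs the same grep instead of testing the flag, so either use it there (`if ! $policyd_spf_present ; then`) or drop this block. The neighbouring `smtps_present` flag presumably follows the same pattern, which I cannot see from here. `grep -iq` already suppresses output, so the `> /dev/null 2>&1` on the same line is redundant, and `$postfix_master_cf` should be quoted as it is in the next hunk.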
@@ -3649,6 +3817,17 @@ EOF done < "${postfix_master_cf}.$backup_date" + # - Add support for policyd-spf service + # - + if ! $(grep -iq -E "^policyd-spf\s+" "$postfix_master_cf" 2> /dev/null) ; then + cat <> $postfix_master_cf + +policyd-spf unix - n n - 0 spawn + user=policyd-spf argv=/usr/bin/policyd-spf +EOF + fi + + # - Add transport definitions for only sending over IPv4/IPv6 # - if ! $(grep -iq -E "^smtp-ipv4-only\s+" "$postfix_master_cf" 2> /dev/null) ; then
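Review bot: `if ! $(grep -iq -E "^policyd-spf\s+" "$postfix_master_cf" 2> /dev/null) ; then` wraps grep in a command substitution, so the shell tries to execute grep's output as a command rather than testing grep itself; it only works because `-q` prints nothing and bash then reports the substitution's exit status for a command with no name. The plain form `if ! grep -iq -E "^policyd-spf\s+" "$postfix_master_cf" 2> /dev/null ; then` is what is meant, and the pre-existing `smtp-ipv4-only` check in the context below uses the same fragile idiom, so it is worth fixing both. The `while ... done` loop this block follows starts before the hunk.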