install_postfix_advanced.sh, install_postfwd.sh: Add more rules to postfix firewall postfwd config.

This commit is contained in:
Christoph 2022-09-17 01:05:02 +02:00
parent a230c6add0
commit e786c78a8b
2 changed files with 487 additions and 14 deletions


@ -895,6 +895,64 @@ else
error "$(cat $tmp_err_msg)"
fi
_file="/etc/postfix/postfwd.wl-nets"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# Trusted networks whitelisted by postfwd
#
# Example:
#
# # web0.warenform.de
# #83.223.86.76
# #2a01:30:0:505:286:96ff:fe4a:6ee
# #2a01:30:0:13:286:96ff:fe4a:6eee
#
# ---
# give truested networrk adresses here
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/postfwd.wl-hosts"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# Trusted hosts whitelisted by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
# Example:
#
# # all hosts of domain 'oopen.de'
# \.oopen\.de$
#
# # host a.mx.oopen.de
# a.mx.oopen.de
#
# ---
# give truested hostnames here
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/postfwd.wl-user"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
@ -913,6 +971,96 @@ else
echo_skipped
fi
_file="/etc/postfix/postfwd.wl-sender"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# Trusted senders whitelisted by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
# Example:
#
# # all senders of maildomaindomain 'oopen.de'
# @oopen\.de$
#
# # sender address ckubu@oopen.de
# ckubu@oopen.de
#
# ---
# give trusted sender addresses here
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/postfwd.bl-nets"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# Networks blocked by postfwd
#
# Example:
#
# # web0.warenform.de
# #83.223.86.76
# #2a01:30:0:505:286:96ff:fe4a:6ee
# #2a01:30:0:13:286:96ff:fe4a:6eee
#
# ---
# give networks to block here
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/postfwd.bl-hosts"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# hosts blocked by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
# Example:
#
# # block all hosts of domain 'oopen.de'
# \.oopen\.de$
#
# # block host a.mx.oopen.de
# a.mx.oopen.de
#
# ---
# give hostnames to blocke here
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/postfwd.bl-user"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
@ -955,8 +1103,43 @@ else
echo_skipped
fi
_file="/etc/postfix/postfwd.bl-sender"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# Sender addresses blocked by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
# Example:
#
# # all senders of maildomaindomain 'oopen.de'
# @oopen\.de$
#
# # sender address ckubu@oopen.de
# ckubu@oopen.de
#
# ---
# annoying spammer domains
@acieu.co.uk
# annoying spammer addresses
error@mailfrom.com
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Create configuration file '/etc/postfix/postfwd.cf'.."
if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then
#if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then
cat << EOF > /etc/postfix/postfwd.cf
#======= Definitions ============
@ -966,11 +1149,37 @@ if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then
sasl_username!~^\$
}
# Whitelist users
# Trusted networks
&&TRUSTED_NETS {
client_address==file:/etc/postfix/postfwd.wl-nets
}
# Trusted hostnames
# client_name~=.warenform.de$
&&TRUSTED_HOSTS {
client_name=~file:/etc/postfix/postfwd.wl-hosts
}
# Trusted users
&&TRUSTED_USERS {
sasl_username==file:/etc/postfix/postfwd.wl-user
}
# Trusted senders
&&TRUSTED_SENDERS {
sender=~file:/etc/postfix/postfwd.wl-sender
}
# Blacklist networks
&&BLOCK_NETS {
client_address==file:/etc/postfix/postfwd.bl-nets
}
# Blacklist hostnames
&&BLOCK_HOSTS {
client_name=~file:/etc/postfix/postfwd.bl-hosts
}
# Blacklist users
&&BLOCK_USERS {
sasl_username==file:/etc/postfix/postfwd.bl-user
@ -993,17 +1202,44 @@ if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then
# Whitelists
# Whitelist trusted networks
id=WHL_NETS
&&TRUSTED_NETS
action=DUNNO
# Whitelist trusted hostnames
id=WHL_HOSTS
&&TRUSTED_HOSTS
action=DUNNO
# Whitelist sasl users
id=WHL_USERS
&&TRUSTED_USERS
action=DUNNO
# Whitelist senders
id=WHL_SENDERS
&&INCOMING
&&TRUSTED_SENDERS
action=DUNNO
# Blacklist users
# Blacklists
# Block networks
id=BL_NETS
&&BLOCK_NETS
action=REJECT Network Address \$\$client_address blocked by Mailserver admins. Error: BL_NETS
# Block hostname
id=BL_HOSTS
&&BLOCK_HOSTS
action=REJECT \$\$client_name blocked by Mailserver admins. Error: BL_HOSTS
# Block users
id=BL_USERS
&&BLOCK_USERS
action=REJECT User is blocked by so36.NET admins. Error: BL_USERS
action=REJECT User is blocked by Mailserver admins. Error: BL_USERS
# Blacklist sender
#
@ -1011,12 +1247,17 @@ id=BL_USERS
#
id=BL_SENDER
&&BLOCK_SENDER
action=DISCARD
#action=REJECT Sender address is blocked by so36.NET admins. Error: BL_SENDER
#action=DISCARD
action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER
# Rate Limits
# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. Error:RATE_CLIENT)
id=RATE_CLIENT_ADDR
&&INCOMING
action=rate(\$\$client_address/50/60/421 421 4.7.0 Too many connections from \$\$client_address)
# Block messages with more than 50 recipients
id=BLOCK_MSG_RCPT
&&INCOMING
@ -1042,9 +1283,9 @@ EOF
else
echo_failed
fi
else
echo_skipped
fi
#else
# echo_skipped
#fi
echononl " Enable Postfix firewall daemon at boot time .."
if $systemd_exists ; then
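Review bot: The WHL_SENDERS rule (`id=WHL_SENDERS` / `&&TRUSTED_SENDERS` / `action=DUNNO`) whitelists on `sender=~file:/etc/postfix/postfwd.wl-sender`, but the envelope sender is supplied by the connecting client and the template this hunk writes for that file lists an unanchored example (`ckubu@oopen.de`), so a substring match such as a sender ending in `.de.example` would also pass and any client claiming a listed sender skips the BL_* and rate rules that follow. I would anchor the examples, e.g. `# ^ckubu@oopen\.de$`, and add a template comment stating that sender-based whitelisting trusts unauthenticated data and that entries in wl-user (SASL) or wl-nets are the safer choice. The host example `a.mx.oopen.de` in the wl-hosts template has the same problem; `^a\.mx\.oopen\.de$` matches only that host. The same templates and rules are written by install_postfwd.sh in the second file section.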


@ -91,14 +91,170 @@ else
error "$(cat $tmp_err_msg)"
fi
_file="/etc/postfix/postfwd.wl-nets"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# Trusted networks whitelisted by postfwd
#
# Example:
#
# # web0.warenform.de
# #83.223.86.76
# #2a01:30:0:505:286:96ff:fe4a:6ee
# #2a01:30:0:13:286:96ff:fe4a:6eee
#
# ---
# give truested networrk adresses here
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/postfwd.wl-hosts"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# Trusted hosts whitelisted by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
# Example:
#
# # all hosts of domain 'oopen.de'
# \.oopen\.de$
#
# # host a.mx.oopen.de
# a.mx.oopen.de
#
# ---
# give truested hostnames here
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/postfwd.wl-user"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# SASL Users whitelisted by postfwd
#
# Example:
#
# # give trusted sasl_user here
# admin@warenform.de
#
# ---
# give trusted sasl_user here
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/postfwd.wl-sender"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# Trusted senders whitelisted by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
# Example:
#
# # all senders of maildomaindomain 'oopen.de'
# @oopen\.de$
#
# # sender address ckubu@oopen.de
# ckubu@oopen.de
#
# ---
# give trusted sender addresses here
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/postfwd.bl-nets"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# Networks blocked by postfwd
#
# Example:
#
# # web0.warenform.de
# #83.223.86.76
# #2a01:30:0:505:286:96ff:fe4a:6ee
# #2a01:30:0:13:286:96ff:fe4a:6eee
#
# ---
# give networks to block here
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/postfwd.bl-hosts"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# hosts blocked by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
# Example:
#
# # block all hosts of domain 'oopen.de'
# \.oopen\.de$
#
# # block host a.mx.oopen.de
# a.mx.oopen.de
#
# ---
# give hostnames to blocke here
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
@ -115,8 +271,15 @@ if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# SASL Users blocked by postfwd
#
# Example:
#
# # give sasl_user to block here
# ckubu@warenform.de
# ---
# give sasl_user to block here
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
@ -133,6 +296,17 @@ if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# Sender addresses blocked by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
# Example:
#
# # all senders of maildomaindomain 'oopen.de'
# @oopen\.de$
#
# # sender address ckubu@oopen.de
# ckubu@oopen.de
#
# ---
# annoying spammer domains
@ -162,11 +336,37 @@ if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then
sasl_username!~^\$
}
# Whitelist users
# Trusted networks
&&TRUSTED_NETS {
client_address==file:/etc/postfix/postfwd.wl-nets
}
# Trusted hostnames
# client_name~=.warenform.de$
&&TRUSTED_HOSTS {
client_name=~file:/etc/postfix/postfwd.wl-hosts
}
# Trusted users
&&TRUSTED_USERS {
sasl_username==file:/etc/postfix/postfwd.wl-user
}
# Trusted senders
&&TRUSTED_SENDERS {
sender=~file:/etc/postfix/postfwd.wl-sender
}
# Blacklist networks
&&BLOCK_NETS {
client_address==file:/etc/postfix/postfwd.bl-nets
}
# Blacklist hostnames
&&BLOCK_HOSTS {
client_name=~file:/etc/postfix/postfwd.bl-hosts
}
# Blacklist users
&&BLOCK_USERS {
sasl_username==file:/etc/postfix/postfwd.bl-user
@ -189,17 +389,44 @@ if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then
# Whitelists
# Whitelist trusted networks
id=WHL_NETS
&&TRUSTED_NETS
action=DUNNO
# Whitelist trusted hostnames
id=WHL_HOSTS
&&TRUSTED_HOSTS
action=DUNNO
# Whitelist sasl users
id=WHL_USERS
&&TRUSTED_USERS
action=DUNNO
# Whitelist senders
id=WHL_SENDERS
&&INCOMING
&&TRUSTED_SENDERS
action=DUNNO
# Blacklist users
# Blacklists
# Block networks
id=BL_NETS
&&BLOCK_NETS
action=REJECT Network Address \$\$client_address blocked by Mailserver admins. Error: BL_NETS
# Block hostname
id=BL_HOSTS
&&BLOCK_HOSTS
action=REJECT \$\$client_name blocked by Mailserver admins. Error: BL_HOSTS
# Block users
id=BL_USERS
&&BLOCK_USERS
action=REJECT User is blocked by so36.NET admins. Error: BL_USERS
action=REJECT User is blocked by Mailserver admins. Error: BL_USERS
# Blacklist sender
#
@ -207,12 +434,17 @@ id=BL_USERS
#
id=BL_SENDER
&&BLOCK_SENDER
action=DISCARD
#action=REJECT Sender address is blocked by so36.NET admins. Error: BL_SENDER
#action=DISCARD
action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER
# Rate Limits
# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. Error:RATE_CLIENT)
id=RATE_CLIENT_ADDR
&&INCOMING
action=rate(\$\$client_address/50/60/421 421 4.7.0 Too many connections from \$\$client_address)
# Block messages with more than 50 recipients
id=BLOCK_MSG_RCPT
&&INCOMING
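Review bot: The progress messages for the blacklist templates still say `Create whitelist file '$_file' for postfwd` (the echononl lines preceding `/etc/postfix/postfwd.bl-nets` and `/etc/postfix/postfwd.bl-hosts` here, and the bl-nets/bl-hosts/bl-user/bl-sender blocks in install_postfix_advanced.sh), which misreports what is being written; `echononl " Create blacklist file '$_file' for postfwd"` would match the file. The template comments also carry typos that end up in the generated files — `truested networrk adresses`, `maildomaindomain`, `blocke` — and a comment such as `# hosts to block (perl regexp, matched with =~; anchor with ^ and $)` would document the match semantics where the generated file currently says only that regexp is possible. Since the list files are written with an unquoted heredoc, the backslashes in `\.oopen\.de$` rely on bash leaving `\.` untouched; quoting the delimiter for these list templates (`cat << 'EOF' > "$_file"`), which contain no intended expansions, makes that explicit, whereas the postfwd.cf heredoc must stay unquoted for its `\$\$` escapes.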