From e786c78a8bc94d0121f433957c01619c96d95f6f Mon Sep 17 00:00:00 2001 From: Christoph Date: Sat, 17 Sep 2022 01:05:02 +0200 Subject: [PATCH] install_postfix_advanced.sh, install_postfwd.sh: Add more rules to postfix firewall postfwd config. --- install_postfix_advanced.sh | 259 ++++++++++++++++++++++++++++++++++-- install_postfwd.sh | 242 ++++++++++++++++++++++++++++++++- 2 files changed, 487 insertions(+), 14 deletions(-) diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh index d769d45..1de075e 100755 --- a/install_postfix_advanced.sh +++ b/install_postfix_advanced.sh @@ -895,6 +895,64 @@ else error "$(cat $tmp_err_msg)" fi +_file="/etc/postfix/postfwd.wl-nets" +echononl " Create whitelist file '$_file' for postfwd" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# Trusted networks whitelisted by postfwd +# +# Example: +# +# # web0.warenform.de +# #83.223.86.76 +# #2a01:30:0:505:286:96ff:fe4a:6ee +# #2a01:30:0:13:286:96ff:fe4a:6eee +# +# --- + +# give truested networrk adresses here +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + +_file="/etc/postfix/postfwd.wl-hosts" +echononl " Create whitelist file '$_file' for postfwd" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# Trusted hosts whitelisted by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# Example: +# +# # all hosts of domain 'oopen.de' +# \.oopen\.de$ +# +# # host a.mx.oopen.de +# a.mx.oopen.de +# +# --- + +# give truested hostnames here + +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + _file="/etc/postfix/postfwd.wl-user" echononl " Create whitelist file '$_file' for postfwd" if [[ ! -f "$_file" ]]; then 
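Review bot: The whitelist templates are written with an unquoted `cat << EOF` delimiter although nothing in them needs shell expansion, so the regex examples such as `\.oopen\.de$` pass through the shell's backslash and `$` handling (the visible examples survive it, but any later template entry containing `$(`, `${` or a backtick would be expanded at install time); `cat << 'EOF' > "$_file"` makes the template literal. The `a.mx.oopen.de` example for the `=~`-matched wl-hosts file is unanchored and its dots are unescaped, so it also matches any client name that merely contains that string; the example should read `^a\.mx\.oopen\.de$`. The template comments carry typos (`truested networrk adresses`, `truested hostnames`). The same heredoc pattern appears in the hunks at -913 and -955 here and at -91 in install_postfwd.sh.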
@@ -913,6 +971,96 @@ else echo_skipped fi +_file="/etc/postfix/postfwd.wl-sender" +echononl " Create whitelist file '$_file' for postfwd" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# Trusted senders whitelisted by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# Example: +# +# # all senders of maildomaindomain 'oopen.de' +# @oopen\.de$ +# +# # sender address ckubu@oopen.de +# ckubu@oopen.de +# +# --- + +# give trusted sender addresses here + +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + +_file="/etc/postfix/postfwd.bl-nets" +echononl " Create whitelist file '$_file' for postfwd" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# Networks blocked by postfwd +# +# Example: +# +# # web0.warenform.de +# #83.223.86.76 +# #2a01:30:0:505:286:96ff:fe4a:6ee +# #2a01:30:0:13:286:96ff:fe4a:6eee +# +# --- + +# give networks to block here + +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + +_file="/etc/postfix/postfwd.bl-hosts" +echononl " Create whitelist file '$_file' for postfwd" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# hosts blocked by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# Example: +# +# # block all hosts of domain 'oopen.de' +# \.oopen\.de$ +# +# # block host a.mx.oopen.de +# a.mx.oopen.de +# +# --- + +# give hostnames to blocke here + +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + _file="/etc/postfix/postfwd.bl-user" echononl " Create whitelist file '$_file' for postfwd" if [[ ! -f "$_file" ]]; then 
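Review bot: The wl-sender template is matched against the envelope sender with `=~`, and its example `ckubu@oopen.de` is unanchored with unescaped dots, so it matches any sender address that contains that string; because the sender address is supplied by the remote client, entries in this file should be anchored, e.g. `^ckubu@oopen\.de$` (the `@oopen\.de$` example is already anchored at the end). The progress messages for postfwd.bl-nets and postfwd.bl-hosts still say `Create whitelist file`, which is misleading for a blacklist; `echononl "  Create blacklist file '$_file' for postfwd"` fixes it, and the bl-sender block in the hunk at -955 and the blacklist blocks at -91 in install_postfwd.sh have the same copy-paste label. `blocke` in the bl-hosts comment is a typo.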
@@ -955,8 +1103,43 @@ else echo_skipped fi +_file="/etc/postfix/postfwd.bl-sender" +echononl " Create whitelist file '$_file' for postfwd" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# Sender addresses blocked by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# Example: +# +# # all senders of maildomaindomain 'oopen.de' +# @oopen\.de$ +# +# # sender address ckubu@oopen.de +# ckubu@oopen.de +# +# --- + +# annoying spammer domains +@acieu.co.uk + +# annoying spammer addresses +error@mailfrom.com + +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + echononl " Create configuration file '/etc/postfix/postfwd.cf'.." -if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then +#if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then cat << EOF > /etc/postfix/postfwd.cf #======= Definitions ============ @@ -966,11 +1149,37 @@ if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then sasl_username!~^\$ } -# Whitelist users +# Trusted networks +&&TRUSTED_NETS { + client_address==file:/etc/postfix/postfwd.wl-nets +} + +# Trusted hostnames +# client_name~=.warenform.de$ +&&TRUSTED_HOSTS { + client_name=~file:/etc/postfix/postfwd.wl-hosts +} + +# Trusted users &&TRUSTED_USERS { sasl_username==file:/etc/postfix/postfwd.wl-user } +# Trusted senders +&&TRUSTED_SENDERS { + sender=~file:/etc/postfix/postfwd.wl-sender +} + +# Blacklist networks +&&BLOCK_NETS { + client_address==file:/etc/postfix/postfwd.bl-nets +} + +# Blacklist hostnames +&&BLOCK_HOSTS { + client_name=~file:/etc/postfix/postfwd.bl-hosts +} + # Blacklist users &&BLOCK_USERS { sasl_username==file:/etc/postfix/postfwd.bl-user 
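Review bot: Commenting out `if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then` (with the matching `else`/`fi` commented in the hunk at -1042) makes this script overwrite /etc/postfix/postfwd.cf on every run, so any local edits to the rule set are silently lost, while install_postfwd.sh keeps its guard and now behaves differently. If regenerating the file is intended, keep the previous version first, e.g. `[[ -f /etc/postfix/postfwd.cf ]] && cp -a /etc/postfix/postfwd.cf "/etc/postfix/postfwd.cf.$(date +%Y%m%d-%H%M%S)"`, and say so in the progress message. Dead commented-out control flow is better removed than left in place, since a reader may assume the guard is still active.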
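Review bot: The commented example above `&&TRUSTED_HOSTS`, `# client_name~=.warenform.de$`, has the operator reversed relative to the live line (`=~`) and an unescaped dot; as a template for admins it should read `# client_name=~\.warenform\.de$`. The wl-nets header describes the file as "Trusted networks", but the examples are single addresses; worth confirming against the postfwd documentation that `client_address==file:` entries may be CIDR ranges before documenting the file as a network list. The same definitions are added to install_postfwd.sh in the hunk at -162.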
@@ -993,17 +1202,44 @@ if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then # Whitelists +# Whitelist trusted networks +id=WHL_NETS + &&TRUSTED_NETS + action=DUNNO + +# Whitelist trusted hostnames +id=WHL_HOSTS + &&TRUSTED_HOSTS + action=DUNNO + # Whitelist sasl users id=WHL_USERS &&TRUSTED_USERS action=DUNNO +# Whitelist senders +id=WHL_SENDERS + &&INCOMING + &&TRUSTED_SENDERS + action=DUNNO -# Blacklist users +# Blacklists + +# Block networks +id=BL_NETS + &&BLOCK_NETS + action=REJECT Network Address \$\$client_address blocked by Mailserver admins. Error: BL_NETS + +# Block hostname +id=BL_HOSTS + &&BLOCK_HOSTS + action=REJECT \$\$client_name blocked by Mailserver admins. Error: BL_HOSTS + +# Block users id=BL_USERS &&BLOCK_USERS - action=REJECT User is blocked by so36.NET admins. Error: BL_USERS + action=REJECT User is blocked by Mailserver admins. Error: BL_USERS # Blacklist sender # @@ -1011,12 +1247,17 @@ id=BL_USERS # id=BL_SENDER &&BLOCK_SENDER - action=DISCARD - #action=REJECT Sender address is blocked by so36.NET admins. Error: BL_SENDER + #action=DISCARD + action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER # Rate Limits +# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. Error:RATE_CLIENT) +id=RATE_CLIENT_ADDR + &&INCOMING + action=rate(\$\$client_address/50/60/421 421 4.7.0 Too many connections from \$\$client_address) + # Block messages with more than 50 recipients id=BLOCK_MSG_RCPT &&INCOMING @@ -1042,9 +1283,9 @@ EOF else echo_failed fi -else - echo_skipped -fi +#else +# echo_skipped +#fi echononl " Enable Postfix firewall daemon at boot time .." if $systemd_exists ; then diff --git a/install_postfwd.sh b/install_postfwd.sh index b481820..4e9d7a9 100755 --- a/install_postfwd.sh +++ b/install_postfwd.sh 
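Review bot: `WHL_SENDERS` is placed before `BL_NETS`, `BL_HOSTS` and the rate limit, and its `action=DUNNO` ends postfwd's rule evaluation for that request, so a message whose envelope sender matches postfwd.wl-sender is exempted from the network and hostname blacklists and from `RATE_CLIENT_ADDR` although the sender address is supplied by the remote client and is not verified anywhere in this rule set. A whitelist keyed on the sender should come after the client-based block rules and the rate rules so that those stay effective; moving the four `id=WHL_SENDERS` lines below the `# Rate Limits` section does that without changing any rule. The same rule order is added to install_postfwd.sh in the hunk at -189.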
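Review bot: The comment on the new `RATE_CLIENT_ADDR` rule is garbled: it mixes `sending more than 50 messages per minute` with `exceeded`, ends in a stray `)` and names the id as `RATE_CLIENT`. Since `rate()` counts the policy requests it sees for the client address, which can be more than one per message when Postfix consults the policy once per recipient, a comment that matches the rule would be `# Defer (421) clients that exceed 50 policy requests per 60 s from one address. Error: RATE_CLIENT_ADDR`. The same text is added in install_postfwd.sh at -207.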
@@ -91,14 +91,170 @@ else error "$(cat $tmp_err_msg)" fi +_file="/etc/postfix/postfwd.wl-nets" +echononl " Create whitelist file '$_file' for postfwd" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# Trusted networks whitelisted by postfwd +# +# Example: +# +# # web0.warenform.de +# #83.223.86.76 +# #2a01:30:0:505:286:96ff:fe4a:6ee +# #2a01:30:0:13:286:96ff:fe4a:6eee +# +# --- + +# give truested networrk adresses here +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + +_file="/etc/postfix/postfwd.wl-hosts" +echononl " Create whitelist file '$_file' for postfwd" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# Trusted hosts whitelisted by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# Example: +# +# # all hosts of domain 'oopen.de' +# \.oopen\.de$ +# +# # host a.mx.oopen.de +# a.mx.oopen.de +# +# --- + +# give truested hostnames here + +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + _file="/etc/postfix/postfwd.wl-user" echononl " Create whitelist file '$_file' for postfwd" if [[ ! -f "$_file" ]]; then cat << EOF > "$_file" # --- # SASL Users whitelisted by postfwd +# +# Example: +# +# # give trusted sasl_user here +# admin@warenform.de +# # --- +# give trusted sasl_user here + +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + +_file="/etc/postfix/postfwd.wl-sender" +echononl " Create whitelist file '$_file' for postfwd" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# Trusted senders whitelisted by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# Example: +# +# # all senders of maildomaindomain 'oopen.de' +# @oopen\.de$ +# +# # sender address ckubu@oopen.de +# ckubu@oopen.de +# +# --- + +# give trusted sender addresses here + +EOF + if [[ $? 
-eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + +_file="/etc/postfix/postfwd.bl-nets" +echononl " Create whitelist file '$_file' for postfwd" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# Networks blocked by postfwd +# +# Example: +# +# # web0.warenform.de +# #83.223.86.76 +# #2a01:30:0:505:286:96ff:fe4a:6ee +# #2a01:30:0:13:286:96ff:fe4a:6eee +# +# --- + +# give networks to block here + +EOF + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + +_file="/etc/postfix/postfwd.bl-hosts" +echononl " Create whitelist file '$_file' for postfwd" +if [[ ! -f "$_file" ]]; then + cat << EOF > "$_file" +# --- +# hosts blocked by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# Example: +# +# # block all hosts of domain 'oopen.de' +# \.oopen\.de$ +# +# # block host a.mx.oopen.de +# a.mx.oopen.de +# +# --- + +# give hostnames to blocke here + EOF if [[ $? -eq 0 ]] ; then echo_ok @@ -115,8 +271,15 @@ if [[ ! -f "$_file" ]]; then cat << EOF > "$_file" # --- # SASL Users blocked by postfwd +# +# Example: +# +# # give sasl_user to block here +# ckubu@warenform.de # --- +# give sasl_user to block here + EOF if [[ $? -eq 0 ]] ; then echo_ok @@ -133,6 +296,17 @@ if [[ ! -f "$_file" ]]; then cat << EOF > "$_file" # --- # Sender addresses blocked by postfwd +# +# This file is called with '=~'. This means perl regexp is possible +# +# Example: +# +# # all senders of maildomaindomain 'oopen.de' +# @oopen\.de$ +# +# # sender address ckubu@oopen.de +# ckubu@oopen.de +# # --- # annoying spammer domains 
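Review bot: This copy of the template blocks now differs from the one in install_postfix_advanced.sh: here the wl-user heredoc gains an `# Example:` section and an `admin@warenform.de` sample, whereas the hunk at -895 in the other script leaves its wl-user template untouched, so whichever installer runs first decides what ends up in /etc/postfix/postfwd.wl-user (the bl-user template in the hunk at -115 appears to differ the same way). Roughly 170 identical lines of file-creation code are now maintained in two scripts; moving the per-file heredocs into one helper that both scripts source (say a `create_list_file` taking the path and reading the template from stdin) would keep them aligned. The `if [[ $?` test that this line opens with starts on the previous line of the hunk.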
@@ -162,11 +336,37 @@ if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then sasl_username!~^\$ } -# Whitelist users +# Trusted networks +&&TRUSTED_NETS { + client_address==file:/etc/postfix/postfwd.wl-nets +} + +# Trusted hostnames +# client_name~=.warenform.de$ +&&TRUSTED_HOSTS { + client_name=~file:/etc/postfix/postfwd.wl-hosts +} + +# Trusted users &&TRUSTED_USERS { sasl_username==file:/etc/postfix/postfwd.wl-user } +# Trusted senders +&&TRUSTED_SENDERS { + sender=~file:/etc/postfix/postfwd.wl-sender +} + +# Blacklist networks +&&BLOCK_NETS { + client_address==file:/etc/postfix/postfwd.bl-nets +} + +# Blacklist hostnames +&&BLOCK_HOSTS { + client_name=~file:/etc/postfix/postfwd.bl-hosts +} + # Blacklist users &&BLOCK_USERS { sasl_username==file:/etc/postfix/postfwd.bl-user @@ -189,17 +389,44 @@ if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then # Whitelists +# Whitelist trusted networks +id=WHL_NETS + &&TRUSTED_NETS + action=DUNNO + +# Whitelist trusted hostnames +id=WHL_HOSTS + &&TRUSTED_HOSTS + action=DUNNO + # Whitelist sasl users id=WHL_USERS &&TRUSTED_USERS action=DUNNO +# Whitelist senders +id=WHL_SENDERS + &&INCOMING + &&TRUSTED_SENDERS + action=DUNNO -# Blacklist users +# Blacklists + +# Block networks +id=BL_NETS + &&BLOCK_NETS + action=REJECT Network Address \$\$client_address blocked by Mailserver admins. Error: BL_NETS + +# Block hostname +id=BL_HOSTS + &&BLOCK_HOSTS + action=REJECT \$\$client_name blocked by Mailserver admins. Error: BL_HOSTS + +# Block users id=BL_USERS &&BLOCK_USERS - action=REJECT User is blocked by so36.NET admins. Error: BL_USERS + action=REJECT User is blocked by Mailserver admins. Error: BL_USERS # Blacklist sender # 
@@ -207,12 +434,17 @@ id=BL_USERS # id=BL_SENDER &&BLOCK_SENDER - action=DISCARD - #action=REJECT Sender address is blocked by so36.NET admins. Error: BL_SENDER + #action=DISCARD + action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER # Rate Limits +# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. Error:RATE_CLIENT) +id=RATE_CLIENT_ADDR + &&INCOMING + action=rate(\$\$client_address/50/60/421 421 4.7.0 Too many connections from \$\$client_address) + # Block messages with more than 50 recipients id=BLOCK_MSG_RCPT &&INCOMING