install/postfix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add some documentations

Browse Source
This commit is contained in:
Christoph
2017-02-21 01:34:42 +01:00
parent 900d14f980
commit 4ab265d48d
6 changed files with 2574 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
DOC/etc_postgrey_whitelist_clients.local Normal file
View File

@@ -0,0 +1,3 @@
# For Office 365 - servers:
##/.*outbound.protection.outlook.com$/
/^mail-.*\.outbound\.protection\.outlook\.com$/

461
DOC/install/postfix_base_mailsystem.install Normal file
View File

@@ -0,0 +1,461 @@
## ------------------------------------ ## ## - - ##
## - install postfix base system - ##
## - - ##
## - supports ipv6 - ##
## - - ##
## ------------------------------------ ##
_TLS_CERT_DIR=/etc/postfix/ssl
_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt"
_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key"
_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt
_HOSTNAME=<hostname>
_IPV4=<ipv4-address>
## - Leave empty, if no IPv6 should be supported
## -
#_IPV6=<ipv6-address>
_IPV6=
_ADMIN_EMAIL=<admin_email>
_SASL_AUTH=<true|false>
_RELAY_HOST=b.mx.oopen.de
_SASL_USER=<sasl_user>
_SASL_PASS='sasl_password'
## - remove exim4 and related if installed and you plan
## - to install an alternative mailer
## -
apt-get remove --purge bsd-mailx exim4 exim4-base exim4-config \
exim4-daemon-light mailx
apt-get install postfix postfix-pcre libsasl2-modules bsd-mailx haveged
if $_SASL_AUTH ; then
apt-get install libsasl2-modules
fi
cp -a /etc/postfix/main.cf /etc/postfix/main.cf.ORIG
cat <<EOF > /etc/postfix/main.cf
# ============ Basic settings ============
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myorigin = /etc/mailname
smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
## - The Internet protocols Postfix will attempt to use when making
## - or accepting connections.
## - DEFAULT: ipv4
EOF
if [ -n "$_IPV6" ]; then
cat <<EOF >> /etc/postfix/main.cf
inet_protocols = ipv4, ipv6
#inet_interfaces = all
inet_interfaces = 127.0.0.1
$_IPV4
$_IPV6
myhostname = $_HOSTNAME
mydestination =
$_HOSTNAME
localhost
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
127.0.0.0/8
[::ffff:127.0.0.0]/104
[::1]/128
${_IPV4}/32
[${_IPV6}]/128
smtp_bind_address = $_IPV4
smtp_bind_address6 = $_IPV6
EOF
else
cat <<EOF >> /etc/postfix/main.cf
inet_protocols = ipv4
#inet_interfaces = all
inet_interfaces =
127.0.0.1
$_IPV4
myhostname = $_HOSTNAME
mydestination =
$_HOSTNAME
localhost
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
127.0.0.0/8
${_IPV4}/32
smtp_bind_address = $_IPV4
#smtp_bind_address6 = $_IPV6
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
## - The method to generate the default value for the mynetworks parameter.
## -
## - mynetworks_style = host" when Postfix should "trust" only the local machine
## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP
## - clients in the same IP subnetworks as the local machine.
## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same
## - IP class A/B/C networks as the local machine.
## -
#mynetworks_style = host
## - The maximal size of any local(8) individual mailbox or maildir file,
## - or zero (no limit). In fact, this limits the size of any file that is
## - written to upon local delivery, including files written by external
## - commands that are executed by the local(8) delivery agent.
## -
mailbox_size_limit = 0
## - The maximal size in bytes of a message, including envelope information.
## -
## - we user 50MB
## -
message_size_limit = 52480000
## - The system-wide recipient address extension delimiter
## -
recipient_delimiter = +
## - The alias databases that are used for local(8) delivery.
## -
alias_maps =
hash:/etc/aliases
## - The alias databases for local(8) delivery that are updated
## - with "newaliases" or with "sendmail -bi".
## -
alias_database =
hash:/etc/aliases
## - The maximal time a message is queued before it is sent back as
## - undeliverable. Defaults to 5d (5 days)
## - Specify 0 when mail delivery should be tried only once.
## -
maximal_queue_lifetime = 3d
bounce_queue_lifetime = \$maximal_queue_lifetime
## - delay_warning_time (default: 0h)
## -
## - The time after which the sender receives a copy of the message
## - headers of mail that is still queued. To enable this feature,
## - specify a non-zero time value (an integral value plus an optional
## - one-letter suffix that specifies the time unit).
## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
## - The default time unit is h (hours).
delay_warning_time = 1d
EOF
if $_SASL_AUTH ; then
cat <<EOF >> /etc/postfix/main.cf
# ============ Relay parameters ============
#relayhost =
# ============ SASL authentication ============
# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Forwarding to the ip-adress of host b.mx.oopen.de
relayhost = [b.mx.oopen.de]
# File including login data
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Force using a (TLS) security connection
# obsulete - use smtp_tls_security_level instead
#smtp_use_tls = yes
#smtp_tls_enforce_peername = no
smtp_tls_security_level = encrypt
# Disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# ============ TLS parameters ============
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
smtp_tls_security_level=encrypt
EOF
else
cat <<EOF >> /etc/postfix/main.cf
# ============ Relay parameters ============
relayhost =
# ============ TLS parameters ============
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
smtp_tls_security_level=may
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
## - Aktiviert TLS für den Mailversand
## -
## - may:
## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
## - but do not require that clients use TLS encryption.
# smtp_use_tls=yes
smtpd_tls_security_level=may
## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation.
## - 3 Log hexadecimal and ASCII dump of TLS negotiation process.
## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
## -
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_tls_cert_file = $_TLS_CERT_FILE
smtpd_tls_key_file = $_TLS_KEY_FILE
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024
## -
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
## - also possible to use 2048 key with that parameter
## -
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512
## -
smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
## - File containing CA certificates of root CAs trusted to sign either remote SMTP
## - server certificates or intermediate CA certificates. These are loaded into
## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
## -
smtp_tls_CAfile = $_TLS_CA_FILE
## - Directory with PEM format certificate authority certificates that the Postfix SMTP
## - client uses to verify a remote SMTP server certificate. Don't forget to create the
## - necessary "hash" links with, for example, "
## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
## -
## - !! Note !!
## - To use this option in chroot mode, this directory (or a copy) must be inside
## - the chroot jail.
## -
## - Note that a chrooted daemon resolves all filenames relative to the Postfix
## - queue directory (/var/spool/postfix)
## -
#smtpd_tls_CApath = /etc/postfix/certs
# Disable SSLv2 SSLv3 - Postfix SMTP server
#
# List of TLS protocols that the Postfix SMTP server will exclude or
# include with opportunistic TLS encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3
#
# The SSL/TLS protocols accepted by the Postfix SMTP server
# with mandatory TLS encryption.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Disable SSLv2 SSLv3 - Postfix SMTP client
#
# List of TLS protocols that the Postfix SMTP client will exclude or
# include with opportunistic TLS encryption.
smtp_tls_protocols = !SSLv2, !SSLv3
#
# List of SSL/TLS protocols that the Postfix SMTP client will use
# with mandatory TLS encryption
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
## - openssl > 1.0
## -
smtpd_tls_eecdh_grade = strong
# standard list cryptographic algorithm
tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
#
#smtpd_tls_mandatory_ciphers = high
#
# opportunistic
smtpd_tls_ciphers = high
# Exclude ciphers
#smtpd_tls_exclude_ciphers =
# RC4
# aNULL
# SEED-SHA
# EXP
# MD5
smtpd_tls_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5, CBC3-SHA
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
EOF
if $_SASL_AUTH ; then
echo "[$_RELAY_HOST] ${_SASL_USER}@${_RELAY_HOST}:$_SASL_PASS" > /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
fi
## - create directory for certificates and copy certificates
## - and coresponding keys to /etc/postfix/ssl/
## -
mkdir -p /etc/postfix/ssl
cp <zertificates and keys to> /etc/postfix/ssl/
## - generate DH parameters that the Postfix SMTP server should use
## - with EDH ciphers (length 512 and 1024
## -
openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512
openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024
openssl gendh -out /etc/postfix/ssl/dh_2048.pem -2 2048
ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem $_TLS_CERT_FILE
ln -s /etc/ssl/private/ssl-cert-snakeoil.key $_TLS_KEY_FILE
## - /etc/mailname
## -
echo $_HOSTNAME > /etc/mailname
## - /etc/aliases
## -
cat << EOF > /etc/aliases
# See man 5 aliases for format
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: $_ADMIN_EMAIL
EOF
## - rebuld alias database
## -
newaliases
cat << EOF >> /etc/rsyslog.d/postfix.conf
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
mail.* -/var/log/mail.log
& ~
EOF
/etc/init.d/rsyslog restart

1706
DOC/install/postfix_mailsystem.install Normal file
View File

File diff suppressed because it is too large Load Diff

190
DOC/postfix_sasl_cyrus_on_relayhost.txt Normal file
View File

@@ -0,0 +1,190 @@
## - Configure a postfix server to act as relay host for
## - AUTENTiCATED clients
## -
## - see also Postfix SASL Howto:
## - http://www.postfix.org/SASL_README.html
## - http://www.synology-wiki.de/index.php/Mail-Relay_mit_Postfix
## -
## - Todo:
## - 1.) Configuring SASL authentication in the Postfix SMTP server
## - - Configuring Cyrus SASL - using accounts are stored stored in a Cyrus SASL
## - Berkeley DB database
## - 2.) Configuring SASL authentication in the Postfix SMTP/LMTP client
## - ------------------------------------------------------------- - ##
## - 1. Configuring SASL authentication at the Postfix SMTP server - ##
## - ------------------------------------------------------------- - ##
## -----------------------------
## - Create the sasldb2 Database
## -
## - To create and maintain the database, we will user the
## - command-line utility "saslpasswd2". So, we have to install
## - the packages sasl2-bin
## -
apt-get install sasl2-bin
## - The sasldb auxprop plugin authenticates SASL clients against credentials
## - that are stored in a Berkeley DB database. The database schema is specific
## - to Cyrus SASL. The database is usually located at /etc/sasldb2
## -
## - !!!!
## - NOTE: in chrooted postfix, thats if chroot in master.cf is not set (have
## - "-") or is set to yes (have "y"), the database "sasdb2" ist
## - searched in the chrooted path. In debian it is file
## - /var/spool/postfix/etc/sasldb2
## - !!!!
## -
## - Create a new account
## -
## - Note:
## - 1.) usernames of accounts are of the Form:
## - <username>@<domain> and NOT <username>
## -
## - 2.) The database-file defaults to "/etc/sasldb2". But on chrooted
## - postfix (as we have), the database file must placed to
## - /var/spool/postfix/etc/sasldb2 - on default debian postfix
## - install. So use flag "-f"
## -
saslpasswd2 -c -u b.mx.oopen.de <username> -f /var/spool/postfix/etc/sasldb2
## - Check with command-line utility "sasldblistusers2"
## -
sasldblistusers2 -f /var/spool/postfix/etc/sasldb2
## ------------------------------------------------
## - Configure and Enable Cyrus SASL authentication
## - in /etc/postfix/main.cf set:
## -
## - smtpd_sasl_type = cyrus
## -
## - # Define the name of the configuration file. Cyrus SASL add's the
## - # suffix ".conf". The location where Cyrus SASL searches for the named
## - # file depends on the Cyrus SASL version and the OS/distribution used.
## - # For debian it is: /etc/postfix/sasl/
## - smtpd_sasl_path = smtpd
## -
## - # enable SASL authentication
## - smtpd_sasl_auth_enable = yes
## -
## - # Disallow methods that allow anonymous authentication.
## - smtpd_sasl_security_options = noanonymous
## - smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
## -
## - # Do not accept SASL authentication over unencrypted connections
## - smtpd_tls_auth_only = yes
## -
vim /etc/postfix/main.cf
## - create /etc/postfix/sasl/smtpd.conf
## -
## - pwcheck_method: auxprop
## - auxprop_plugin: sasldb
## - mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
## -
## - Take care only to use provided login mechanisms
## - # saslpluginviewer -x AUXPROP_MECHS
## -
vim /etc/postfix/sasl/smtpd.conf
## - To allow (dynamic) ip-adresses to relay, even if they ar blacklistet
## - you can use permit_sasl_authenticated in postfix smtpd_relay_restrictions
## - BEFOR checking against blacklists
## -
## - in /etc/postfix/main.cf set:
## -
## - smtpd_recipient_restrictions =
## - ...
## - # permit trusted network mynetwork
## - permit_mynetworks,
## - # sasl authenticated user (we work as relayhost for some office networks)
## - permit_sasl_authenticated,
## - # dont' accept misconfigured Mail
## - reject_non_fqdn_recipient,
## - reject_unknown_sender_domain,
## - reject_unknown_recipient_domain,
## - reject_unlisted_recipient,
## - # RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
## - permit_dnswl_client dnswl.oopen.de,
## - #reject_rbl_client zen.spamhaus.org,
## - reject_rbl_client ix.dnsbl.manitu.net,
## - reject_rbl_client bl.spamcop.net,
## - reject_rbl_client dnsbl.njabl.org,
## - # Policyd-Weight
## - ...
## -
vim /etc/postfix/main.cf
## - --------------------------------------------------------------- - ##
## - Configuring SASL authentication in the Postfix SMTP/LMTP client - ##
## - --------------------------------------------------------------- - ##
## - Notice: you have to install Pluggable Authentication Modules for SASL
## - for debian: install package libsasl2-modules
## -
apt-get install libsasl2-modules
## - Edit file /etc/postfix/main.cf and set:
## -
## - # Enable SASL authentication
## - smtp_sasl_auth_enable = yes
## -
## - # Forwarding to the ip-adress of host b.mx.oopen.de
## - relayhost = [b.mx.oopen.de]
## -
## - # File including login data
## - smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
## -
## - # Force using a (TLS) security connection
## - # obsulete - use smtp_tls_security_level instead
## - #smtp_use_tls = yes
## - #smtp_tls_enforce_peername = no
## - smtp_tls_security_level = encrypt
## -
## - # Disallow methods that allow anonymous authentication.
## - smtp_sasl_security_options = noanonymous
## -
vim /etc/postfix/main.cf
## - Enter SASL account data into file /etc/postfix/sasl_passwd
## -
## - <relayhost> <username>:<password>
## -
## - Note: if relayhost is configured as above, username is of the form
## - <username>@<domain>
## -
vim /etc/postfix/sasl_passwd
## - Important
## -
## - Keep the SASL client password file in /etc/postfix, and make the file
## - read+write only for root to protect the username/password combinations against
## - other users. The Postfix SMTP client will still be able to read the SASL
## - client passwords. It opens the file as user root before it drops privileges,
## - and before entering an optional chroot jail.
## -
chown root:root /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd
## - Create databasefile of /etc/postfix/sasl_passwd
## -
postmap /etc/postfix/sasl_passwd
## - Reload postfix
## -
/etc/init.d/postfix reload

29
DOC/whitelist_email_domain_postgrey.txt Normal file
View File

@@ -0,0 +1,29 @@
## - Empfänger Domains oder E-Mailadressen vom Greylisting
## -ausschliessen
## - Dazu zu sind Einträge in der whitelist_recipients nötig.
## - Das ist die Whitelist für die Empfänger, die dort eingetragenen
## - Domains, Postfächer oder E-Mail-Adressen werden vom Greylisting
## - ausgeschlossen.
## -
## - Die whitelist_recipients sind unter /etc/postgrey zu finden.
## -
vim /etc/postgrey/whitelist_recipients
## - Beispiel /etc/postgrey/whitelist_recipients:
## -
## - # postgrey whitelist for mail recipients
## - # --------------------------------------
## - # put this file in /etc/postgrey or specify its path
## - # with --whitelist-recipients=xxx
## -
## - postmaster@
## - abuse@
## -
## - # Domain und E-Mail-Adresse vom Greylisting ausschließen
## - oopen.de
## - wolle@k8h.de
## -
## - # Diese Einträge wären ueberflüssig
## - #ckubu-adm@oopen.de
## - #argus@oopen.de

185
DOC/whitelist_host_ip_address.txt Normal file
View File

@@ -0,0 +1,185 @@
## - To whitelist a server ther a multiple possibilities
## -
## -----
## - 1.)
## -
## - To whitelist a server (name or ip-adress) or network , create the file
## - /etc/postfix/rbl_override
## - where you list all IP addresses or host names
## - (one per line!) that you want to whitelist:
## -
## - 1.2.3.4 OK
## - mail.freemailer.tld OK
## - 194.25.134/24 OK
## - ...
## -
vim /etc/postfix/rbl_override
## - After you've created/modified that file, you must run:
## -
postmap btree:/etc/postfix/rbl_override
#postmap /etc/postfix/rbl_override
## - Next open
## - /etc/postfix/main.cf
## - and search for the smtpd_recipient_restrictions parameter.
## - Add check_client_access hash:/etc/postfix/rbl_override to
## - that parameter, after reject_unauth_destination, but before
## - the first blacklist.
## -
## - smtpd_recipient_restrictions =
## - ...
## - permit_sasl_authenticated,
## - check_client_access btree:/etc/postfix/rbl_override,
## - #check_client_access hash:/etc/postfix/rbl_override,
## - reject_rbl_client zen.spamhaus.org,
## - ...
## - Now restart postfix:
## -
/etc/init.d/postfix restart
## ----
## - Notice:
## - there are also whitelist dns service, like list.dnswl.org
## - see: http://www.dnswl.org/
## - requesting such a service works the same as requesting a
## - blacklist server like
## -
## - for example the server 194.25.134.17 (one mailserver from t-online)
## - is blacklisted at bl.spamcop.net. that means the request
## -
## - chris@sol:~$ dig 17.134.25.194.bl.spamcop.net
## -
## - results in an ANSWER SECTION like
## -
## - 17.134.25.194.bl.spamcop.net. 2100 IN A 127.0.0.2
## -
## - ( or using host command:
## - chris@sol:~$ host 17.134.25.194.bl.spamcop.net
## - 17.134.25.194.bl.spamcop.net has address 127.0.0.2 )
## -
## - in contrast to "not found: 3(NXDOMAIN)" in case of a not blacklistet one
## -
## -
## - That t-online server is also (white-)listed at the at list.dnswl.org and
## - so, the request
## -
## - chris@sol:~$ dig 17.134.25.194.list.dnswl.org
## -
## - results in an ANSWER SECTION like:
## -
## - 17.134.25.194.list.dnswl.org. 12506 IN A 127.0.5.0
## -
## - or rather
## - chris@sol:~$ host 17.134.25.194.list.dnswl.org
## - 17.134.25.194.list.dnswl.org has address 127.0.5.0
## -
## -
## -----
## -----
## - 2.)
## -
## - You can question more than one blacklist server an also whitelist server,
## - weight the single result and make a decision after getting the all-overresult
## -
## - Do so, use parameters "postscreen_dnsbl_sites and"
## - "postscreen_dnsbl_threshold".
## -
## -
## - Example configuration:
## -
## - postscreen_dnsbl_sites =
## - one.blacklist.server.com*2
## - another.blacklist.server.com
## - third.blacklist.server.com
## - list.dnswl.org*-3
## - postscreen_dnsbl_threshold=1 # (the default value)
## -
## - if the requested incomming-ip-adress matches the first blacklist server,
## - you get a result of "2" (because the entry for that blacklict server is
## - weighted with 2).
## - if the requested ip-address matches the second or the third blacklist
## - server the result is each with "1"
## - if the requested ip-address matches the whitelist server, the result
## - is "-3"
## -
## - assuming all servers matches, than the all over result is "2+1+1-3=1".
## - because 1 is equal or grater than "1" (the value of the parameter of
## - "postscreen_dnsbl_threshold"), the concerning the concerning network
## - connection will be dropped.
## -
## - assuming the first and second blacklist server and also the whitelist
## - server matches the concerning the all over result is "2+1-3=0".
## - Because 0 is lower then 1 (the value of the parameter
## - "postscreen_dnsbl_threshold"). the connection will be accepted (at that
## - point)
## -
## -
## - See "man postconf" or site
## - http://www.postfix.org/postconf.5.html for advanced usage
## -
## -----
## -----
## - 3.)
## -
## - you can use postfix conf parameter "permit_dnswl_client"
## - in main.cf
## -
## - here is an example using list.dnswl.org
## -
## - smtpd_recipient_restrictions =
## - ...
## - permit_sasl_authenticated,
## - permit_dnswl_client list.dnswl.org,
## - reject_rbl_client someblacklist.example.com,
## - reject_rbl_client moreblacklist.example.com,
## - permit_mynetworks,
## - ...
## -
## - To override only for "low", "med" and "hi" (see
## - http://www.dnswl.org/tech):
## -
## - smtpd_recipient_restrictions =
## - ...
## - permit_sasl_authenticated,
## - permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
## - reject_rbl_client someblacklist.example.com,
## - permit_mynetworks,
## - reject_unauth_destination
## -
## -----
## - Notice:
## -
## - I have configured some white list entries d.c.b.a.dnswl.oopen.de.
## - see file /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone on
## - a.ns.oopen.de
## -
## - i.e. to avoid blacklisting t-online servers 194.25.134.*, i added
## - the followig entry
## - +*.134.25.194.dnswl.oopen.de:127.0.0.2:4300
## -
## - i added also a concerning TXT record (not needed):
## - '*.134.25.194.dnswl.oopen.de:T-Online:4300
## -
## - concernin entry in smtpd_recipient_restrictions of main.cf:
## -
## - ...
## - # RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
## - # Whitelist (configured on a.ns.oopen.de
## - # in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone )
## - permit_dnswl_client dnswl.oopen.de,
## - # Blacklists
## - reject_rbl_client zen.spamhaus.org,
## - reject_rbl_client ix.dnsbl.manitu.net,
## - ...