Added spamhaus configuration and other postfix tuning
This commit is contained in:
parent
94b84dd1fb
commit
5dadc4ee73
@ -1,7 +1,7 @@
|
||||
x86_64:build-manifest:
|
||||
stage: build-manifest
|
||||
script:
|
||||
- docker manifest create ${CI_REGISTRY_IMAGE}:${VERSION} ${CI_REGISTRY_IMAGE}:${VERSION}-x86_64 #${CI_REGISTRY_IMAGE}:${VERSION}-arm64 ${CI_REGISTRY_IMAGE}:${VERSION}armv7l
|
||||
- docker manifest create ${CI_REGISTRY_IMAGE}:${VERSION} ${CI_REGISTRY_IMAGE}:${VERSION}-x86_64 #${CI_REGISTRY_IMAGE}:${VERSION}-arm64 ${CI_REGISTRY_IMAGE}:${VERSION}-armv7l
|
||||
- docker manifest push --purge ${CI_REGISTRY_IMAGE}:${VERSION}
|
||||
tags:
|
||||
- docker
|
||||
|
10
defaults/60-spamhaus.cf
Normal file
10
defaults/60-spamhaus.cf
Normal file
@ -0,0 +1,10 @@
|
||||
#smtpd_recipient_restrictions =
|
||||
# reject_rhsbl_sender @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
|
||||
# reject_rhsbl_helo @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
|
||||
# reject_rhsbl_reverse_client @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
|
||||
# reject_rhsbl_sender @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
|
||||
# reject_rhsbl_helo @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
|
||||
# reject_rhsbl_reverse_client @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
|
||||
# reject_rbl_client @SPAMHAUS_DQS_KEY@.zen.dq.spamhaus.net=127.0.0.[2..255]
|
||||
|
||||
rbl_reply_maps = lmdb:/etc/postfix/custom/dnsbl-reply-map
|
7
defaults/dnsbl-reply-map
Normal file
7
defaults/dnsbl-reply-map
Normal file
@ -0,0 +1,7 @@
|
||||
@SPAMHAUS_DQS_KEY@.sbl.dq.spamhaus.net=127.0.0.[2..255] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using sbl.spamhaus.org${rbl_reason?; $rbl_reason}
|
||||
@SPAMHAUS_DQS_KEY@.xbl.dq.spamhaus.net=127.0.0.[2..255] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using xbl.spamhaus.org${rbl_reason?; $rbl_reason}
|
||||
@SPAMHAUS_DQS_KEY@.pbl.dq.spamhaus.net=127.0.0.[2..255] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using pbl.spamhaus.org${rbl_reason?; $rbl_reason}
|
||||
@SPAMHAUS_DQS_KEY@.sbl-xbl.dq.spamhaus.net=127.0.0.[2..255] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using sbl-xbl.spamhaus.org${rbl_reason?; $rbl_reason}
|
||||
@SPAMHAUS_DQS_KEY@.zen.dq.spamhaus.net=127.0.0.[2..255] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using zen.spamhaus.org${rbl_reason?; $rbl_reason}
|
||||
@SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using dbl.spamhaus.org${rbl_reason?; $rbl_reason}
|
||||
@SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24] $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using zrd.spamhaus.org${rbl_reason?; $rbl_reason}
|
554
defaults/header_checks
Normal file
554
defaults/header_checks
Normal file
@ -0,0 +1,554 @@
|
||||
# HEADER_CHECKS(5) HEADER_CHECKS(5)
|
||||
#
|
||||
# NAME
|
||||
# header_checks - Postfix built-in content inspection
|
||||
#
|
||||
# SYNOPSIS
|
||||
# header_checks = pcre:/etc/postfix/header_checks
|
||||
# mime_header_checks = pcre:/etc/postfix/mime_header_checks
|
||||
# nested_header_checks = pcre:/etc/postfix/nested_header_checks
|
||||
# body_checks = pcre:/etc/postfix/body_checks
|
||||
#
|
||||
# milter_header_checks = pcre:/etc/postfix/milter_header_checks
|
||||
#
|
||||
# smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
|
||||
# smtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks
|
||||
# smtp_nested_header_checks = pcre:/etc/postfix/smtp_nested_header_checks
|
||||
# smtp_body_checks = pcre:/etc/postfix/smtp_body_checks
|
||||
#
|
||||
# postmap -q "string" pcre:/etc/postfix/filename
|
||||
# postmap -q - pcre:/etc/postfix/filename <inputfile
|
||||
#
|
||||
# DESCRIPTION
|
||||
# This document describes access control on the content of
|
||||
# message headers and message body lines; it is implemented
|
||||
# by the Postfix cleanup(8) server before mail is queued.
|
||||
# See access(5) for access control on remote SMTP client
|
||||
# information.
|
||||
#
|
||||
# Each message header or message body line is compared
|
||||
# against a list of patterns. When a match is found the
|
||||
# corresponding action is executed, and the matching process
|
||||
# is repeated for the next message header or message body
|
||||
# line.
|
||||
#
|
||||
# Note: message headers are examined one logical header at a
|
||||
# time, even when a message header spans multiple lines.
|
||||
# Body lines are always examined one line at a time.
|
||||
#
|
||||
# For examples, see the EXAMPLES section at the end of this
|
||||
# manual page.
|
||||
#
|
||||
# Postfix header or body_checks are designed to stop a flood
|
||||
# of mail from worms or viruses; they do not decode attach-
|
||||
# ments, and they do not unzip archives. See the documents
|
||||
# referenced below in the README FILES section if you need
|
||||
# more sophisticated content analysis.
|
||||
#
|
||||
# FILTERS WHILE RECEIVING MAIL
|
||||
# Postfix implements the following four built-in content
|
||||
# inspection classes while receiving mail:
|
||||
#
|
||||
# header_checks (default: empty)
|
||||
# These are applied to initial message headers
|
||||
# (except for the headers that are processed with
|
||||
# mime_header_checks).
|
||||
#
|
||||
# mime_header_checks (default: $header_checks)
|
||||
# These are applied to MIME related message headers
|
||||
# only.
|
||||
#
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
#
|
||||
# nested_header_checks (default: $header_checks)
|
||||
# These are applied to message headers of attached
|
||||
# email messages (except for the headers that are
|
||||
# processed with mime_header_checks).
|
||||
#
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
#
|
||||
# body_checks
|
||||
# These are applied to all other content, including
|
||||
# multi-part message boundaries.
|
||||
#
|
||||
# With Postfix versions before 2.0, all content after
|
||||
# the initial message headers is treated as body con-
|
||||
# tent.
|
||||
#
|
||||
# FILTERS AFTER RECEIVING MAIL
|
||||
# Postfix supports a subset of the built-in content inspec-
|
||||
# tion classes after the message is received:
|
||||
#
|
||||
# milter_header_checks (default: empty)
|
||||
# These are applied to headers that are added with
|
||||
# Milter applications.
|
||||
#
|
||||
# This feature is available in Postfix 2.7 and later.
|
||||
#
|
||||
# FILTERS WHILE DELIVERING MAIL
|
||||
# Postfix supports all four content inspection classes while
|
||||
# delivering mail via SMTP.
|
||||
#
|
||||
# smtp_header_checks (default: empty)
|
||||
#
|
||||
# smtp_mime_header_checks (default: empty)
|
||||
#
|
||||
# smtp_nested_header_checks (default: empty)
|
||||
#
|
||||
# smtp_body_checks (default: empty)
|
||||
# These features are available in Postfix 2.5 and
|
||||
# later.
|
||||
#
|
||||
# COMPATIBILITY
|
||||
# With Postfix version 2.2 and earlier specify "postmap -fq"
|
||||
# to query a table that contains case sensitive patterns. By
|
||||
# default, regexp: and pcre: patterns are case insensitive.
|
||||
#
|
||||
# TABLE FORMAT
|
||||
# This document assumes that header and body_checks rules
|
||||
# are specified in the form of Postfix regular expression
|
||||
# lookup tables. Usually the best performance is obtained
|
||||
# with pcre (Perl Compatible Regular Expression) tables. The
|
||||
# regexp (POSIX regular expressions) tables are usually
|
||||
# slower, but more widely available. Use the command "post-
|
||||
# conf -m" to find out what lookup table types your Postfix
|
||||
# system supports.
|
||||
#
|
||||
# The general format of Postfix regular expression tables is
|
||||
# given below. For a discussion of specific pattern or
|
||||
# flags syntax, see pcre_table(5) or regexp_table(5),
|
||||
# respectively.
|
||||
#
|
||||
# /pattern/flags action
|
||||
# When /pattern/ matches the input string, execute
|
||||
# the corresponding action. See below for a list of
|
||||
# possible actions.
|
||||
#
|
||||
# !/pattern/flags action
|
||||
# When /pattern/ does not match the input string,
|
||||
# execute the corresponding action.
|
||||
#
|
||||
# if /pattern/flags
|
||||
#
|
||||
# endif If the input string matches /pattern/, then match
|
||||
# that input string against the patterns between if
|
||||
# and endif. The if..endif can nest.
|
||||
#
|
||||
# Note: do not prepend whitespace to patterns inside
|
||||
# if..endif.
|
||||
#
|
||||
# if !/pattern/flags
|
||||
#
|
||||
# endif If the input string does not match /pattern/, then
|
||||
# match that input string against the patterns
|
||||
# between if and endif. The if..endif can nest.
|
||||
#
|
||||
# blank lines and comments
|
||||
# Empty lines and whitespace-only lines are ignored,
|
||||
# as are lines whose first non-whitespace character
|
||||
# is a `#'.
|
||||
#
|
||||
# multi-line text
|
||||
# A pattern/action line starts with non-whitespace
|
||||
# text. A line that starts with whitespace continues
|
||||
# a logical line.
|
||||
#
|
||||
# TABLE SEARCH ORDER
|
||||
# For each line of message input, the patterns are applied
|
||||
# in the order as specified in the table. When a pattern is
|
||||
# found that matches the input line, the corresponding
|
||||
# action is executed and then the next input line is
|
||||
# inspected.
|
||||
#
|
||||
# TEXT SUBSTITUTION
|
||||
# Substitution of substrings from the matched expression
|
||||
# into the action string is possible using the conventional
|
||||
# Perl syntax ($1, $2, etc.). The macros in the result
|
||||
# string may need to be written as ${n} or $(n) if they
|
||||
# aren't followed by whitespace.
|
||||
#
|
||||
# Note: since negated patterns (those preceded by !) return
|
||||
# a result when the expression does not match, substitutions
|
||||
# are not available for negated patterns.
|
||||
#
|
||||
# ACTIONS
|
||||
# Action names are case insensitive. They are shown in upper
|
||||
# case for consistency with other Postfix documentation.
|
||||
#
|
||||
# BCC user@domain
|
||||
# Add the specified address as a BCC recipient, and
|
||||
# inspect the next input line. The address must have
|
||||
# a local part and domain part. The number of BCC
|
||||
# addresses that can be added is limited only by the
|
||||
# amount of available storage space.
|
||||
#
|
||||
# Note 1: the BCC address is added as if it was spec-
|
||||
# ified with NOTIFY=NONE. The sender will not be
|
||||
# notified when the BCC address is undeliverable, as
|
||||
# long as all down-stream software implements RFC
|
||||
# 3461.
|
||||
#
|
||||
# Note 2: this ignores duplicate addresses (with the
|
||||
# same delivery status notification options).
|
||||
#
|
||||
# This feature is available in Postfix 3.0 and later.
|
||||
#
|
||||
# This feature is not supported with smtp header/body
|
||||
# checks.
|
||||
#
|
||||
# DISCARD optional text...
|
||||
# Claim successful delivery and silently discard the
|
||||
# message. Do not inspect the remainder of the input
|
||||
# message. Log the optional text if specified, oth-
|
||||
# erwise log a generic message.
|
||||
#
|
||||
# Note: this action disables further header or
|
||||
# body_checks inspection of the current message and
|
||||
# affects all recipients. To discard only one recip-
|
||||
# ient without discarding the entire message, use the
|
||||
# transport(5) table to direct mail to the discard(8)
|
||||
# service.
|
||||
#
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
#
|
||||
# This feature is not supported with smtp header/body
|
||||
# checks.
|
||||
#
|
||||
# DUNNO Pretend that the input line did not match any pat-
|
||||
# tern, and inspect the next input line. This action
|
||||
# can be used to shorten the table search.
|
||||
#
|
||||
# For backwards compatibility reasons, Postfix also
|
||||
# accepts OK but it is (and always has been) treated
|
||||
# as DUNNO.
|
||||
#
|
||||
# This feature is available in Postfix 2.1 and later.
|
||||
#
|
||||
# FILTER transport:destination
|
||||
# Override the content_filter parameter setting, and
|
||||
# inspect the next input line. After the message is
|
||||
# queued, send the entire message through the speci-
|
||||
# fied external content filter. The transport name
|
||||
# specifies the first field of a mail delivery agent
|
||||
# definition in master.cf; the syntax of the next-hop
|
||||
# destination is described in the manual page of the
|
||||
# corresponding delivery agent. More information
|
||||
# about external content filters is in the Postfix
|
||||
# FILTER_README file.
|
||||
#
|
||||
# Note 1: do not use $number regular expression sub-
|
||||
# stitutions for transport or destination unless you
|
||||
# know that the information has a trusted origin.
|
||||
#
|
||||
# Note 2: this action overrides the main.cf con-
|
||||
# tent_filter setting, and affects all recipients of
|
||||
# the message. In the case that multiple FILTER
|
||||
# actions fire, only the last one is executed.
|
||||
#
|
||||
# Note 3: the purpose of the FILTER command is to
|
||||
# override message routing. To override the recipi-
|
||||
# ent's transport but not the next-hop destination,
|
||||
# specify an empty filter destination (Postfix 2.7
|
||||
# and later), or specify a transport:destination that
|
||||
# delivers through a different Postfix instance
|
||||
# (Postfix 2.6 and earlier). Other options are using
|
||||
# the recipient-dependent transport_maps or the sen-
|
||||
# der-dependent sender_dependent_default_transport-
|
||||
# _maps features.
|
||||
#
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
#
|
||||
# This feature is not supported with smtp header/body
|
||||
# checks.
|
||||
#
|
||||
# HOLD optional text...
|
||||
# Arrange for the message to be placed on the hold
|
||||
# queue, and inspect the next input line. The mes-
|
||||
# sage remains on hold until someone either deletes
|
||||
# it or releases it for delivery. Log the optional
|
||||
# text if specified, otherwise log a generic message.
|
||||
#
|
||||
# Mail that is placed on hold can be examined with
|
||||
# the postcat(1) command, and can be destroyed or
|
||||
# released with the postsuper(1) command.
|
||||
#
|
||||
# Note: use "postsuper -r" to release mail that was
|
||||
# kept on hold for a significant fraction of $maxi-
|
||||
# mal_queue_lifetime or $bounce_queue_lifetime, or
|
||||
# longer. Use "postsuper -H" only for mail that will
|
||||
# not expire within a few delivery attempts.
|
||||
#
|
||||
# Note: this action affects all recipients of the
|
||||
# message.
|
||||
#
|
||||
# This feature is available in Postfix 2.0 and later.
|
||||
#
|
||||
# This feature is not supported with smtp header/body
|
||||
# checks.
|
||||
#
|
||||
# IGNORE Delete the current line from the input, and inspect
|
||||
# the next input line. See STRIP for an alternative
|
||||
# that logs the action.
|
||||
#
|
||||
# INFO optional text...
|
||||
# Log an "info:" record with the optional text... (or
|
||||
# log a generic text), and inspect the next input
|
||||
# line. This action is useful for routine logging or
|
||||
# for debugging.
|
||||
#
|
||||
# This feature is available in Postfix 2.8 and later.
|
||||
#
|
||||
# PASS optional text...
|
||||
# Log a "pass:" record with the optional text... (or
|
||||
# log a generic text), and turn off header, body, and
|
||||
# Milter inspection for the remainder of this mes-
|
||||
# sage.
|
||||
#
|
||||
# Note: this feature relies on trust in information
|
||||
# that is easy to forge.
|
||||
#
|
||||
# This feature is available in Postfix 3.2 and later.
|
||||
#
|
||||
# This feature is not supported with smtp header/body
|
||||
# checks.
|
||||
#
|
||||
# PREPEND text...
|
||||
# Prepend one line with the specified text, and
|
||||
# inspect the next input line.
|
||||
#
|
||||
# Notes:
|
||||
#
|
||||
# o The prepended text is output on a separate
|
||||
# line, immediately before the input that
|
||||
# triggered the PREPEND action.
|
||||
#
|
||||
# o The prepended text is not considered part of
|
||||
# the input stream: it is not subject to
|
||||
# header/body checks or address rewriting, and
|
||||
# it does not affect the way that Postfix adds
|
||||
# missing message headers.
|
||||
#
|
||||
# o When prepending text before a message header
|
||||
# line, the prepended text must begin with a
|
||||
# valid message header label.
|
||||
#
|
||||
# o This action cannot be used to prepend
|
||||
# multi-line text.
|
||||
#
|
||||
# This feature is available in Postfix 2.1 and later.
|
||||
#
|
||||
# This feature is not supported with mil-
|
||||
# ter_header_checks.
|
||||
#
|
||||
# REDIRECT user@domain
|
||||
# Write a message redirection request to the queue
|
||||
# file, and inspect the next input line. After the
|
||||
# message is queued, it will be sent to the specified
|
||||
# address instead of the intended recipient(s).
|
||||
#
|
||||
# Note: this action overrides the FILTER action, and
|
||||
# affects all recipients of the message. If multiple
|
||||
# REDIRECT actions fire, only the last one is exe-
|
||||
# cuted.
|
||||
#
|
||||
# This feature is available in Postfix 2.1 and later.
|
||||
#
|
||||
# This feature is not supported with smtp header/body
|
||||
# checks.
|
||||
#
|
||||
# REPLACE text...
|
||||
# Replace the current line with the specified text,
|
||||
# and inspect the next input line.
|
||||
#
|
||||
# This feature is available in Postfix 2.2 and later.
|
||||
# The description below applies to Postfix 2.2.2 and
|
||||
# later.
|
||||
#
|
||||
# Notes:
|
||||
#
|
||||
# o When replacing a message header line, the
|
||||
# replacement text must begin with a valid
|
||||
# header label.
|
||||
#
|
||||
# o The replaced text remains part of the input
|
||||
# stream. Unlike the result from the PREPEND
|
||||
# action, a replaced message header may be
|
||||
# subject to address rewriting and may affect
|
||||
# the way that Postfix adds missing message
|
||||
# headers.
|
||||
#
|
||||
# REJECT optional text...
|
||||
# Reject the entire message. Do not inspect the
|
||||
# remainder of the input message. Reply with
|
||||
# optional text... when the optional text is speci-
|
||||
# fied, otherwise reply with a generic error message.
|
||||
#
|
||||
# Note: this action disables further header or
|
||||
# body_checks inspection of the current message and
|
||||
# affects all recipients.
|
||||
#
|
||||
# Postfix version 2.3 and later support enhanced sta-
|
||||
# tus codes. When no code is specified at the begin-
|
||||
# ning of optional text..., Postfix inserts a default
|
||||
# enhanced status code of "5.7.1".
|
||||
#
|
||||
# This feature is not supported with smtp header/body
|
||||
# checks.
|
||||
#
|
||||
# STRIP optional text...
|
||||
# Log a "strip:" record with the optional text... (or
|
||||
# log a generic text), delete the input line from the
|
||||
# input, and inspect the next input line. See IGNORE
|
||||
# for a silent alternative.
|
||||
#
|
||||
# This feature is available in Postfix 3.2 and later.
|
||||
#
|
||||
# WARN optional text...
|
||||
# Log a "warning:" record with the optional text...
|
||||
# (or log a generic text), and inspect the next input
|
||||
# line. This action is useful for debugging and for
|
||||
# testing a pattern before applying more drastic
|
||||
# actions.
|
||||
#
|
||||
# BUGS
|
||||
# Empty lines never match, because some map types mis-behave
|
||||
# when given a zero-length search string. This limitation
|
||||
# may be removed for regular expression tables in a future
|
||||
# release.
|
||||
#
|
||||
# Many people overlook the main limitations of header and
|
||||
# body_checks rules.
|
||||
#
|
||||
# o These rules operate on one logical message header
|
||||
# or one body line at a time. A decision made for one
|
||||
# line is not carried over to the next line.
|
||||
#
|
||||
# o If text in the message body is encoded (RFC 2045)
|
||||
# then the rules need to be specified for the encoded
|
||||
# form.
|
||||
#
|
||||
# o Likewise, when message headers are encoded (RFC
|
||||
# 2047) then the rules need to be specified for the
|
||||
# encoded form.
|
||||
#
|
||||
# Message headers added by the cleanup(8) daemon itself are
|
||||
# excluded from inspection. Examples of such message headers
|
||||
# are From:, To:, Message-ID:, Date:.
|
||||
#
|
||||
# Message headers deleted by the cleanup(8) daemon will be
|
||||
# examined before they are deleted. Examples are: Bcc:, Con-
|
||||
# tent-Length:, Return-Path:.
|
||||
#
|
||||
# CONFIGURATION PARAMETERS
|
||||
# body_checks
|
||||
# Lookup tables with content filter rules for message
|
||||
# body lines. These filters see one physical line at
|
||||
# a time, in chunks of at most $line_length_limit
|
||||
# bytes.
|
||||
#
|
||||
# body_checks_size_limit
|
||||
# The amount of content per message body segment
|
||||
# (attachment) that is subjected to $body_checks fil-
|
||||
# tering.
|
||||
#
|
||||
# header_checks
|
||||
#
|
||||
# mime_header_checks (default: $header_checks)
|
||||
#
|
||||
# nested_header_checks (default: $header_checks)
|
||||
# Lookup tables with content filter rules for message
|
||||
# header lines: respectively, these are applied to
|
||||
# the initial message headers (not including MIME
|
||||
# headers), to the MIME headers anywhere in the mes-
|
||||
# sage, and to the initial headers of attached mes-
|
||||
# sages.
|
||||
#
|
||||
# Note: these filters see one logical message header
|
||||
# at a time, even when a message header spans multi-
|
||||
# ple lines. Message headers that are longer than
|
||||
# $header_size_limit characters are truncated.
|
||||
#
|
||||
# disable_mime_input_processing
|
||||
# While receiving mail, give no special treatment to
|
||||
# MIME related message headers; all text after the
|
||||
# initial message headers is considered to be part of
|
||||
# the message body. This means that header_checks is
|
||||
# applied to all the initial message headers, and
|
||||
# that body_checks is applied to the remainder of the
|
||||
# message.
|
||||
#
|
||||
# Note: when used in this manner, body_checks will
|
||||
# process a multi-line message header one line at a
|
||||
# time.
|
||||
#
|
||||
# EXAMPLES
|
||||
# Header pattern to block attachments with bad file name
|
||||
# extensions. For convenience, the PCRE /x flag is speci-
|
||||
# fied, so that there is no need to collapse the pattern
|
||||
# into a single line of text. The purpose of the
|
||||
# [[:xdigit:]] sub-expressions is to recognize Windows CLSID
|
||||
# strings.
|
||||
#
|
||||
# /etc/postfix/main.cf:
|
||||
# header_checks = pcre:/etc/postfix/header_checks.pcre
|
||||
#
|
||||
# /etc/postfix/header_checks.pcre:
|
||||
# /^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)(
|
||||
# ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
|
||||
# hlp|ht[at]|
|
||||
# inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
|
||||
# \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
|
||||
# ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
|
||||
# vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
|
||||
# REJECT Attachment name "$2" may not end with ".$4"
|
||||
#
|
||||
# Body pattern to stop a specific HTML browser vulnerability
|
||||
# exploit.
|
||||
#
|
||||
# /etc/postfix/main.cf:
|
||||
# body_checks = regexp:/etc/postfix/body_checks
|
||||
#
|
||||
# /etc/postfix/body_checks:
|
||||
# /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
|
||||
# REJECT IFRAME vulnerability exploit
|
||||
#
|
||||
# SEE ALSO
|
||||
# cleanup(8), canonicalize and enqueue Postfix message
|
||||
# pcre_table(5), format of PCRE lookup tables
|
||||
# regexp_table(5), format of POSIX regular expression tables
|
||||
# postconf(1), Postfix configuration utility
|
||||
# postmap(1), Postfix lookup table management
|
||||
# postsuper(1), Postfix janitor
|
||||
# postcat(1), show Postfix queue file contents
|
||||
# RFC 2045, base64 and quoted-printable encoding rules
|
||||
# RFC 2047, message header encoding for non-ASCII text
|
||||
#
|
||||
# README FILES
|
||||
# Use "postconf readme_directory" or "postconf html_direc-
|
||||
# tory" to locate this information.
|
||||
# DATABASE_README, Postfix lookup table overview
|
||||
# CONTENT_INSPECTION_README, Postfix content inspection overview
|
||||
# BUILTIN_FILTER_README, Postfix built-in content inspection
|
||||
# BACKSCATTER_README, blocking returned forged mail
|
||||
#
|
||||
# LICENSE
|
||||
# The Secure Mailer license must be distributed with this
|
||||
# software.
|
||||
#
|
||||
# AUTHOR(S)
|
||||
# Wietse Venema
|
||||
# IBM T.J. Watson Research
|
||||
# P.O. Box 704
|
||||
# Yorktown Heights, NY 10598, USA
|
||||
#
|
||||
# Wietse Venema
|
||||
# Google, Inc.
|
||||
# 111 8th Avenue
|
||||
# New York, NY 10011, USA
|
||||
#
|
||||
# HEADER_CHECKS(5)
|
||||
/^Received:\ from\ localhost\ \(localhost\ \[127.0.0.1\]\)/ IGNORE
|
||||
/^Received:\ from\ efa-1-1.dege.au\ \(localhost\ \[127.0.0.1/ IGNORE
|
||||
/^Received:\ from\ efa-1-1.dege.au\ \(localhost\ \[::1/ IGNORE
|
||||
/^Received:\ from\ ov-3-1.graytech.net.au\ \(localhost\ \[127.0.0.1/ IGNORE
|
||||
/^Received:\ from\ ov-3-1.graytech.net.au\ \(localhost\ \[::1/ IGNORE
|
0
defaults/helo_access
Normal file
0
defaults/helo_access
Normal file
0
defaults/recipient_canonical
Normal file
0
defaults/recipient_canonical
Normal file
0
defaults/sender_access
Normal file
0
defaults/sender_access
Normal file
0
defaults/sender_canonical
Normal file
0
defaults/sender_canonical
Normal file
@ -2,3 +2,29 @@ message_size_limit = 25600000
|
||||
queue_minfree = 51200000
|
||||
smtpd_helo_required = yes
|
||||
recipient_delimiter = +
|
||||
disable_vrfy_command = yes
|
||||
header_checks = regexp:/etc/postfix/custom/header_checks
|
||||
#inet_protocols = ipv4, ipv6
|
||||
local_recipient_maps =
|
||||
mailbox_size_limit = 133169152
|
||||
qmqpd_authorized_clients = 127.0.0.1 [::1]
|
||||
recipient_canonical_maps = lmdb:/etc/postfix/custom/recipient_canonical
|
||||
sender_canonical_maps = lmdb:/etc/postfix/custom/sender_canonical
|
||||
smtp_tls_session_cache_database = lmdb:/var/lib/postfix/smtp_tls_session_cache
|
||||
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rbl_client 7dizji4jgexx4lzr4bp5urjmgq.sbl.dq.spamhaus.net
|
||||
smtpd_data_restrictions = reject_unauth_pipelining
|
||||
smtpd_helo_restrictions = check_helo_access lmdb:/etc/postfix/custom/helo_access, reject_invalid_hostname
|
||||
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access lmdb:/etc/postfix/custom/recipient_access,
|
||||
#reject_rhsbl_sender @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
|
||||
#reject_rhsbl_helo @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
|
||||
#reject_rhsbl_reverse_client @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
|
||||
#reject_rhsbl_sender @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
|
||||
#reject_rhsbl_helo @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
|
||||
#reject_rhsbl_reverse_client @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
|
||||
#reject_rbl_client @SPAMHAUS_DQS_KEY@.zen.dq.spamhaus.net=127.0.0.[2..255],
|
||||
reject_unverified_recipient
|
||||
rbl_reply_maps = lmdb:/etc/postfix/custom/dnsbl-reply-map
|
||||
smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access lmdb:/etc/postfix/custom/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain
|
||||
smtpd_use_tls = yes
|
||||
unverified_recipient_reject_code = 450
|
||||
unverified_recipient_reject_reason = No user at this address
|
||||
|
@ -1,4 +1,4 @@
|
||||
smtp_sasl_auth_enable = yes
|
||||
smtp_sasl_password_maps = lmdb:/etc/postfix/custom/sasl_passwd
|
||||
smtp_sasl_security_options =
|
||||
smtp_sasl_security_options = noplaintext, noanonymous
|
||||
smtpd_sasl_auth_enable = yes
|
||||
|
@ -1,6 +1,6 @@
|
||||
# Milter configuration - opendkim
|
||||
# If the OpenDKIM milter isn't available, accept the message anyway.
|
||||
milter_default_action = accept
|
||||
milter_default_action = tempfail
|
||||
# What milter communication protocol should be used to pass messages
|
||||
# to and from OpenDKIM?
|
||||
milter_protocol = 6
|
||||
|
19
init
19
init
@ -28,6 +28,18 @@ if [ -z "$@" ]; then
|
||||
/usr/sbin/saslauthd -m /run/saslauthd -ca shadow
|
||||
/usr/sbin/opendkim -u opendkim -P /run/opendkim/opendkim.pid
|
||||
|
||||
if [ -n "${SPAMHAUS_DQS_KEY}" ]; then
|
||||
sed -i -e "s/@SPAMHAUS_DQS_KEY@/${SPAMHAUS_DQS_KEY}/g" ${DEFAULTS}/dnsbl-reply-map ${INCLUDE_DIR}/01-custom.cf
|
||||
sed -i -e "s/^#reject/ reject/" ${INCLUDE_DIR}/01-custom.cf
|
||||
|
||||
if [ ! -f ${CUSTOM}/dnsbl-reply-map ]; then
|
||||
cp ${DEFAULTS}/dnsbl-reply-map ${CUSTOM}/
|
||||
postmap -o lmdb:${CUSTOM}/dnsbl-reply-map
|
||||
fi
|
||||
|
||||
cp ${DEFAULTS}/60-spamhaus.cf ${INCLUDE_DIR}/
|
||||
fi
|
||||
|
||||
# Setup our postfix environment
|
||||
if [ -d ${INCLUDE_DIR} ]; then
|
||||
if ls -1 ${INCLUDE_DIR}/*.cf >/dev/null 2>&1; then
|
||||
@ -83,6 +95,13 @@ if [ -z "$@" ]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
[ ! -f ${CUSTOM}/header_checks ] && cp ${DEFAULTS}/header_checks ${CUSTOM}/ && postmap -o lmdb:${CUSTOM}/header_checks
|
||||
[ ! -f ${CUSTOM}/helo_access ] && cp ${DEFAULTS}/helo_access ${CUSTOM}/ && postmap -o lmdb:${CUSTOM}/helo_access
|
||||
[ ! -f ${CUSTOM}/recipient_access ] && cp ${DEFAULTS}/recipient_access ${CUSTOM}/ && postmap -o lmdb:${CUSTOM}/recipient_access
|
||||
[ ! -f ${CUSTOM}/recipient_canonical ] && cp ${DEFAULTS}/recipient_canonical ${CUSTOM}/ && postmap -o lmdb:${CUSTOM}/recipient_canonical
|
||||
[ ! -f ${CUSTOM}/sender_access ] && cp ${DEFAULTS}/sender_access ${CUSTOM}/ && postmap -o lmdb:${CUSTOM}/sender_access
|
||||
[ ! -f ${CUSTOM}/sender_canonical ] && cp ${DEFAULTS}/sender_canonical ${CUSTOM}/ && postmap -o lmdb:${CUSTOM}/sender_canonical
|
||||
|
||||
newaliases
|
||||
postfix start
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user