postscreen implementation

Issue #59 resolved
Zhang Huangbin

Contributed by Michael Ebenbeck ebenbeck@itb[???].de.

/etc/postfix/master.cf

smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd
   -o smtpd_proxy_filter=127.0.0.1:10024
   -o smtpd_client_connection_count_limit=20
   -o smtpd_proxy_options=speed_adjust

# submission proxies to a different Amavis port (10026), used for SASL-authenticated users
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_proxy_filter=127.0.0.1:10026
  -o smtpd_client_connection_count_limit=20
  -o smtpd_proxy_options=speed_adjust
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

/etc/postfix/main.cf

postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_reply_map = pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
#postscreen_cache_map = btree:$data_directory/postscreen_cache
#postscreen_client_connection_count_limit = $smtpd_client_connection_count_limit
#postscreen_command_count_limit = 20
#postscreen_command_time_limit = ${stress?10}${stress:300}s
#postscreen_disable_vrfy_command = $disable_vrfy_command
#postscreen_discard_ehlo_keyword_address_maps = $smtpd_discard_ehlo_keyword_address_maps
#postscreen_discard_ehlo_keywords = $smtpd_discard_ehlo_keywords
#postscreen_enforce_tls = $smtpd_enforce_tls
#postscreen_use_tls = $smtpd_use_tls
#postscreen_expansion_filter = $smtpd_expansion_filter
#postscreen_forbidden_commands = $smtpd_forbidden_commands
#postscreen_helo_required = $smtpd_helo_required
#postscreen_post_queue_limit = $default_process_limit
#postscreen_pre_queue_limit = $default_process_limit
#postscreen_reject_footer = $smtpd_reject_footer
#postscreen_tls_security_level = $smtpd_tls_security_level
#postscreen_watchdog_timeout = 10s

postscreen_greet_action = enforce
#postscreen_greet_banner = $myhostname - Please wait to be seated
#postscreen_greet_ttl = 1d
#postscreen_greet_wait = ${stress?2}${stress:4}s

# these three settings control the expensive (after-220-greeting) tests:
# http://www.postfix.org/POSTSCREEN_README.html#after_220
#postscreen_pipelining_enable = no
#postscreen_non_smtp_command_enable = no
#postscreen_bare_newline_enable = no

postscreen_dnsbl_action = enforce
postscreen_blacklist_action = enforce

postscreen_dnsbl_whitelist_threshold = -2
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites =
  zen.spamhaus.org*3,
  hostkarma.junkemailfilter.com=127.0.0.2*2,
  rep.mailspike.net=127.0.0.[10;11]*2,
  rep.mailspike.net=127.0.0.[12;13],
  b.barracudacentral.org,
  bl.spameatingmonkey.net,
  bl.spamcop.net,
  dnsbl.sorbs.net=127.0.0.[6;10],
  ix.dnsbl.manitu.net,
  psbl.surriel.com,
  dnsbl.inps.de,
  swl.spamhaus.org=127.0.2.[2;3]*-2,
  hostkarma.junkemailfilter.com=127.0.0.1*-2,
  list.dnswl.org=127.0.[0..255].2*-1,
  list.dnswl.org=127.0.[0..255].3*-2,
  rep.mailspike.net=127.0.0.[18;19]*-1,
  rep.mailspike.net=127.0.0.20*-2

# delete or comment out these two lines (the pre-queue proxy filter above replaces them)
#content_filter = smtp-amavis:[127.0.0.1]:10024
#smtp-amavis_destination_recipient_limit = 1

/etc/postfix/postscreen_access.cidr

This file is used to manually whitelist or blacklist IP addresses in postscreen.

# Rules are evaluated in the order as specified.
1.2.3.4     permit

2.3.4.5     reject

/etc/postfix/postscreen_dnsbl_reply_map.pcre

!/^zen\.spamhaus\.org$/         multiple DNS-based blocklists

/etc/amavis/conf.d/50-user

# add port 10026
# Amavis listens on every port in this list; 10026 is the extra listener that
# the submission service proxies to (smtpd_proxy_filter=127.0.0.1:10026).
$inet_socket_port = [10024, 10026, 9998,];

# Allow SASL authenticated users to bypass scanning. Typically SASL
# users already submit messages to the submission port (587) or the
# smtps port (465):
# SASL authenticated users bypass spam check
# NOTE(review): the policy bank is selected purely by the port a message arrives
# on, not by whether the sender actually authenticated. Only services that
# enforce SASL (submission uses smtpd_client_restrictions=permit_sasl_authenticated,reject)
# should proxy to 10026; the public smtp/postscreen path must keep using 10024.
$interface_policy{'10026'} = 'SASLBYPASS';
$policy_bank{'SASLBYPASS'} = {  # mail from submission and smtps ports
    originating => 1,
    allow_disclaimers => 1,
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
    terminate_dsn_on_notify_success => 0,
    bypass_spam_checks_maps   => [1],  # don't spam-check this mail
    # banned-file and header checks still run for this bank unless the two
    # lines below are uncommented; leaving them enabled is the safer default.
    #bypass_banned_checks_maps => [1],  # don't banned-check this mail
    #bypass_header_checks_maps => [1],  # don't header-check this mail
};
