meta data for this page

Postfix Antispam Konfiguration

Postfix

Auszug aus der main.cf
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        reject_unauth_pipelining,
        reject_unknown_sender_domain,
        reject_unknown_reverse_client_hostname,
        reject_unknown_helo_hostname,
        reject_unknown_recipient_domain,
        check_client_access hash:/etc/postfix/access_client_whitelist,
        check_policy_service inet:127.0.0.1:12525

Die Verbindung zu 127.0.0.1:12525 ist policyd-weight. Konfiguration siehe unten. In der /etc/postfix/access_client_whitelist stehen die Mailserver, bei denen nie policyd-weight befragt werden soll. Beispiel:

/etc/postfix/access_client_whitelist
mail.gmx.de	OK
mail.gmx.net	OK
.web.de		OK

Die Datei muss mit postmap konvertiert werden.

policyd-weight

/etc/policyd-weight.conf
# ----------------------------------------------------------------
#	policyd-weight configuration (defaults) Version 0.1.14 beta-17 
# ----------------------------------------------------------------
 
	$DEBUG					=	0;		# 1 or 0 - don"t comment
 
	$REJECTMSG				=	"550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs";
 
	$REJECTLEVEL				=	9;		# Mails with scores which exceed this
									# REJECTLEVEL will be rejected
 
	$DEFER_STRING				=	"IN_SPAMCOP= BOGUS_MX="; 
									# A space separated case-sensitive list of
									# strings on which if found in the $RET
									# logging-string policyd-weight changes
									# its action to $DEFER_ACTION in case
									# of rejects.
									# USE WITH CAUTION!
									# DEFAULT: "IN_SPAMCOP= BOGUS_MX="
 
	$DEFER_ACTION				=	"450";		# Possible values: DEFER_IF_PERMIT,
									# DEFER_IF_REJECT, 
									# 4xx response codes. See also access(5)
									# DEFAULT: 450
 
	$DEFER_LEVEL				=	5;		# DEFER mail only up to this level
									# scores greater than DEFER_LEVEL will be
									# rejected
									# DEFAULT: 5
 
	$DNSERRMSG				=	"450 No DNS entries for your MTA, HELO and Domain. Contact YOUR administrator";
 
	$dnsbl_checks_only 			=	0;		# 1: ON, 0: OFF (default)
									# If ON request that ALL clients are only
									# checked against RBLs
 
	@dnsbl_checks_only_regexps		=	(
								# qr/[^.]*(exch|smtp|mx|mail).*\..*\../,
								# qr/yahoo.com$/
							);
									# specify a comma-separated list of regexps
									# for client hostnames which shall only
									# be RBL checked. This does not work for
									# postfix" "unknown" clients.
									# The usage of this should not be the norm
									# and is a tool for people which like to
									# shoot in their own foot.
									# DEFAULT: empty
 
	$LOG_BAD_RBL_ONLY			=	1;		# 1: ON (default), 0: OFF
									# When set to ON it logs only RBLs which
									# affect scoring (positive or negative)
 
## DNSBL settings
	@dnsbl_score				=	(
									#HOST,						HIT SCORE,	MISS SCORE,	LOG NAME
									'zen.spamhaus.org',				3.00,		0.0,		'SPAMHAUS_ZEN',
									'dnsbl.njabl.org',				3.00,		0.0,		'NJABL_DNSBL',
									'bl.spamcop.net',				3.00,		0.0,		'SPAMCOP_BL',
									'ix.dnsbl.manitu.net',				3.00,		0.0,		'MANITU_IX',
									't1.dnsbl.net.au',				3.00,		0.0,		'NET_AU',
									'dnsbl.sorbs.net',				1.50,		0.0,		'SORBS_DNSBL',
									'dnsbl.dronebl.org',				3.00,		0.0,		'DRONEBL_DNSBL',
									'spamrbl.imp.ch',				3.00,		0.0,		'IMP_SPAMRBL',
									'relays.bl.kundenserver.de',			3.00,		0.0,		'KUNDENSERVER_RELAYS',
									'dnsbl.kempt.net',				3.00,		0.0,		'KEMPT_DNSBL',
									'dnsbl-1.uceprotect.net',			3.00,		0.0,		'UCEPROTECT_LEVEL_1',
									'dnsbl-2.uceprotect.net',			2.00,		0.0,		'UCEPROTECT_LEVEL_2',
									'combined.abuse.ch',				3.00,		0.0,		'ABUSE_CH_COMBINED',
									'cbl.abuseeat.org',				3.00,		0.0,		'ABUSEEAT_CBL',
									'hostkarma.junkemailfilter.com',		3.00,		0.0,		'JUNKEMAILFILTER',
									'bl.mailspike.net',				3.00,		0.0,		'MAILSPIKE_BL',
									'bl.spameatingmonkey.net',			3.00,		0.0,		'SPAMEATINGMONKEY',
									'psbl.surriel.com',				3.00,		0.0,		'SURRIEL_PSBL'
 
							);
 
	$MAXDNSBLHITS				=	3;		# If Client IP is listed in MORE
									# DNSBLS than this var, it gets
									# REJECTed immediately
 
	$MAXDNSBLSCORE				=	12;		# alternatively, if the score of
									# DNSBLs is ABOVE this
									# level, reject immediately
 
	$MAXDNSBLMSG				=	"550 Your MTA is listed in too many DNSBLs";
 
## RHSBL settings
	@rhsbl_score				=	(
									'multi.surbl.org',			3.0,		0,			'SURBL',
									'rhsbl.sorbs.net',			3.0,		0,			'SORBS_RHSBL',
									'dbl.spamhaus.org',	 		0.1,		0,			'SPAMHAUS_DBL'
							);
 
	$BL_ERROR_SKIP				=	4;		# skip a RBL if this RBL had this many continuous errors
 
	$BL_SKIP_RELEASE			=	12;		# skip a RBL for that many times
 
## cache stuff
	$LOCKPATH				=	"/var/run/policyd-weight/";	
									# must be a directory (add
									# trailing slash)
 
	$SPATH					=	$LOCKPATH."/polw.sock";
									# socket path for the cache daemon. 
 
	$MAXIDLECACHE				=	60;		# how many seconds the cache may be idle
									# before starting maintenance routines
									# NOTE: standard maintenance jobs happen
									# regardless of this setting.
 
	$MAINTENANCE_LEVEL			=	5;		# after this number of requests do following
									# maintenance jobs:
									# checking for config changes
 
# negative (i.e. SPAM) result cache settings ##################################
 
	$CACHESIZE				=	2000;		# set to 0 to disable caching for spam results. 
									# To this level the cache will be cleaned.
 
	$CACHEMAXSIZE				=	4000; 		# at this number of entries cleanup takes place
 
	$CACHEREJECTMSG				= 	"550 temporarily blocked because of previous errors";
 
	$NTTL					=	1;		# after NTTL retries the cache entry is deleted
 
	$NTIME					=	30;		# client MUST NOT retry within this seconds in order
									# to decrease TTL counter
 
# positve (i.,e. HAM) result cache settings ###################################
 
	$POSCACHESIZE				=	1000;		# set to 0 to disable caching of HAM. To this number
									# of entries the cache will be cleaned
 
	$POSCACHEMAXSIZE			=	2000; 		# at this number of entries cleanup takes place
 
	$POSCACHEMSG				=	"using cached result";
 
	$PTTL					=	60;		# after PTTL requests the HAM entry must
									# succeed one time the RBL checks again
 
	$PTIME					=	"3h";		# after $PTIME in HAM Cache the client
									# must pass one time the RBL checks again.
									# Values must be nonfractal. Accepted
									# time-units: s, m, h, d
 
	$TEMP_PTIME				=	"1d";		# The client must pass this time the RBL
									# checks in order to be listed as hard-HAM
									# After this time the client will pass
									# immediately for PTTL within PTIME
 
## DNS settings
	$DNS_RETRIES				=	2;		# Retries for ONE DNS-Lookup
 
	$DNS_RETRY_IVAL				=	2;		# Retry-interval for ONE DNS-Lookup
 
	$MAXDNSERR				=	3;		# max error count for unresponded queries
									# in a complete policy query
 
	$MAXDNSERRMSG				=	"passed - too many local DNS-errors";
 
	$PUDP					=	0;		# persistent udp connection for DNS queries.
									# broken in Net::DNS version 0.51. Works with
									# Net::DNS 0.53; DEFAULT: off
 
	$USE_NET_DNS				=	0;		# Force the usage of Net::DNS for RBL lookups.
									# Normally policyd-weight tries to use a faster
									# RBL lookup routine instead of Net::DNS
 
	$NS					=	"";		# A list of space separated NS IPs
									# This overrides resolv.conf settings
									# Example: $NS = "1.2.3.4 1.2.3.5";
									# DEFAULT: empty
 
	$IPC_TIMEOUT				=	2;		# timeout for receiving from cache instance
 
	$TRY_BALANCE				=	0;		# If set to 1 policyd-weight closes connections
									# to smtpd clients in order to avoid too many
									# established connections to one policyd-weight
									# child
 
# scores for checks, WARNING: they may manipulate eachother
# or be factors for other scores.
#								HIT score,	MISS Score
	@client_ip_eq_helo_score		=	(	1.7,		-1	);
	@helo_score				=	(	1.7,		-2	);
	@helo_from_mx_eq_ip_score		=	(	1.7,		-3.1	);
	@helo_numeric_score			=	(	2.7,		0	);
	@from_match_regex_verified_helo		=	(	1,		-2	);
	@from_match_regex_unverified_helo	=	(	1.6,		-1.5	);
	@from_match_regex_failed_helo		=	(	2.5,		0	);
	@helo_seems_dialup			=	(	1.7,		0	);
	@failed_helo_seems_dialup		=	(	2.2,		0	);
	@helo_ip_in_client_subnet	 	=	(	0,		0	);
	@helo_ip_in_cl16_subnet			=	(	0,		0	);
	@client_seems_dialup_score		=	(	4,		0	);
	@from_multiparted			=	(	1.09,		0	);
	@from_anon				=	(	1.17,		0	);
	@bogus_mx_score				=	(	2.1,		0	);
	@random_sender_score			=	(	0.25,		0	);
	@rhsbl_penalty_score			=	(	3.1,		0	);
	@enforce_dyndns_score		 	=	(	3,		0	);
 
 
	$VERBOSE				=	0;
 
	$ADD_X_HEADER				=	1;		# Switch on or off an additional 
									# X-policyd-weight: header
									# DEFAULT: on
 
	$DEFAULT_RESPONSE			=	"DUNNO default"; 
									# Fallback response in case
									# the weighted check didn"t
									# return any response (should never
									# appear).
 
#
# Syslogging options for verbose mode and for fatal errors.
# NOTE: comment out the $syslog_socktype line if syslogging does not
# work on your system.
#
	$syslog_socktype			=	"unix";		# inet, unix, stream, console
	$syslog_facility			=	"mail";
	$syslog_options				=	"pid";
	$syslog_priority			=	"info";
	$syslog_ident				=	"postfix/policyd-weight";
 
#
# Process Options
#
	$USER					=	"polw";		# User must be a username, no UID
 
	$GROUP					=	"";		# specify GROUP if necessary
									# DEFAULT: empty, will be initialized as 
									# $USER
 
	$MAX_PROC				=	50;		# Upper limit if child processes
	$MIN_PROC				=	3;		# keep that minimum processes alive
 
	$TCP_PORT				=	12525;		# The TCP port on which policyd-weight 
									# listens for policy requests from postfix
 
	$BIND_ADDRESS				=	"127.0.0.1"; 
									# IP-Address on which policyd-weight will
									# listen for requests.
									# You may only list ONE IP here, if you want
									# to listen on all IPs you need to say "all"
									# here. Default is "127.0.0.1".
									# You need to restart policyd-weight if you
									# change this.
 
	$SOMAXCONN				= 	1024;		# Maximum of client connections 
									# policyd-weight accepts
									# Default: 1024
 
	$CHILDIDLE				=	240;		# how many seconds a child may be idle before
									# it dies.
 
	$PIDFILE				=	"/var/run/policyd-weight.pid";