Postfix Anti-Spam Configuration

Postfix

main.cf
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_invalid_hostname,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_unknown_sender_domain,
  reject_unknown_reverse_client_hostname,
  reject_unknown_helo_hostname,
  reject_unknown_recipient_domain,
  check_client_access hash:/etc/postfix/access_client_whitelist,
  check_policy_service inet:127.0.0.1:12525

The service at 127.0.0.1:12525 is policyd-weight; its configuration is given below. /etc/postfix/access_client_whitelist lists the mail servers for which policyd-weight should never be consulted. Example:

/etc/postfix/access_client_whitelist
mail.gmx.de   OK
mail.gmx.net  OK
.web.de       OK

The file must be converted into a lookup table with postmap (postmap /etc/postfix/access_client_whitelist) before Postfix can use it.
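To check that the policy service behind check_policy_service actually answers before putting the restriction into production, the following added example (not part of the original page or of policyd-weight) speaks the Postfix policy delegation protocol itself: one name=value line per attribute, a blank line to end the request, and an action=... reply ended by a blank line. The client address, HELO name and mailbox names are constructed sample values.

```python
import socket

# Address from check_policy_service inet:127.0.0.1:12525 in main.cf
POLICY_ADDR = ("127.0.0.1", 12525)


def build_request(attrs):
    """Encode one smtpd_access_policy request the way Postfix sends it."""
    base = {"request": "smtpd_access_policy", "protocol_state": "RCPT",
            "protocol_name": "ESMTP"}
    base.update(attrs)
    # "name=value\n" per attribute, then an empty line terminates the request
    return "".join(f"{k}={v}\n" for k, v in base.items()).encode() + b"\n"


def parse_response(raw):
    """Return the action (e.g. 'DUNNO default', '550 ...', 'PREPEND ...')."""
    reply = {}
    for line in raw.decode(errors="replace").split("\n"):
        if not line:          # empty line ends the reply
            break
        key, _, value = line.partition("=")
        reply[key] = value
    if "action" not in reply:
        raise ValueError("policy server returned no action attribute")
    return reply["action"]


def query_policy(attrs, addr=POLICY_ADDR, timeout=5.0):
    """Send one policy request to policyd-weight and return its action."""
    with socket.create_connection(addr, timeout=timeout) as sock:
        sock.sendall(build_request(attrs))
        buf = b""
        while b"\n\n" not in buf:   # read until the terminating empty line
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_response(buf)


if __name__ == "__main__":
    # Constructed test client; the verdict depends on live DNS/DNSBL lookups.
    print(query_policy({"client_address": "192.0.2.10",
                        "client_name": "unknown",
                        "reverse_client_name": "unknown",
                        "helo_name": "192.0.2.10",
                        "sender": "test@example.com",
                        "recipient": "postmaster@example.org"}))
```

A client listed in access_client_whitelist never reaches this query in Postfix, so test such hosts separately with postmap -q against the compiled map.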

policyd-weight

/etc/policyd-weight.conf
# ----------------------------------------------------------------
#  policyd-weight configuration (defaults) Version 0.1.14 beta-17
# ----------------------------------------------------------------

$DEBUG                             =  0;      # 1 or 0 - don't comment

$REJECTMSG                         =  "550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs";

$REJECTLEVEL                       =  9;      # Mails with scores which exceed this
                                              # REJECTLEVEL will be rejected

$DEFER_STRING                      =  "IN_SPAMCOP= BOGUS_MX=";
                                              # A space separated case-sensitive list of
                                              # strings on which if found in the $RET
                                              # logging-string policyd-weight changes
                                              # its action to $DEFER_ACTION in case
                                              # of rejects.
                                              # USE WITH CAUTION!
                                              # DEFAULT: "IN_SPAMCOP= BOGUS_MX="

$DEFER_ACTION                      =  "450";  # Possible values: DEFER_IF_PERMIT,
                                              # DEFER_IF_REJECT,
                                              # 4xx response codes. See also access(5)
                                              # DEFAULT: 450

$DEFER_LEVEL                       =  5;      # DEFER mail only up to this level
                                              # scores greater than DEFER_LEVEL will be
                                              # rejected
                                              # DEFAULT: 5

$DNSERRMSG                         =  "450 No DNS entries for your MTA, HELO and Domain. Contact YOUR administrator";

$dnsbl_checks_only                 =  0;      # 1: ON, 0: OFF (default)
                                              # If ON request that ALL clients are only
                                              # checked against RBLs

@dnsbl_checks_only_regexps         =  (
  # qr/[^.]*(exch|smtp|mx|mail).*
  # qr/yahoo.com$/
);
                                              # specify a comma-separated list of regexps
                                              # for client hostnames which shall only
                                              # be RBL checked. This does not work for
                                              # postfix' "unknown" clients.
                                              # The usage of this should not be the norm
                                              # and is a tool for people which like to
                                              # shoot in their own foot.
                                              # DEFAULT: empty

$LOG_BAD_RBL_ONLY                  =  1;      # 1: ON (default), 0: OFF
                                              # When set to ON it logs only RBLs which
                                              # affect scoring (positive or negative)

## DNSBL settings
@dnsbl_score                       =  (
  # HOST,                             HIT SCORE,  MISS SCORE,  LOG NAME
  'zen.spamhaus.org',                 3.00,       0.0,         'SPAMHAUS_ZEN',
  'dnsbl.njabl.org',                  3.00,       0.0,         'NJABL_DNSBL',
  'bl.spamcop.net',                   3.00,       0.0,         'SPAMCOP_BL',
  'ix.dnsbl.manitu.net',              3.00,       0.0,         'MANITU_IX',
  't1.dnsbl.net.au',                  3.00,       0.0,         'NET_AU',
  'dnsbl.sorbs.net',                  1.50,       0.0,         'SORBS_DNSBL',
  'dnsbl.dronebl.org',                3.00,       0.0,         'DRONEBL_DNSBL',
  'spamrbl.imp.ch',                   3.00,       0.0,         'IMP_SPAMRBL',
  'relays.bl.kundenserver.de',        3.00,       0.0,         'KUNDENSERVER_RELAYS',
  'dnsbl.kempt.net',                  3.00,       0.0,         'KEMPT_DNSBL',
  'dnsbl-1.uceprotect.net',           3.00,       0.0,         'UCEPROTECT_LEVEL_1',
  'dnsbl-2.uceprotect.net',           2.00,       0.0,         'UCEPROTECT_LEVEL_2',
  'combined.abuse.ch',                3.00,       0.0,         'ABUSE_CH_COMBINED',
  'cbl.abuseeat.org',                 3.00,       0.0,         'ABUSEEAT_CBL',
  'hostkarma.junkemailfilter.com',    3.00,       0.0,         'JUNKEMAILFILTER',
  'bl.mailspike.net',                 3.00,       0.0,         'MAILSPIKE_BL',
  'bl.spameatingmonkey.net',          3.00,       0.0,         'SPAMEATINGMONKEY',
  'psbl.surriel.com',                 3.00,       0.0,         'SURRIEL_PSBL'
);

$MAXDNSBLHITS                     =  3;       # If Client IP is listed in MORE
                                              # DNSBLS than this var, it gets
                                              # REJECTed immediately

$MAXDNSBLSCORE                    =  12;      # alternatively, if the score of
                                              # DNSBLs is ABOVE this
                                              # level, reject immediately

$MAXDNSBLMSG                      =  "550 Your MTA is listed in too many DNSBLs";

## RHSBL settings
@rhsbl_score                      =  (
  'multi.surbl.org',                  3.0,        0,           'SURBL',
  'rhsbl.sorbs.net',                  3.0,        0,           'SORBS_RHSBL',
  'dbl.spamhaus.org',                 0.1,        0,           'SPAMHAUS_DBL'
);

$BL_ERROR_SKIP                    =  4;       # skip a RBL if this RBL had this many continuous errors

$BL_SKIP_RELEASE                  =  12;      # skip a RBL for that many times

## cache stuff
$LOCKPATH                         =  "/var/run/policyd-weight/";
                                              # must be a directory (add
                                              # trailing slash)

$SPATH                            =  $LOCKPATH."/polw.sock";
                                              # socket path for the cache daemon.

$MAXIDLECACHE                     =  60;      # how many seconds the cache may be idle
                                              # before starting maintenance routines
                                              # NOTE: standard maintenance jobs happen
                                              # regardless of this setting.

$MAINTENANCE_LEVEL                =  5;       # after this number of requests do following
                                              # maintenance jobs:
                                              # checking for config changes

# negative (i.e. SPAM) result cache settings ##################################

$CACHESIZE                        =  2000;    # set to 0 to disable caching for spam results.
                                              # To this level the cache will be cleaned.

$CACHEMAXSIZE                     =  4000;    # at this number of entries cleanup takes place

$CACHEREJECTMSG                   =  "550 temporarily blocked because of previous errors";

$NTTL                             =  1;       # after NTTL retries the cache entry is deleted

$NTIME                            =  30;      # client MUST NOT retry within this seconds in order
                                              # to decrease TTL counter

# positive (i.e. HAM) result cache settings ###################################

$POSCACHESIZE                     =  1000;    # set to 0 to disable caching of HAM. To this number
                                              # of entries the cache will be cleaned

$POSCACHEMAXSIZE                  =  2000;    # at this number of entries cleanup takes place

$POSCACHEMSG                      =  "using cached result";

$PTTL                             =  60;      # after PTTL requests the HAM entry must
                                              # succeed one time the RBL checks again

$PTIME                            =  "3h";    # after $PTIME in HAM Cache the client
                                              # must pass one time the RBL checks again.
                                              # Values must be nonfractal. Accepted
                                              # time-units: s, m, h, d

$TEMP_PTIME                       =  "1d";    # The client must pass this time the RBL
                                              # checks in order to be listed as hard-HAM
                                              # After this time the client will pass
                                              # immediately for PTTL within PTIME

## DNS settings
$DNS_RETRIES                      =  2;       # Retries for ONE DNS-Lookup

$DNS_RETRY_IVAL                   =  2;       # Retry-interval for ONE DNS-Lookup

$MAXDNSERR                        =  3;       # max error count for unresponded queries
                                              # in a complete policy query

$MAXDNSERRMSG                     =  "passed - too many local DNS-errors";

$PUDP                             =  0;       # persistent udp connection for DNS queries.
                                              # broken in Net::DNS version 0.51. Works with
                                              # Net::DNS 0.53; DEFAULT: off

$USE_NET_DNS                      =  0;       # Force the usage of Net::DNS for RBL lookups.
                                              # Normally policyd-weight tries to use a faster
                                              # RBL lookup routine instead of Net::DNS

$NS                               =  "";      # A list of space separated NS IPs
                                              # This overrides resolv.conf settings
                                              # Example: $NS = "1.2.3.4 1.2.3.5";
                                              # DEFAULT: empty

$IPC_TIMEOUT                      =  2;       # timeout for receiving from cache instance

$TRY_BALANCE                      =  0;       # If set to 1 policyd-weight closes connections
                                              # to smtpd clients in order to avoid too many
                                              # established connections to one policyd-weight
                                              # child

# scores for checks, WARNING: they may manipulate each other
# or be factors for other scores.
#                HIT score,  MISS Score
@client_ip_eq_helo_score          =  (  1.7,   -1   );
@helo_score                       =  (  1.7,   -2   );
@helo_from_mx_eq_ip_score         =  (  1.7,   -3.1 );
@helo_numeric_score               =  (  2.7,    0   );
@from_match_regex_verified_helo   =  (  1,     -2   );
@from_match_regex_unverified_helo =  (  1.6,   -1.5 );
@from_match_regex_failed_helo     =  (  2.5,    0   );
@helo_seems_dialup                =  (  1.7,    0   );
@failed_helo_seems_dialup         =  (  2.2,    0   );
@helo_ip_in_client_subnet         =  (  0,      0   );
@helo_ip_in_cl16_subnet           =  (  0,      0   );
@client_seems_dialup_score        =  (  4,      0   );
@from_multiparted                 =  (  1.09,   0   );
@from_anon                        =  (  1.17,   0   );
@bogus_mx_score                   =  (  2.1,    0   );
@random_sender_score              =  (  0.25,   0   );
@rhsbl_penalty_score              =  (  3.1,    0   );
@enforce_dyndns_score             =  (  3,      0   );

$VERBOSE                          =  0;

$ADD_X_HEADER                     =  1;       # Switch on or off an additional
                                              # X-policyd-weight: header
                                              # DEFAULT: on

$DEFAULT_RESPONSE                 =  "DUNNO default";
                                              # Fallback response in case
                                              # the weighted check didn't
                                              # return any response (should never
                                              # appear).

#
# Syslogging options for verbose mode and for fatal errors.
# NOTE: comment out the $syslog_socktype line if syslogging does not
# work on your system.
#
$syslog_socktype                  =  "unix";  # inet, unix, stream, console
$syslog_facility                  =  "mail";
$syslog_options                   =  "pid";
$syslog_priority                  =  "info";
$syslog_ident                     =  "postfix/policyd-weight";

#
# Process Options
#
$USER                             =  "polw";  # User must be a username, no UID

$GROUP                            =  "";      # specify GROUP if necessary
                                              # DEFAULT: empty, will be initialized as
                                              # $USER

$MAX_PROC                         =  50;      # Upper limit of child processes
$MIN_PROC                         =  3;       # keep that minimum processes alive

$TCP_PORT                         =  12525;   # The TCP port on which policyd-weight
                                              # listens for policy requests from postfix

$BIND_ADDRESS                     =  "127.0.0.1";
                                              # IP-Address on which policyd-weight will
                                              # listen for requests.
                                              # You may only list ONE IP here, if you want
                                              # to listen on all IPs you need to say "all"
                                              # here. Default is "127.0.0.1".
                                              # You need to restart policyd-weight if you
                                              # change this.

$SOMAXCONN                        =   1024;   # Maximum of client connections
                                              # policyd-weight accepts
                                              # Default: 1024

$CHILDIDLE                        =  240;     # how many seconds a child may be idle before
                                              # it dies.

$PIDFILE                          =  "/var/run/policyd-weight.pid";