Postfix Antispam Konfiguration
Postfix
- Auszug aus der main.cf
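# /etc/postfix/main.cf (excerpt) - anti-spam restrictions.
# main.cf syntax: one "name = value" per line, continuation lines indented;
# Postfix has no inline comments, so all notes are on their own lines.
# (The original wiki rendering had everything on one line, which would make
# the whole text the value of smtpd_helo_required.)

# Clients must send HELO/EHLO before MAIL FROM, otherwise the HELO checks
# below have nothing to work on.
smtpd_helo_required = yes

# Do not let clients enumerate valid mailboxes with VRFY.
disable_vrfy_command = yes

# Evaluated top to bottom at RCPT TO; the first matching permit/reject ends
# the evaluation. The order is the policy:
#  - permit_* only for SASL-authenticated clients and $mynetworks
#  - reject_unauth_destination directly after them, so the relay decision
#    is taken before any DNS-dependent check and cannot be skipped by a
#    permit added later in the list (moved up from the middle of the list)
#  - check_client_access ... OK must stay AFTER reject_unauth_destination:
#    in front of it, every host in the whitelist could relay through us
#  - check_policy_service (policyd-weight) last, so only mail that already
#    passed the cheap checks pays for the DNSBL lookups
# The reject_unknown_* and reject_unknown_reverse_client_hostname checks
# depend on DNS: a resolver failure defers (450) legitimate mail, so use a
# reliable local resolver. On Postfix 2.10+ smtpd_relay_restrictions is
# evaluated in addition; its default already contains
# reject_unauth_destination.
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_pipelining,
    reject_unknown_sender_domain,
    reject_unknown_reverse_client_hostname,
    reject_unknown_helo_hostname,
    reject_unknown_recipient_domain,
    check_client_access hash:/etc/postfix/access_client_whitelist,
    check_policy_service inet:127.0.0.1:12525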
Der check_policy_service auf 127.0.0.1:12525 ist policyd-weight (Konfiguration siehe unten). Das Policy-Protokoll ist unauthentifiziert, der Dienst sollte deshalb nur auf localhost erreichbar sein. In der /etc/postfix/access_client_whitelist stehen die Mailserver, bei denen policyd-weight nie befragt werden soll. Das "OK" aus dieser Tabelle beendet lediglich die Auswertung der smtpd_recipient_restrictions: Die davor stehenden reject_*-Prüfungen greifen weiterhin, und weil die Tabelle erst nach reject_unauth_destination abgefragt wird, erlaubt sie den gelisteten Hosts kein Relaying. Hostnamen-Einträge werden gegen den von Postfix ermittelten Client-Hostnamen geprüft, also nur bei bestätigtem Reverse-DNS; andernfalls heißt der Client "unknown" und matcht nie. Beispiel:
- /etc/postfix/access_client_whitelist
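# /etc/postfix/access_client_whitelist - clients that skip policyd-weight.
# Format: one "key<whitespace>result" per line. Build the lookup table with
#   postmap /etc/postfix/access_client_whitelist
# after every change; Postfix reads the generated .db, not this file.
#
# Keys are matched against the client hostname as Postfix sees it (only a
# PTR name confirmed by a forward lookup; otherwise the client is "unknown"
# and never matches) or the client IP/network.
#
# Subdomain matching depends on parent_domain_matches_subdomains (see
# access(5) and postconf(5)): with the default value, which lists
# smtpd_access_maps, "web.de" matches web.de AND all its subdomains, while a
# leading-dot entry such as ".web.de" matches nothing. The third entry was
# therefore changed from ".web.de" to "web.de"; if your
# parent_domain_matches_subdomains does not contain smtpd_access_maps,
# keep ".web.de" instead.
#
# "OK" only ends the evaluation of smtpd_recipient_restrictions; the table
# is consulted after reject_unauth_destination, so it grants no relaying.
mail.gmx.de     OK
mail.gmx.net    OK
web.de          OK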
Die Datei muss mit `postmap /etc/postfix/access_client_whitelist` in eine Lookup-Tabelle (.db) konvertiert werden – nach jeder Änderung erneut, da Postfix nur die erzeugte .db-Datei liest.
policyd-weight
- /etc/policyd-weight.conf
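# ----------------------------------------------------------------
# policyd-weight configuration (defaults) Version 0.1.14 beta-17
# ----------------------------------------------------------------
# /etc/policyd-weight.conf is Perl source evaluated by policyd-weight at
# start-up (and re-read on config changes, see $MAINTENANCE_LEVEL below):
# every statement ends with ";" and a "#" comment runs to the end of the
# line. The one-line wiki rendering of this file is therefore NOT loadable -
# everything after the first "#" on each line would be a comment.

# 1 or 0 - don't comment out
$DEBUG = 0;

# Final reply sent for mail whose score exceeds $REJECTLEVEL.
$REJECTMSG = "550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs";

# Mails with scores which exceed this REJECTLEVEL will be rejected.
$REJECTLEVEL = 9;

# A space separated case-sensitive list of strings; if one of them is
# found in the $RET logging-string, policyd-weight changes its action to
# $DEFER_ACTION in case of rejects.
# USE WITH CAUTION!
# DEFAULT: "IN_SPAMCOP= BOGUS_MX="
$DEFER_STRING = "IN_SPAMCOP= BOGUS_MX=";

# Possible values: DEFER_IF_PERMIT, DEFER_IF_REJECT, 4xx response codes.
# See also access(5).
# DEFAULT: 450
$DEFER_ACTION = "450";

# DEFER mail only up to this level; scores greater than DEFER_LEVEL will
# be rejected.
# DEFAULT: 5
$DEFER_LEVEL = 5;

# Temporary reply when the client has no usable DNS entries at all.
$DNSERRMSG = "450 No DNS entries for your MTA, HELO and Domain. Contact YOUR administrator";

# 1: ON, 0: OFF (default)
# If ON, request that ALL clients are only checked against RBLs.
$dnsbl_checks_only = 0;

# A comma-separated list of regexps for client hostnames which shall only
# be RBL checked. This does not work for postfix' "unknown" clients.
# The usage of this should not be the norm and is a tool for people who
# like to shoot themselves in the foot.
# DEFAULT: empty
@dnsbl_checks_only_regexps = (
    # qr/[^.]*(exch|smtp|mx|mail).*\..*\../,
    # qr/yahoo.com$/
);

# 1: ON (default), 0: OFF
# When set to ON it logs only RBLs which affect scoring (positive or
# negative).
$LOG_BAD_RBL_ONLY = 1;

## DNSBL settings
#
# Every zone listed here is a trusted input: a positive answer adds the HIT
# SCORE, and $MAXDNSBLHITS positive zones reject the client outright.
# NOTE(review): this list dates from the 0.1.14 era and at least NJABL has
# been shut down since; a DNSBL domain that lapses can be re-registered by
# a third party and answer positively for every query. Verify each zone is
# still operated before using this list, and drop dead ones.
# NOTE(review): 'cbl.abuseeat.org' looks like a typo for the (historical)
# CBL zone cbl.abuseat.org - confirm; an unresolvable zone only costs a
# lookup until $BL_ERROR_SKIP kicks in, but a wrong name that someone else
# registers would feed attacker-controlled verdicts into the score.
# NOTE(review): the Spamhaus zones (zen / dbl) refuse queries arriving via
# public open resolvers and have usage limits for the free zones - use a
# local caching resolver (see $NS) and check the Spamhaus terms.
@dnsbl_score = (
    #HOST,                            HIT SCORE, MISS SCORE, LOG NAME
    'zen.spamhaus.org',               3.00,      0.0,        'SPAMHAUS_ZEN',
    'dnsbl.njabl.org',                3.00,      0.0,        'NJABL_DNSBL',
    'bl.spamcop.net',                 3.00,      0.0,        'SPAMCOP_BL',
    'ix.dnsbl.manitu.net',            3.00,      0.0,        'MANITU_IX',
    't1.dnsbl.net.au',                3.00,      0.0,        'NET_AU',
    'dnsbl.sorbs.net',                1.50,      0.0,        'SORBS_DNSBL',
    'dnsbl.dronebl.org',              3.00,      0.0,        'DRONEBL_DNSBL',
    'spamrbl.imp.ch',                 3.00,      0.0,        'IMP_SPAMRBL',
    'relays.bl.kundenserver.de',      3.00,      0.0,        'KUNDENSERVER_RELAYS',
    'dnsbl.kempt.net',                3.00,      0.0,        'KEMPT_DNSBL',
    'dnsbl-1.uceprotect.net',         3.00,      0.0,        'UCEPROTECT_LEVEL_1',
    # UCEPROTECT level 2 lists whole allocations, not single hosts - expect
    # collateral listings of legitimate senders at this weight.
    'dnsbl-2.uceprotect.net',         2.00,      0.0,        'UCEPROTECT_LEVEL_2',
    'combined.abuse.ch',              3.00,      0.0,        'ABUSE_CH_COMBINED',
    'cbl.abuseeat.org',               3.00,      0.0,        'ABUSEEAT_CBL',
    'hostkarma.junkemailfilter.com',  3.00,      0.0,        'JUNKEMAILFILTER',
    'bl.mailspike.net',               3.00,      0.0,        'MAILSPIKE_BL',
    'bl.spameatingmonkey.net',        3.00,      0.0,        'SPAMEATINGMONKEY',
    'psbl.surriel.com',               3.00,      0.0,        'SURRIEL_PSBL'
);

# If Client IP is listed in MORE DNSBLs than this var, it gets REJECTed
# immediately.
$MAXDNSBLHITS = 3;

# Alternatively, if the score of DNSBLs is ABOVE this level, reject
# immediately.
$MAXDNSBLSCORE = 12;

$MAXDNSBLMSG = "550 Your MTA is listed in too many DNSBLs";

## RHSBL settings
# Same trust caveat as for @dnsbl_score above.
@rhsbl_score = (
    'multi.surbl.org',                3.0,       0,          'SURBL',
    'rhsbl.sorbs.net',                3.0,       0,          'SORBS_RHSBL',
    'dbl.spamhaus.org',               0.1,       0,          'SPAMHAUS_DBL'
);

# Skip a RBL if this RBL had this many continuous errors.
$BL_ERROR_SKIP = 4;

# Skip a RBL for that many times.
$BL_SKIP_RELEASE = 12;

## cache stuff

# Must be a directory (add trailing slash).
$LOCKPATH = "/var/run/policyd-weight/";

# Socket path for the cache daemon (the trailing slash of $LOCKPATH plus
# the leading slash here yield "//", which is harmless on Unix).
$SPATH = $LOCKPATH."/polw.sock";

# How many seconds the cache may be idle before starting maintenance
# routines.
# NOTE: standard maintenance jobs happen regardless of this setting.
$MAXIDLECACHE = 60;

# After this number of requests do the following maintenance jobs:
#   checking for config changes
$MAINTENANCE_LEVEL = 5;

# negative (i.e. SPAM) result cache settings
##################################

# Set to 0 to disable caching for spam results.
# To this level the cache will be cleaned.
$CACHESIZE = 2000;

# At this number of entries cleanup takes place.
$CACHEMAXSIZE = 4000;

$CACHEREJECTMSG = "550 temporarily blocked because of previous errors";

# After NTTL retries the cache entry is deleted.
$NTTL = 1;

# Client MUST NOT retry within this many seconds in order to decrease the
# TTL counter.
$NTIME = 30;

# positive (i.e. HAM) result cache settings
###################################

# Set to 0 to disable caching of HAM. To this number of entries the cache
# will be cleaned.
$POSCACHESIZE = 1000;

# At this number of entries cleanup takes place.
$POSCACHEMAXSIZE = 2000;

$POSCACHEMSG = "using cached result";

# After PTTL requests the HAM entry must succeed one time the RBL checks
# again.
$PTTL = 60;

# After $PTIME in HAM Cache the client must pass one time the RBL checks
# again. Values must be non-fractional. Accepted time-units: s, m, h, d
$PTIME = "3h";

# The client must pass this time the RBL checks in order to be listed as
# hard-HAM. After this time the client will pass immediately for PTTL
# within PTIME.
$TEMP_PTIME = "1d";

## DNS settings

# Retries for ONE DNS-Lookup.
$DNS_RETRIES = 2;

# Retry-interval for ONE DNS-Lookup.
$DNS_RETRY_IVAL = 2;

# Max error count for unresponded queries in a complete policy query.
$MAXDNSERR = 3;

# Note: too many local DNS errors let the mail PASS (fail-open), so a
# broken resolver silently disables the filter rather than blocking mail.
$MAXDNSERRMSG = "passed - too many local DNS-errors";

# Persistent udp connection for DNS queries.
# Broken in Net::DNS version 0.51. Works with Net::DNS 0.53; DEFAULT: off
$PUDP = 0;

# Force the usage of Net::DNS for RBL lookups.
# Normally policyd-weight tries to use a faster RBL lookup routine instead
# of Net::DNS.
$USE_NET_DNS = 0;

# A list of space separated NS IPs. This overrides resolv.conf settings.
# Example: $NS = "1.2.3.4 1.2.3.5";
# Point this (or resolv.conf) at a local caching resolver, not a public
# one: several DNSBL operators block or rate-limit public resolvers.
# DEFAULT: empty
$NS = "";

# Timeout for receiving from cache instance.
$IPC_TIMEOUT = 2;

# If set to 1 policyd-weight closes connections to smtpd clients in order
# to avoid too many established connections to one policyd-weight child.
$TRY_BALANCE = 0;

# Scores for checks. WARNING: they may manipulate each other or be factors
# for other scores.
#                                      HIT score, MISS score
@client_ip_eq_helo_score            = ( 1.7,      -1 );
@helo_score                         = ( 1.7,      -2 );
@helo_from_mx_eq_ip_score           = ( 1.7,      -3.1 );
@helo_numeric_score                 = ( 2.7,      0 );
@from_match_regex_verified_helo     = ( 1,        -2 );
@from_match_regex_unverified_helo   = ( 1.6,      -1.5 );
@from_match_regex_failed_helo       = ( 2.5,      0 );
@helo_seems_dialup                  = ( 1.7,      0 );
@failed_helo_seems_dialup           = ( 2.2,      0 );
@helo_ip_in_client_subnet           = ( 0,        0 );
@helo_ip_in_cl16_subnet             = ( 0,        0 );
@client_seems_dialup_score          = ( 4,        0 );
@from_multiparted                   = ( 1.09,     0 );
@from_anon                          = ( 1.17,     0 );
@bogus_mx_score                     = ( 2.1,      0 );
@random_sender_score                = ( 0.25,     0 );
@rhsbl_penalty_score                = ( 3.1,      0 );
@enforce_dyndns_score               = ( 3,        0 );

$VERBOSE = 0;

# Switch on or off an additional X-policyd-weight: header.
# DEFAULT: on
$ADD_X_HEADER = 1;

# Fallback response in case the weighted check didn't return any response
# (should never appear).
$DEFAULT_RESPONSE = "DUNNO default";

#
# Syslogging options for verbose mode and for fatal errors.
# NOTE: comment out the $syslog_socktype line if syslogging does not
# work on your system.
#
# $syslog_socktype = "unix";   # inet, unix, stream, console
$syslog_facility = "mail";
$syslog_options = "pid";
$syslog_priority = "info";
$syslog_ident = "postfix/policyd-weight";

#
# Process Options
#

# User must be a username, no UID. The daemon drops to this unprivileged
# account; keep it dedicated to policyd-weight.
$USER = "polw";

# Specify GROUP if necessary.
# DEFAULT: empty, will be initialized as $USER
$GROUP = "";

# Upper limit of child processes.
$MAX_PROC = 50;

# Keep that minimum number of processes alive.
$MIN_PROC = 3;

# The TCP port on which policyd-weight listens for policy requests from
# postfix (must match check_policy_service inet:... in main.cf).
$TCP_PORT = 12525;

# IP-Address on which policyd-weight will listen for requests.
# You may only list ONE IP here; if you want to listen on all IPs you need
# to say "all" here. Default is "127.0.0.1".
# The policy protocol has no authentication: anyone who can reach this
# port can obtain verdicts and trigger DNSBL lookups, so keep it on the
# loopback address or firewall it if you really need "all".
# You need to restart policyd-weight if you change this.
$BIND_ADDRESS = "127.0.0.1";

# Maximum of client connections policyd-weight accepts.
# Default: 1024
$SOMAXCONN = 1024;

# How many seconds a child may be idle before it dies.
$CHILDIDLE = 240;

$PIDFILE = "/var/run/policyd-weight.pid";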