diff -Nru postfwd-1.20/debian/changelog postfwd-1.32/debian/changelog --- postfwd-1.20/debian/changelog 2012-01-04 15:36:46.000000000 +0000 +++ postfwd-1.32/debian/changelog 2012-01-04 15:36:47.000000000 +0000 @@ -1,3 +1,39 @@ +postfwd (1.32-1) unstable; urgency=low + + * New upstream release + - new option --save_rates= is able to load and save rate limit counters + to disk on program start and termination. + - the --debugitem="sender=example\.org$" option allows verbose logging for + particular requests + - the debug() action enables verbose logging for certain rules + - nested commands are possible now + - new mail(server/helo/from/to/subject/body) action. + - single cache items can be wiped + - sasl_username is logged if available + - rate limit action is executed, if the first request exceeds the limit + - exceeded ratecounters will not be kept permanently anymore + - rate limits are evaluated at ruleset stage now + - new parser enhancement is able to omit the trailing "\" for multi-line + rules + - new plugin interface (BETA) + - Time::HiRes is used if available + - multiple rate limits for the same items are supported now + - new $$ratecount variable for rate() actions + - new option --keep_rates + - queueid is logged when available + - rate limits fixed + - new --debug class 'cleanup' + - documentation updates and fixes + * Suppress output on restarting via init script (Closes: #636782), thanks + Martin F. Krafft for reporting + * Add hapolicy and manpage into separate binary package + * Reorganize documentation + - Add new files from upstream to documentation + - Changelogs where renamed by upstream + * Bump Standards-Version to 3.9.2, no changes needed + + -- Jan Wagner Wed, 21 Dec 2011 22:27:27 +0100 + postfwd (1.20-1) unstable; urgency=low * New upstream release diff -Nru postfwd-1.20/debian/control postfwd-1.32/debian/control --- postfwd-1.20/debian/control 2012-01-04 15:36:46.000000000 +0000 +++ postfwd-1.32/debian/control 2012-01-04 15:36:47.000000000 +0000 @@ -6,7 +6,7 @@ Homepage: http://www.postfwd.org/ Vcs-Browser: https://scm.uncompleted.org/projects/debian/repository/show/postfwd Vcs-Svn: https://scm.uncompleted.org/svn/debian/postfwd/trunk -Standards-Version: 3.9.1 +Standards-Version: 3.9.2 Package: postfwd Architecture: all @@ -19,3 +19,13 @@ message has been accepted. It allows you to choose an action (e.g. reject, dunno) for a combination of several smtp parameters (like sender and recipient address, size or the client's TLS fingerprint). + +Package: hapolicy +Architecture: all +Depends: ${perl:Depends}, ${misc:Depends} +Description: Balancing and fallback postfix policy delegation service + Hapolicy enables high availability, weighted loadbalancing and a fallback + action for postfix policy delegation services. Invoked via postfix spawn + it acts as a wrapper that queries other policy servers via tcp connection. + The order of the service queries can be influenced by assigning a specific + priority and weight to each service. diff -Nru postfwd-1.20/debian/hapolicy.docs postfwd-1.32/debian/hapolicy.docs --- postfwd-1.20/debian/hapolicy.docs 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/debian/hapolicy.docs 2012-01-04 15:36:47.000000000 +0000 @@ -0,0 +1,4 @@ +doc/hapolicy.html +doc/hapolicy.txt +tools/hapolicy/hapolicy.* +tools/hapolicy/hapolicy[0-9a-zA-Z.]* diff -Nru postfwd-1.20/debian/hapolicy.manpages postfwd-1.32/debian/hapolicy.manpages --- postfwd-1.20/debian/hapolicy.manpages 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/debian/hapolicy.manpages 2012-01-04 15:36:47.000000000 +0000 @@ -0,0 +1 @@ +man/man8/hapolicy.1 diff -Nru postfwd-1.20/debian/postfwd.docs postfwd-1.32/debian/postfwd.docs --- postfwd-1.20/debian/postfwd.docs 2012-01-04 15:36:46.000000000 +0000 +++ postfwd-1.32/debian/postfwd.docs 2012-01-04 15:36:47.000000000 +0000 @@ -1,3 +1,6 @@ -doc/postfwd.html -doc/postfwd.txt -doc/CHANGELOG2 +doc/postfwd2.CHANGELOG +doc/*.html +doc/*.txt +tools/*.pl +tools/*.sample +plugins/*.sample diff -Nru postfwd-1.20/debian/postfwd.init postfwd-1.32/debian/postfwd.init --- postfwd-1.20/debian/postfwd.init 2012-01-04 15:36:46.000000000 +0000 +++ postfwd-1.32/debian/postfwd.init 2012-01-04 15:36:47.000000000 +0000 @@ -86,9 +86,9 @@ ;; restart|force-reload) echo -n "Restarting $DESC (incl. cache): " - $0 stop + $0 stop > /dev/null sleep 1 - $0 start + $0 start > /dev/null echo "$NAME." ;; *) diff -Nru postfwd-1.20/debian/postfwd.manpages postfwd-1.32/debian/postfwd.manpages --- postfwd-1.20/debian/postfwd.manpages 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/debian/postfwd.manpages 2012-01-04 15:36:47.000000000 +0000 @@ -0,0 +1,2 @@ +debian/tmp/postfwd1.8 +man/man8/postfwd2.8 diff -Nru postfwd-1.20/debian/postfwd.README.Debian postfwd-1.32/debian/postfwd.README.Debian --- postfwd-1.20/debian/postfwd.README.Debian 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/debian/postfwd.README.Debian 2012-01-04 15:36:47.000000000 +0000 @@ -0,0 +1,67 @@ +postfwd for Debian +------------------ + +1. PROVIDE A CONFIGFILE +----------------------- + +Please provide a config file, usually /etc/postfix/postfwd.cf. Examples are +located in /usr/share/doc/postfwd/examples/. +Another can be found at http://hege.li/howto/spam/etc/postfwd/postfwd.conf +and is provided as example-cfg2.txt. + +A quickstart guide is available at http://www.postfwd.org/quick.html and the +online documentation at http://www.postfwd.org/doc.html, the offline version +can be viewed with 'postfix -m'. + +2. VERIFY CONFIG +---------------- + +How interpret the parser your rules, you can check with: + +# postfwd -f /etc/postfix/postfwd.cf -C -v + +Check your rules against sample request: + +# cat request.sample | postfwd -f /etc/postfix/postfwd.cf -L + +# cat request.sample + +------ snip ------- +ccert_fingerprint= +size=64063 +helo_name=english-breakfast.cloud9.net +reverse_client_name=english-breakfast.cloud9.net +queue_id= +encryption_cipher= +encryption_protocol= +etrn_domain= +ccert_subject= +request=smtpd_access_policy +protocol_state=RCPT +recipient=someone@domain.local +instance=6748.46adf3f8.62156.0 +protocol_name=ESMTP +encryption_keysize=0 +recipient_count=0 +ccert_issuer= +sender=owner-postfix-users@postfix.org +client_name=english-breakfast.cloud9.net +client_address=168.100.1.7 +------ snip ------- + +Samples can be taken into the logfile when starting the daemon with "-vv" + +3. AUTOMATIC STARTUP +-------------------- + +In order to avoid the startup of the daemon on an unconfigured machine, +automatic startup, on boot, is disabled by default. To enable it just edit the +file /etc/default/postfwd and set the "startup" variable to 1. + +4. CHOOSING WHICH POSTFWD VERSION TO USE +---------------------------------------- + +Since some time, there is also a prefork version available, called postfwd2. +You can use update-alternatives to choose between 'postfwd1' and 'postfwd2'. + + -- Jan Wagner Mon, 10 Mar 2008 22:37:44 +0100 diff -Nru postfwd-1.20/debian/README.Debian postfwd-1.32/debian/README.Debian --- postfwd-1.20/debian/README.Debian 2012-01-04 15:36:46.000000000 +0000 +++ postfwd-1.32/debian/README.Debian 1970-01-01 00:00:00.000000000 +0000 @@ -1,67 +0,0 @@ -postfwd for Debian ------------------- - -1. PROVIDE A CONFIGFILE ------------------------ - -Please provide a config file, usually /etc/postfix/postfwd.cf. Examples are -located in /usr/share/doc/postfwd/examples/. -Another can be found at http://hege.li/howto/spam/etc/postfwd/postfwd.conf -and is provided as example-cfg2.txt. - -A quickstart guide is available at http://www.postfwd.org/quick.html and the -online documentation at http://www.postfwd.org/doc.html, the offline version -can be viewed with 'postfix -m'. - -2. VERIFY CONFIG ----------------- - -How interpret the parser your rules, you can check with: - -# postfwd -f /etc/postfix/postfwd.cf -C -v - -Check your rules against sample request: - -# cat request.sample | postfwd -f /etc/postfix/postfwd.cf -L - -# cat request.sample - ------- snip ------- -ccert_fingerprint= -size=64063 -helo_name=english-breakfast.cloud9.net -reverse_client_name=english-breakfast.cloud9.net -queue_id= -encryption_cipher= -encryption_protocol= -etrn_domain= -ccert_subject= -request=smtpd_access_policy -protocol_state=RCPT -recipient=someone@domain.local -instance=6748.46adf3f8.62156.0 -protocol_name=ESMTP -encryption_keysize=0 -recipient_count=0 -ccert_issuer= -sender=owner-postfix-users@postfix.org -client_name=english-breakfast.cloud9.net -client_address=168.100.1.7 ------- snip ------- - -Samples can be taken into the logfile when starting the daemon with "-vv" - -3. AUTOMATIC STARTUP --------------------- - -In order to avoid the startup of the daemon on an unconfigured machine, -automatic startup, on boot, is disabled by default. To enable it just edit the -file /etc/default/postfwd and set the "startup" variable to 1. - -4. CHOOSING WHICH POSTFWD VERSION TO USE ----------------------------------------- - -Since some time, there is also a prefork version available, called postfwd2. -You can use update-alternatives to choose between 'postfwd1' and 'postfwd2'. - - -- Jan Wagner Mon, 10 Mar 2008 22:37:44 +0100 diff -Nru postfwd-1.20/debian/rules postfwd-1.32/debian/rules --- postfwd-1.20/debian/rules 2012-01-04 15:36:46.000000000 +0000 +++ postfwd-1.32/debian/rules 2012-01-04 15:36:47.000000000 +0000 @@ -21,20 +21,22 @@ # install binaries install -D -m 644 sbin/postfwd debian/postfwd/usr/sbin/postfwd1 install -D -m 644 sbin/postfwd2 debian/postfwd/usr/sbin/postfwd2 + install -D -m 644 tools/hapolicy/hapolicy debian/hapolicy/usr/sbin/hapolicy # install man page mkdir -p debian/tmp/ cp man/man8/postfwd.8 debian/tmp/postfwd1.8 + pod2man debian/hapolicy/usr/sbin/hapolicy man/man8/hapolicy.1 # Build architecture-independent files here. binary-indep: build install dh_testdir dh_testroot - dh_installchangelogs doc/CHANGELOG - dh_installdocs tools + dh_installchangelogs doc/postfwd.CHANGELOG + dh_installdocs -ppostfwd -Xhapolicy + dh_installdocs -phapolicy tools/hapolicy/hapolicy[0-9a-zA-Z.]* dh_installexamples etc/postfwd.cf.sample debian/example-cfg* dh_installinit -- defaults 19 21 - dh_installman man/man8/postfwd2.8 - dh_installman debian/tmp/postfwd1.8 + dh_installman dh_compress dh_fixperms dh_perl diff -Nru postfwd-1.20/doc/arch.html postfwd-1.32/doc/arch.html --- postfwd-1.20/doc/arch.html 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/doc/arch.html 2011-08-15 16:17:36.000000000 +0000 @@ -0,0 +1,27 @@ + + + +postfwd - basic architecture + + + + + + + + +

postfwd workflow

+

+

+ +

http://www.postfwd.org/ +

2007 - 2009 by Jan Peter Kessler +

info (AT) postfwd (DOT) org +

+ +

+ + + diff -Nru postfwd-1.20/doc/CHANGELOG postfwd-1.32/doc/CHANGELOG --- postfwd-1.20/doc/CHANGELOG 2010-11-14 22:01:17.000000000 +0000 +++ postfwd-1.32/doc/CHANGELOG 1970-01-01 00:00:00.000000000 +0000 @@ -1,316 +0,0 @@ -1.20 -===== -- code: changed the default umask for the server socket to 0111 - to support out-of-the-box postfix setup. Use the - --umask setting to change this -- bugfix: rbl check could fail on multiple dnsbl answers -- bugfix: rbl checks disabled for ipv6 addresses, cidr compare - will switch to default (regex/string) - -1.19 -===== -- code: Rate limit code rewritten -- code: new --umask setting allows to set filepermissions for pidfiles - and unix domain sockets. Default is 0117 (owner and group rw). - -1.18 -===== -- bugfix: Fixed bug when comparing sender and recipient addresses, like - "sender=$$recipient". This affects only postfwd version 1.17. - -1.17 -===== -- bugfix: Invalid characters in variable substitutions were not correctly catched when - the '=' operator was used, like "client_name=$$helo_name". If you can not - upgrade for some reason change your rule to "client_name=~$$helo_name" -- code: Net::DNS errors will now be handled gracefully -- code: default for options --dns_max_ns_a_lookups and --dns_max_mx_a_lookups of 100 - -1.16 -===== -- bugfix: this is a bugfix release for 1.15. anyone affected is encouraged to upgrade. - detail: the default behavior for the '=' operator with numeric items - (size, recipient_count, ...) changed with version 1.15 to '==' (equals to). - now these items are compared '>=' (greater than) again. - note: if you are using 1.15 and you are not able upgrade for some reason, - please change '=' to '>=' in your ruleset where you mean 'greater than'. - -1.15 -===== -- feature: items may now be retrieved from files using "item=file:/some/where" - more information in the postfwd manual (FILES section) -- feature: helo_address, and sender_(ns|mx)_addrs can now be csv items -- feature: new rcpt() command counts recipients for rate limits (thanks to Sahil Tandon) -- code: redirect syslog to stdout for --kill, --reload and --showconfig -- code: option --reload (HUP signal) now reloads config, if the file is unchanged -- code: configuration parser improvements: - * rules without defined action will be skipped at configuration stage - * undefined ACLs will now be detected and skipped at configuration stage - * parser timeout skips loading a rule after 4s, to prevent problems with - large files or loops. use --config_timeout to override -- bugfix: documentation fixed (missing "action=" in ask() examples) - -1.14 -===== -- feature: new compare operators * - ==================================================================== - ITEM == VALUE true if ITEM equals VALUE - ITEM => VALUE true if ITEM >= VALUE - ITEM =< VALUE true if ITEM <= VALUE - ITEM =~ VALUE true if ITEM ~= /^VALUE$/i - *ITEM != VALUE false if ITEM equals VALUE - *ITEM !> VALUE false if ITEM >= VALUE - *ITEM !< VALUE false if ITEM <= VALUE - *ITEM !~ VALUE false if ITEM ~= /^VALUE$/i - ITEM = VALUE default behaviour (see ITEMS section) - ==================================================================== -- feature: added --nodaemon option -- code: non dns items first: if a rule contains dns and non dns items, the - lookups will only be done if all non dns items matched -- bugfix: empty pcre with empty sender_(ns|mx)_names was parsed incorrectly. - this bug affects postfwd versions 1.12 - 1.13 -- bugfix: negated pcre items with '~=' operator were parsed incorrectly. - this bug affects postfwd version 1.13 - -1.13 -===== -- feature: enabled dns cache for sender(ns|mx) and helo address -- feature: new options --dns_max_ns_lookups and --dns_max_mx_lookups -- bugfix: workaround: Net::Server died if a unix domain socket - filename without a dot ('.') was used (B. Frauendienst) - -1.12 -===== -- feature: new items sender_ns_names and sender_ns_addrs -- feature: new items sender_mx_names and sender_mx_addrs -- feature: new item helo_address, please see docs for more -- feature: added --proto switch, to enable the use of unix domain sockets - (thanks to Bernhard Frauendienst) -- feature: added command-line options --kill and --reload - (of course you can still use TERM and HUP signals) -- feature: dnsbl txt lookups only for dnsbls with at least one a record. - use --dns_async_txt for the old behaviour (see docs for more). -- code: small performance improvement (5-10%) for pcre (~= or =~) items -- bugfix: network 0.0.0.0/0 did not work as expected on all platforms -- bugfix: postfwd tried to chop() an uninitialized value when sending - garbage (non policy delegation protocol requests) to it. - -1.11 -===== -- feature: the ask() action allows to delegate the policy decision to another - policy service (like postgrey). a new parameter allows to specify - answer patterns which should be ignored by postfwd. please look - at the 'ACTIONS' section in the manual (postfwd2 -m) for details. -- feature: new options --noidlestats and --norulelog -- feature: more informative --version -- feature: documentation updates - - -************************************************************************************************** -ATTENTION: requirements changed - postfwd since v1.10pre8 now uses Net::DNS. - Net::DNS::Async and Net::CIDR::Lite are not required anymore. -NOTE: please see the docs ('postfwd -m' or 'perldoc postfwd') for more information -************************************************************************************************** - -1.10pre8b -========== -- bugfix: fixed two warnings about logging of undefined values in verbose mode - -1.10pre8a -========== -- bugfix: item plugins have been made available as cache-id items. this fixes a minor issue with - --cache-rdomain-only and version 1.10pre8 - -1.10pre8 -========= -- code: Net::DNS::Async is no longer used. The parameters --dns_queuesize and - --dns_retries are still valid but have no function. The option --dns_timeout - now defaults to 14s and applies to all rules containing dns items. -- code: Net::CIDR::Lite is not required any longer. -- feature: the new variable $$request_hits contains a list of all matching ruleids -- feature: the new variable $$dnsbltext allows access to txt records of rbls -- feature: new options --no-rulestats and --nodnslog -- feature: ttls of the dns responses override --cache-rbl-timeout when bigger, which means - that you can set the option to 0 if you want to use the ttl of the dns answer. -- feature: new item "rhsbl_helo" allows to check helo against rhsbls -- bugfix: disabled fallback to synchronous dns on timed out rbls, default is now - to disable non responding dnsbls after 11 timeouts for 1200 seconds. - use --dns_timeout_max and --dns_timeout_interval to adjust these settings. -- bugfix: days=Wed now means exactly Wednesday. to use a range you may - still specify days=Wed- days=-Wed and days=Tue-Thu - this applies to all date and time items -- code: --shortlog is now default behaviour (use -v to see more) -- code: changed Net::Server behaviour to ignore syslog errors - - -1.10pre7c -========== -- note: 1.10pre7c does not contain any code-changes to the postfwd daemon. - this release only fixes some issues when buidling packages. -- bugfix: set permissions of manpage dirs to 755 -- bugfix: manpage has gone to section 8 -- bugfix: postfwd-rblcheck.pl has gone to the tools folder -- bugfix: documentation now refers to request.sample - -1.10pre7b -========== -- bugfix: inter-section links in documentation did not work correctly - (thanks to Alexander 'Leo' Bergolth) - -1.10pre7a -========== -- bugfix: implemented workaround for possible crash of Sys::Syslog when syslog - daemon is unavailable (thanks to Henrik Krohns) -- bugfix: changed syslog socktype on solaris - -1.10pre7 -========= -- feature: $$request_score may now be used to access a request's score -- feature: auto-deactivation of non-responding dnsbls; please see the - new --cleanup-timeouts and --dns_timeout_max options -- feature: the set command allows some basic operations: - ========================================================= - action=set(ITEM+=VALUE) adds VALUE to ITEM - action=set(ITEM-=VALUE) substracts VALUE from ITEM - action=set(ITEM*=VALUE) multiplies ITEM by VALUE - action=set(ITEM/=VALUE) divides ITEM through VALUE - action=set(ITEM.=VALUE) concatenates ITEM and VALUE - action=set(ITEM==VALUE) sets ITEM to VALUE - action=set(ITEM=VALUE) default: sets ITEM to VALUE - ========================================================= -- bugfix: fixed wrong timestamp for timed out rbls -- code: score() command now allows integer values -- code: setting an empty score removes it from the table -- code: duplicate lookups within the same rule are now recognised - -1.10pre6 -========= -- feature: the new rate() and size() commands offer some basic rate limit controls -- feature: new cleanup options: --cleanup-rates -- feature: regexps may now be included in // characters -- feature: an empty sender address is now replaced by <> -- bugfix: some csv-separated itemlists did not work correctly since v1.10pre1 -- bugfix: fixed a possible race condition with request cache when config was reloaded via HUP signal - -1.10pre5a -========= -- bugfix: fixed a possible race condition in rbl_read_dns() function - -1.10pre5 -======== -- feature: new dnsbl lookup types: rhsbl_client, rhsbl_sender, rhsbl_reverse_client -- feature: new caching option --cacheid allows to increase performance and cache efficiency -- code: cleanups will only be logged if '-v' was set or if the process took at least 1 second - -1.10pre4 -======== -- feature: new date items 'days=Sun-Sat' and 'months=Jan-Dec' -- feature: all date/time items may now be csv-separated lists -- feature: the set command can now have multiple, csv-separated arguments -- feature: enhanced use of rblcount and rhsblcount (see doc) -- feature: new caching options --cache-no-sender,--cache-rbl-timeout and --cache-rbl-default -- feature: new cleanup options: --cleanup-requests and --cleanup-rbls -- code: cache cleanups are now performed on interval basis (not per request) - which should decrease load on busy systems. -- code: warning on multiple definitions of id, action, rblcount and rhsblcount is issued -- bugfix: date items may now contain whitespaces (e.g. days = Fri - Sat) - -1.10pre3 -======== -- feature: all hits for a rule are now logged in the final message -- feature: option --shortlog disables logging for some postfwd actions -- feature: introduced set() command, which enables setting of variables, which then can be - compared to the ruleset to gain performance on repeated item lists (see doc). -- feature: introduced new command-line switches --dns_queuesize, --dns_retries and dns_retries - to influence the behaviour of DNS lookups -- code: restructured code (~+15% speed compared to v1.03, with nodns ruleset) - -1.10pre2 -======== -- feature: DNS lookups are now parallelized per rule. this increases the performance of dnsbl - items (and any other future dns based check) significantly. implementation (per rule): - 1.) send dns queries, 2.) process other non-dns items, 3.) evaluate dns results - As a downside of this approach the parser does not wait for dns queries anymore, which - could result in increased load. you might use the sleep() command to get some delay ;-) - -1.10pre1 -======== -- feature: the way how request items are compared to the ruleset can now be influenced. - =============================================================== - ITEM==VALUE true if ITEM equals VALUE - ITEM>=VALUE true if ITEM >= VALUE - ITEM<=VALUE true if ITEM <= VALUE - ITEM~=VALUE true if ITEM ~= /^VALUE$/i - ITEM=VALUE old default behaviour - =============================================================== -- feature: the score() command now allows some basic arithmetic operations (+-*/=) - e.g. action=score(*2) will double the current score -- feature: you can now refer to request attributes in actions, which will e.g. allow the following: - id=R001; rbl=zen.spamhaus.org; \ - action=554 5.7.1 see http://www.spamhaus.org/query/bl?ip=$$client_address -- feature: introduced extra request attributes sender_localpart, sender_domain, - recipient_localpart, recipient_domain and version for use like: - id=test01; client_name ~= $$(sender_domain)$; action=score(-0.5) -- bugfix: the "=" character could not be used in items -- bugfix: negation of items (!!) did not work correctly under some circumstances -- bugfix: time was logged incorrectly during request cache cleanups in verbose mode - (thanks to Henrik Krohns) -- code: restructured some parts of the code for future enhancement options. a plugin interface - was prepared and will be included in the final version. perl's -w switch is used now. -- note: the documentation has not been fully updated yet. - -1.03 -==== -- feature: request attributes can now be compared (e.g. to compare client_name and helo_name) -- feature: rule items can now be negated (e.g. to compare if client_name does not match helo_name) -- feature: extra verbose mode '-vv' now displays much more debug information -- feature: -L switch to redirect log output to stdout -- feature: new manual section about the parser, other updates -- bugfix: caching did not work at end_of_data level because of different queue ids, corrected -- bugfix: all numeric items will now match if the request attribute exceeds the corresponding - rule item. the negation operator will lead to the opposite effect: - ============================================================================= - ITEM=VALUE TYPE - ============================================================================= - rblcount=2 matches if rbl hits >= 2 - recipient_count=10 matches if recipients >= 10 - size=12345 matches if size >= 12345 - encryption_keysize=256 matches if keysize >= 256 - encryption_keysize=!!256 matches if keysize < 256 - ============================================================================= - -1.02 -==== -- bugfix: rblcount and rhsblcount did not work correctly since V1.01, corrected - -1.01 -==== -- feature: multiple rbl, rhsbl and client_address statements in a single rule are now possible -- feature: note() command will now log (not warn!). an empty argument suppresses logging -- feature: in verbose mode you must set -vv now to see the whole request attributes -- feature: cached dnsbl results are now only logged in verbose mode -- manual: several minor updates - -1.00 -==== -- feature: multiple definitions of the same item in a single rule to build groups -- feature: rules can span multiple lines by specifying a trailing "\" character -- feature: syslog_name can now be set with -l|--logname -- bugfix: fixed bug in acl parser (no "}" character could be used in ACLs) - -0.99p -===== -- bugfix: size and rcpt_count were checked as minimum values - now they are correctly interpreted as maximum. - -0.99o -===== -- feature: date and time based rules -- feature: macros (please see doc) -- feature: slightly changed statistics output - -0.99n -===== -- first public beta version - - diff -Nru postfwd-1.20/doc/CHANGELOG2 postfwd-1.32/doc/CHANGELOG2 --- postfwd-1.20/doc/CHANGELOG2 2010-11-14 22:01:31.000000000 +0000 +++ postfwd-1.32/doc/CHANGELOG2 1970-01-01 00:00:00.000000000 +0000 @@ -1,173 +0,0 @@ -postfwd2 1.00 -============= -- code: changed the default umask for the server socket to 0111 - to support out-of-the-box postfix setup. Use the - --server_umask setting to change this -- code: --dumpcache command does not require debug mode anymore -- code: rate hits included to cache stats -- bugfix: rbl checks disabled for ipv6 addresses, cidr compare - will switch to default (regex/string) - -postfwd2 0.22 -============= -- feature: Rate limits are completely supported by postfwd2 now. - Please note that the cache daemon is required for reliable operation. -- bugfix: --syslog_facility could not be changed -- code: rate limit code rewritten -- code: new --umask, --cache_umask and --server_umask settings allow to set - filepermissions for pidfiles and unix domain sockets. New defaults are: - * master (pidfile): 0177 (owner rw) - * cache (socket): 0177 (owner rw) - * server (socket): 0117 (owner and group rw) - -postfwd2 0.21 -============= -- bugfix: Fixed bug when comparing sender and recipient addresses, like - "sender=$$recipient". This affects only postfwd2 version 0.20. - -postfwd2 0.20 -============= -- bugfix: Invalid characters in variable substitutions were not correctly catched when - the '=' operator was used, like "client_name=$$helo_name". If you can not - upgrade for some reason change your rule to "client_name=~$$helo_name" -- code: Net::DNS errors will now be handled gracefully -- code: default for options --dns_max_ns_a_lookups and --dns_max_mx_a_lookups of 100 - -postfwd2 0.19 -============= -- bugfix: this is a bugfix release for 0.18. anyone affected is encouraged to upgrade. - detail: the default behavior for the '=' operator with numeric items - (size, recipient_count, ...) changed with version 0.18 to '==' (equals to). - now these items are compared '>=' (greater than) again. - note: if you are using 0.18 and you are not able upgrade for some reason, - please change '=' to '>=' in your ruleset where you mean 'greater than'. - -postfwd2 0.18 -============= -- feature: items may now be retrieved from files using "item=file:/some/where" - more information in the postfwd manual (FILES section) -- feature: helo_address, and sender_(ns|mx)_addrs can now be csv items -- feature: new rcpt() command counts recipients for rate limits (thanks to Sahil Tandon) -- code: redirect syslog to stdout for --kill, --reload, --showconfig and --dump(cache|stats) -- code: option --reload (HUP signal) now reloads config, if the file is unchanged -- code: new --debug classes 'config' and 'request' -- code: configuration parser improvements: - * rules without defined action will be skipped at configuration stage - * undefined ACLs will now be detected and skipped at configuration stage - * parser timeout skips loading a rule after 4s, to prevent problems with - large files or loops. use --config_timeout to override -- bugfix: documentation fixed (missing "action=" in ask() examples) -- bugfix: fixed logging of an uninitialized value in cache cleanups - -postfwd2 0.17 -============= -- feature: new compare operators * - ==================================================================== - ITEM == VALUE true if ITEM equals VALUE - ITEM => VALUE true if ITEM >= VALUE - ITEM =< VALUE true if ITEM <= VALUE - ITEM =~ VALUE true if ITEM ~= /^VALUE$/i - *ITEM != VALUE false if ITEM equals VALUE - *ITEM !> VALUE false if ITEM >= VALUE - *ITEM !< VALUE false if ITEM <= VALUE - *ITEM !~ VALUE false if ITEM ~= /^VALUE$/i - ITEM = VALUE default behaviour (see ITEMS section) - ==================================================================== -- feature: added --nodaemon and --stdout options -- code: non dns items first: if a rule contains dns and non dns items, the - lookups will only be done if all non dns items matched -- bugfix: empty pcre with empty sender_(ns|mx)_names was parsed incorrectly. - this bug affects postfwd2 versions 0.15 - 0.16 -- bugfix: negated pcre items with '~=' operator were parsed incorrectly. - this bug affects postfwd2 version 0.16 - -postfwd2 0.16 -============= -- feature: enabled dns cache for sender(ns|mx) and helo address -- feature: new options --dns_max_ns_lookups and --dns_max_mx_lookups -- code: parent_dns_cache is now disabled by default. use - --parent_dns_cache if you have a slow nameserver -- bugfix: workaround: Net::Server died if a unix domain socket - filename without a dot ('.') was used (B. Frauendienst) - -postfwd2 0.15 -============= -- feature: new items sender_ns_names and sender_ns_addrs -- feature: new items sender_mx_names and sender_mx_addrs -- feature: new item helo_address, please see docs for more -- feature: new parent cache statistics. the command line option --dumpstats - uses the --daemons setting now (default: cache,server) -- feature: dnsbl txt lookups only for dnsbls with at least one a record. - use --dns_async_txt for the old behaviour (see docs for more). -- code: summary function went to postfwd::master (and will stay there ;) -- code: small performance improvement (5-10%) for pcre (~= or =~) items -- bugfix: network 0.0.0.0/0 did not work as expected on all platforms - - -postfwd2 0.14 -============= -- code: summary function was moved from postfwd::cache to postfwd::policy. - the reduced policy <-> cache communication increases throughput - considerably and improves cpu balancing on multiprocessor systems -- bugfix: fixed potential division by zero in summary function - - -postfwd2 0.13 -============= -- feature: new options --noidlestats and --norulestats -- feature: more informative --version -- feature: documentation updates -- bugfix: disabled parent_cache counters when --summary=0 - - -postfwd2 0.12 -============= -- feature: the ask() action allows to delegate the policy decision to another - policy service (like postgrey). a new parameter allows to specify - answer patterns which should be ignored by postfwd. please look - at the 'ACTIONS' section in the manual (postfwd2 -m) for details. -- feature: parent-request cache will now only be updated, if a rule matches. - if postfwd should cache all requests, you must place a last rule: - id=DEFAULT; action=dunno -- bugfix: reorganised some parent-cache loggings for -vv and *cache debug classes - - -postfwd2 0.11 -============= -- bugfix: all postfwd settings are now detainted -- bugfix: cache-update used an uninitialized value when no rule had hit - - -postfwd2 0.10 -============= -- bugfix: command line arguments --pidfile - - -postfwd2 0.09 -============= -- bugfix: command line arguments --user and --group were not correctly de-tainted - - -postfwd2 0.08 -============= -- bugfix: command line argument --pid_file was ignored -- bugfix: command line argument --manual (-m) did not work - - -postfwd2 0.07 -============= -- first semi-public release of postfwd2 -- full ruleset compatibility, no changes required when migrating from postfwd v1 -- new architecture: - - * Net::Server::PreFork - ruleset processor (server) forks new child for any request - - * Net::Server::Multiplex for parent cache - offers a shared request, dns and rate cache for postfwd2 children - - * Net::Server::Daemonize for master process - controls server and cache (watchdog function) and allows direct - access to statistics, cache-contents, ... from the command-line - -- many new commandline options (see postfwd2 -h) for more information diff -Nru postfwd-1.20/doc/hapolicy.html postfwd-1.32/doc/hapolicy.html --- postfwd-1.20/doc/hapolicy.html 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/doc/hapolicy.html 2011-08-15 16:23:10.000000000 +0000 @@ -0,0 +1,151 @@ + + + +hapolicy - policy delegation high availability script + + + + + +

+ + +

NAME
SYNOPSIS
DESCRIPTION

INTRODUCTION
CONFIGURATION
INTEGRATION

LINKS
LICENSE
AUTHOR

+ + +

NAME

hapolicy - policy delegation high availability script

SYNOPSIS

hapolicy [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...]

+        Services:
+        -s, --service <name>=<address>:<port>[:<prio>:<weight>:<timeout>]

+        Options:
+        -d, --default <action>  returns <action> if no service was available (default: 'dunno')
+        -l, --logging           log requests
+        -v, --verbose           increase logging verbosity
+        -L, --stdout            log to stdout, for debugging, do NOT use with postfix

DESCRIPTION

INTRODUCTION

hapolicy enables high availability, weighted loadbalancing and a fallback action for postfix policy delegation services. Invoked via postfix spawn it acts as a wrapper that queries +other policy servers via tcp connection. The order of the service queries can be influenced by assigning a specific priority and weight to each service. A service is considered 'failing', +if the connection is refused or the specified service timeout is reached. If all of the configured policy services were failing, hapolicy returns a default action (e.g. dunno) to postfix.

With version 1.00 hapolicy has less than 200 lines of perl code using only standard perl modules. It does not require any disk access nor configuration files and runs under an unpriviledged +user account. This should allow fast and reliable operation.

CONFIGURATION

A service has the following attributes

+    "servicename"           => {
+               ip              => '127.0.0.1',         # ip address
+               port            => '10040',             # tcp port
+               prio            => '10',                # optional, lower wins
+               weight          => '1',                 # optional, for items with same prio (weighted round-robin), higher is better
+               timeout         => '30',                # optional, query timeout in seconds
+    },

You may define multiple services at the command line. Which means that

+        hapolicy -s "grey1=10.0.0.1:10031:10" -s "grey2=10.0.0.2:10031:20"

will always try first service grey1 at ip 10.0.0.1 port 10031 and if that service is not available or +does not answer within the default of 30 seconds the next service grey2 at ip 10.0.0.2 port 10031 will +be queried.

If you want to load balance connections you may define

+        hapolicy -s "polw1=10.0.0.1:12525:10:2" -s "polw2=10.0.0.2:12525:10:1"

which queries service polw1 at ip 10.0.0.1 twice as much as service polw2 at ip 10.0.0.2. Note that this +setup also ensures high availability for both services. If polw1 is not available or does not answer +within the default of 30 seconds polw2 will be queried and vice versa. There is no reason to define a service twice.

INTEGRATION

Enter the following at the bottom of your postfix master.cf (usually located at /etc/postfix):

+        # service description, note the leading blanks at the second line
+        127.0.0.1:10060 inet    n       n       n       -       0       spawn
+          user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10

save the file and open postfix main.cf. Modify it as follows:

+        127.0.0.1:10060_time_limit   = 3600

+        smtpd_recipient_restrictions =
+            permit_mynetworks,
+            ... other authed permits ...
+            reject_unauth_destination,
+            ... other restrictions ...
+            check_policy_service inet:127.0.0.1:10060   # <- hapolicy query

Now issue 'postfix reload' at the command line. Of course you can have more enhanced setups +using postfix restriction classes. Please see LINKS for further options.

LINKS

[1] Postfix SMTP Access Policy Delegation +http://www.postfix.org/SMTPD_POLICY_README.html

[2] Postfix Per-Client/User/etc. Access Control +http://www.postfix.org/RESTRICTION_CLASS_README.html

LICENSE

hapolicy is free software and released under BSD license, which basically means +that you can do what you want as long as you keep the copyright notice:

Redistribution and use in source and binary forms, with or without modification, +are permitted provided that the following conditions are met:

+ * Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in
+   the documentation and/or other materials provided with the
+   distribution.
+ * Neither the name of the authors nor the names of his contributors
+   may be used to endorse or promote products derived from this
+   software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT, +INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE.

AUTHOR

Jan Peter Kessler <info (AT) postfwd (DOT) org>. Let me know, if you have any suggestions.

+ + + + diff -Nru postfwd-1.20/doc/hapolicy.txt postfwd-1.32/doc/hapolicy.txt --- postfwd-1.20/doc/hapolicy.txt 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/doc/hapolicy.txt 2011-08-15 16:23:21.000000000 +0000 @@ -0,0 +1,127 @@ +NAME + hapolicy - policy delegation high availability script + +SYNOPSIS + hapolicy [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...] + + Services: + -s, --service =

:[:::] + + Options: + -d, --default returns if no service was available (default: 'dunno') + -l, --logging log requests + -v, --verbose increase logging verbosity + -L, --stdout log to stdout, for debugging, do NOT use with postfix + +DESCRIPTION + INTRODUCTION + hapolicy enables high availability, weighted loadbalancing and a + fallback action for postfix policy delegation services. Invoked via + postfix spawn it acts as a wrapper that queries other policy servers via + tcp connection. The order of the service queries can be influenced by + assigning a specific priority and weight to each service. A service is + considered 'failing', if the connection is refused or the specified + service timeout is reached. If all of the configured policy services + were failing, hapolicy returns a default action (e.g. dunno) to postfix. + + With version 1.00 hapolicy has less than 200 lines of perl code using + only standard perl modules. It does not require any disk access nor + configuration files and runs under an unpriviledged user account. This + should allow fast and reliable operation. + + CONFIGURATION + A service has the following attributes + + "servicename" => { + ip => '127.0.0.1', # ip address + port => '10040', # tcp port + prio => '10', # optional, lower wins + weight => '1', # optional, for items with same prio (weighted round-robin), higher is better + timeout => '30', # optional, query timeout in seconds + }, + + You may define multiple services at the command line. Which means that + + hapolicy -s "grey1=10.0.0.1:10031:10" -s "grey2=10.0.0.2:10031:20" + + will always try first service *grey1* at ip 10.0.0.1 port 10031 and if + that service is not available or does not answer within the default of + 30 seconds the next service *grey2* at ip 10.0.0.2 port 10031 will be + queried. + + If you want to load balance connections you may define + + hapolicy -s "polw1=10.0.0.1:12525:10:2" -s "polw2=10.0.0.2:12525:10:1" + + which queries service *polw1* at ip 10.0.0.1 twice as much as service + *polw2* at ip 10.0.0.2. Note that this setup also ensures high + availability for both services. If *polw1* is not available or does not + answer within the default of 30 seconds *polw2* will be queried and vice + versa. There is no reason to define a service twice. + + INTEGRATION + Enter the following at the bottom of your postfix master.cf (usually + located at /etc/postfix): + + # service description, note the leading blanks at the second line + 127.0.0.1:10060 inet n n n - 0 spawn + user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10 + + save the file and open postfix main.cf. Modify it as follows: + + 127.0.0.1:10060_time_limit = 3600 + + smtpd_recipient_restrictions = + permit_mynetworks, + ... other authed permits ... + reject_unauth_destination, + ... other restrictions ... + check_policy_service inet:127.0.0.1:10060 # <- hapolicy query + + Now issue 'postfix reload' at the command line. Of course you can have + more enhanced setups using postfix restriction classes. Please see + "LINKS" for further options. + +LINKS + [1] Postfix SMTP Access Policy Delegation + + + [2] Postfix Per-Client/User/etc. Access Control + + +LICENSE + hapolicy is free software and released under BSD license, which + basically means that you can do what you want as long as you keep the + copyright notice: + + Copyright (c) 2008, Jan Peter Kessler All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + * Neither the name of the authors nor the names of his contributors + may be used to endorse or promote products derived from this + software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN + NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +AUTHOR + Jan Peter Kessler . Let me know, if you + have any suggestions. + diff -Nru postfwd-1.20/doc/postfwd2.CHANGELOG postfwd-1.32/doc/postfwd2.CHANGELOG --- postfwd-1.20/doc/postfwd2.CHANGELOG 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/doc/postfwd2.CHANGELOG 2011-12-18 13:03:44.000000000 +0000 @@ -0,0 +1,248 @@ +postfwd2 1.32 +============= +- feature: new option --save_rates= allows to load and save + rate limit counters to disk on program start and termination. + this allows rate limit persistence during restarts and reboots + (requires perl module 'Storable') +- feature: the --debugitem="sender=example\.org$" option + allows verbose logging for particular requests +- feature: the debug() action allows verbose logging for certain + rules: + ------------------------------------------------------------ + id=R01 + client_address=1.1.1.1 + action=debug(on) + id=R02 + ... + id=R42 + action=debug(off) + ------------------------------------------------------------ +- feature: nested commands are possible now, e.g.: + ------------------------------------------------------------ + # throttle + action=rate(client_address/10/60/wait(3)) + ------------------------------------------------------------ +- feature: new mail(server/helo/from/to/subject/body) action. + Please take a look at the manual, especially about + it's limitations, before using it! + ------------------------------------------------------------ + # alert + action=size(recipient_domain/100000000/86400/mail(mailhost/helo/from/to/subject/text)) + ------------------------------------------------------------ +- feature: --chroot option works now (patch by Lukas Wunner). + Look for his notes at http://postfwd.org/postfwd2-chroot.html + on how to set up the required chroot environment. + +postfwd2 1.31 +============= +- feature: single cache items can be wiped using --delcache + or --delrate options. use --dumpcache to identify +- feature: sasl_username is logged if available + (thanks to Bernhard Schmidt) +- code: rate limit action is executed, if the first request exceeds the limit +- code: exceeded ratecounters will not be kept permanently anymore. this + allows further requests to pass, if they are below the limit +- code: rate limits are evaluated at ruleset stage now, which leads to + much more comprehensible behaviour. due to this change the request + cache is now disabled, if rate limits are used. use the + --fast_limit_evaluation option to return to the former mode. + +postfwd2 1.30 +============= +- feature: new parser enhancement allows to omit the trailing "\" for multi-line rules, + if the following lines are prefixed by whitespace characters: + -------------------------------------- + id=RCPTCOUNT + protocol_state == END-OF-MESSAGE + client_address != 10.1.1.0/24 + recipient_count >= 100 + action=REJECT too many recipients + -------------------------------------- +- feature: new plugin interface (BETA) +- feature: Time::HiRes is used if available +- feature: multiple rate limits for the same items are supported now +- feature: new $$ratecount variable for rate() actions +- feature: new option --keep_rates +- code: new --debug class 'cleanup' +- docs: documentation updates + +postfwd2 1.22 +============= +- general: adapted postfwd1 versioning scheme +- feature: queueid is logged when available +- bugfix: rate limits did not work correctly (thanks to Yves Blusseau) +- docs: documentation updates and fixes (thanks to Vincent Lefevre) + +postfwd2 1.00 +============= +- code: changed the default umask for the server socket to 0111 + to support out-of-the-box postfix setup. Use the + --server_umask setting to change this +- code: --dumpcache command does not require debug mode anymore +- code: rate hits included to cache stats +- bugfix: rbl checks disabled for ipv6 addresses, cidr compare + will switch to default (regex/string) + +postfwd2 0.22 +============= +- feature: Rate limits are completely supported by postfwd2 now. + Please note that the cache daemon is required for reliable operation. +- bugfix: --syslog_facility could not be changed +- code: rate limit code rewritten +- code: new --umask, --cache_umask and --server_umask settings allow to set + filepermissions for pidfiles and unix domain sockets. New defaults are: + * master (pidfile): 0177 (owner rw) + * cache (socket): 0177 (owner rw) + * server (socket): 0117 (owner and group rw) + +postfwd2 0.21 +============= +- bugfix: Fixed bug when comparing sender and recipient addresses, like + "sender=$$recipient". This affects only postfwd2 version 0.20. + +postfwd2 0.20 +============= +- bugfix: Invalid characters in variable substitutions were not correctly catched when + the '=' operator was used, like "client_name=$$helo_name". If you can not + upgrade for some reason change your rule to "client_name=~$$helo_name" +- code: Net::DNS errors will now be handled gracefully +- code: default for options --dns_max_ns_a_lookups and --dns_max_mx_a_lookups of 100 + +postfwd2 0.19 +============= +- bugfix: this is a bugfix release for 0.18. anyone affected is encouraged to upgrade. + detail: the default behavior for the '=' operator with numeric items + (size, recipient_count, ...) changed with version 0.18 to '==' (equals to). + now these items are compared '>=' (greater than) again. + note: if you are using 0.18 and you are not able upgrade for some reason, + please change '=' to '>=' in your ruleset where you mean 'greater than'. + +postfwd2 0.18 +============= +- feature: items may now be retrieved from files using "item=file:/some/where" + more information in the postfwd manual (FILES section) +- feature: helo_address, and sender_(ns|mx)_addrs can now be csv items +- feature: new rcpt() command counts recipients for rate limits (thanks to Sahil Tandon) +- code: redirect syslog to stdout for --kill, --reload, --showconfig and --dump(cache|stats) +- code: option --reload (HUP signal) now reloads config, if the file is unchanged +- code: new --debug classes 'config' and 'request' +- code: configuration parser improvements: + * rules without defined action will be skipped at configuration stage + * undefined ACLs will now be detected and skipped at configuration stage + * parser timeout skips loading a rule after 4s, to prevent problems with + large files or loops. use --config_timeout to override +- bugfix: documentation fixed (missing "action=" in ask() examples) +- bugfix: fixed logging of an uninitialized value in cache cleanups + +postfwd2 0.17 +============= +- feature: new compare operators * + ==================================================================== + ITEM == VALUE true if ITEM equals VALUE + ITEM => VALUE true if ITEM >= VALUE + ITEM =< VALUE true if ITEM <= VALUE + ITEM =~ VALUE true if ITEM ~= /^VALUE$/i + *ITEM != VALUE false if ITEM equals VALUE + *ITEM !> VALUE false if ITEM >= VALUE + *ITEM !< VALUE false if ITEM <= VALUE + *ITEM !~ VALUE false if ITEM ~= /^VALUE$/i + ITEM = VALUE default behaviour (see ITEMS section) + ==================================================================== +- feature: added --nodaemon and --stdout options +- code: non dns items first: if a rule contains dns and non dns items, the + lookups will only be done if all non dns items matched +- bugfix: empty pcre with empty sender_(ns|mx)_names was parsed incorrectly. + this bug affects postfwd2 versions 0.15 - 0.16 +- bugfix: negated pcre items with '~=' operator were parsed incorrectly. + this bug affects postfwd2 version 0.16 + +postfwd2 0.16 +============= +- feature: enabled dns cache for sender(ns|mx) and helo address +- feature: new options --dns_max_ns_lookups and --dns_max_mx_lookups +- code: parent_dns_cache is now disabled by default. use + --parent_dns_cache if you have a slow nameserver +- bugfix: workaround: Net::Server died if a unix domain socket + filename without a dot ('.') was used (B. Frauendienst) + +postfwd2 0.15 +============= +- feature: new items sender_ns_names and sender_ns_addrs +- feature: new items sender_mx_names and sender_mx_addrs +- feature: new item helo_address, please see docs for more +- feature: new parent cache statistics. the command line option --dumpstats + uses the --daemons setting now (default: cache,server) +- feature: dnsbl txt lookups only for dnsbls with at least one a record. + use --dns_async_txt for the old behaviour (see docs for more). +- code: summary function went to postfwd::master (and will stay there ;) +- code: small performance improvement (5-10%) for pcre (~= or =~) items +- bugfix: network 0.0.0.0/0 did not work as expected on all platforms + + +postfwd2 0.14 +============= +- code: summary function was moved from postfwd::cache to postfwd::policy. + the reduced policy <-> cache communication increases throughput + considerably and improves cpu balancing on multiprocessor systems +- bugfix: fixed potential division by zero in summary function + + +postfwd2 0.13 +============= +- feature: new options --noidlestats and --norulestats +- feature: more informative --version +- feature: documentation updates +- bugfix: disabled parent_cache counters when --summary=0 + + +postfwd2 0.12 +============= +- feature: the ask() action allows to delegate the policy decision to another + policy service (like postgrey). a new parameter allows to specify + answer patterns which should be ignored by postfwd. please look + at the 'ACTIONS' section in the manual (postfwd2 -m) for details. +- feature: parent-request cache will now only be updated, if a rule matches. + if postfwd should cache all requests, you must place a last rule: + id=DEFAULT; action=dunno +- bugfix: reorganised some parent-cache loggings for -vv and *cache debug classes + + +postfwd2 0.11 +============= +- bugfix: all postfwd settings are now detainted +- bugfix: cache-update used an uninitialized value when no rule had hit + + +postfwd2 0.10 +============= +- bugfix: command line arguments --pidfile + + +postfwd2 0.09 +============= +- bugfix: command line arguments --user and --group were not correctly de-tainted + + +postfwd2 0.08 +============= +- bugfix: command line argument --pid_file was ignored +- bugfix: command line argument --manual (-m) did not work + + +postfwd2 0.07 +============= +- first semi-public release of postfwd2 +- full ruleset compatibility, no changes required when migrating from postfwd v1 +- new architecture: + + * Net::Server::PreFork + ruleset processor (server) forks new child for any request + + * Net::Server::Multiplex for parent cache + offers a shared request, dns and rate cache for postfwd2 children + + * Net::Server::Daemonize for master process + controls server and cache (watchdog function) and allows direct + access to statistics, cache-contents, ... from the command-line + +- many new commandline options (see postfwd2 -h) for more information diff -Nru postfwd-1.20/doc/postfwd2-chroot.html postfwd-1.32/doc/postfwd2-chroot.html --- postfwd-1.20/doc/postfwd2-chroot.html 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/doc/postfwd2-chroot.html 2011-12-17 14:11:52.000000000 +0000 @@ -0,0 +1,99 @@ + + + + +postfwd2 - chroot setup + + + + + + + + +

postfwd2 - chroot setup

+If you care about security and want to run postfwd2 within a chroot environment you have to setup it up before. This document will give you an idea about what has to be prepared. + +

+How to create a minimal chroot environment for postfwd2
+=======================================================
+
+Tested with SLES 11 x86_64, customize this to suit your specific system.
+For example, on SLES 10 x86_64, use perl version 5.8.8 instead of 5.10.0
+and glibc version 2.4 instead of 2.11.1.
+
+cd $CHROOTDIR
+for dir in tmp dev var var/tmp etc lib64 usr usr/lib usr/lib/perl5 \
+  usr/lib/perl5/site_perl \
+  usr/lib/perl5/site_perl/5.10.0 \
+  usr/lib/perl5/site_perl/5.10.0/Net \
+  usr/lib/perl5/site_perl/5.10.0/Net/Server \
+  usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto ; do
+    mkdir $dir
+    chmod --reference /$dir $dir
+    chown --reference /$dir $dir
+done
+for file in dev/null etc/protocols etc/localtime etc/resolv.conf \
+  lib64/libnss_files-2.11.1.so lib64/libnss_files.so.2 \
+  usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/TCP.pm \
+  usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/UNIX.pm ; do
+    cp -p /$file $file
+done
+grep nobody /etc/passwd > etc/passwd
+grep nobody /etc/group > etc/group
+echo -e 'passwd: files\ngroup: files\nprotocols: files' > etc/nsswitch.conf
+
+=> Configure your syslog daemon to listen to $CHROOTDIR/dev/log:
+    echo 'SYSLOGD_ADDITIONAL_SOCKET_POSTFWD="$CHROOTDIR/dev/log"' \
+      >> /etc/sysconfig/syslog
+    /etc/init.d/syslog restart
+
+=> Place your postfwd configuration in $CHROOTDIR:
+    cp $POSTFWDCONF $CHROOTDIR/etc/postfwd.conf
+
+=> Start postfwd2:
+    /usr/local/sbin/postfwd2 --file=/etc/postfwd.conf --chroot=$CHROOTDIR
+
+
+List of directories
+===================
+
+tmp
+lib64
+dev
+var
+var/tmp
+etc
+usr
+usr/lib
+usr/lib/perl5
+usr/lib/perl5/site_perl
+usr/lib/perl5/site_perl/5.10.0
+usr/lib/perl5/site_perl/5.10.0/Net
+usr/lib/perl5/site_perl/5.10.0/Net/Server
+usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto
+
+
+List of files
+=============
+
+lib64/libnss_files.so.2
+lib64/libnss_files-2.11.1.so
+dev/null
+dev/log
+etc/localtime
+etc/protocols
+etc/postfwd.conf
+etc/nsswitch.conf
+etc/passwd
+etc/resolv.conf
+etc/group
+usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/UNIX.pm
+usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/TCP.pm
+

+ +Thanks to Lukas Wunner for providing this howto and the patch for postfwd2! + + + diff -Nru postfwd-1.20/doc/postfwd2-chroot.txt postfwd-1.32/doc/postfwd2-chroot.txt --- postfwd-1.20/doc/postfwd2-chroot.txt 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/doc/postfwd2-chroot.txt 2011-12-17 14:13:30.000000000 +0000 @@ -0,0 +1,82 @@ +postfwd2 - chroot setup +======================= +If you care about security and want to run postfwd2 within a chroot environment you have to setup it up before. This document will give you an idea about what has to be prepared. + +How to create a minimal chroot environment for postfwd2 +======================================================= + +Tested with SLES 11 x86_64, customize this to suit your specific system. +For example, on SLES 10 x86_64, use perl version 5.8.8 instead of 5.10.0 +and glibc version 2.4 instead of 2.11.1. + +cd $CHROOTDIR +for dir in tmp dev var var/tmp etc lib64 usr usr/lib usr/lib/perl5 \ + usr/lib/perl5/site_perl \ + usr/lib/perl5/site_perl/5.10.0 \ + usr/lib/perl5/site_perl/5.10.0/Net \ + usr/lib/perl5/site_perl/5.10.0/Net/Server \ + usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto ; do + mkdir $dir + chmod --reference /$dir $dir + chown --reference /$dir $dir +done +for file in dev/null etc/protocols etc/localtime etc/resolv.conf \ + lib64/libnss_files-2.11.1.so lib64/libnss_files.so.2 \ + usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/TCP.pm \ + usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/UNIX.pm ; do + cp -p /$file $file +done +grep nobody /etc/passwd > etc/passwd +grep nobody /etc/group > etc/group +echo -e 'passwd: files\ngroup: files\nprotocols: files' > etc/nsswitch.conf + +=> Configure your syslog daemon to listen to $CHROOTDIR/dev/log: + echo 'SYSLOGD_ADDITIONAL_SOCKET_POSTFWD="$CHROOTDIR/dev/log"' \ + >> /etc/sysconfig/syslog + /etc/init.d/syslog restart + +=> Place your postfwd configuration in $CHROOTDIR: + cp $POSTFWDCONF $CHROOTDIR/etc/postfwd.conf + +=> Start postfwd2: + /usr/local/sbin/postfwd2 --file=/etc/postfwd.conf --chroot=$CHROOTDIR + + +List of directories +=================== + +tmp +lib64 +dev +var +var/tmp +etc +usr +usr/lib +usr/lib/perl5 +usr/lib/perl5/site_perl +usr/lib/perl5/site_perl/5.10.0 +usr/lib/perl5/site_perl/5.10.0/Net +usr/lib/perl5/site_perl/5.10.0/Net/Server +usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto + + +List of files +============= + +lib64/libnss_files.so.2 +lib64/libnss_files-2.11.1.so +dev/null +dev/log +etc/localtime +etc/protocols +etc/postfwd.conf +etc/nsswitch.conf +etc/passwd +etc/resolv.conf +etc/group +usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/UNIX.pm +usr/lib/perl5/site_perl/5.10.0/Net/Server/Proto/TCP.pm + +Thanks to Lukas Wunner for providing this howto and the patch for postfwd2! + diff -Nru postfwd-1.20/doc/postfwd2.html postfwd-1.32/doc/postfwd2.html --- postfwd-1.20/doc/postfwd2.html 2010-11-14 21:52:06.000000000 +0000 +++ postfwd-1.32/doc/postfwd2.html 2011-12-18 12:34:42.000000000 +0000 @@ -85,7 +85,7 @@ --cache-no-size skip size for cache-id --no_parent_request_cache disable parent request cache --no_parent_rate_cache disable parent rate cache - --no_parent_dns_cache disable parent dns cache + --no_parent_dns_cache disable parent dns cache (default) --no_parent_cache disable all parent caches

         Rates:
@@ -99,7 +99,10 @@
             --failures <f>              max respawn failure counter
             --daemons <list>            list of daemons to start
             --dumpcache                 show cache contents
-            --dumpstats                 show statistics

+ --dumpstats show statistics + -R, --chroot <path> chroot to <path> before start + --delcache <item> removes an item from the request cache + --delrate <item> removes an item from the rate cache

         DNS:
         -n, --nodns                     skip any dns based test
@@ -119,11 +122,18 @@
             --noidlestats               disables statistics when idle
             --norulestats               disables per rule statistics
         -I, --instantcfg                reloads ruleset on every new request
-            --config_timeout <i>        parser timeout in seconds

+ --config_timeout <i> parser timeout in seconds + --keep_rates do not clear rate limit counters on reload + --save_rates <file> save and load rate limits on disk + --fast_limit_evaluation evaluate rate limits before ruleset is parsed +

+        Plugins:
+            --plugins <file>            loads postfwd plugins from file

         Logging:
         -l, --logname <label>           label for syslog messages
             --facility <s>              use syslog facility <s>
+            --socktype <s>              use syslog socktype <s>
             --nodnslog                  do not log dns results
             --anydnslog                 log any dns (even cached) results
             --norulelog                 do not log rule actions
@@ -170,7 +180,7 @@
 A configuration line consists of optional item=value pairs, separated by semicolons
 (`;`) and the appropriate desired action:
 -        [ <item1>[=><~]=<value>; <item2>[=><~]=<value>; ... ] action=<result>
+        [ <item1>=<value>; <item2>=<value>; ... ] action=<result>

Example:

         client_address=192.168.1.1 ; sender==no@bad.local ; action=REJECT

@@ -199,10 +209,19 @@ appreciate.

A ruleset consists of one or multiple rules, which can be loaded from files or passed as command line arguments. Please see the COMMAND LINE section below for more information on this topic.

Rules can span multiple lines by adding a trailing backslash ``\'' character:

Since postfwd version 1.30 rules spanning span multiple lines can be defined by prefixing the following +lines with one or multiple whitespace characters (or '}' for macros):

-        id=R_001 ;  client_address=192.168.1.0/24; sender==no@bad.local; \
-                    action=REJECT please use your relay from there

+ id=RULE001 + client_address=192.168.1.0/24 + sender==no@bad.local + action=REJECT no access +

postfwd versions prior to 1.30 require trailing ';' and '\'-characters:

+        id=RULE001; \
+                client_address=192.168.1.0/24; \
+                sender==no@bad.local; \
+                action=REJECT no access

ITEMS

@@ -268,8 +287,14 @@ this enables version based checks in your rulesets (e.g. for migration). works with old versions too, because a non-existing item always returns false: - id=R01; version~=1.10; sender_domain==some.org \ + # version >= 1.10 + id=R01; version~=1\.[1-9][0-9]; sender_domain==some.org \ ; action=REJECT sorry no access +

+        ratecount               - only available for rate(), size() and rcpt() actions.
+                                  contains the actual limit counter:
+                                        id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits])
+                                        id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits])

Besides these you can specify any attribute of the postfix policy delegation protocol. Feel free to combine them the way you need it (have a look at the EXAMPLES section below).

Most values can be specified as regular expressions (PCRE). Please see the table below @@ -319,34 +344,33 @@ encryption_keysize=256 mask = numeric, will match if keysize >= 256 ...

the current list can be found at http://www.postfix.org/SMTPD_POLICY_README.html. Please read carefully about which -attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END_OF_DATA level). +attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END-OF-MESSAGE level). Pattern matching is performed case insensitive.

Multiple use of the same item is allowed and will compared as logical OR, which means that this will work as expected:

-        id=TRUST001; action=OK; encryption_keysize=64;          \
-                ccert_fingerprint=11:22:33:44:55:66:77:88:99;   \
-                ccert_fingerprint=22:33:44:55:66:77:88:99:00;   \
-                ccert_fingerprint=33:44:55:66:77:88:99:00:11;   \
+        id=TRUST001; action=OK; encryption_keysize=64
+                ccert_fingerprint=11:22:33:44:55:66:77:88:99
+                ccert_fingerprint=22:33:44:55:66:77:88:99:00
+                ccert_fingerprint=33:44:55:66:77:88:99:00:11
                 sender=@domain\.local$

client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values:

-        id=SKIP01; action=dunno; \
+        id=SKIP01; action=dunno
                 client_address=192.168.1.0/24, 172.16.254.23
-        id=SKIP02; action=dunno; \
-                client_address= 10.10.3.32       \
-                                10.216.222.0/27

+ id=SKIP02; action=dunno + client_address= 10.10.3.32 10.216.222.0/27

The following items must be unique:

         id, minimum and maximum values, rblcount and rhsblcount

Any item can be negated by preceeding '!!' to it, e.g.:

-        id=TLS001 ;  hostname=!!^secure\.trust\.local$ ;  action=REJECT only secure.trust.local please

+ id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please

or using the right compare operator:

-        id=USER01 ;  sasl_username !~ /^(bob|alice)$/ ;  action=REJECT who is that?

+ id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please

To avoid confusion with regexps or simply for better visibility you can use '!!(...)':

-        id=USER01 ;  sasl_username=!!( /^(bob|alice)$/ )  ;  action=REJECT who is that?

+ id=USER01 ; sasl_username =~ !!( /^(bob|alice)$/ ) ; action=REJECT who is that?

Request attributes can be compared by preceeding '$$' characters, e.g.:

         id=R-003 ;  client_name = !! $$helo_name      ;  action=WARN helo does not match DNS
@@ -354,6 +378,29 @@
         id=R-003 ;  client_name = !!($$(helo_name))   ;  action=WARN helo does not match DNS

This is only valid for PCRE values (see list above). The comparison will be performed as case insensitive exact match. Use the '-vv' option to debug.

These special items will be reset for any new rule:

+        rblcount        - contains the number of RBL answers
+        rhsblcount      - contains the number of RHSBL answers
+        matches         - contains the number of matched items
+        dnsbltext       - contains the dns TXT part of all RBL and RHSBL replies in the form
+                          rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...

These special items will be changed for any matching rule:

+        request_hits    - contains ids of all matching rules

This means that it might be necessary to save them, if you plan to use these values in later rules:

+        # set vals
+        id=RBL01 ; rhsblcount=all; rblcount=all
+                action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
+                rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org
+                rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net
+                rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net

+        # compare
+        id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
+        id=RBL03 ; HIT_rhls>=2               ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
+        id=RBL04 ; HIT_rbls>=2               ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]

FILES

@@ -373,15 +420,15 @@ id=R001 ; ccert_fingerprint==table:/etc/postfwd/wl_ccerts ; action=DUNNO

This will ignore the right-hand value. Items can be mixed:

-        id=R002 ;  action=REJECT \
-                client_name==unknown; \
+        id=R002 ;  action=REJECT
+                client_name==unknown
                 client_name==file:/etc/postfwd/blacklisted

and for non pcre (comma separated) items:

-        id=R003 ;  action=REJECT \
+        id=R003 ;  action=REJECT
                 client_address==10.1.1.1, file:/etc/postfwd/blacklisted

-        id=R004 ;  action=REJECT \
+        id=R004 ;  action=REJECT
                 rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing

You can check your configuration with the --show_config option at the command line:

@@ -479,16 +526,16 @@
         please note that <action> is currently limited to postfix actions (no postfwd actions)!
             # no more than 3 requests per 5 minutes
             # from the same "unknown" client
-            id=RATE01 ;  client_name==unknown ; \
-               action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)

+ id=RATE01 ; client_name==unknown + action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes)

         size (<item>/<max>/<time>/<action>)
         this command works similar to the rate() command with the difference, that the rate counter is
         increased by the request's size attribute. to do this reliably you should call postfwd2 from
         smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset:
            # size limit 1.5mb per hour per client
-           id=SIZE01 ;  state==END_OF_DATA ;  client_address==!!(10.1.1.1); \
-              action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)

+ id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1) + action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour)

         rcpt (<item>/<max>/<time>/<action>)
         this command works similar to the rate() command with the difference, that the rate counter is
@@ -496,8 +543,8 @@
         from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could
         check it within the ruleset:
            # recipient count limit 3 per hour per client
-           id=RCPT01 ;  state==END_OF_DATA ;  client_address==!!(10.1.1.1); \
-              action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)

+ id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1) + action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour)

         ask (<addr>:<port>[:<ignore>])
         allows to delegate the policy decision to another policy service (e.g. postgrey). the first
@@ -509,13 +556,18 @@
            # and continue parsing postfwd's ruleset
            id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$)

+        mail(server/helo/from/to/subject/body)
+        Very basic mail command, that sends a message with the given arguments. LIMITATIONS:
+        This basically performs a telnet. No authentication or TLS are available. Additionally it does
+        not track notification state and will notify you any time, the corresponding rule hits.

         wait (<delay>)
         pauses the program execution for <delay> seconds. use this for
         delaying or throtteling connections.

         note (<string>)
         just logs the given string and continues parsing the ruleset.
-        if the string is empty, nothing will be logged.

+ if the string is empty, nothing will be logged (noop).

         quit (<code>)
         terminates the program with the given exit-code. postfix doesn`t
@@ -523,29 +575,6 @@
 You can reference to request attributes, like
          id=R-HELO ;  helo_name=^[^\.]+$ ;  action=REJECT invalid helo '$$helo_name'
-These special attributes will be reset for any new rule:
--        rblcount        - contains the number of RBL answers
-        rhsblcount      - contains the number of RHSBL answers
-        matches         - contains the number of matched items
-        dnsbltext       - contains the dns TXT part of all RBL and RHSBL replies in the form
-                          rbltype:rblname:<txt>; rbltype:rblname:<txt>; ...
-These special attributes will be changed for any matching rule:
--        request_hits    - contains ids of all matching rules
-This means that it might be necessary to save them, if you plan to use these values in later rules:
--        # set vals
-        id=RBL01 ; rhsblcount=all ; rblcount=all ; \
-                rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \
-                rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
-                rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \
-                action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext)
--        # compare
-        id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt]
-        id=RBL03 ; HIT_rhls>=2               ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt]
-        id=RBL04 ; HIT_rbls>=2               ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt]
 
 
 MACROS/ACLS
@@ -568,18 +597,18 @@
         &&GONOW ;  &&RBLS ;  client_name=[\.-_](adsl|dynamic|ppp|)[\.-_]

Macros can contain macros, too:

-        # definition (note the trailing "\" characters)
-        &&RBLS {                                                \
-                rbl=zen.spamhaus.org ;                          \
-                rbl=list.dsbl.org ;                             \
-                rbl=bl.spamcop.net ;                            \
-                rbl=dnsbl.sorbs.net ;                           \
-                rbl=ix.dnsbl.manitu.net ;                       \
+        # definition
+        &&RBLS{
+                rbl=zen.spamhaus.org
+                rbl=list.dsbl.org
+                rbl=bl.spamcop.net
+                rbl=dnsbl.sorbs.net
+                rbl=ix.dnsbl.manitu.net
         };
-        &&DYNAMIC {                                             \
-                client_name=^unknown$ ;                         \
-                client_name=(\d+[\.-_]){4} ;                    \
-                client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] ;   \
+        &&DYNAMIC{
+                client_name=^unknown$
+                client_name=(\d+[\.-_]){4}
+                client_name=[\.-_](adsl|dynamic|ppp|)[\.-_]
         };
         &&GOAWAY { &&RBLS; &&DYNAMIC; };
         # rules
@@ -588,7 +617,141 @@
 
 
 PLUGINS
-Please visit http://www.postfwd.org/postfwd.plugins
+Description
+The plugin interface allow you to define your own checks and enhance postfwd's
+functionality. Feel free to share useful things!
+Warning
+Note that the plugin interface is still at devel stage. Please test your plugins
+carefully, because errors may cause postfwd to break! It is also
+allowed to override attributes or built-in functions, but be sure that you know
+what you do because some of them are used internally.
+Please keep security in mind, when you access sensible ressources and never, ever
+run postfwd as privileged user! Also never trust your input (especially hostnames,
+and e-mail addresses).
+ITEMS
+Item plugins are perl subroutines which integrate additional attributes to requests
+before they are evaluated against postfwd's ruleset like any other item of the
+policy delegation protocol. This allows you to create your own checks.
+plugin-items can not be used selective. these functions will be executed for every
+request postfwd receives, so keep performance in mind.
++        SYNOPSIS: %result = postfwd_items_plugin{<name>}(%request)
+means that your subroutine, called <name>, has access to a hash called %request,
+which contains all request attributes, like $request{client_name} and must
+return a value in the following form:
++        save: $result{<item>} = <value>
+this creates the new item <item> containing <value>, which will be integrated in
+the policy delegation request and therefore may be used in postfwd's ruleset.
++        # do NOT remove the next line
+        %postfwd_items_plugin = (
++                # EXAMPLES - integrated in postfwd. no need to activate them here.
+                
+                        # allows to check postfwd version in ruleset
+                        "version" => sub {
+                                my(%request) = @_;
+                                my(%result) = (
+                                        "version" => $NAME." ".$VERSION,
+                                );
+                                return %result;
+                        },
+                
+                        # sender_domain and recipient_domain
+                        "address_parts" => sub {
+                                my(%request) = @_;
+                                my(%result) = ();
+                                $request{sender} =~ /@([^@]*)$/;
+                                $result{sender_domain} = ($1 || '');
+                                $request{recipient} =~ /@([^@]*)$/;
+                                $result{recipient_domain} = ($1 || '');
+                                return %result;
+                        },
++        # do NOT remove the next line
+        );
+COMPARE
+Compare plugins allow you to define how your new items should be compared to the ruleset.
+These are optional. If you don't specify one, the default (== for exact match, =~ for PCRE, ...)
+will be used.
++        SYNOPSIS:  <item> => sub { return &{$postfwd_compare{<type>}}(@_); },
++        # do NOT remove the next line
+        %postfwd_compare_plugin = (
++                EXAMPLES - integrated in postfwd. no need to activate them here.
+        
+                        # Simple example
+                        # SYNOPSIS:  <result> = <item> (return &{$postfwd_compare{<type>}}(@_))
+                        "client_address"  => sub { return &{$postfwd_compare{cidr}}(@_); },
+                        "size"            => sub { return &{$postfwd_compare{numeric}}(@_); },
+                        "recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); },
+        
+                        # Complex example
+                        # SYNOPSIS:  <result> = <item>(<operator>, <ruleset value>, <request value>, <request>)
+                        "numeric" => sub {
+                                my($cmp,$val,$myitem,%request) = @_;
+                                my($myresult) = undef;  $myitem ||= "0"; $val ||= "0";
+                                if ($cmp eq '==') {
+                                        $myresult = ($myitem == $val);
+                                } elsif ($cmp eq '=<') {
+                                        $myresult = ($myitem <= $val);
+                                } elsif ($cmp eq '=>') {
+                                        $myresult = ($myitem >= $val);
+                                } elsif ($cmp eq '!=') {
+                                        $myresult = not($myitem == $val);
+                                } elsif ($cmp eq '!<') {
+                                        $myresult = not($myitem <= $val);
+                                } elsif ($cmp eq '!>') {
+                                        $myresult = not($myitem >= $val);
+                                } else {
+                                        $myresult = ($myitem >= $val);
+                                };
+                                return $myresult;
+                        },
++        # do NOT remove the next line
+        );
+ACTIONS
+Action plugins allow to define new postfwd actions. By setting the $stop-flag you can decide to
+continue or to stop parsing the ruleset.
++        SYNOPSIS:  (<stop rule parsing>, <next rule index>, <return action>, <logprefix>, <request>) =
+                        <action> (<current rule index>, <current time>, <command name>, <argument>, <logprefix>, <request>)
++        # do NOT remove the next line
+        %postfwd_actions_plugin = (
++                # EXAMPLES - integrated in postfwd. no need to activate them here.
+        
+                        # note(<logstring>) command
+                        "note"  => sub {
+                                my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
+                                my($myaction) = $default_action; my($stop) = 0;
+                                mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg;
+                                return ($stop,$index,$myaction,$myline,%request);
+                        },
+        
+                        # skips next <myarg> rules
+                        "skip" => sub {
+                                my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
+                                my($myaction) = $default_action; my($stop) = 0;
+                                $index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) );
+                                return ($stop,$index,$myaction,$myline,%request);
+                        },
+        
+                        # dumps current request contents to syslog
+                        "dumprequest" => sub {
+                                my($index,$now,$mycmd,$myarg,$myline,%request) = @_;
+                                my($myaction) = $default_action; my($stop) = 0;
+                                map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request);
+                                return ($stop,$index,$myaction,$myline,%request);
+                        },
++        # do NOT remove the next line
+        );
 
 
 COMMAND LINE
@@ -603,18 +766,13 @@
         -r, --rule <rule>
         Adds <rule> to ruleset. Remember that you might have to quote
         strings that contain whitespaces or shell characters.

Plugins

-        --plugins
-        A file containing plugin routines for postfwd. Please see the
-        PLUGINS section for more information.

Scoring

         -s, --scores <val>=<action>
         Returns <action> to postfix, when the request's score exceeds <val>

Multiple usage is allowed. Just chain your arguments, like:

-        postfwd2 -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ...
+        postfwd2 -r "<item>=<value>;action=<result>" -f <file> -f <file> ...
           or
         postfwd2 --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd2 score too high" ...

In case of multiple scores, the highest match will count. The order of the arguments will be @@ -625,13 +783,13 @@

         -d, --daemon
         postfwd2 will run as daemon and listen on the network for incoming
-        queries (default 127.0.0.1:10040).

+ queries (default 127.0.0.1:10045).

         -i, --interface <dev>
         Bind postfwd2 to the specified interface (default 127.0.0.1).

         -p, --port <port>
-        postfwd2 listens on the specified port (default tcp/10040).

+ postfwd2 listens on the specified port (default tcp/10045).

         --proto <type>
         The protocol type for postfwd's socket. Currently you may use 'tcp' or 'unix' here.
@@ -657,17 +815,29 @@
          -R, --chroot <path>
         Chroot the process to the specified path.
-        Test this before using - you might need some libs there.
+        Please look at http://postfwd.org/postfwd2-chroot.html before use!

         --pidfile <path>
         The process id will be saved in the specified file.

+        --facility <f>
+        sets the syslog facility, default is 'mail'

+        --socktype <s>
+        sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'.
+        Default is to auto-detect this depening on module version and os.

         -l, --logname <label>
         Labels the syslog messages. Useful when running multiple
         instances of postfwd.

         --loglen <int>
         Truncates any syslog message after <int> characters.

Plugins

+        --plugins <file>
+        Loads postfwd plugins from file. Please see http://postfwd.org/postfwd.plugins
+        or the plugins.postfwd.sample that is available from the tarball for more info.

Optional arguments

These parameters influence the way postfwd2 is working. Any of them can be combined.

@@ -794,7 +964,22 @@
         timeout in seconds to parse a single configuration line. if exceeded, the rule will
         be skipped. this is used to prevent problems due to large files or loops.
         
-I<Informational arguments>

+ --keep_rates (default=0) + With this option set postfwd2 does not clear the rate limit counters on reload. Please + note that you have to restart (not reload) postfwd with this option if you change + any rate limit rules. +

+        --save_rates    (default=none)
+        With this option postfwd saves existing rate limit counters to disk and reloads them
+        on program start. This allows persistent rate limits across program restarts or reboots.
+        Please note that postfwd needs read and write access to the specified file.

+        --fast_limit_evaluation    (default=0)
+        Once a ratelimit was set by the ruleset, future requests will be evaluated against it
+        before consulting the ruleset. This mode was the default behaviour until v1.30.
+        With this mode rate limits will be faster, but also eventually set up
+        whitelisting-rules within the ruleset might not work as expected.

Informational arguments

These arguments are for command line usage only. Never ever use them with postfix!

         -C, --showconfig
@@ -815,6 +1000,26 @@
         -P, --perfmon
         This option turns of any syslogging and output. It is included
         for performance testing.

+        --dumpstats
+        Displays program usage statistics.

+        --dumpcache
+        Displays cache contents.

+        --delcache <item>
+        Removes an item from the request cache. Use --dumpcache to identify objects.
+        E.g.:
+                # postfwd --dumpcache
+                ...
+                %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count    -> '1'
+                %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2'
+                ...
+                # postfwd --delrate="sender=gmato@jqvo.org"
+                rate cache item 'sender=gmato@jqvo.org' removed

+        --delrate <item>
+        Removes an item from the rate cache. Use --dumpcache to identify objects.

REFRESH

@@ -854,18 +1059,25 @@ # 1. 30MB for systems in *.customer1.tld # 2. 20MB for SASL user joejob # 3. 10MB default - id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$ - id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob - id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000 - id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large + id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$ + id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob + id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000 + id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large

         ## Selective Greylisting
+        ##
+        ## Note that postfwd does not include greylisting. This setup requires a running postgrey service
+        ## at port 10031 and the following postfix restriction class in your main.cf:
+        ##
+        ##      smtpd_restriction_classes = check_postgrey, ...
+        ##      check_postgrey = check_policy_service inet:127.0.0.1:10031
+        #
         # 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s
         # 2. Client has no rDNS
         # 3. Client comes from several dialin domains
-        id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200
-        id=GR002; action=greylisting ; client_name=^unknown$
-        id=GR003; action=greylisting ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$

+ id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 + id=GR002; action=check_postgrey ; client_name=^unknown$ + id=GR003; action=check_postgrey ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$

         ## Date Time
         date=24.12.2007-26.12.2007          ;  action=450 4.7.1 office closed during christmas
@@ -873,7 +1085,7 @@
         time=-07:00:00 ;  sasl_username=jim ;  action=450 4.7.1 to early for you, jim
         time=22:00:00- ;  sasl_username=jim ;  action=450 4.7.1 to late now, jim
         months=-Apr                         ;  action=450 4.7.1 see you in may
-        days=!!Mon-Fri                      ;  action=greylist

+ days=!!Mon-Fri ; action=check_postgrey

         ## Usage of jump
         # The following allows a message size of 30MB for different
@@ -883,8 +1095,8 @@
         id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:...
         id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:...
         id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:...
-        id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000
-        id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000

+ id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 + id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000

         ## Usage of score
         # The following rejects a mail, if the client
@@ -892,8 +1104,8 @@
         # - is listed in 1 RBL or 1 RHSBL and has no correct rDNS
         # - other clients without correct rDNS will be greylist-checked
         # - some whitelists are used to lower the score
-        id=S01 ; score=2.6              ; action=greylisting
-        id=S02 ; score=5.0              ; action=REJECT postfwd2 score too high
+        id=S01 ; score=2.6              ; action=check_postgrey
+        id=S02 ; score=5.0              ; action=REJECT postfwd score too high
         id=R00 ; action=score(-1.0)     ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org
         id=R01 ; action=score(2.5)      ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net
         id=R02 ; action=score(2.5)      ; rhsbl=rhsbl.ahbl.org, rhsbl.sorbs.net
@@ -905,10 +1117,10 @@
         # The following temporary rejects requests from "unknown" clients, if they
         # 1. exceeded 30 requests per hour or
         # 2. tried to send more than 1.5mb within 10 minutes
-        id=RATE01 ;  client_name==unknown ;  state==RCPT ; \
-                action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour)
-        id=SIZE01 ;  client_name==unknown ;  state==END_OF_DATA ; \
-                action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)

+ id=RATE01 ; client_name==unknown ; protocol_state==RCPT + action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) + id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE + action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes)

         ## Macros
         # definition
@@ -921,34 +1133,34 @@
          ## Groups
         # definition
-        &&RBLS { \
-                rbl=zen.spamhaus.org ;          \
-                rbl=list.dsbl.org ;             \
-                rbl=bl.spamcop.net ;            \
-                rbl=dnsbl.sorbs.net ;           \
-                rbl=ix.dnsbl.manitu.net ;       \
+        &&RBLS{
+                rbl=zen.spamhaus.org
+                rbl=list.dsbl.org
+                rbl=bl.spamcop.net
+                rbl=dnsbl.sorbs.net
+                rbl=ix.dnsbl.manitu.net
         };
-        &&RHSBLS { \
+        &&RHSBLS{
                 ...
         };
-        &&DYNAMIC { \
-                client_name==unknown ;                          \
-                client_name~=(\d+[\.-_]){4} ;                   \
-                client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ;  \
+        &&DYNAMIC{
+                client_name==unknown
+                client_name~=(\d+[\.-_]){4}
+                client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_]
                 ...
         };
-        &&BAD_HELO { \
-                helo_name==my.name.tld;         \
-                helo_name~=^([^\.]+)$;          \
-                helo_name~=\.(local|lan)$;      \
+        &&BAD_HELO{
+                helo_name==my.name.tld
+                helo_name~=^([^\.]+)$
+                helo_name~=\.(local|lan)$
                 ...
         };
-        &&MAINTENANCE { \
-                date=15.01.2007 ; \
-                date=15.04.2007 ; \
-                date=15.07.2007 ; \
-                date=15.10.2007 ; \
-                time=03:00:00 - 04:00:00 ; \
+        &&MAINTENANCE{
+                date=15.01.2007
+                date=15.04.2007
+                date=15.07.2007
+                date=15.10.2007
+                time=03:00:00 - 04:00:00
         };
         # rules
         id=COMBINED    ;  &&RBLS ;  &&DYNAMIC ;  action=REJECT dynamic client and listed on RBL
@@ -965,7 +1177,7 @@
          ## combined with enhanced rbl features
         #
-        id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \
+        id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS
              action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext)
         id=RBL02 ; HIT_dnsbls>=2  ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt]
 
@@ -1068,21 +1280,21 @@
 postfwd2 will spawn multiple child processes which communicate with a parent cache. This is
 the prefered way to use postfwd2 in high volume environments. Start postfwd2 with the following parameters:
 -        postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10040 -u nobody -g nobody -S
+        postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10045 -u nobody -g nobody -S
 For efficient caching you should check if you can use the options --cacheid, --cache-rdomain-only,
 --cache-no-sender and --cache-no-size.
 Now check your syslogs (default facility ``mail'') for a line like:
          Aug  9 23:00:24 mail postfwd[5158]: postfwd2 n.nn ready for input
-and use `netstat -an|grep 10040` to check for something like
+and use `netstat -an|grep 10045` to check for something like
 -        tcp  0  0  127.0.0.1:10040  0.0.0.0:*  LISTEN
+        tcp  0  0  127.0.0.1:10045  0.0.0.0:*  LISTEN

If everything works, open your postfix main.cf and insert the following

-        127.0.0.1:10040_time_limit      = 3600                                          <--- integration
+        127.0.0.1:10045_time_limit      = 3600                                          <--- integration
         smtpd_recipient_restrictions    = permit_mynetworks                             <--- recommended
                                           reject_unauth_destination                     <--- recommended
-                                          check_policy_service inet:127.0.0.1:10040     <--- integration

+ check_policy_service inet:127.0.0.1:10045 <--- integration

Reload your configuration with `postfix reload` and watch your logs. In it works you should see lines like the following in your mail log:

@@ -1098,9 +1310,9 @@
          # Restriction Classes
         smtpd_restriction_classes       = postfwdcheck, <some more>...                          <--- integration
-        postfwdcheck                    = check_policy_service inet:127.0.0.1:10040             <--- integration
+        postfwdcheck                    = check_policy_service inet:127.0.0.1:10045             <--- integration

-        127.0.0.1:10040_time_limit      = 3600                                                  <--- integration
+        127.0.0.1:10045_time_limit      = 3600                                                  <--- integration
         smtpd_recipient_restrictions    = permit_mynetworks,                                    <--- recommended
                                           reject_unauth_destination,                            <--- recommended
                                           ...                                                   <--- optional
@@ -1122,7 +1334,7 @@
         action=<whateveryouconfigured>

For network tests I use netcat:

-        nc 127.0.0.1 10040 <request.sample

+ nc 127.0.0.1 10045 <request.sample

to send a request to postfwd. If you receive nothing, make sure that postfwd2 is running and listening on the specified network settings.

diff -Nru postfwd-1.20/doc/postfwd2.txt postfwd-1.32/doc/postfwd2.txt --- postfwd-1.20/doc/postfwd2.txt 2010-11-14 21:51:34.000000000 +0000 +++ postfwd-1.32/doc/postfwd2.txt 2011-12-18 12:34:41.000000000 +0000 @@ -38,7 +38,7 @@ --cache-no-size skip size for cache-id --no_parent_request_cache disable parent request cache --no_parent_rate_cache disable parent rate cache - --no_parent_dns_cache disable parent dns cache + --no_parent_dns_cache disable parent dns cache (default) --no_parent_cache disable all parent caches Rates: @@ -53,6 +53,9 @@ --daemons list of daemons to start --dumpcache show cache contents --dumpstats show statistics + -R, --chroot chroot to before start + --delcache removes an item from the request cache + --delrate removes an item from the rate cache DNS: -n, --nodns skip any dns based test @@ -73,10 +76,17 @@ --norulestats disables per rule statistics -I, --instantcfg reloads ruleset on every new request --config_timeout parser timeout in seconds + --keep_rates do not clear rate limit counters on reload + --save_rates save and load rate limits on disk + --fast_limit_evaluation evaluate rate limits before ruleset is parsed + + Plugins: + --plugins loads postfwd plugins from file Logging: -l, --logname label for syslog messages --facility use syslog facility + --socktype use syslog socktype --nodnslog do not log dns results --anydnslog log any dns (even cached) results --norulelog do not log rule actions @@ -132,7 +142,7 @@ A configuration line consists of optional item=value pairs, separated by semicolons (`;`) and the appropriate desired action: - [ [=><~]=; [=><~]=; ... ] action= + [ =; =; ... ] action= *Example:* @@ -173,11 +183,21 @@ files or passed as command line arguments. Please see the COMMAND LINE section below for more information on this topic. - Rules can span multiple lines by adding a trailing backslash "\" - character: - - id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \ - action=REJECT please use your relay from there + Since postfwd version 1.30 rules spanning span multiple lines can be + defined by prefixing the following lines with one or multiple whitespace + characters (or '}' for macros): + + id=RULE001 + client_address=192.168.1.0/24 + sender==no@bad.local + action=REJECT no access + + postfwd versions prior to 1.30 require trailing ';' and '\'-characters: + + id=RULE001; \ + client_address=192.168.1.0/24; \ + sender==no@bad.local; \ + action=REJECT no access ITEMS id - a unique rule id, which can be used for log analysis @@ -241,9 +261,15 @@ this enables version based checks in your rulesets (e.g. for migration). works with old versions too, because a non-existing item always returns false: - id=R01; version~=1.10; sender_domain==some.org \ + # version >= 1.10 + id=R01; version~=1\.[1-9][0-9]; sender_domain==some.org \ ; action=REJECT sorry no access + ratecount - only available for rate(), size() and rcpt() actions. + contains the actual limit counter: + id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits]) + id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits]) + Besides these you can specify any attribute of the postfix policy delegation protocol. Feel free to combine them the way you need it (have a look at the EXAMPLES section below). @@ -298,26 +324,25 @@ the current list can be found at . Please read carefully about which attribute can be used at which level of the smtp transaction - (e.g. size will only work reliably at END_OF_DATA level). Pattern + (e.g. size will only work reliably at END-OF-MESSAGE level). Pattern matching is performed case insensitive. Multiple use of the same item is allowed and will compared as logical OR, which means that this will work as expected: - id=TRUST001; action=OK; encryption_keysize=64; \ - ccert_fingerprint=11:22:33:44:55:66:77:88:99; \ - ccert_fingerprint=22:33:44:55:66:77:88:99:00; \ - ccert_fingerprint=33:44:55:66:77:88:99:00:11; \ + id=TRUST001; action=OK; encryption_keysize=64 + ccert_fingerprint=11:22:33:44:55:66:77:88:99 + ccert_fingerprint=22:33:44:55:66:77:88:99:00 + ccert_fingerprint=33:44:55:66:77:88:99:00:11 sender=@domain\.local$ client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values: - id=SKIP01; action=dunno; \ + id=SKIP01; action=dunno client_address=192.168.1.0/24, 172.16.254.23 - id=SKIP02; action=dunno; \ - client_address= 10.10.3.32 \ - 10.216.222.0/27 + id=SKIP02; action=dunno + client_address= 10.10.3.32 10.216.222.0/27 The following items must be unique: @@ -325,16 +350,16 @@ Any item can be negated by preceeding '!!' to it, e.g.: - id=TLS001 ; hostname=!!^secure\.trust\.local$ ; action=REJECT only secure.trust.local please + id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please or using the right compare operator: - id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that? + id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please To avoid confusion with regexps or simply for better visibility you can use '!!(...)': - id=USER01 ; sasl_username=!!( /^(bob|alice)$/ ) ; action=REJECT who is that? + id=USER01 ; sasl_username =~ !!( /^(bob|alice)$/ ) ; action=REJECT who is that? Request attributes can be compared by preceeding '$$' characters, e.g.: @@ -346,6 +371,33 @@ be performed as case insensitive exact match. Use the '-vv' option to debug. + These special items will be reset for any new rule: + + rblcount - contains the number of RBL answers + rhsblcount - contains the number of RHSBL answers + matches - contains the number of matched items + dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form + rbltype:rblname:; rbltype:rblname:; ... + + These special items will be changed for any matching rule: + + request_hits - contains ids of all matching rules + + This means that it might be necessary to save them, if you plan to use + these values in later rules: + + # set vals + id=RBL01 ; rhsblcount=all; rblcount=all + action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext) + rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org + rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net + rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net + + # compare + id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt] + id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt] + id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt] + FILES Since postfwd1 v1.15 and postfwd2 v0.18 long item lists can be stored in separate files: @@ -368,16 +420,16 @@ This will ignore the right-hand value. Items can be mixed: - id=R002 ; action=REJECT \ - client_name==unknown; \ + id=R002 ; action=REJECT + client_name==unknown client_name==file:/etc/postfwd/blacklisted and for non pcre (comma separated) items: - id=R003 ; action=REJECT \ + id=R003 ; action=REJECT client_address==10.1.1.1, file:/etc/postfwd/blacklisted - id=R004 ; action=REJECT \ + id=R004 ; action=REJECT rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing You can check your configuration with the --show_config option at the @@ -499,16 +551,16 @@ please note that is currently limited to postfix actions (no postfwd actions)! # no more than 3 requests per 5 minutes # from the same "unknown" client - id=RATE01 ; client_name==unknown ; \ - action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes) + id=RATE01 ; client_name==unknown + action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes) size (///) this command works similar to the rate() command with the difference, that the rate counter is increased by the request's size attribute. to do this reliably you should call postfwd2 from smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset: # size limit 1.5mb per hour per client - id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \ - action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour) + id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1) + action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour) rcpt (///) this command works similar to the rate() command with the difference, that the rate counter is @@ -516,8 +568,8 @@ from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset: # recipient count limit 3 per hour per client - id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \ - action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour) + id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1) + action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour) ask (:[:]) allows to delegate the policy decision to another policy service (e.g. postgrey). the first @@ -529,13 +581,18 @@ # and continue parsing postfwd's ruleset id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$) + mail(server/helo/from/to/subject/body) + Very basic mail command, that sends a message with the given arguments. LIMITATIONS: + This basically performs a telnet. No authentication or TLS are available. Additionally it does + not track notification state and will notify you any time, the corresponding rule hits. + wait () pauses the program execution for seconds. use this for delaying or throtteling connections. note () just logs the given string and continues parsing the ruleset. - if the string is empty, nothing will be logged. + if the string is empty, nothing will be logged (noop). quit () terminates the program with the given exit-code. postfix doesn`t @@ -545,33 +602,6 @@ id=R-HELO ; helo_name=^[^\.]+$ ; action=REJECT invalid helo '$$helo_name' - These special attributes will be reset for any new rule: - - rblcount - contains the number of RBL answers - rhsblcount - contains the number of RHSBL answers - matches - contains the number of matched items - dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form - rbltype:rblname:; rbltype:rblname:; ... - - These special attributes will be changed for any matching rule: - - request_hits - contains ids of all matching rules - - This means that it might be necessary to save them, if you plan to use - these values in later rules: - - # set vals - id=RBL01 ; rhsblcount=all ; rblcount=all ; \ - rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \ - rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \ - rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \ - action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext) - - # compare - id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt] - id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt] - id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt] - MACROS/ACLS Multiple use of long items or combinations of them may be abbreviated by macros. Those must be prefixed by '&&' (two '&' characters). First the @@ -596,18 +626,18 @@ Macros can contain macros, too: - # definition (note the trailing "\" characters) - &&RBLS { \ - rbl=zen.spamhaus.org ; \ - rbl=list.dsbl.org ; \ - rbl=bl.spamcop.net ; \ - rbl=dnsbl.sorbs.net ; \ - rbl=ix.dnsbl.manitu.net ; \ + # definition + &&RBLS{ + rbl=zen.spamhaus.org + rbl=list.dsbl.org + rbl=bl.spamcop.net + rbl=dnsbl.sorbs.net + rbl=ix.dnsbl.manitu.net }; - &&DYNAMIC { \ - client_name=^unknown$ ; \ - client_name=(\d+[\.-_]){4} ; \ - client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \ + &&DYNAMIC{ + client_name=^unknown$ + client_name=(\d+[\.-_]){4} + client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] }; &&GOAWAY { &&RBLS; &&DYNAMIC; }; # rules @@ -617,7 +647,156 @@ section for more information. PLUGINS - Please visit + Description + + The plugin interface allow you to define your own checks and enhance + postfwd's functionality. Feel free to share useful things! + + Warning + + Note that the plugin interface is still at devel stage. Please test your + plugins carefully, because errors may cause postfwd to break! It is also + allowed to override attributes or built-in functions, but be sure that + you know what you do because some of them are used internally. + + Please keep security in mind, when you access sensible ressources and + never, ever run postfwd as privileged user! Also never trust your input + (especially hostnames, and e-mail addresses). + + ITEMS + + Item plugins are perl subroutines which integrate additional attributes + to requests before they are evaluated against postfwd's ruleset like any + other item of the policy delegation protocol. This allows you to create + your own checks. + + plugin-items can not be used selective. these functions will be executed + for every request postfwd receives, so keep performance in mind. + + SYNOPSIS: %result = postfwd_items_plugin{}(%request) + + means that your subroutine, called , has access to a hash called + %request, which contains all request attributes, like + $request{client_name} and must return a value in the following form: + + save: $result{} = + + this creates the new item containing , which will be + integrated in the policy delegation request and therefore may be used in + postfwd's ruleset. + + # do NOT remove the next line + %postfwd_items_plugin = ( + + # EXAMPLES - integrated in postfwd. no need to activate them here. + + # allows to check postfwd version in ruleset + "version" => sub { + my(%request) = @_; + my(%result) = ( + "version" => $NAME." ".$VERSION, + ); + return %result; + }, + + # sender_domain and recipient_domain + "address_parts" => sub { + my(%request) = @_; + my(%result) = (); + $request{sender} =~ /@([^@]*)$/; + $result{sender_domain} = ($1 || ''); + $request{recipient} =~ /@([^@]*)$/; + $result{recipient_domain} = ($1 || ''); + return %result; + }, + + # do NOT remove the next line + ); + + COMPARE + + Compare plugins allow you to define how your new items should be + compared to the ruleset. These are optional. If you don't specify one, + the default (== for exact match, =~ for PCRE, ...) will be used. + + SYNOPSIS: => sub { return &{$postfwd_compare{}}(@_); }, + + # do NOT remove the next line + %postfwd_compare_plugin = ( + + EXAMPLES - integrated in postfwd. no need to activate them here. + + # Simple example + # SYNOPSIS: = (return &{$postfwd_compare{}}(@_)) + "client_address" => sub { return &{$postfwd_compare{cidr}}(@_); }, + "size" => sub { return &{$postfwd_compare{numeric}}(@_); }, + "recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); }, + + # Complex example + # SYNOPSIS: = (, , , ) + "numeric" => sub { + my($cmp,$val,$myitem,%request) = @_; + my($myresult) = undef; $myitem ||= "0"; $val ||= "0"; + if ($cmp eq '==') { + $myresult = ($myitem == $val); + } elsif ($cmp eq '=<') { + $myresult = ($myitem <= $val); + } elsif ($cmp eq '=>') { + $myresult = ($myitem >= $val); + } elsif ($cmp eq '!=') { + $myresult = not($myitem == $val); + } elsif ($cmp eq '!<') { + $myresult = not($myitem <= $val); + } elsif ($cmp eq '!>') { + $myresult = not($myitem >= $val); + } else { + $myresult = ($myitem >= $val); + }; + return $myresult; + }, + + # do NOT remove the next line + ); + + ACTIONS + + Action plugins allow to define new postfwd actions. By setting the + $stop-flag you can decide to continue or to stop parsing the ruleset. + + SYNOPSIS: (, , , , ) = + (, , , , , ) + + # do NOT remove the next line + %postfwd_actions_plugin = ( + + # EXAMPLES - integrated in postfwd. no need to activate them here. + + # note() command + "note" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg; + return ($stop,$index,$myaction,$myline,%request); + }, + + # skips next rules + "skip" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + $index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) ); + return ($stop,$index,$myaction,$myline,%request); + }, + + # dumps current request contents to syslog + "dumprequest" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request); + return ($stop,$index,$myaction,$myline,%request); + }, + + # do NOT remove the next line + ); COMMAND LINE *Ruleset* @@ -634,12 +813,6 @@ Adds to ruleset. Remember that you might have to quote strings that contain whitespaces or shell characters. - *Plugins* - - --plugins - A file containing plugin routines for postfwd. Please see the - PLUGINS section for more information. - *Scoring* -s, --scores = @@ -647,7 +820,7 @@ Multiple usage is allowed. Just chain your arguments, like: - postfwd2 -r "=;action=" -f -f --plugins ... + postfwd2 -r "=;action=" -f -f ... or postfwd2 --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd2 score too high" ... @@ -662,13 +835,13 @@ -d, --daemon postfwd2 will run as daemon and listen on the network for incoming - queries (default 127.0.0.1:10040). + queries (default 127.0.0.1:10045). -i, --interface Bind postfwd2 to the specified interface (default 127.0.0.1). -p, --port - postfwd2 listens on the specified port (default tcp/10040). + postfwd2 listens on the specified port (default tcp/10045). --proto The protocol type for postfwd's socket. Currently you may use 'tcp' or 'unix' here. @@ -694,11 +867,18 @@ -R, --chroot Chroot the process to the specified path. - Test this before using - you might need some libs there. + Please look at http://postfwd.org/postfwd2-chroot.html before use! --pidfile The process id will be saved in the specified file. + --facility + sets the syslog facility, default is 'mail' + + --socktype + sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'. + Default is to auto-detect this depening on module version and os. + -l, --logname Labels the syslog messages. Useful when running multiple instances of postfwd. @@ -706,6 +886,12 @@ --loglen Truncates any syslog message after characters. + *Plugins* + + --plugins + Loads postfwd plugins from file. Please see http://postfwd.org/postfwd.plugins + or the plugins.postfwd.sample that is available from the tarball for more info. + *Optional arguments* These parameters influence the way postfwd2 is working. Any of them can @@ -834,6 +1020,22 @@ timeout in seconds to parse a single configuration line. if exceeded, the rule will be skipped. this is used to prevent problems due to large files or loops. + --keep_rates (default=0) + With this option set postfwd2 does not clear the rate limit counters on reload. Please + note that you have to restart (not reload) postfwd with this option if you change + any rate limit rules. + + --save_rates (default=none) + With this option postfwd saves existing rate limit counters to disk and reloads them + on program start. This allows persistent rate limits across program restarts or reboots. + Please note that postfwd needs read and write access to the specified file. + + --fast_limit_evaluation (default=0) + Once a ratelimit was set by the ruleset, future requests will be evaluated against it + before consulting the ruleset. This mode was the default behaviour until v1.30. + With this mode rate limits will be faster, but also eventually set up + whitelisting-rules within the ruleset might not work as expected. + *Informational arguments* These arguments are for command line usage only. Never ever use them @@ -858,6 +1060,26 @@ This option turns of any syslogging and output. It is included for performance testing. + --dumpstats + Displays program usage statistics. + + --dumpcache + Displays cache contents. + + --delcache + Removes an item from the request cache. Use --dumpcache to identify objects. + E.g.: + # postfwd --dumpcache + ... + %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1' + %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2' + ... + # postfwd --delrate="sender=gmato@jqvo.org" + rate cache item 'sender=gmato@jqvo.org' removed + + --delrate + Removes an item from the rate cache. Use --dumpcache to identify objects. + REFRESH In daemon mode postfwd2 reloads it's ruleset after receiving a HUP signal. Please see the description of the '-I' switch to have your @@ -894,18 +1116,25 @@ # 1. 30MB for systems in *.customer1.tld # 2. 20MB for SASL user joejob # 3. 10MB default - id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$ - id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob - id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000 - id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large + id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$ + id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob + id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000 + id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large ## Selective Greylisting + ## + ## Note that postfwd does not include greylisting. This setup requires a running postgrey service + ## at port 10031 and the following postfix restriction class in your main.cf: + ## + ## smtpd_restriction_classes = check_postgrey, ... + ## check_postgrey = check_policy_service inet:127.0.0.1:10031 + # # 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s # 2. Client has no rDNS # 3. Client comes from several dialin domains - id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 - id=GR002; action=greylisting ; client_name=^unknown$ - id=GR003; action=greylisting ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$ + id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 + id=GR002; action=check_postgrey ; client_name=^unknown$ + id=GR003; action=check_postgrey ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$ ## Date Time date=24.12.2007-26.12.2007 ; action=450 4.7.1 office closed during christmas @@ -913,7 +1142,7 @@ time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim months=-Apr ; action=450 4.7.1 see you in may - days=!!Mon-Fri ; action=greylist + days=!!Mon-Fri ; action=check_postgrey ## Usage of jump # The following allows a message size of 30MB for different @@ -923,8 +1152,8 @@ id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:... id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:... id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:... - id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 - id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000 + id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 + id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000 ## Usage of score # The following rejects a mail, if the client @@ -932,8 +1161,8 @@ # - is listed in 1 RBL or 1 RHSBL and has no correct rDNS # - other clients without correct rDNS will be greylist-checked # - some whitelists are used to lower the score - id=S01 ; score=2.6 ; action=greylisting - id=S02 ; score=5.0 ; action=REJECT postfwd2 score too high + id=S01 ; score=2.6 ; action=check_postgrey + id=S02 ; score=5.0 ; action=REJECT postfwd score too high id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net id=R02 ; action=score(2.5) ; rhsbl=rhsbl.ahbl.org, rhsbl.sorbs.net @@ -945,10 +1174,10 @@ # The following temporary rejects requests from "unknown" clients, if they # 1. exceeded 30 requests per hour or # 2. tried to send more than 1.5mb within 10 minutes - id=RATE01 ; client_name==unknown ; state==RCPT ; \ - action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) - id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \ - action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes) + id=RATE01 ; client_name==unknown ; protocol_state==RCPT + action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) + id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE + action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes) ## Macros # definition @@ -961,34 +1190,34 @@ ## Groups # definition - &&RBLS { \ - rbl=zen.spamhaus.org ; \ - rbl=list.dsbl.org ; \ - rbl=bl.spamcop.net ; \ - rbl=dnsbl.sorbs.net ; \ - rbl=ix.dnsbl.manitu.net ; \ + &&RBLS{ + rbl=zen.spamhaus.org + rbl=list.dsbl.org + rbl=bl.spamcop.net + rbl=dnsbl.sorbs.net + rbl=ix.dnsbl.manitu.net }; - &&RHSBLS { \ + &&RHSBLS{ ... }; - &&DYNAMIC { \ - client_name==unknown ; \ - client_name~=(\d+[\.-_]){4} ; \ - client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \ + &&DYNAMIC{ + client_name==unknown + client_name~=(\d+[\.-_]){4} + client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ... }; - &&BAD_HELO { \ - helo_name==my.name.tld; \ - helo_name~=^([^\.]+)$; \ - helo_name~=\.(local|lan)$; \ + &&BAD_HELO{ + helo_name==my.name.tld + helo_name~=^([^\.]+)$ + helo_name~=\.(local|lan)$ ... }; - &&MAINTENANCE { \ - date=15.01.2007 ; \ - date=15.04.2007 ; \ - date=15.07.2007 ; \ - date=15.10.2007 ; \ - time=03:00:00 - 04:00:00 ; \ + &&MAINTENANCE{ + date=15.01.2007 + date=15.04.2007 + date=15.07.2007 + date=15.10.2007 + time=03:00:00 - 04:00:00 }; # rules id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL @@ -1005,7 +1234,7 @@ ## combined with enhanced rbl features # - id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \ + id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext) id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt] @@ -1144,7 +1373,7 @@ postfwd2 in high volume environments. Start postfwd2 with the following parameters: - postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10040 -u nobody -g nobody -S + postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10045 -u nobody -g nobody -S For efficient caching you should check if you can use the options --cacheid, --cache-rdomain-only, --cache-no-sender and --cache-no-size. @@ -1153,16 +1382,16 @@ Aug 9 23:00:24 mail postfwd[5158]: postfwd2 n.nn ready for input - and use `netstat -an|grep 10040` to check for something like + and use `netstat -an|grep 10045` to check for something like - tcp 0 0 127.0.0.1:10040 0.0.0.0:* LISTEN + tcp 0 0 127.0.0.1:10045 0.0.0.0:* LISTEN If everything works, open your postfix main.cf and insert the following - 127.0.0.1:10040_time_limit = 3600 <--- integration + 127.0.0.1:10045_time_limit = 3600 <--- integration smtpd_recipient_restrictions = permit_mynetworks <--- recommended reject_unauth_destination <--- recommended - check_policy_service inet:127.0.0.1:10040 <--- integration + check_policy_service inet:127.0.0.1:10045 <--- integration Reload your configuration with `postfix reload` and watch your logs. In it works you should see lines like the following in your mail log: @@ -1183,9 +1412,9 @@ # Restriction Classes smtpd_restriction_classes = postfwdcheck, ... <--- integration - postfwdcheck = check_policy_service inet:127.0.0.1:10040 <--- integration + postfwdcheck = check_policy_service inet:127.0.0.1:10045 <--- integration - 127.0.0.1:10040_time_limit = 3600 <--- integration + 127.0.0.1:10045_time_limit = 3600 <--- integration smtpd_recipient_restrictions = permit_mynetworks, <--- recommended reject_unauth_destination, <--- recommended ... <--- optional @@ -1211,7 +1440,7 @@ For network tests I use netcat: - nc 127.0.0.1 10040 allows to load and save + rate limit counters to disk on program start and termination. + this allows rate limit persistence during restarts and reboots + (requires perl module 'Storable') +- feature: the --debugitem="sender=example\.org$" option + allows verbose logging for particular requests +- feature: the debug() action allows verbose logging for certain + rules: + ------------------------------------------------------------ + id=R01 + client_address=1.1.1.1 + action=debug(on) + id=R02 + ... + id=R42 + action=debug(off) + ------------------------------------------------------------ +- feature: nested commands are possible now, e.g.: + ------------------------------------------------------------ + # throttle + action=rate(client_address/10/60/wait(3)) + ------------------------------------------------------------ +- feature: new mail(server/helo/from/to/subject/body) action. + Please take a look at the manual, especially about + it's limitations, before using it! + ------------------------------------------------------------ + # alert + action=size(recipient_domain/100000000/86400/mail(mailhost/helo/from/to/subject/text)) + ------------------------------------------------------------ + +1.31 +==== +- feature: single cache items can be wiped using --delcache + or --delrate options. use --dumpcache to identify +- feature: sasl_username is logged if available + (thanks to Bernhard Schmidt) +- code: rate limit action is executed, if the first request exceeds the limit +- code: exceeded ratecounters will not be kept permanently anymore. this + allows further requests to pass, if they are below the limit +- code: rate limits are evaluated at ruleset stage now, which leads to + much more comprehensible behaviour. due to this change the request + cache is now disabled, if rate limits are used. use the + --fast_limit_evaluation option to revert to the former mode. + +1.30 +==== +- feature: new parser enhancement allows to omit the trailing "\" for multi-line rules, + if the following lines are prefixed by whitespace characters: + -------------------------------------- + id=RCPTCOUNT + protocol_state == END-OF-MESSAGE + client_address != 10.1.1.0/24 + recipient_count >= 100 + action=REJECT too many recipients + -------------------------------------- +- feature: new plugin interface (BETA) +- feature: Time::HiRes is used if available +- feature: new $$ratecount variable for rate() actions +- feature: ported --dumpstats and --dumpcache option from postfwd2 +- bugfix: fixed program usage statistics (--summary) +- docs: documentation updates + +1.22 +===== +- feature: new option --keep_rates +- feature: queueid is logged when available +- bugfix: rate limits using the same item and the same limits + did not work correctly (thanks to Yves Blusseau): + id=INT01; INT_DOMAIN==1; \ + action=rate(sender/100/60/450 4.7.1 too much for internal domains) + id=EXT01; EXT_DOMAIN==1; \ + action=rate(sender/100/60/450 4.7.1 too much for external domains) +- bugfix: small fix for cleanup of old rate limits +- docs: documentation updates and fixes (thanks to Vincent Lefevre) + +1.21 +===== +- feature: postfwd supports multiple rate limits to the same items now. + this means that the following will now work as expected: + id=R001; recipient_count>=100; action=rate(sender/3/3600/WARN state RED) + id=R002; recipient_count>=100; action=rate(sender/2/3600/WARN state YELLOW) + id=R003; recipient_count>=100; action=rate(sender/1/3600/WARN state GREEN) +- code: ported command-line option --facility from postfwd2 +- docs: documentation updates and fixes (thanks to Vincent Lefevre) + +1.20 +===== +- code: changed the default umask for the server socket to 0111 + to support out-of-the-box postfix setup. Use the + --umask setting to change this +- bugfix: rbl check could fail on multiple dnsbl answers +- bugfix: rbl checks disabled for ipv6 addresses, cidr compare + will switch to default (regex/string) + +1.19 +===== +- code: Rate limit code rewritten +- code: new --umask setting allows to set filepermissions for pidfiles + and unix domain sockets. Default is 0117 (owner and group rw). + +1.18 +===== +- bugfix: Fixed bug when comparing sender and recipient addresses, like + "sender=$$recipient". This affects only postfwd version 1.17. + +1.17 +===== +- bugfix: Invalid characters in variable substitutions were not correctly catched when + the '=' operator was used, like "client_name=$$helo_name". If you can not + upgrade for some reason change your rule to "client_name=~$$helo_name" +- code: Net::DNS errors will now be handled gracefully +- code: default for options --dns_max_ns_a_lookups and --dns_max_mx_a_lookups of 100 + +1.16 +===== +- bugfix: this is a bugfix release for 1.15. anyone affected is encouraged to upgrade. + detail: the default behavior for the '=' operator with numeric items + (size, recipient_count, ...) changed with version 1.15 to '==' (equals to). + now these items are compared '>=' (greater than) again. + note: if you are using 1.15 and you are not able upgrade for some reason, + please change '=' to '>=' in your ruleset where you mean 'greater than'. + +1.15 +===== +- feature: items may now be retrieved from files using "item=file:/some/where" + more information in the postfwd manual (FILES section) +- feature: helo_address, and sender_(ns|mx)_addrs can now be csv items +- feature: new rcpt() command counts recipients for rate limits (thanks to Sahil Tandon) +- code: redirect syslog to stdout for --kill, --reload and --showconfig +- code: option --reload (HUP signal) now reloads config, if the file is unchanged +- code: configuration parser improvements: + * rules without defined action will be skipped at configuration stage + * undefined ACLs will now be detected and skipped at configuration stage + * parser timeout skips loading a rule after 4s, to prevent problems with + large files or loops. use --config_timeout to override +- bugfix: documentation fixed (missing "action=" in ask() examples) + +1.14 +===== +- feature: new compare operators * + ==================================================================== + ITEM == VALUE true if ITEM equals VALUE + ITEM => VALUE true if ITEM >= VALUE + ITEM =< VALUE true if ITEM <= VALUE + ITEM =~ VALUE true if ITEM ~= /^VALUE$/i + *ITEM != VALUE false if ITEM equals VALUE + *ITEM !> VALUE false if ITEM >= VALUE + *ITEM !< VALUE false if ITEM <= VALUE + *ITEM !~ VALUE false if ITEM ~= /^VALUE$/i + ITEM = VALUE default behaviour (see ITEMS section) + ==================================================================== +- feature: added --nodaemon option +- code: non dns items first: if a rule contains dns and non dns items, the + lookups will only be done if all non dns items matched +- bugfix: empty pcre with empty sender_(ns|mx)_names was parsed incorrectly. + this bug affects postfwd versions 1.12 - 1.13 +- bugfix: negated pcre items with '~=' operator were parsed incorrectly. + this bug affects postfwd version 1.13 + +1.13 +===== +- feature: enabled dns cache for sender(ns|mx) and helo address +- feature: new options --dns_max_ns_lookups and --dns_max_mx_lookups +- bugfix: workaround: Net::Server died if a unix domain socket + filename without a dot ('.') was used (B. Frauendienst) + +1.12 +===== +- feature: new items sender_ns_names and sender_ns_addrs +- feature: new items sender_mx_names and sender_mx_addrs +- feature: new item helo_address, please see docs for more +- feature: added --proto switch, to enable the use of unix domain sockets + (thanks to Bernhard Frauendienst) +- feature: added command-line options --kill and --reload + (of course you can still use TERM and HUP signals) +- feature: dnsbl txt lookups only for dnsbls with at least one a record. + use --dns_async_txt for the old behaviour (see docs for more). +- code: small performance improvement (5-10%) for pcre (~= or =~) items +- bugfix: network 0.0.0.0/0 did not work as expected on all platforms +- bugfix: postfwd tried to chop() an uninitialized value when sending + garbage (non policy delegation protocol requests) to it. + +1.11 +===== +- feature: the ask() action allows to delegate the policy decision to another + policy service (like postgrey). a new parameter allows to specify + answer patterns which should be ignored by postfwd. please look + at the 'ACTIONS' section in the manual (postfwd2 -m) for details. +- feature: new options --noidlestats and --norulelog +- feature: more informative --version +- feature: documentation updates + + +************************************************************************************************** +ATTENTION: requirements changed - postfwd since v1.10pre8 now uses Net::DNS. + Net::DNS::Async and Net::CIDR::Lite are not required anymore. +NOTE: please see the docs ('postfwd -m' or 'perldoc postfwd') for more information +************************************************************************************************** + +1.10pre8b +========== +- bugfix: fixed two warnings about logging of undefined values in verbose mode + +1.10pre8a +========== +- bugfix: item plugins have been made available as cache-id items. this fixes a minor issue with + --cache-rdomain-only and version 1.10pre8 + +1.10pre8 +========= +- code: Net::DNS::Async is no longer used. The parameters --dns_queuesize and + --dns_retries are still valid but have no function. The option --dns_timeout + now defaults to 14s and applies to all rules containing dns items. +- code: Net::CIDR::Lite is not required any longer. +- feature: the new variable $$request_hits contains a list of all matching ruleids +- feature: the new variable $$dnsbltext allows access to txt records of rbls +- feature: new options --no-rulestats and --nodnslog +- feature: ttls of the dns responses override --cache-rbl-timeout when bigger, which means + that you can set the option to 0 if you want to use the ttl of the dns answer. +- feature: new item "rhsbl_helo" allows to check helo against rhsbls +- bugfix: disabled fallback to synchronous dns on timed out rbls, default is now + to disable non responding dnsbls after 11 timeouts for 1200 seconds. + use --dns_timeout_max and --dns_timeout_interval to adjust these settings. +- bugfix: days=Wed now means exactly Wednesday. to use a range you may + still specify days=Wed- days=-Wed and days=Tue-Thu + this applies to all date and time items +- code: --shortlog is now default behaviour (use -v to see more) +- code: changed Net::Server behaviour to ignore syslog errors + + +1.10pre7c +========== +- note: 1.10pre7c does not contain any code-changes to the postfwd daemon. + this release only fixes some issues when buidling packages. +- bugfix: set permissions of manpage dirs to 755 +- bugfix: manpage has gone to section 8 +- bugfix: postfwd-rblcheck.pl has gone to the tools folder +- bugfix: documentation now refers to request.sample + +1.10pre7b +========== +- bugfix: inter-section links in documentation did not work correctly + (thanks to Alexander 'Leo' Bergolth) + +1.10pre7a +========== +- bugfix: implemented workaround for possible crash of Sys::Syslog when syslog + daemon is unavailable (thanks to Henrik Krohns) +- bugfix: changed syslog socktype on solaris + +1.10pre7 +========= +- feature: $$request_score may now be used to access a request's score +- feature: auto-deactivation of non-responding dnsbls; please see the + new --cleanup-timeouts and --dns_timeout_max options +- feature: the set command allows some basic operations: + ========================================================= + action=set(ITEM+=VALUE) adds VALUE to ITEM + action=set(ITEM-=VALUE) substracts VALUE from ITEM + action=set(ITEM*=VALUE) multiplies ITEM by VALUE + action=set(ITEM/=VALUE) divides ITEM through VALUE + action=set(ITEM.=VALUE) concatenates ITEM and VALUE + action=set(ITEM==VALUE) sets ITEM to VALUE + action=set(ITEM=VALUE) default: sets ITEM to VALUE + ========================================================= +- bugfix: fixed wrong timestamp for timed out rbls +- code: score() command now allows integer values +- code: setting an empty score removes it from the table +- code: duplicate lookups within the same rule are now recognised + +1.10pre6 +========= +- feature: the new rate() and size() commands offer some basic rate limit controls +- feature: new cleanup options: --cleanup-rates +- feature: regexps may now be included in // characters +- feature: an empty sender address is now replaced by <> +- bugfix: some csv-separated itemlists did not work correctly since v1.10pre1 +- bugfix: fixed a possible race condition with request cache when config was reloaded via HUP signal + +1.10pre5a +========= +- bugfix: fixed a possible race condition in rbl_read_dns() function + +1.10pre5 +======== +- feature: new dnsbl lookup types: rhsbl_client, rhsbl_sender, rhsbl_reverse_client +- feature: new caching option --cacheid allows to increase performance and cache efficiency +- code: cleanups will only be logged if '-v' was set or if the process took at least 1 second + +1.10pre4 +======== +- feature: new date items 'days=Sun-Sat' and 'months=Jan-Dec' +- feature: all date/time items may now be csv-separated lists +- feature: the set command can now have multiple, csv-separated arguments +- feature: enhanced use of rblcount and rhsblcount (see doc) +- feature: new caching options --cache-no-sender,--cache-rbl-timeout and --cache-rbl-default +- feature: new cleanup options: --cleanup-requests and --cleanup-rbls +- code: cache cleanups are now performed on interval basis (not per request) + which should decrease load on busy systems. +- code: warning on multiple definitions of id, action, rblcount and rhsblcount is issued +- bugfix: date items may now contain whitespaces (e.g. days = Fri - Sat) + +1.10pre3 +======== +- feature: all hits for a rule are now logged in the final message +- feature: option --shortlog disables logging for some postfwd actions +- feature: introduced set() command, which enables setting of variables, which then can be + compared to the ruleset to gain performance on repeated item lists (see doc). +- feature: introduced new command-line switches --dns_queuesize, --dns_retries and dns_retries + to influence the behaviour of DNS lookups +- code: restructured code (~+15% speed compared to v1.03, with nodns ruleset) + +1.10pre2 +======== +- feature: DNS lookups are now parallelized per rule. this increases the performance of dnsbl + items (and any other future dns based check) significantly. implementation (per rule): + 1.) send dns queries, 2.) process other non-dns items, 3.) evaluate dns results + As a downside of this approach the parser does not wait for dns queries anymore, which + could result in increased load. you might use the sleep() command to get some delay ;-) + +1.10pre1 +======== +- feature: the way how request items are compared to the ruleset can now be influenced. + =============================================================== + ITEM==VALUE true if ITEM equals VALUE + ITEM>=VALUE true if ITEM >= VALUE + ITEM<=VALUE true if ITEM <= VALUE + ITEM~=VALUE true if ITEM ~= /^VALUE$/i + ITEM=VALUE old default behaviour + =============================================================== +- feature: the score() command now allows some basic arithmetic operations (+-*/=) + e.g. action=score(*2) will double the current score +- feature: you can now refer to request attributes in actions, which will e.g. allow the following: + id=R001; rbl=zen.spamhaus.org; \ + action=554 5.7.1 see http://www.spamhaus.org/query/bl?ip=$$client_address +- feature: introduced extra request attributes sender_localpart, sender_domain, + recipient_localpart, recipient_domain and version for use like: + id=test01; client_name ~= $$(sender_domain)$; action=score(-0.5) +- bugfix: the "=" character could not be used in items +- bugfix: negation of items (!!) did not work correctly under some circumstances +- bugfix: time was logged incorrectly during request cache cleanups in verbose mode + (thanks to Henrik Krohns) +- code: restructured some parts of the code for future enhancement options. a plugin interface + was prepared and will be included in the final version. perl's -w switch is used now. +- note: the documentation has not been fully updated yet. + +1.03 +==== +- feature: request attributes can now be compared (e.g. to compare client_name and helo_name) +- feature: rule items can now be negated (e.g. to compare if client_name does not match helo_name) +- feature: extra verbose mode '-vv' now displays much more debug information +- feature: -L switch to redirect log output to stdout +- feature: new manual section about the parser, other updates +- bugfix: caching did not work at end_of_data level because of different queue ids, corrected +- bugfix: all numeric items will now match if the request attribute exceeds the corresponding + rule item. the negation operator will lead to the opposite effect: + ============================================================================= + ITEM=VALUE TYPE + ============================================================================= + rblcount=2 matches if rbl hits >= 2 + recipient_count=10 matches if recipients >= 10 + size=12345 matches if size >= 12345 + encryption_keysize=256 matches if keysize >= 256 + encryption_keysize=!!256 matches if keysize < 256 + ============================================================================= + +1.02 +==== +- bugfix: rblcount and rhsblcount did not work correctly since V1.01, corrected + +1.01 +==== +- feature: multiple rbl, rhsbl and client_address statements in a single rule are now possible +- feature: note() command will now log (not warn!). an empty argument suppresses logging +- feature: in verbose mode you must set -vv now to see the whole request attributes +- feature: cached dnsbl results are now only logged in verbose mode +- manual: several minor updates + +1.00 +==== +- feature: multiple definitions of the same item in a single rule to build groups +- feature: rules can span multiple lines by specifying a trailing "\" character +- feature: syslog_name can now be set with -l|--logname +- bugfix: fixed bug in acl parser (no "}" character could be used in ACLs) + +0.99p +===== +- bugfix: size and rcpt_count were checked as minimum values + now they are correctly interpreted as maximum. + +0.99o +===== +- feature: date and time based rules +- feature: macros (please see doc) +- feature: slightly changed statistics output + +0.99n +===== +- first public beta version + + diff -Nru postfwd-1.20/doc/postfwd.html postfwd-1.32/doc/postfwd.html --- postfwd-1.20/doc/postfwd.html 2010-11-14 21:52:12.000000000 +0000 +++ postfwd-1.32/doc/postfwd.html 2011-12-18 12:34:41.000000000 +0000 @@ -51,54 +51,70 @@

~~postfwd [OPTIONS] [SOURCE1, SOURCE2, ...]~~

Ruleset: (at least one, multiple use is allowed): - -f, --file <file> reads rules from <file> - -r, --rule <rule> adds <rule> to config + -f, --file <file> reads rules from <file> + -r, --rule <rule> adds <rule> to config Scoring: - -s, --scores <v>=<r> returns <r> when score exceeds <v> + -s, --scores <v>=<r> returns <r> when score exceeds <v> ++ Control: + -d, --daemon run postfwd as daemon + -k, --kill stops daemon + --reload reloads configuration + --dumpstats displays usage statistics + --dumpcache displays cache contents + --delcache <item> removes an item from the request cache + --delrate <item> removes an item from the rate cache Networking: - -d, --daemon run postfwd as daemon - -i, --interface <dev> listen on interface <dev> - -p, --port <port> listen on port <port> - --proto <proto> socket type (tcp or unix) - -u, --user <name> set uid to user <name> - -g, --group <name> set gid to group <name> - --umask <mask> set umask for file permissions - -R, --chroot <path> chroot the daemon to <path> - --pidfile <path> create pidfile under <path> - -l, --logname <label> label for syslog messages - --loglen <int> truncates syslogs after <int> chars + -i, --interface <dev> listen on interface <dev> + -p, --port <port> listen on port <port> + --proto <proto> socket type (tcp or unix) + -u, --user <name> set uid to user <name> + -g, --group <name> set gid to group <name> + --umask <mask> set umask for file permissions + -R, --chroot <path> chroot the daemon to <path> + --pidfile <path> create pidfile under <path> + --facility <f> syslog facility + --socktype <s> syslog socktype + -l, --logname <label> label for syslog messages + --loglen <int> truncates syslogs after <int> chars Caching: - -c, --cache <int> sets the request-cache timeout to <int> seconds - --cache-no-size ignores size attribute for caching - --cache-no-sender ignores sender address in cache - --cache-rdomain-only ignores localpart of recipient address in cache - --cache-rbl-timeout default rbl timeout, if not specified in ruleset - --cache-rbl-default default rbl response pattern to match (regexp) - --cacheid <item>, .. list of attributes for request cache identifier - --cleanup-requests cleanup interval in seconds for request cache - --cleanup-rbls cleanup interval in seconds for rbl cache - --cleanup-rates cleanup interval in seconds for rate cache + -c, --cache <int> sets the request-cache timeout to <int> seconds + --cache-no-size ignores size attribute for caching + --cache-no-sender ignores sender address in cache + --cache-rdomain-only ignores localpart of recipient address in cache + --cache-rbl-timeout default rbl timeout, if not specified in ruleset + --cache-rbl-default default rbl response pattern to match (regexp) + --cacheid <item>, .. list of attributes for request cache identifier + --cleanup-requests cleanup interval in seconds for request cache + --cleanup-rbls cleanup interval in seconds for rbl cache + --cleanup-rates cleanup interval in seconds for rate cache Optional: - -t, --test testing, always returns "dunno" - -v, --verbose verbose logging, use twice (-vv) to increase level - -S, --summary <int> show some usage statistics every <int> seconds - --norulelog disbles rule logging - --norulestats disables per rule statistics - --noidlestats disables statistics when idle - -n, --nodns disable dns - --nodnslog disable dns logging - --dns_async_txt perform dnsbl A and TXT lookups simultaneously - --dns_timeout timeout in seconds for asynchonous dns queries - --dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated - --dns_timeout_interval interval in seconds for dns timeout maximum counter - --dns_max_ns_lookups max names to look up with sender_ns_addrs - --dns_max_mx_lookups max names to look up with sender_mx_addrs - -I, --instantcfg re-reads rulefiles for every new request - --config_timeout <i> parser timeout in seconds + -t, --test testing, always returns "dunno" + -v, --verbose verbose logging, use twice (-vv) to increase level + -S, --summary <int> show some usage statistics every <int> seconds + --norulelog disbles rule logging + --norulestats disables per rule statistics + --noidlestats disables statistics when idle + -n, --nodns disable dns + --nodnslog disable dns logging + --dns_async_txt perform dnsbl A and TXT lookups simultaneously + --dns_timeout timeout in seconds for asynchonous dns queries + --dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated + --dns_timeout_interval interval in seconds for dns timeout maximum counter + --dns_max_ns_lookups max names to look up with sender_ns_addrs + --dns_max_mx_lookups max names to look up with sender_mx_addrs + -I, --instantcfg re-reads rulefiles for every new request + --config_timeout <i> parser timeout in seconds + --keep_rates do not clear rate limit counters on reload + --save_rates <file> save and load rate limits on disk + --fast_limit_evaluation evaluate rate limits before ruleset is parsed ++ Plugins: + --plugins <file> loads postfwd plugins from file Informational (use only at command-line!): -C, --showconfig shows ruleset summary, -v for verbose @@ -107,9 +123,6 @@ -V, --version shows program version -h, --help shows usage -m, --manual shows program manual -- Plugins: - --plugins <file> loads plugins from <file> @@ -138,7 +151,7 @@ A configuration line consists of optional item=value pairs, separated by semicolons (`;`) and the appropriate desired action: - [ <item1>[=><~]=<value>; <item2>[=><~]=<value>; ... ] action=<result> + [ <item1>=<value>; <item2>=<value>; ... ] action=<result> Example: client_address=192.168.1.1 ; sender==no@bad.local ; action=REJECT @@ -167,10 +180,19 @@ appreciate. A ruleset consists of one or multiple rules, which can be loaded from files or passed as command line arguments. Please see the COMMAND LINE section below for more information on this topic. -Rules can span multiple lines by adding a trailing backslash ``\'' character: +Since postfwd version 1.30 rules spanning span multiple lines can be defined by prefixing the following +lines with one or multiple whitespace characters (or '}' for macros): - id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \ - action=REJECT please use your relay from there + id=RULE001 + client_address=192.168.1.0/24 + sender==no@bad.local + action=REJECT no access +postfwd versions prior to 1.30 require trailing ';' and '\'-characters: ++ id=RULE001; \ + client_address=192.168.1.0/24; \ + sender==no@bad.local; \ + action=REJECT no access ITEMS @@ -236,8 +258,14 @@ this enables version based checks in your rulesets (e.g. for migration). works with old versions too, because a non-existing item always returns false: - id=R01; version~=1.10; sender_domain==some.org \ + # version >= 1.10 + id=R01; version~=1\.[1-9][0-9]; sender_domain==some.org \ ; action=REJECT sorry no access ++ ratecount - only available for rate(), size() and rcpt() actions. + contains the actual limit counter: + id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits]) + id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits]) Besides these you can specify any attribute of the postfix policy delegation protocol. Feel free to combine them the way you need it (have a look at the EXAMPLES section below). Most values can be specified as regular expressions (PCRE). Please see the table below @@ -287,34 +315,33 @@ encryption_keysize=256 mask = numeric, will match if keysize >= 256 ... the current list can be found at http://www.postfix.org/SMTPD_POLICY_README.html. Please read carefully about which -attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END_OF_DATA level). +attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END-OF-MESSAGE level). Pattern matching is performed case insensitive. Multiple use of the same item is allowed and will compared as logical OR, which means that this will work as expected: - id=TRUST001; action=OK; encryption_keysize=64; \ - ccert_fingerprint=11:22:33:44:55:66:77:88:99; \ - ccert_fingerprint=22:33:44:55:66:77:88:99:00; \ - ccert_fingerprint=33:44:55:66:77:88:99:00:11; \ + id=TRUST001; action=OK; encryption_keysize=64 + ccert_fingerprint=11:22:33:44:55:66:77:88:99 + ccert_fingerprint=22:33:44:55:66:77:88:99:00 + ccert_fingerprint=33:44:55:66:77:88:99:00:11 sender=@domain\.local$ client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values: - id=SKIP01; action=dunno; \ + id=SKIP01; action=dunno client_address=192.168.1.0/24, 172.16.254.23 - id=SKIP02; action=dunno; \ - client_address= 10.10.3.32 \ - 10.216.222.0/27 + id=SKIP02; action=dunno + client_address=10.10.3.32 10.216.222.0/27 The following items currently have to be unique: id, minimum and maximum values, rblcount and rhsblcount Any item can be negated by preceeding '!!' to it, e.g.: - id=TLS001 ; hostname=!!^secure\.trust\.local$ ; action=REJECT only secure.trust.local please + id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please or using the right compare operator: - id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that? + id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please To avoid confusion with regexps or simply for better visibility you can use '!!(...)': - id=USER01 ; sasl_username=!!( (bob|alice) ) ; action=REJECT who is that? + id=USER01 ; sasl_username = !!( (bob|alice) ) ; action=REJECT who is that? Request attributes can be compared by preceeding '$$' characters, e.g.: id=R-003 ; client_name = !! $$helo_name ; action=WARN helo does not match DNS @@ -322,6 +349,29 @@ id=R-003 ; client_name = !!($$(helo_name)) ; action=WARN helo does not match DNS This is only valid for PCRE values (see list above). The comparison will be performed as case insensitive exact match. Use the '-vv' option to debug. +These special items will be reset for any new rule: ++ rblcount - contains the number of RBL answers + rhsblcount - contains the number of RHSBL answers + matches - contains the number of matched items + dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form + rbltype:rblname:<txt>; rbltype:rblname:<txt>; ... +These special items will be changed for any matching rule: ++ request_hits - contains ids of all matching rules +This means that it might be necessary to save them, if you plan to use these values in later rules: ++ # set vals + id=RBL01 ; rhsblcount=all; rblcount=all + action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext) + rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org + rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net + rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ++ # compare + id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt] + id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt] + id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt] FILES @@ -341,15 +391,15 @@ id=R001 ; ccert_fingerprint==table:/etc/postfwd/wl_ccerts ; action=DUNNO This will ignore the right-hand value. Items can be mixed: - id=R002 ; action=REJECT \ - client_name==unknown; \ + id=R002 ; action=REJECT + client_name==unknown client_name==file:/etc/postfwd/blacklisted and for non pcre (comma separated) items: - id=R003 ; action=REJECT \ + id=R003 ; action=REJECT client_address==10.1.1.1, file:/etc/postfwd/blacklisted - id=R004 ; action=REJECT \ + id=R004 ; action=REJECT rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing You can check your configuration with the --show_config option at the command line: @@ -447,16 +497,25 @@ please note that <action> is currently limited to postfix actions (no postfwd actions)! # no more than 3 requests per 5 minutes # from the same "unknown" client - id=RATE01 ; client_name==unknown ; \ - action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes) + id=RATE01 ; client_name==unknown + action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes) + Please note also that the order of rate limits in your ruleset is important, which means + that this: + # works as expected + id=R001; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded) + id=R002; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender) + leads to different results than this: + # rule R002 never gets executed + id=R001; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender) + id=R002; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded) size (<item>/<max>/<time>/<action>) this command works similar to the rate() command with the difference, that the rate counter is increased by the request's size attribute. to do this reliably you should call postfwd from smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset: # size limit 1.5mb per hour per client - id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \ - action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour) + id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1 + action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour) rcpt (<item>/<max>/<time>/<action>) this command works similar to the rate() command with the difference, that the rate counter is @@ -464,8 +523,8 @@ from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset: # recipient count limit 3 per hour per client - id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \ - action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour) + id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1 + action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour) ask (<addr>:<port>[:<ignore>]) allows to delegate the policy decision to another policy service (e.g. postgrey). the first @@ -473,17 +532,22 @@ specified to tell postfwd to ignore certain answers and go on parsing the ruleset: # example1: query postgrey and return it's answer to postfix id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031) - # example2: query postgrey but ignore it's answer, if it matches 'DUNNO' + # example2: query postgrey but ignore the answer, if it matches 'DUNNO' # and continue parsing postfwd's ruleset id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$) + mail(server/helo/from/to/subject/body) + Very basic mail command, that sends a message with the given arguments. LIMITATIONS: + This basically performs a telnet. No authentication or TLS are available. Additionally it does + not track notification state and will notify you any time, the corresponding rule hits. + wait (<delay>) pauses the program execution for <delay> seconds. use this for delaying or throtteling connections. note (<string>) just logs the given string and continues parsing the ruleset. - if the string is empty, nothing will be logged. + if the string is empty, nothing will be logged (noop). quit (<code>) terminates the program with the given exit-code. postfix doesn`t @@ -491,29 +555,6 @@ You can reference to request attributes, like id=R-HELO ; helo_name=^[^\.]+$ ; action=REJECT invalid helo '$$helo_name' -These special attributes will be reset for any new rule: -- rblcount - contains the number of RBL answers - rhsblcount - contains the number of RHSBL answers - matches - contains the number of matched items - dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form - rbltype:rblname:<txt>; rbltype:rblname:<txt>; ... -These special attributes will be changed for any matching rule: -- request_hits - contains ids of all matching rules -This means that it might be necessary to save them, if you plan to use these values in later rules: -- # set vals - id=RBL01 ; rhsblcount=all ; rblcount=all ; \ - rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \ - rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \ - rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \ - action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext) -- # compare - id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt] - id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt] - id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt] MACROS/ACLS @@ -536,18 +577,18 @@ &&GONOW ; &&RBLS ; client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] Macros can contain macros, too: - # definition (note the trailing "\" characters) - &&RBLS { \ - rbl=zen.spamhaus.org ; \ - rbl=list.dsbl.org ; \ - rbl=bl.spamcop.net ; \ - rbl=dnsbl.sorbs.net ; \ - rbl=ix.dnsbl.manitu.net ; \ + # definition + &&RBLS{ + rbl=zen.spamhaus.org + rbl=list.dsbl.org + rbl=bl.spamcop.net + rbl=dnsbl.sorbs.net + rbl=ix.dnsbl.manitu.net }; - &&DYNAMIC { \ - client_name=^unknown$ ; \ - client_name=(\d+[\.-_]){4} ; \ - client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \ + &&DYNAMIC{ + client_name=^unknown$ + client_name=(\d+[\.-_]){4} + client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] }; &&GOAWAY { &&RBLS; &&DYNAMIC; }; # rules @@ -556,7 +597,141 @@ PLUGINS -Please visit http://www.postfwd.org/postfwd.plugins +Description +The plugin interface allow you to define your own checks and enhance postfwd's +functionality. Feel free to share useful things! +Warning +Note that the plugin interface is still at devel stage. Please test your plugins +carefully, because errors may cause postfwd to break! It is also +allowed to override attributes or built-in functions, but be sure that you know +what you do because some of them are used internally. +Please keep security in mind, when you access sensible ressources and never, ever +run postfwd as privileged user! Also never trust your input (especially hostnames, +and e-mail addresses). +ITEMS +Item plugins are perl subroutines which integrate additional attributes to requests +before they are evaluated against postfwd's ruleset like any other item of the +policy delegation protocol. This allows you to create your own checks. +plugin-items can not be used selective. these functions will be executed for every +request postfwd receives, so keep performance in mind. ++ SYNOPSIS: %result = postfwd_items_plugin{<name>}(%request) +means that your subroutine, called <name>, has access to a hash called %request, +which contains all request attributes, like $request{client_name} and must +return a value in the following form: ++ save: $result{<item>} = <value> +this creates the new item <item> containing <value>, which will be integrated in +the policy delegation request and therefore may be used in postfwd's ruleset. ++ # do NOT remove the next line + %postfwd_items_plugin = ( ++ # EXAMPLES - integrated in postfwd. no need to activate them here. + + # allows to check postfwd version in ruleset + "version" => sub { + my(%request) = @_; + my(%result) = ( + "version" => $NAME." ".$VERSION, + ); + return %result; + }, + + # sender_domain and recipient_domain + "address_parts" => sub { + my(%request) = @_; + my(%result) = (); + $request{sender} =~ /@([^@]*)$/; + $result{sender_domain} = ($1 || ''); + $request{recipient} =~ /@([^@]*)$/; + $result{recipient_domain} = ($1 || ''); + return %result; + }, ++ # do NOT remove the next line + ); +COMPARE +Compare plugins allow you to define how your new items should be compared to the ruleset. +These are optional. If you don't specify one, the default (== for exact match, =~ for PCRE, ...) +will be used. ++ SYNOPSIS: <item> => sub { return &{$postfwd_compare{<type>}}(@_); }, ++ # do NOT remove the next line + %postfwd_compare_plugin = ( ++ EXAMPLES - integrated in postfwd. no need to activate them here. + + # Simple example + # SYNOPSIS: <result> = <item> (return &{$postfwd_compare{<type>}}(@_)) + "client_address" => sub { return &{$postfwd_compare{cidr}}(@_); }, + "size" => sub { return &{$postfwd_compare{numeric}}(@_); }, + "recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); }, + + # Complex example + # SYNOPSIS: <result> = <item>(<operator>, <ruleset value>, <request value>, <request>) + "numeric" => sub { + my($cmp,$val,$myitem,%request) = @_; + my($myresult) = undef; $myitem ||= "0"; $val ||= "0"; + if ($cmp eq '==') { + $myresult = ($myitem == $val); + } elsif ($cmp eq '=<') { + $myresult = ($myitem <= $val); + } elsif ($cmp eq '=>') { + $myresult = ($myitem >= $val); + } elsif ($cmp eq '!=') { + $myresult = not($myitem == $val); + } elsif ($cmp eq '!<') { + $myresult = not($myitem <= $val); + } elsif ($cmp eq '!>') { + $myresult = not($myitem >= $val); + } else { + $myresult = ($myitem >= $val); + }; + return $myresult; + }, ++ # do NOT remove the next line + ); +ACTIONS +Action plugins allow to define new postfwd actions. By setting the $stop-flag you can decide to +continue or to stop parsing the ruleset. ++ SYNOPSIS: (<stop rule parsing>, <next rule index>, <return action>, <logprefix>, <request>) = + <action> (<current rule index>, <current time>, <command name>, <argument>, <logprefix>, <request>) ++ # do NOT remove the next line + %postfwd_actions_plugin = ( ++ # EXAMPLES - integrated in postfwd. no need to activate them here. + + # note(<logstring>) command + "note" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg; + return ($stop,$index,$myaction,$myline,%request); + }, + + # skips next <myarg> rules + "skip" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + $index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) ); + return ($stop,$index,$myaction,$myline,%request); + }, + + # dumps current request contents to syslog + "dumprequest" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request); + return ($stop,$index,$myaction,$myline,%request); + }, ++ # do NOT remove the next line + ); COMMAND LINE @@ -571,30 +746,52 @@ -r, --rule <rule> Adds <rule> to ruleset. Remember that you might have to quote strings that contain whitespaces or shell characters. -Plugins -- --plugins - A file containing plugin routines for postfwd. Please see the - PLUGINS section for more information. Scoring -s, --scores <val>=<action> Returns <action> to postfix, when the request's score exceeds <val> Multiple usage is allowed. Just chain your arguments, like: - postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> --plugins <file> ... + postfwd -r "<item>=<value>;action=<result>" -f <file> -f <file> ... or postfwd --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd score too high" ... In case of multiple scores, the highest match will count. The order of the arguments will be reflected in the postfwd ruleset. -Networking -postfwd can be run as daemon so that it listens on the network for incoming requests. -The following arguments will control it's behaviour in this case. +Control -d, --daemon postfwd will run as daemon and listen on the network for incoming queries (default 127.0.0.1:10040). + -k, --kill + Stops a running postfwd daemon. ++ --reload + Reloads configuration. ++ --dumpstats + Displays program usage statistics. ++ --dumpcache + Displays cache contents. ++ --delcache <item> + Removes an item from the request cache. Use --dumpcache to identify objects. + E.g.: + # postfwd --dumpcache + ... + %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1' + %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2' + ... + # postfwd --delrate="sender=gmato@jqvo.org" + rate cache item 'sender=gmato@jqvo.org' removed ++ --delrate <item> + Removes an item from the rate cache. Use --dumpcache to identify objects. +Networking +postfwd can be run as daemon so that it listens on the network for incoming requests. +The following arguments will control it's behaviour in this case. + -i, --interface <dev> Bind postfwd to the specified interface (default 127.0.0.1). @@ -624,12 +821,24 @@ --pidfile <path> The process id will be saved in the specified file. + --facility <f> + sets the syslog facility, default is 'mail' ++ --socktype <s> + sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'. + Default is to auto-detect this depening on module version and os. + -l, --logname <label> Labels the syslog messages. Useful when running multiple instances of postfwd. --loglen <int> Truncates any syslog message after <int> characters. +Plugins ++ --plugins <file> + Loads postfwd plugins from file. Please see http://postfwd.org/postfwd.plugins + or the plugins.postfwd.sample that is available from the tarball for more info. Optional arguments These parameters influence the way postfwd is working. Any of them can be combined. @@ -754,7 +963,23 @@ --config_timeout (default=3) timeout in seconds to parse a single configuration line. if exceeded, the rule will - be skipped. this is used to prevent problems due to large files or loops. + be skipped. this is used to prevent problems due to large files or loops. + + --keep_rates (default=0) + With this option set postfwd does not clear the rate limit counters on reload. Please + note that you have to restart (not reload) postfwd with this option if you change + any rate limit rules. ++ --save_rates (default=none) + With this option postfwd saves existing rate limit counters to disk and reloads them + on program start. This allows persistent rate limits across program restarts or reboots. + Please note that postfwd needs read and write access to the specified file. ++ --fast_limit_evaluation (default=0) + Once a ratelimit was set by the ruleset, future requests will be evaluated against it + before consulting the ruleset. This mode was the default behaviour until v1.30. + With this mode rate limits will be faster, but also eventually set up + whitelisting-rules within the ruleset might not work as expected. Informational arguments These arguments are for command line usage only. Never ever use them with postfix spawn! @@ -812,18 +1037,25 @@ # 1. 30MB for systems in *.customer1.tld # 2. 20MB for SASL user joejob # 3. 10MB default - id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$ - id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob - id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000 - id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large + id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$ + id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob + id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000 + id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large ## Selective Greylisting + ## + ## Note that postfwd does not include greylisting. This setup requires a running postgrey service + ## at port 10031 and the following postfix restriction class in your main.cf: + ## + ## smtpd_restriction_classes = check_postgrey, ... + ## check_postgrey = check_policy_service inet:127.0.0.1:10031 + # # 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s # 2. Client has no rDNS # 3. Client comes from several dialin domains - id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 - id=GR002; action=greylisting ; client_name=^unknown$ - id=GR003; action=greylisting ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$ + id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 + id=GR002; action=check_postgrey ; client_name=^unknown$ + id=GR003; action=check_postgrey ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$ ## Date Time date=24.12.2007-26.12.2007 ; action=450 4.7.1 office closed during christmas @@ -831,7 +1063,7 @@ time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim months=-Apr ; action=450 4.7.1 see you in may - days=!!Mon-Fri ; action=greylist + days=!!Mon-Fri ; action=check_postgrey ## Usage of jump # The following allows a message size of 30MB for different @@ -841,8 +1073,8 @@ id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:... id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:... id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:... - id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 - id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000 + id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 + id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000 ## Usage of score # The following rejects a mail, if the client @@ -850,7 +1082,7 @@ # - is listed in 1 RBL or 1 RHSBL and has no correct rDNS # - other clients without correct rDNS will be greylist-checked # - some whitelists are used to lower the score - id=S01 ; score=2.6 ; action=greylisting + id=S01 ; score=2.6 ; action=check_postgrey id=S02 ; score=5.0 ; action=REJECT postfwd score too high id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net @@ -863,10 +1095,10 @@ # The following temporary rejects requests from "unknown" clients, if they # 1. exceeded 30 requests per hour or # 2. tried to send more than 1.5mb within 10 minutes - id=RATE01 ; client_name==unknown ; state==RCPT ; \ - action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) - id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \ - action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes) + id=RATE01 ; client_name==unknown ; protocol_state==RCPT + action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) + id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE + action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes) ## Macros # definition @@ -879,34 +1111,34 @@ ## Groups # definition - &&RBLS { \ - rbl=zen.spamhaus.org ; \ - rbl=list.dsbl.org ; \ - rbl=bl.spamcop.net ; \ - rbl=dnsbl.sorbs.net ; \ - rbl=ix.dnsbl.manitu.net ; \ + &&RBLS{ + rbl=zen.spamhaus.org + rbl=list.dsbl.org + rbl=bl.spamcop.net + rbl=dnsbl.sorbs.net + rbl=ix.dnsbl.manitu.net }; - &&RHSBLS { \ + &&RHSBLS{ ... }; - &&DYNAMIC { \ - client_name==unknown ; \ - client_name~=(\d+[\.-_]){4} ; \ - client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \ + &&DYNAMIC{ + client_name==unknown + client_name~=(\d+[\.-_]){4} + client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ... }; - &&BAD_HELO { \ - helo_name==my.name.tld; \ - helo_name~=^([^\.]+)$; \ - helo_name~=\.(local|lan)$; \ + &&BAD_HELO{ + helo_name==my.name.tld + helo_name~=^([^\.]+)$ + helo_name~=\.(local|lan)$ ... }; - &&MAINTENANCE { \ - date=15.01.2007 ; \ - date=15.04.2007 ; \ - date=15.07.2007 ; \ - date=15.10.2007 ; \ - time=03:00:00 - 04:00:00 ; \ + &&MAINTENANCE{ + date=15.01.2007 + date=15.04.2007 + date=15.07.2007 + date=15.10.2007 + time=03:00:00 - 04:00:00 }; # rules id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL @@ -923,7 +1155,7 @@ ## combined with enhanced rbl features # - id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \ + id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext) id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt] diff -Nru postfwd-1.20/doc/postfwd.txt postfwd-1.32/doc/postfwd.txt --- postfwd-1.20/doc/postfwd.txt 2010-11-14 21:51:23.000000000 +0000 +++ postfwd-1.32/doc/postfwd.txt 2011-12-18 12:34:41.000000000 +0000 @@ -5,54 +5,70 @@ postfwd [OPTIONS] [SOURCE1, SOURCE2, ...] Ruleset: (at least one, multiple use is allowed): - -f, --file reads rules from - -r, --rule adds to config + -f, --file reads rules from + -r, --rule adds to config Scoring: - -s, --scores = returns when score exceeds + -s, --scores = returns when score exceeds + + Control: + -d, --daemon run postfwd as daemon + -k, --kill stops daemon + --reload reloads configuration + --dumpstats displays usage statistics + --dumpcache displays cache contents + --delcache removes an item from the request cache + --delrate removes an item from the rate cache Networking: - -d, --daemon run postfwd as daemon - -i, --interface listen on interface - -p, --port listen on port - --proto socket type (tcp or unix) - -u, --user set uid to user - -g, --group set gid to group - --umask set umask for file permissions - -R, --chroot chroot the daemon to - --pidfile create pidfile under - -l, --logname label for syslog messages - --loglen truncates syslogs after chars + -i, --interface listen on interface + -p, --port listen on port + --proto socket type (tcp or unix) + -u, --user set uid to user + -g, --group set gid to group + --umask set umask for file permissions + -R, --chroot chroot the daemon to + --pidfile create pidfile under + --facility syslog facility + --socktype syslog socktype + -l, --logname label for syslog messages + --loglen truncates syslogs after chars Caching: - -c, --cache sets the request-cache timeout to seconds - --cache-no-size ignores size attribute for caching - --cache-no-sender ignores sender address in cache - --cache-rdomain-only ignores localpart of recipient address in cache - --cache-rbl-timeout default rbl timeout, if not specified in ruleset - --cache-rbl-default default rbl response pattern to match (regexp) - --cacheid , .. list of attributes for request cache identifier - --cleanup-requests cleanup interval in seconds for request cache - --cleanup-rbls cleanup interval in seconds for rbl cache - --cleanup-rates cleanup interval in seconds for rate cache + -c, --cache sets the request-cache timeout to seconds + --cache-no-size ignores size attribute for caching + --cache-no-sender ignores sender address in cache + --cache-rdomain-only ignores localpart of recipient address in cache + --cache-rbl-timeout default rbl timeout, if not specified in ruleset + --cache-rbl-default default rbl response pattern to match (regexp) + --cacheid , .. list of attributes for request cache identifier + --cleanup-requests cleanup interval in seconds for request cache + --cleanup-rbls cleanup interval in seconds for rbl cache + --cleanup-rates cleanup interval in seconds for rate cache Optional: - -t, --test testing, always returns "dunno" - -v, --verbose verbose logging, use twice (-vv) to increase level - -S, --summary show some usage statistics every seconds - --norulelog disbles rule logging - --norulestats disables per rule statistics - --noidlestats disables statistics when idle - -n, --nodns disable dns - --nodnslog disable dns logging - --dns_async_txt perform dnsbl A and TXT lookups simultaneously - --dns_timeout timeout in seconds for asynchonous dns queries - --dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated - --dns_timeout_interval interval in seconds for dns timeout maximum counter - --dns_max_ns_lookups max names to look up with sender_ns_addrs - --dns_max_mx_lookups max names to look up with sender_mx_addrs - -I, --instantcfg re-reads rulefiles for every new request - --config_timeout parser timeout in seconds + -t, --test testing, always returns "dunno" + -v, --verbose verbose logging, use twice (-vv) to increase level + -S, --summary show some usage statistics every seconds + --norulelog disbles rule logging + --norulestats disables per rule statistics + --noidlestats disables statistics when idle + -n, --nodns disable dns + --nodnslog disable dns logging + --dns_async_txt perform dnsbl A and TXT lookups simultaneously + --dns_timeout timeout in seconds for asynchonous dns queries + --dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated + --dns_timeout_interval interval in seconds for dns timeout maximum counter + --dns_max_ns_lookups max names to look up with sender_ns_addrs + --dns_max_mx_lookups max names to look up with sender_mx_addrs + -I, --instantcfg re-reads rulefiles for every new request + --config_timeout parser timeout in seconds + --keep_rates do not clear rate limit counters on reload + --save_rates save and load rate limits on disk + --fast_limit_evaluation evaluate rate limits before ruleset is parsed + + Plugins: + --plugins loads postfwd plugins from file Informational (use only at command-line!): -C, --showconfig shows ruleset summary, -v for verbose @@ -62,9 +78,6 @@ -h, --help shows usage -m, --manual shows program manual - Plugins: - --plugins loads plugins from - DESCRIPTION INTRODUCTION postfwd is written to combine complex postfix restrictions in a ruleset @@ -101,7 +114,7 @@ A configuration line consists of optional item=value pairs, separated by semicolons (`;`) and the appropriate desired action: - [ [=><~]=; [=><~]=; ... ] action= + [ =; =; ... ] action= *Example:* @@ -142,11 +155,21 @@ files or passed as command line arguments. Please see the COMMAND LINE section below for more information on this topic. - Rules can span multiple lines by adding a trailing backslash "\" - character: - - id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \ - action=REJECT please use your relay from there + Since postfwd version 1.30 rules spanning span multiple lines can be + defined by prefixing the following lines with one or multiple whitespace + characters (or '}' for macros): + + id=RULE001 + client_address=192.168.1.0/24 + sender==no@bad.local + action=REJECT no access + + postfwd versions prior to 1.30 require trailing ';' and '\'-characters: + + id=RULE001; \ + client_address=192.168.1.0/24; \ + sender==no@bad.local; \ + action=REJECT no access ITEMS id - a unique rule id, which can be used for log analysis @@ -210,9 +233,15 @@ this enables version based checks in your rulesets (e.g. for migration). works with old versions too, because a non-existing item always returns false: - id=R01; version~=1.10; sender_domain==some.org \ + # version >= 1.10 + id=R01; version~=1\.[1-9][0-9]; sender_domain==some.org \ ; action=REJECT sorry no access + ratecount - only available for rate(), size() and rcpt() actions. + contains the actual limit counter: + id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits]) + id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits]) + Besides these you can specify any attribute of the postfix policy delegation protocol. Feel free to combine them the way you need it (have a look at the EXAMPLES section below). @@ -267,26 +296,25 @@ the current list can be found at . Please read carefully about which attribute can be used at which level of the smtp transaction - (e.g. size will only work reliably at END_OF_DATA level). Pattern + (e.g. size will only work reliably at END-OF-MESSAGE level). Pattern matching is performed case insensitive. Multiple use of the same item is allowed and will compared as logical OR, which means that this will work as expected: - id=TRUST001; action=OK; encryption_keysize=64; \ - ccert_fingerprint=11:22:33:44:55:66:77:88:99; \ - ccert_fingerprint=22:33:44:55:66:77:88:99:00; \ - ccert_fingerprint=33:44:55:66:77:88:99:00:11; \ + id=TRUST001; action=OK; encryption_keysize=64 + ccert_fingerprint=11:22:33:44:55:66:77:88:99 + ccert_fingerprint=22:33:44:55:66:77:88:99:00 + ccert_fingerprint=33:44:55:66:77:88:99:00:11 sender=@domain\.local$ client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values: - id=SKIP01; action=dunno; \ + id=SKIP01; action=dunno client_address=192.168.1.0/24, 172.16.254.23 - id=SKIP02; action=dunno; \ - client_address= 10.10.3.32 \ - 10.216.222.0/27 + id=SKIP02; action=dunno + client_address=10.10.3.32 10.216.222.0/27 The following items currently have to be unique: @@ -294,16 +322,16 @@ Any item can be negated by preceeding '!!' to it, e.g.: - id=TLS001 ; hostname=!!^secure\.trust\.local$ ; action=REJECT only secure.trust.local please + id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please or using the right compare operator: - id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that? + id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please To avoid confusion with regexps or simply for better visibility you can use '!!(...)': - id=USER01 ; sasl_username=!!( (bob|alice) ) ; action=REJECT who is that? + id=USER01 ; sasl_username = !!( (bob|alice) ) ; action=REJECT who is that? Request attributes can be compared by preceeding '$$' characters, e.g.: @@ -315,6 +343,33 @@ be performed as case insensitive exact match. Use the '-vv' option to debug. + These special items will be reset for any new rule: + + rblcount - contains the number of RBL answers + rhsblcount - contains the number of RHSBL answers + matches - contains the number of matched items + dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form + rbltype:rblname:; rbltype:rblname:; ... + + These special items will be changed for any matching rule: + + request_hits - contains ids of all matching rules + + This means that it might be necessary to save them, if you plan to use + these values in later rules: + + # set vals + id=RBL01 ; rhsblcount=all; rblcount=all + action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext) + rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org + rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net + rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net + + # compare + id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt] + id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt] + id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt] + FILES Since postfwd1 v1.15 and postfwd2 v0.18 long item lists can be stored in separate files: @@ -337,16 +392,16 @@ This will ignore the right-hand value. Items can be mixed: - id=R002 ; action=REJECT \ - client_name==unknown; \ + id=R002 ; action=REJECT + client_name==unknown client_name==file:/etc/postfwd/blacklisted and for non pcre (comma separated) items: - id=R003 ; action=REJECT \ + id=R003 ; action=REJECT client_address==10.1.1.1, file:/etc/postfwd/blacklisted - id=R004 ; action=REJECT \ + id=R004 ; action=REJECT rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing You can check your configuration with the --show_config option at the @@ -468,16 +523,25 @@ please note that is currently limited to postfix actions (no postfwd actions)! # no more than 3 requests per 5 minutes # from the same "unknown" client - id=RATE01 ; client_name==unknown ; \ - action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes) + id=RATE01 ; client_name==unknown + action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes) + Please note also that the order of rate limits in your ruleset is important, which means + that this: + # works as expected + id=R001; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded) + id=R002; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender) + leads to different results than this: + # rule R002 never gets executed + id=R001; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender) + id=R002; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded) size (///) this command works similar to the rate() command with the difference, that the rate counter is increased by the request's size attribute. to do this reliably you should call postfwd from smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset: # size limit 1.5mb per hour per client - id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \ - action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour) + id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1 + action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour) rcpt (///) this command works similar to the rate() command with the difference, that the rate counter is @@ -485,8 +549,8 @@ from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset: # recipient count limit 3 per hour per client - id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \ - action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour) + id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1 + action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour) ask (:[:]) allows to delegate the policy decision to another policy service (e.g. postgrey). the first @@ -494,17 +558,22 @@ specified to tell postfwd to ignore certain answers and go on parsing the ruleset: # example1: query postgrey and return it's answer to postfix id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031) - # example2: query postgrey but ignore it's answer, if it matches 'DUNNO' + # example2: query postgrey but ignore the answer, if it matches 'DUNNO' # and continue parsing postfwd's ruleset id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$) + mail(server/helo/from/to/subject/body) + Very basic mail command, that sends a message with the given arguments. LIMITATIONS: + This basically performs a telnet. No authentication or TLS are available. Additionally it does + not track notification state and will notify you any time, the corresponding rule hits. + wait () pauses the program execution for seconds. use this for delaying or throtteling connections. note () just logs the given string and continues parsing the ruleset. - if the string is empty, nothing will be logged. + if the string is empty, nothing will be logged (noop). quit () terminates the program with the given exit-code. postfix doesn`t @@ -514,33 +583,6 @@ id=R-HELO ; helo_name=^[^\.]+$ ; action=REJECT invalid helo '$$helo_name' - These special attributes will be reset for any new rule: - - rblcount - contains the number of RBL answers - rhsblcount - contains the number of RHSBL answers - matches - contains the number of matched items - dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form - rbltype:rblname:; rbltype:rblname:; ... - - These special attributes will be changed for any matching rule: - - request_hits - contains ids of all matching rules - - This means that it might be necessary to save them, if you plan to use - these values in later rules: - - # set vals - id=RBL01 ; rhsblcount=all ; rblcount=all ; \ - rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \ - rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \ - rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \ - action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext) - - # compare - id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt] - id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt] - id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt] - MACROS/ACLS Multiple use of long items or combinations of them may be abbreviated by macros. Those must be prefixed by '&&' (two '&' characters). First the @@ -565,18 +607,18 @@ Macros can contain macros, too: - # definition (note the trailing "\" characters) - &&RBLS { \ - rbl=zen.spamhaus.org ; \ - rbl=list.dsbl.org ; \ - rbl=bl.spamcop.net ; \ - rbl=dnsbl.sorbs.net ; \ - rbl=ix.dnsbl.manitu.net ; \ + # definition + &&RBLS{ + rbl=zen.spamhaus.org + rbl=list.dsbl.org + rbl=bl.spamcop.net + rbl=dnsbl.sorbs.net + rbl=ix.dnsbl.manitu.net }; - &&DYNAMIC { \ - client_name=^unknown$ ; \ - client_name=(\d+[\.-_]){4} ; \ - client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \ + &&DYNAMIC{ + client_name=^unknown$ + client_name=(\d+[\.-_]){4} + client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] }; &&GOAWAY { &&RBLS; &&DYNAMIC; }; # rules @@ -586,7 +628,156 @@ section for more information. PLUGINS - Please visit + Description + + The plugin interface allow you to define your own checks and enhance + postfwd's functionality. Feel free to share useful things! + + Warning + + Note that the plugin interface is still at devel stage. Please test your + plugins carefully, because errors may cause postfwd to break! It is also + allowed to override attributes or built-in functions, but be sure that + you know what you do because some of them are used internally. + + Please keep security in mind, when you access sensible ressources and + never, ever run postfwd as privileged user! Also never trust your input + (especially hostnames, and e-mail addresses). + + ITEMS + + Item plugins are perl subroutines which integrate additional attributes + to requests before they are evaluated against postfwd's ruleset like any + other item of the policy delegation protocol. This allows you to create + your own checks. + + plugin-items can not be used selective. these functions will be executed + for every request postfwd receives, so keep performance in mind. + + SYNOPSIS: %result = postfwd_items_plugin{}(%request) + + means that your subroutine, called , has access to a hash called + %request, which contains all request attributes, like + $request{client_name} and must return a value in the following form: + + save: $result{} = + + this creates the new item containing , which will be + integrated in the policy delegation request and therefore may be used in + postfwd's ruleset. + + # do NOT remove the next line + %postfwd_items_plugin = ( + + # EXAMPLES - integrated in postfwd. no need to activate them here. + + # allows to check postfwd version in ruleset + "version" => sub { + my(%request) = @_; + my(%result) = ( + "version" => $NAME." ".$VERSION, + ); + return %result; + }, + + # sender_domain and recipient_domain + "address_parts" => sub { + my(%request) = @_; + my(%result) = (); + $request{sender} =~ /@([^@]*)$/; + $result{sender_domain} = ($1 || ''); + $request{recipient} =~ /@([^@]*)$/; + $result{recipient_domain} = ($1 || ''); + return %result; + }, + + # do NOT remove the next line + ); + + COMPARE + + Compare plugins allow you to define how your new items should be + compared to the ruleset. These are optional. If you don't specify one, + the default (== for exact match, =~ for PCRE, ...) will be used. + + SYNOPSIS: => sub { return &{$postfwd_compare{}}(@_); }, + + # do NOT remove the next line + %postfwd_compare_plugin = ( + + EXAMPLES - integrated in postfwd. no need to activate them here. + + # Simple example + # SYNOPSIS: = (return &{$postfwd_compare{}}(@_)) + "client_address" => sub { return &{$postfwd_compare{cidr}}(@_); }, + "size" => sub { return &{$postfwd_compare{numeric}}(@_); }, + "recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); }, + + # Complex example + # SYNOPSIS: = (, , , ) + "numeric" => sub { + my($cmp,$val,$myitem,%request) = @_; + my($myresult) = undef; $myitem ||= "0"; $val ||= "0"; + if ($cmp eq '==') { + $myresult = ($myitem == $val); + } elsif ($cmp eq '=<') { + $myresult = ($myitem <= $val); + } elsif ($cmp eq '=>') { + $myresult = ($myitem >= $val); + } elsif ($cmp eq '!=') { + $myresult = not($myitem == $val); + } elsif ($cmp eq '!<') { + $myresult = not($myitem <= $val); + } elsif ($cmp eq '!>') { + $myresult = not($myitem >= $val); + } else { + $myresult = ($myitem >= $val); + }; + return $myresult; + }, + + # do NOT remove the next line + ); + + ACTIONS + + Action plugins allow to define new postfwd actions. By setting the + $stop-flag you can decide to continue or to stop parsing the ruleset. + + SYNOPSIS: (, , , , ) = + (, , , , , ) + + # do NOT remove the next line + %postfwd_actions_plugin = ( + + # EXAMPLES - integrated in postfwd. no need to activate them here. + + # note() command + "note" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg; + return ($stop,$index,$myaction,$myline,%request); + }, + + # skips next rules + "skip" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + $index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) ); + return ($stop,$index,$myaction,$myline,%request); + }, + + # dumps current request contents to syslog + "dumprequest" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request); + return ($stop,$index,$myaction,$myline,%request); + }, + + # do NOT remove the next line + ); COMMAND LINE *Ruleset* @@ -603,12 +794,6 @@ Adds to ruleset. Remember that you might have to quote strings that contain whitespaces or shell characters. - *Plugins* - - --plugins - A file containing plugin routines for postfwd. Please see the - PLUGINS section for more information. - *Scoring* -s, --scores = @@ -616,23 +801,51 @@ Multiple usage is allowed. Just chain your arguments, like: - postfwd -r "=;action=" -f -f --plugins ... + postfwd -r "=;action=" -f -f ... or postfwd --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd score too high" ... In case of multiple scores, the highest match will count. The order of the arguments will be reflected in the postfwd ruleset. + *Control* + + -d, --daemon + postfwd will run as daemon and listen on the network for incoming + queries (default 127.0.0.1:10040). + + -k, --kill + Stops a running postfwd daemon. + + --reload + Reloads configuration. + + --dumpstats + Displays program usage statistics. + + --dumpcache + Displays cache contents. + + --delcache + Removes an item from the request cache. Use --dumpcache to identify objects. + E.g.: + # postfwd --dumpcache + ... + %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1' + %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2' + ... + # postfwd --delrate="sender=gmato@jqvo.org" + rate cache item 'sender=gmato@jqvo.org' removed + + --delrate + Removes an item from the rate cache. Use --dumpcache to identify objects. + *Networking* postfwd can be run as daemon so that it listens on the network for incoming requests. The following arguments will control it's behaviour in this case. - -d, --daemon - postfwd will run as daemon and listen on the network for incoming - queries (default 127.0.0.1:10040). - -i, --interface Bind postfwd to the specified interface (default 127.0.0.1). @@ -662,6 +875,13 @@ --pidfile The process id will be saved in the specified file. + --facility + sets the syslog facility, default is 'mail' + + --socktype + sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'. + Default is to auto-detect this depening on module version and os. + -l, --logname Labels the syslog messages. Useful when running multiple instances of postfwd. @@ -669,6 +889,12 @@ --loglen Truncates any syslog message after characters. + *Plugins* + + --plugins + Loads postfwd plugins from file. Please see http://postfwd.org/postfwd.plugins + or the plugins.postfwd.sample that is available from the tarball for more info. + *Optional arguments* These parameters influence the way postfwd is working. Any of them can @@ -797,6 +1023,22 @@ timeout in seconds to parse a single configuration line. if exceeded, the rule will be skipped. this is used to prevent problems due to large files or loops. + --keep_rates (default=0) + With this option set postfwd does not clear the rate limit counters on reload. Please + note that you have to restart (not reload) postfwd with this option if you change + any rate limit rules. + + --save_rates (default=none) + With this option postfwd saves existing rate limit counters to disk and reloads them + on program start. This allows persistent rate limits across program restarts or reboots. + Please note that postfwd needs read and write access to the specified file. + + --fast_limit_evaluation (default=0) + Once a ratelimit was set by the ruleset, future requests will be evaluated against it + before consulting the ruleset. This mode was the default behaviour until v1.30. + With this mode rate limits will be faster, but also eventually set up + whitelisting-rules within the ruleset might not work as expected. + *Informational arguments* These arguments are for command line usage only. Never ever use them @@ -854,18 +1096,25 @@ # 1. 30MB for systems in *.customer1.tld # 2. 20MB for SASL user joejob # 3. 10MB default - id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$ - id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob - id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000 - id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large + id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$ + id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob + id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000 + id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large ## Selective Greylisting + ## + ## Note that postfwd does not include greylisting. This setup requires a running postgrey service + ## at port 10031 and the following postfix restriction class in your main.cf: + ## + ## smtpd_restriction_classes = check_postgrey, ... + ## check_postgrey = check_policy_service inet:127.0.0.1:10031 + # # 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s # 2. Client has no rDNS # 3. Client comes from several dialin domains - id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 - id=GR002; action=greylisting ; client_name=^unknown$ - id=GR003; action=greylisting ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$ + id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 + id=GR002; action=check_postgrey ; client_name=^unknown$ + id=GR003; action=check_postgrey ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$ ## Date Time date=24.12.2007-26.12.2007 ; action=450 4.7.1 office closed during christmas @@ -873,7 +1122,7 @@ time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim months=-Apr ; action=450 4.7.1 see you in may - days=!!Mon-Fri ; action=greylist + days=!!Mon-Fri ; action=check_postgrey ## Usage of jump # The following allows a message size of 30MB for different @@ -883,8 +1132,8 @@ id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:... id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:... id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:... - id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 - id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000 + id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 + id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000 ## Usage of score # The following rejects a mail, if the client @@ -892,7 +1141,7 @@ # - is listed in 1 RBL or 1 RHSBL and has no correct rDNS # - other clients without correct rDNS will be greylist-checked # - some whitelists are used to lower the score - id=S01 ; score=2.6 ; action=greylisting + id=S01 ; score=2.6 ; action=check_postgrey id=S02 ; score=5.0 ; action=REJECT postfwd score too high id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net @@ -905,10 +1154,10 @@ # The following temporary rejects requests from "unknown" clients, if they # 1. exceeded 30 requests per hour or # 2. tried to send more than 1.5mb within 10 minutes - id=RATE01 ; client_name==unknown ; state==RCPT ; \ - action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) - id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \ - action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes) + id=RATE01 ; client_name==unknown ; protocol_state==RCPT + action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) + id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE + action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes) ## Macros # definition @@ -921,34 +1170,34 @@ ## Groups # definition - &&RBLS { \ - rbl=zen.spamhaus.org ; \ - rbl=list.dsbl.org ; \ - rbl=bl.spamcop.net ; \ - rbl=dnsbl.sorbs.net ; \ - rbl=ix.dnsbl.manitu.net ; \ + &&RBLS{ + rbl=zen.spamhaus.org + rbl=list.dsbl.org + rbl=bl.spamcop.net + rbl=dnsbl.sorbs.net + rbl=ix.dnsbl.manitu.net }; - &&RHSBLS { \ + &&RHSBLS{ ... }; - &&DYNAMIC { \ - client_name==unknown ; \ - client_name~=(\d+[\.-_]){4} ; \ - client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \ + &&DYNAMIC{ + client_name==unknown + client_name~=(\d+[\.-_]){4} + client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ... }; - &&BAD_HELO { \ - helo_name==my.name.tld; \ - helo_name~=^([^\.]+)$; \ - helo_name~=\.(local|lan)$; \ + &&BAD_HELO{ + helo_name==my.name.tld + helo_name~=^([^\.]+)$ + helo_name~=\.(local|lan)$ ... }; - &&MAINTENANCE { \ - date=15.01.2007 ; \ - date=15.04.2007 ; \ - date=15.07.2007 ; \ - date=15.10.2007 ; \ - time=03:00:00 - 04:00:00 ; \ + &&MAINTENANCE{ + date=15.01.2007 + date=15.04.2007 + date=15.07.2007 + date=15.10.2007 + time=03:00:00 - 04:00:00 }; # rules id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL @@ -965,7 +1214,7 @@ ## combined with enhanced rbl features # - id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \ + id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext) id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt] diff -Nru postfwd-1.20/doc/quick.html postfwd-1.32/doc/quick.html --- postfwd-1.20/doc/quick.html 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/doc/quick.html 2011-08-15 16:44:51.000000000 +0000 @@ -0,0 +1,113 @@ + + + +postfwd - quickstart guide + + + + + + + + + postfwd quickstart guide + To use postfwd you have to perform the following steps: + + + Get postfwd or postfwd2 + Create your own postfwd ruleset + Optional: Create a dedicated user/group for postfwd + Launch postfwd + Tell postfix to use postfwd + Finished! How to go on? + + + + Get postfwd or postfwd2 + You may skip this step, if your operating system distribution contains a version of postfwd, but it is recommended to use a recent version from postfwd.org. It is also recommended to use recent versions of the perl modules Net::DNS and Net::Server (see required perl modules for more information). + + Create your own postfwd ruleset + postfwd is not a dedicated antispam tool (although it may be used as such). Instead of that it is basically a restriction language for postfix which allows to place complex policy expressions into a simple ruleset. For reasonable operation you have to create your own ruleset, like: + + + # reject @domain.local if request comes from outside 10.0.0.0/8 network + id=RULE-01 ; sender_domain=domain.local ; client_address=!!(10.0.0.0/8) ; action=REJECT not allowed + + # reject if sender equals recipient + id=RULE-02 ; sender==$$recipient ; action=REJECT not allowed + + # check some rbls and reject, if listed on >= 2 of them + id=RULE-03 ; rbl=zen.spamhaus.org,bl.spamcop.net,ix.dnsbl.manitu.net ; rblcount>=2 ; action=REJECT not allowed + + Now save these rules to a file (e.g. /etc/postfwd.cf). Please note that these are just very basic examples. Please read the documentation for more information on postfwd's capabilities. To check your ruleset you should use the "-C" command line option. This displays postfwd's view of your ruleset, like: + + + # postfwd -f /etc/postfwd.cf -C + Rule 0: id->"RULE-01"; action->"REJECT not allowed"; sender_domain->"=;domain.local"; client_address->"=;!!(10.0.0.0/8)" + Rule 1: id->"RULE-02"; action->"REJECT not allowed"; sender->"==;$$recipient" + Rule 2: id->"RULE-03"; action->"REJECT not allowed"; rblcount->"2"; rbl->"=;zen.spamhaus.org, =;bl.spamcop.net, =;ix.dnsbl.manitu.net" + + If you just want to see that anything works a single rule like "id=DEFAULT; action=dunno" is fine, too. + + Optional: Create a dedicated user/group for postfwd + By default postfwd will try to use user 'nobody' and group 'nobody'. So it should be safe to skip this step in most environments. If you run a system that is exposed to dangerous networks and feel paranoid you may want to create a dedicated user and group for the postfwd process. On unix systems enter: + + + # groupadd postfwd + # useradd -g postfwd -d /var/empty -s /bin/false -c "postfwd daemon user" postfwd + # passwd -l postfwd + + Launch postfwd + Start postfwd with your ruleset. Leave out the --user and --group options, if you have skipped step 3 and want to run postfwd as nobody/nobody. + + + # postfwd --daemon -f /etc/postfwd.cf -u postfwd -g postfwd + + Now watch your logs (default facility: mail) for lines like: + + + Jun 8 12:14:33 jupiter postfwd[20270]: postfwd 1.11 starting + Jun 8 12:14:33 jupiter postfwd[20271]: Process Backgrounded + Jun 8 12:14:33 jupiter postfwd[20271]: 2009/06/08-12:14:33 postfwd (type Net::Server::Multiplex) starting! pid(20271) + Jun 8 12:14:33 jupiter postfwd[20271]: Binding to TCP port 10040 on host 127.0.0.1 + Jun 8 12:14:33 jupiter postfwd[20271]: Setting gid to "1003 1003" + Jun 8 12:14:33 jupiter postfwd[20271]: Setting uid to "1010" + Jun 8 12:14:33 jupiter postfwd[20271]: postfwd 1.11 ready for input + + To control further daemon operations the commands `postfwd --kill` and `postfwd --reload` may be used. Please see `postfwd -h` and the documentation for more information. + + Tell postfix to use postfwd + Open your main.cf (usually located at /etc/postfix) and find or add a line starting with: + + + smtpd_recipient_restrictions = ... + + To place the postfwd check here, modify this as follows: + + + # note the leading whitespaces from the 2nd line! + smtpd_recipient_restrictions = permit_mynetworks, # recommended + ..., # optional + reject_unauth_destination, # recommended + check_policy_service inet:127.0.0.1:10040, # **postfwd integration** + ... # optional + + Please note that for some checks (like the 'size' attribute) postfwd has to be integrated at another level of the smtp transaction (smtpd_end_of_data_restrictions). More information on that can be found in the postfix documentation. + + Finished! How to go on? + A good point to start is postfwd's manual. You should be able to view it using the `postfwd -m` command or visit the documentation page. There are also some configuration examples on the webpage. Another very useful source of information is the Postfix SMTP Access Policy Delegation documentation. + + + + + + + http://www.postfwd.org/ + 2007 - 2009 by Jan Peter Kessler + info (AT) postfwd (DOT) org + + + + + + diff -Nru postfwd-1.20/doc/versions.html postfwd-1.32/doc/versions.html --- postfwd-1.20/doc/versions.html 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/doc/versions.html 2011-08-17 09:00:43.000000000 +0000 @@ -0,0 +1,82 @@ + + + + +postfwd - version differences + + + + + + + + + + postfwd1 vs postfwd2 +As you might have noticed, there are two different versions of postfwd available - postfwd(1) and postfwd2. +Which version fits best for you depends on your setup. Both versions use the same ruleset parser*. They also share the basic command line arguments (use both with --help for details). This allows to switch easily between them. + +The following table might help you to decide which version to use. Basically you should stick with postfwd1 for the moment unless you encounter performance issues with dns based checks or very complex rulesets with thousands +of checks. Please note that, due to implementation, rate limits are handled faster by postfwd1 at the moment. If performance really matters and you use a complex ruleset with rate limits and lots of dns based checks you should consider +running two instances at different ports/sockets: postfwd1 for the rate limits and postfwd2 for the rest. + + + + + + + + + Version + postfwd1 + postfwd2 + + Specs + + + Single process (Multiplexer) + Default port: tcp/10040 + Small memory footprint + + + + Multiple processes (Preforker) + Default port: tcp/10045 + Scales with multiple cpus/cores + Builtin watchdog function + Debug classes + + + Usage + + + Fits for most setups + Any single core system + Rate-limit-only rulesets + + + + High throughput setups with lots of requests per second and + + + rulesets that use a lot of dnsbl lookups + really huge rulesets containing tons of checks + + + + *Issues + + + + postfwd2 versions below 1.30 do not support multiple rate limits for the same item: + +# reject on 300+ connections/hour, warn at 200+ +id=R01; client_address=1.2.3.4; action=rate(client_address/300/3600/REJECT state RED) +id=R02; client_address=1.2.3.4; action=rate(client_address/200/3600/WARN state YELLOW) + + + + + + + diff -Nru postfwd-1.20/etc/postfwd.cf.sample postfwd-1.32/etc/postfwd.cf.sample --- postfwd-1.20/etc/postfwd.cf.sample 2009-06-03 21:13:51.000000000 +0000 +++ postfwd-1.32/etc/postfwd.cf.sample 2011-08-20 23:29:12.000000000 +0000 @@ -2,8 +2,11 @@ ################################################################################################### ## -## ATTENTION: Do NOT use this configuration without your own customizations! -## Please see the manual ('postfwd -m') for more information. +## ATTENTION: This example configuration uses features which require at least postfwd 1.30! +## Please see the manual ('postfwd -m') for example syntax for prior versions. +## +## WARNING: Only provided to show some capabilities of postfwd. Do NOT use this without +## modifications to suit your environment! ## ################################################################################################### @@ -12,77 +15,71 @@ ## Definitions ## -# Greylisting with postgrey @ 127.0.0.1:10031 -&&GREYLIST { \ - action=ask(127.0.0.1:10031); \ -}; - # Maintenance times -&&MAINTENANCE { \ - date=15.01.2007 - 15.01.2007 ; \ - date=15.04.2007 - 15.04.2007 ; \ - date=15.07.2007 - 15.07.2007 ; \ - date=15.10.2007 - 15.10.2007 ; \ - time=03:00:00 - 04:00:00 ; \ -}; +&&MAINTENANCE { + date=15.01.2007 + date=15.10.2007 - 17.10.2007 + days=Sat-Sun + time=03:00:00 - 04:00:00 +} # Whitelists -&&TRUSTED_NETS { \ - client_address=192.168.1.0/22 ; \ - client_address=172.16.128.32/27 ; \ -}; -&&TRUSTED_HOSTS { \ - client_name~=\.domain1\.net$ ; \ - client_name~=\.domain2\.de$ ; \ -}; -&&TRUSTED_USERS { \ - sasl_username==bob ; \ - sasl_username==alice ; \ -}; -&&TRUSTED_TLS { \ - ccert_fingerprint==11:22:33:44:55:66:AA:BB:CC:DD:EE:FF ; \ - ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66 ; \ - encryption_keysize>=64 ; \ -}; -&&FREEMAIL { \ - client_name~=\.gmx\.net$ ; \ - client_name~=\.web\.de$ ; \ - client_name~=\.(aol|yahoo|h(ush|ot)mail)\.com$ ; \ -}; -&&STATIC { \ +&&TRUSTED_NETS { + client_address=192.168.1.0/22 + client_address=172.16.128.32/27 +} +&&TRUSTED_HOSTS { + client_name~=\.domain1\.net$ + client_name~=\.domain2\.de$ +} +&&TRUSTED_USERS { + sasl_username==bob + sasl_username==alice +} +&&TRUSTED_TLS { + ccert_fingerprint==11:22:33:44:55:66:AA:BB:CC:DD:EE:FF + ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66 + encryption_keysize>=64 +} +&&FREEMAIL { + client_name~=\.gmx\.net$ + client_name~=\.web\.de$ + client_name~=\.(aol|yahoo|h(ush|ot)mail)\.com$ +} +&&STATIC { # contains freemailers - &&FREEMAIL ; \ - client_name~=[\.\-]static[[\.\-] ; \ - client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. ; \ -}; -&&DNSWLS { \ - rbl=list.dnswl.org ; \ - rbl=exemptions.ahbl.org ; \ - rbl=query.bondedsender.org ; \ - rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \ - rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \ -}; + &&FREEMAIL + client_name~=[\.\-]static[[\.\-] + client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. +} +&&DNSWLS { + rbl=list.dnswl.org + rbl=exemptions.ahbl.org + rbl=query.bondedsender.org + rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 + rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 +} # Spamchecks -&&BADHELO { \ - client_name==!!($$(helo_name)) ; \ -}; -&&DYNAMIC { \ - client_name==unknown ; \ - client_name~=(\-.+){4} ; \ - client_name~=\d{5} ; \ - client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-] ; \ -}; -&&DNSBLS { \ - rbl=zen.spamhaus.org ; \ - rbl=list.dsbl.org ; \ - rbl=bl.spamcop.net ; \ - rbl=dnsbl.sorbs.net ; \ - rbl=ix.dnsbl.manitu.net ; \ - rhsbl=rddn.dnsbl.net.au ; \ - rhsbl=rhsbl.ahbl.org ; \ - rhsbl=rhsbl.sorbs.net ; \ -}; +&&BADHELO { + client_name==!!($$(helo_name)) +} +&&DYNAMIC { + client_name==unknown + client_name~=(\-.+){4} + client_name~=\d{5} + client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-] +} +&&DNSBLS { + rbl=zen.spamhaus.org + rbl=list.dsbl.org + rbl=bl.spamcop.net + rbl=dnsbl.sorbs.net + rbl=ix.dnsbl.manitu.net + rhsbl=rddn.dnsbl.net.au + rhsbl=rhsbl.ahbl.org + rhsbl=rhsbl.sorbs.net +} ## @@ -90,49 +87,96 @@ ## # temporary reject and drop connection during maintenance window -id=M_001 ; &&MAINTENANCE ; action=421 maintenance - please try again later +id=M_001 + &&MAINTENANCE + action=421 maintenance - please try again later # stress-friendly behaviour (will not match on postfix version pre 2.5) -id=STRESS ; stress==yes ; action=dunno +id=STRESS + stress==yes + action=dunno # Whitelists -id=WL_001 ; &&TRUSTED_NETS ; action=dunno -id=WL_002 ; &&TRUSTED_HOSTS ; action=dunno -id=WL_003 ; &&TRUSTED_USERS ; action=dunno -id=WL_004 ; &&TRUSTED_TLS ; action=dunno +id=WL_001 + &&TRUSTED_NETS + action=dunno +id=WL_002 + &&TRUSTED_HOSTS + action=dunno +id=WL_003 + &&TRUSTED_USERS + action=dunno +id=WL_004 + &&TRUSTED_TLS + action=dunno # DNSWL checks - lookup -id=RWL_001 ; &&DNSWLS ; rhsblcount=all ; rblcount=all ; \ +id=RWL_001 + &&DNSWLS + rhsblcount=all ; rblcount=all action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext) # DNSWL - whitelisting -id=RWL_002 ; HIT_dnswls>=2 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] -id=RWL_003 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; &&STATIC -id=RWL_004 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; $$client_name~=$$(sender_domain)$ +id=RWL_002 + HIT_dnswls>=2 + action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] +id=RWL_003 + HIT_dnswls>=1 + action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; &&STATIC +id=RWL_004 + HIT_dnswls>=1 + action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; $$client_name~=$$(sender_domain)$ # DNSBL checks - lookup -id=RBL_001 ; &&DNSBLS ; rhsblcount=all ; rblcount=all ; \ +id=RBL_001 + &&DNSBLS + rhsblcount=all ; rblcount=all action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext) # DNSBL checks - evaluation -id=RBL_002 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text] -id=RBL_003 ; HIT_dnsbls>=1 ; &&DYNAMIC ; action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text] -id=RBL_004 ; HIT_dnsbls>=1 ; &&BADHELO ; action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text] +id=RBL_002 + HIT_dnsbls>=2 + action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text] +id=RBL_003 + HIT_dnsbls>=1 + &&DYNAMIC + action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text] +id=RBL_004 + HIT_dnsbls>=1 + &&BADHELO + action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text] # Rate limits -id=RATE_001 ; HIT_dnsbls>=1; \ +id=RATE_001 + HIT_dnsbls>=1 action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes) -id=RATE_002 ; &&DYNAMIC ; \ +id=RATE_002 + &&DYNAMIC action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes) # Selective greylisting -id=GREY_001 ; action=dunno ; &&STATIC -id=GREY_002 ; action=dunno ; $$client_name~=$$(sender_domain)$ -id=GREY_003 ; action=dunno ; HIT_dnswls>=1 -id=GREY_004 ; action=&&GREYLIST ; &&DYNAMIC -id=GREY_005 ; action=&&GREYLIST ; HIT_dnsbls>=1 +id=GREY_001 + action=dunno + &&STATIC +id=GREY_002 + action=dunno + $$client_name~=$$(sender_domain)$ +id=GREY_003 + action=dunno + HIT_dnswls>=1 +id=GREY_004 + action=greylisting + &&DYNAMIC +id=GREY_005 + action=greylisting + HIT_dnsbls>=1 # Greylisting should be safe during out-of-office times -id=GREY_006 ; action=&&GREYLIST ; days=Sat-Sun -id=GREY_007 ; action=&&GREYLIST ; days=Mon-Fri ; time=!!06:00:00-20:00:00 +id=GREY_006 + action=greylisting + days=Sat-Sun +id=GREY_007 + action=greylisting + days=Mon-Fri + time=!!06:00:00-20:00:00 diff -Nru postfwd-1.20/etc/postfwd-old.cf.sample postfwd-1.32/etc/postfwd-old.cf.sample --- postfwd-1.20/etc/postfwd-old.cf.sample 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/etc/postfwd-old.cf.sample 2011-08-20 23:28:22.000000000 +0000 @@ -0,0 +1,135 @@ + + +################################################################################################### +## +## ATTENTION: This example configuration uses features which require at least postfwd 1.10pre8! +## Please see the manual ('postfwd -m') for example syntax for prior versions. +## +## WARNING: Only provided to show some capabilities of postfwd. Do NOT use this without +## modifications to suit your environment! +## +################################################################################################### + + +## +## Definitions +## + +# Maintenance times +&&MAINTENANCE { \ + date=15.01.2007 ; \ + date=15.04.2007 ; \ + date=15.10.2007 - 17.10.2007 ; \ + time=03:00:00 - 04:00:00 ; \ +}; + +# Whitelists +&&TRUSTED_NETS { \ + client_address=192.168.1.0/22 ; \ + client_address=172.16.128.32/27 ; \ +}; +&&TRUSTED_HOSTS { \ + client_name~=\.domain1\.net$ ; \ + client_name~=\.domain2\.de$ ; \ +}; +&&TRUSTED_USERS { \ + sasl_username==bob ; \ + sasl_username==alice ; \ +}; +&&TRUSTED_TLS { \ + ccert_fingerprint==11:22:33:44:55:66:AA:BB:CC:DD:EE:FF ; \ + ccert_fingerprint==AA:BB:CC:DD:EE:FF:11:22:33:44:55:66 ; \ + encryption_keysize>=64 ; \ +}; +&&FREEMAIL { \ + client_name~=\.gmx\.net$ ; \ + client_name~=\.web\.de$ ; \ + client_name~=\.(aol|yahoo|h(ush|ot)mail)\.com$ ; \ +}; +&&STATIC { \ + # contains freemailers + &&FREEMAIL ; \ + client_name~=[\.\-]static[[\.\-] ; \ + client_name~=^(mail|smtp|mout|mx)[\-]*[0-9]*\. ; \ +}; +&&DNSWLS { \ + rbl=list.dnswl.org ; \ + rbl=exemptions.ahbl.org ; \ + rbl=query.bondedsender.org ; \ + rbl=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \ + rhsbl_client=hostkarma.junkemailfilter.com/^127\.0\.0\.1$/3600 ; \ +}; + +# Spamchecks +&&BADHELO { \ + client_name==!!($$(helo_name)) ; \ +}; +&&DYNAMIC { \ + client_name==unknown ; \ + client_name~=(\-.+){4} ; \ + client_name~=\d{5} ; \ + client_name~=[_\.\-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|ADSL|dial(up|in)|pool|dhcp|leased)[_\.\-] ; \ +}; +&&DNSBLS { \ + rbl=zen.spamhaus.org ; \ + rbl=list.dsbl.org ; \ + rbl=bl.spamcop.net ; \ + rbl=dnsbl.sorbs.net ; \ + rbl=ix.dnsbl.manitu.net ; \ + rhsbl=rddn.dnsbl.net.au ; \ + rhsbl=rhsbl.ahbl.org ; \ + rhsbl=rhsbl.sorbs.net ; \ +}; + + +## +## Ruleset +## + +# temporary reject and drop connection during maintenance window +id=M_001 ; &&MAINTENANCE ; action=421 maintenance - please try again later + +# stress-friendly behaviour (will not match on postfix version pre 2.5) +id=STRESS ; stress==yes ; action=dunno + +# Whitelists +id=WL_001 ; &&TRUSTED_NETS ; action=dunno +id=WL_002 ; &&TRUSTED_HOSTS ; action=dunno +id=WL_003 ; &&TRUSTED_USERS ; action=dunno +id=WL_004 ; &&TRUSTED_TLS ; action=dunno + +# DNSWL checks - lookup +id=RWL_001 ; &&DNSWLS ; rhsblcount=all ; rblcount=all ; \ + action=set(HIT_dnswls=$$rhsblcount,HIT_dnswls+=$$rblcount,DSWL_text=$$dnsbltext) + +# DNSWL - whitelisting +id=RWL_002 ; HIT_dnswls>=2 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] +id=RWL_003 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; &&STATIC +id=RWL_004 ; HIT_dnswls>=1 ; action=PREPEND X-PFW-STATE: INFO: [$$DSWL_text] ; $$client_name~=$$(sender_domain)$ + +# DNSBL checks - lookup +id=RBL_001 ; &&DNSBLS ; rhsblcount=all ; rblcount=all ; \ + action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,DSBL_text=$$dnsbltext) + +# DNSBL checks - evaluation +id=RBL_002 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$DSBL_count dnsbls, INFO: [$$DSBL_text] +id=RBL_003 ; HIT_dnsbls>=1 ; &&DYNAMIC ; action=REJECT listed on dnsbl and $$client_name looks like dynip, INFO: [$$DSBL_text] +id=RBL_004 ; HIT_dnsbls>=1 ; &&BADHELO ; action=REJECT listed on dnsbl and $$helo_name does not match $$client_name, INFO: [$$DSBL_text] + +# Rate limits +id=RATE_001 ; HIT_dnsbls>=1; \ + action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes) +id=RATE_002 ; &&DYNAMIC ; \ + action=rate($$client_address/1/300/450 4.7.1 please do not try more than once per 5 minutes) + +# Selective greylisting +id=GREY_001 ; action=dunno ; &&STATIC +id=GREY_002 ; action=dunno ; $$client_name~=$$(sender_domain)$ +id=GREY_003 ; action=dunno ; HIT_dnswls>=1 +id=GREY_004 ; action=greylisting ; &&DYNAMIC +id=GREY_005 ; action=greylisting ; HIT_dnsbls>=1 + +# Greylisting should be safe during out-of-office times +id=GREY_006 ; action=greylisting ; days=Sat-Sun +id=GREY_007 ; action=greylisting ; days=Mon-Fri ; time=!!06:00:00-20:00:00 + diff -Nru postfwd-1.20/man/man8/postfwd2.8 postfwd-1.32/man/man8/postfwd2.8 --- postfwd-1.20/man/man8/postfwd2.8 2010-11-14 21:52:42.000000000 +0000 +++ postfwd-1.32/man/man8/postfwd2.8 2011-12-18 12:34:42.000000000 +0000 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "POSTFWD2 1" -.TH POSTFWD2 1 "2010-11-14" "perl v5.8.5" "User Contributed Perl Documentation" +.IX Title "POSTFWD2-ALL-IN-ONE 1" +.TH POSTFWD2-ALL-IN-ONE 1 "2011-12-18" "perl v5.8.5" "User Contributed Perl Documentation" .SH "NAME" postfwd2 \- postfix firewall daemon .SH "SYNOPSIS" @@ -175,7 +175,7 @@ \& --cache-no-size skip size for cache-id \& --no_parent_request_cache disable parent request cache \& --no_parent_rate_cache disable parent rate cache -\& --no_parent_dns_cache disable parent dns cache +\& --no_parent_dns_cache disable parent dns cache (default) \& --no_parent_cache disable all parent caches .Ve .PP @@ -184,7 +184,7 @@ \& --cleanup-rates cleanup interval in seconds for rate cache .Ve .PP -.Vb 9 +.Vb 12 \& Control: \& -k, --kill, --stop terminate postfwd2 \& --reload, --hup reload postfwd2 @@ -194,6 +194,9 @@ \& --daemons list of daemons to start \& --dumpcache show cache contents \& --dumpstats show statistics +\& -R, --chroot chroot to before start +\& --delcache removes an item from the request cache +\& --delrate removes an item from the rate cache .Ve .PP .Vb 11 @@ -210,7 +213,7 @@ \& --dns_max_mx_lookups max names to look up with sender_mx_addrs .Ve .PP -.Vb 7 +.Vb 10 \& Optional: \& -t, --test testing, always returns "dunno" \& -S, --summary show stats every seconds @@ -218,12 +221,21 @@ \& --norulestats disables per rule statistics \& -I, --instantcfg reloads ruleset on every new request \& --config_timeout parser timeout in seconds +\& --keep_rates do not clear rate limit counters on reload +\& --save_rates save and load rate limits on disk +\& --fast_limit_evaluation evaluate rate limits before ruleset is parsed .Ve .PP -.Vb 9 +.Vb 2 +\& Plugins: +\& --plugins loads postfwd plugins from file +.Ve +.PP +.Vb 10 \& Logging: \& -l, --logname label for syslog messages \& --facility use syslog facility +\& --socktype use syslog socktype \& --nodnslog do not log dns results \& --anydnslog log any dns (even cached) results \& --norulelog do not log rule actions @@ -282,7 +294,7 @@ (`;`) and the appropriate desired action: .PP .Vb 1 -\& [ [=><~]=; [=><~]=; ... ] action= +\& [ =; =; ... ] action= .Ve .PP \&\fIExample:\fR @@ -327,11 +339,23 @@ A ruleset consists of one or multiple rules, which can be loaded from files or passed as command line arguments. Please see the \s-1COMMAND\s0 \s-1LINE\s0 section below for more information on this topic. .PP -Rules can span multiple lines by adding a trailing backslash \*(L"\e\*(R" character: +Since postfwd version 1.30 rules spanning span multiple lines can be defined by prefixing the following +lines with one or multiple whitespace characters (or '}' for macros): .PP -.Vb 2 -\& id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \e -\& action=REJECT please use your relay from there +.Vb 4 +\& id=RULE001 +\& client_address=192.168.1.0/24 +\& sender==no@bad.local +\& action=REJECT no access +.Ve +.PP +postfwd versions prior to 1.30 require trailing ';' and '\e'\-characters: +.PP +.Vb 4 +\& id=RULE001; \e +\& client_address=192.168.1.0/24; \e +\& sender==no@bad.local; \e +\& action=REJECT no access .Ve .Sh "\s-1ITEMS\s0" .IX Subsection "ITEMS" @@ -416,15 +440,23 @@ \& (whitelisting), as it might be forged. .Ve .PP -.Vb 6 +.Vb 7 \& version - postfwd2 version, contains "postfwd2 n.nn" \& this enables version based checks in your rulesets \& (e.g. for migration). works with old versions too, \& because a non-existing item always returns false: -\& id=R01; version~=1.10; sender_domain==some.org \e +\& # version >= 1.10 +\& id=R01; version~=1\e.[1-9][0-9]; sender_domain==some.org \e \& ; action=REJECT sorry no access .Ve .PP +.Vb 4 +\& ratecount - only available for rate(), size() and rcpt() actions. +\& contains the actual limit counter: +\& id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits]) +\& id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits]) +.Ve +.PP Besides these you can specify any attribute of the postfix policy delegation protocol. Feel free to combine them the way you need it (have a look at the \s-1EXAMPLES\s0 section below). .PP @@ -478,27 +510,26 @@ .Ve .PP the current list can be found at . Please read carefully about which -attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at \s-1END_OF_DATA\s0 level). +attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END-OF-MESSAGE level). Pattern matching is performed case insensitive. .PP Multiple use of the same item is allowed and will compared as logical \s-1OR\s0, which means that this will work as expected: .PP .Vb 5 -\& id=TRUST001; action=OK; encryption_keysize=64; \e -\& ccert_fingerprint=11:22:33:44:55:66:77:88:99; \e -\& ccert_fingerprint=22:33:44:55:66:77:88:99:00; \e -\& ccert_fingerprint=33:44:55:66:77:88:99:00:11; \e +\& id=TRUST001; action=OK; encryption_keysize=64 +\& ccert_fingerprint=11:22:33:44:55:66:77:88:99 +\& ccert_fingerprint=22:33:44:55:66:77:88:99:00 +\& ccert_fingerprint=33:44:55:66:77:88:99:00:11 \& sender=@domain\e.local$ .Ve .PP client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values: .PP -.Vb 5 -\& id=SKIP01; action=dunno; \e +.Vb 4 +\& id=SKIP01; action=dunno \& client_address=192.168.1.0/24, 172.16.254.23 -\& id=SKIP02; action=dunno; \e -\& client_address= 10.10.3.32 \e -\& 10.216.222.0/27 +\& id=SKIP02; action=dunno +\& client_address= 10.10.3.32 10.216.222.0/27 .Ve .PP The following items must be unique: @@ -510,19 +541,19 @@ Any item can be negated by preceeding '!!' to it, e.g.: .PP .Vb 1 -\& id=TLS001 ; hostname=!!^secure\e.trust\e.local$ ; action=REJECT only secure.trust.local please +\& id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please .Ve .PP or using the right compare operator: .PP .Vb 1 -\& id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that? +\& id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please .Ve .PP To avoid confusion with regexps or simply for better visibility you can use '!!(...)': .PP .Vb 1 -\& id=USER01 ; sasl_username=!!( /^(bob|alice)$/ ) ; action=REJECT who is that? +\& id=USER01 ; sasl_username =~ !!( /^(bob|alice)$/ ) ; action=REJECT who is that? .Ve .PP Request attributes can be compared by preceeding '$$' characters, e.g.: @@ -535,6 +566,40 @@ .PP This is only valid for \s-1PCRE\s0 values (see list above). The comparison will be performed as case insensitive exact match. Use the '\-vv' option to debug. +.PP +These special items will be reset for any new rule: +.PP +.Vb 5 +\& rblcount - contains the number of RBL answers +\& rhsblcount - contains the number of RHSBL answers +\& matches - contains the number of matched items +\& dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form +\& rbltype:rblname:; rbltype:rblname:; ... +.Ve +.PP +These special items will be changed for any matching rule: +.PP +.Vb 1 +\& request_hits - contains ids of all matching rules +.Ve +.PP +This means that it might be necessary to save them, if you plan to use these values in later rules: +.PP +.Vb 6 +\& # set vals +\& id=RBL01 ; rhsblcount=all; rblcount=all +\& action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext) +\& rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org +\& rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net +\& rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net +.Ve +.PP +.Vb 4 +\& # compare +\& id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt] +\& id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt] +\& id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt] +.Ve .Sh "\s-1FILES\s0" .IX Subsection "FILES" Since postfwd1 v1.15 and postfwd2 v0.18 long item lists can be stored in separate files: @@ -563,20 +628,20 @@ This will ignore the right-hand value. Items can be mixed: .PP .Vb 3 -\& id=R002 ; action=REJECT \e -\& client_name==unknown; \e +\& id=R002 ; action=REJECT +\& client_name==unknown \& client_name==file:/etc/postfwd/blacklisted .Ve .PP and for non pcre (comma separated) items: .PP .Vb 2 -\& id=R003 ; action=REJECT \e +\& id=R003 ; action=REJECT \& client_address==10.1.1.1, file:/etc/postfwd/blacklisted .Ve .PP .Vb 2 -\& id=R004 ; action=REJECT \e +\& id=R004 ; action=REJECT \& rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing .Ve .PP @@ -720,8 +785,8 @@ \& please note that is currently limited to postfix actions (no postfwd actions)! \& # no more than 3 requests per 5 minutes \& # from the same "unknown" client -\& id=RATE01 ; client_name==unknown ; \e -\& action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes) +\& id=RATE01 ; client_name==unknown +\& action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes) .Ve .PP .Vb 7 @@ -730,8 +795,8 @@ \& increased by the request's size attribute. to do this reliably you should call postfwd2 from \& smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset: \& # size limit 1.5mb per hour per client -\& id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \e -\& action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour) +\& id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1) +\& action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour) .Ve .PP .Vb 8 @@ -741,8 +806,8 @@ \& from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could \& check it within the ruleset: \& # recipient count limit 3 per hour per client -\& id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \e -\& action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour) +\& id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1) +\& action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour) .Ve .PP .Vb 9 @@ -757,6 +822,13 @@ \& id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$) .Ve .PP +.Vb 4 +\& mail(server/helo/from/to/subject/body) +\& Very basic mail command, that sends a message with the given arguments. LIMITATIONS: +\& This basically performs a telnet. No authentication or TLS are available. Additionally it does +\& not track notification state and will notify you any time, the corresponding rule hits. +.Ve +.PP .Vb 3 \& wait () \& pauses the program execution for seconds. use this for @@ -766,7 +838,7 @@ .Vb 3 \& note () \& just logs the given string and continues parsing the ruleset. -\& if the string is empty, nothing will be logged. +\& if the string is empty, nothing will be logged (noop). .Ve .PP .Vb 3 @@ -780,40 +852,6 @@ .Vb 1 \& id=R-HELO ; helo_name=^[^\e.]+$ ; action=REJECT invalid helo '$$helo_name' .Ve -.PP -These special attributes will be reset for any new rule: -.PP -.Vb 5 -\& rblcount - contains the number of RBL answers -\& rhsblcount - contains the number of RHSBL answers -\& matches - contains the number of matched items -\& dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form -\& rbltype:rblname:; rbltype:rblname:; ... -.Ve -.PP -These special attributes will be changed for any matching rule: -.PP -.Vb 1 -\& request_hits - contains ids of all matching rules -.Ve -.PP -This means that it might be necessary to save them, if you plan to use these values in later rules: -.PP -.Vb 6 -\& # set vals -\& id=RBL01 ; rhsblcount=all ; rblcount=all ; \e -\& rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \e -\& rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \e -\& rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \e -\& action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext) -.Ve -.PP -.Vb 4 -\& # compare -\& id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt] -\& id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt] -\& id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt] -.Ve .Sh "\s-1MACROS/ACLS\s0" .IX Subsection "MACROS/ACLS" Multiple use of long items or combinations of them may be abbreviated by macros. Those must be prefixed by '&&' (two '&' characters). @@ -845,18 +883,18 @@ Macros can contain macros, too: .PP .Vb 16 -\& # definition (note the trailing "\e" characters) -\& &&RBLS { \e -\& rbl=zen.spamhaus.org ; \e -\& rbl=list.dsbl.org ; \e -\& rbl=bl.spamcop.net ; \e -\& rbl=dnsbl.sorbs.net ; \e -\& rbl=ix.dnsbl.manitu.net ; \e +\& # definition +\& &&RBLS{ +\& rbl=zen.spamhaus.org +\& rbl=list.dsbl.org +\& rbl=bl.spamcop.net +\& rbl=dnsbl.sorbs.net +\& rbl=ix.dnsbl.manitu.net \& }; -\& &&DYNAMIC { \e -\& client_name=^unknown$ ; \e -\& client_name=(\ed+[\e.-_]){4} ; \e -\& client_name=[\e.-_](adsl|dynamic|ppp|)[\e.-_] ; \e +\& &&DYNAMIC{ +\& client_name=^unknown$ +\& client_name=(\ed+[\e.-_]){4} +\& client_name=[\e.-_](adsl|dynamic|ppp|)[\e.-_] \& }; \& &&GOAWAY { &&RBLS; &&DYNAMIC; }; \& # rules @@ -866,7 +904,194 @@ Basically macros are simple text substitutions \- see the \*(L"\s-1PARSER\s0\*(R" section for more information. .Sh "\s-1PLUGINS\s0" .IX Subsection "PLUGINS" -Please visit +\&\fBDescription\fR +.PP +The plugin interface allow you to define your own checks and enhance postfwd's +functionality. Feel free to share useful things! +.PP +\&\fBWarning\fR +.PP +Note that the plugin interface is still at devel stage. Please test your plugins +carefully, because errors may cause postfwd to break! It is also +allowed to override attributes or built-in functions, but be sure that you know +what you do because some of them are used internally. +.PP +Please keep security in mind, when you access sensible ressources and never, ever +run postfwd as privileged user! Also never trust your input (especially hostnames, +and e\-mail addresses). +.PP +\&\fB\s-1ITEMS\s0\fR +.PP +Item plugins are perl subroutines which integrate additional attributes to requests +before they are evaluated against postfwd's ruleset like any other item of the +policy delegation protocol. This allows you to create your own checks. +.PP +plugin-items can not be used selective. these functions will be executed for every +request postfwd receives, so keep performance in mind. +.PP +.Vb 1 +\& SYNOPSIS: %result = postfwd_items_plugin{}(%request) +.Ve +.PP +means that your subroutine, called , has access to a hash called \f(CW%request\fR, +which contains all request attributes, like \f(CW$request\fR{client_name} and must +return a value in the following form: +.PP +.Vb 1 +\& save: $result{} = +.Ve +.PP +this creates the new item containing , which will be integrated in +the policy delegation request and therefore may be used in postfwd's ruleset. +.PP +.Vb 2 +\& # do NOT remove the next line +\& %postfwd_items_plugin = ( +.Ve +.PP +.Vb 1 +\& # EXAMPLES - integrated in postfwd. no need to activate them here. +.Ve +.PP +.Vb 8 +\& # allows to check postfwd version in ruleset +\& "version" => sub { +\& my(%request) = @_; +\& my(%result) = ( +\& "version" => $NAME." ".$VERSION, +\& ); +\& return %result; +\& }, +.Ve +.PP +.Vb 10 +\& # sender_domain and recipient_domain +\& "address_parts" => sub { +\& my(%request) = @_; +\& my(%result) = (); +\& $request{sender} =~ /@([^@]*)$/; +\& $result{sender_domain} = ($1 || ''); +\& $request{recipient} =~ /@([^@]*)$/; +\& $result{recipient_domain} = ($1 || ''); +\& return %result; +\& }, +.Ve +.PP +.Vb 2 +\& # do NOT remove the next line +\& ); +.Ve +.PP +\&\fB\s-1COMPARE\s0\fR +.PP +Compare plugins allow you to define how your new items should be compared to the ruleset. +These are optional. If you don't specify one, the default (== for exact match, =~ for \s-1PCRE\s0, ...) +will be used. +.PP +.Vb 1 +\& SYNOPSIS: => sub { return &{$postfwd_compare{}}(@_); }, +.Ve +.PP +.Vb 2 +\& # do NOT remove the next line +\& %postfwd_compare_plugin = ( +.Ve +.PP +.Vb 1 +\& EXAMPLES - integrated in postfwd. no need to activate them here. +.Ve +.PP +.Vb 5 +\& # Simple example +\& # SYNOPSIS: = (return &{$postfwd_compare{}}(@_)) +\& "client_address" => sub { return &{$postfwd_compare{cidr}}(@_); }, +\& "size" => sub { return &{$postfwd_compare{numeric}}(@_); }, +\& "recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); }, +.Ve +.PP +.Vb 22 +\& # Complex example +\& # SYNOPSIS: = (, , , ) +\& "numeric" => sub { +\& my($cmp,$val,$myitem,%request) = @_; +\& my($myresult) = undef; $myitem ||= "0"; $val ||= "0"; +\& if ($cmp eq '==') { +\& $myresult = ($myitem == $val); +\& } elsif ($cmp eq '=<') { +\& $myresult = ($myitem <= $val); +\& } elsif ($cmp eq '=>') { +\& $myresult = ($myitem >= $val); +\& } elsif ($cmp eq '!=') { +\& $myresult = not($myitem == $val); +\& } elsif ($cmp eq '!<') { +\& $myresult = not($myitem <= $val); +\& } elsif ($cmp eq '!>') { +\& $myresult = not($myitem >= $val); +\& } else { +\& $myresult = ($myitem >= $val); +\& }; +\& return $myresult; +\& }, +.Ve +.PP +.Vb 2 +\& # do NOT remove the next line +\& ); +.Ve +.PP +\&\fB\s-1ACTIONS\s0\fR +.PP +Action plugins allow to define new postfwd actions. By setting the \f(CW$stop\fR\-flag you can decide to +continue or to stop parsing the ruleset. +.PP +.Vb 2 +\& SYNOPSIS: (, , , , ) = +\& (, , , , , ) +.Ve +.PP +.Vb 2 +\& # do NOT remove the next line +\& %postfwd_actions_plugin = ( +.Ve +.PP +.Vb 1 +\& # EXAMPLES - integrated in postfwd. no need to activate them here. +.Ve +.PP +.Vb 7 +\& # note() command +\& "note" => sub { +\& my($index,$now,$mycmd,$myarg,$myline,%request) = @_; +\& my($myaction) = $default_action; my($stop) = 0; +\& mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg; +\& return ($stop,$index,$myaction,$myline,%request); +\& }, +.Ve +.PP +.Vb 7 +\& # skips next rules +\& "skip" => sub { +\& my($index,$now,$mycmd,$myarg,$myline,%request) = @_; +\& my($myaction) = $default_action; my($stop) = 0; +\& $index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) ); +\& return ($stop,$index,$myaction,$myline,%request); +\& }, +.Ve +.PP +.Vb 7 +\& # dumps current request contents to syslog +\& "dumprequest" => sub { +\& my($index,$now,$mycmd,$myarg,$myline,%request) = @_; +\& my($myaction) = $default_action; my($stop) = 0; +\& map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request); +\& return ($stop,$index,$myaction,$myline,%request); +\& }, +.Ve +.PP +.Vb 2 +\& # do NOT remove the next line +\& ); +.Ve .Sh "\s-1COMMAND\s0 \s-1LINE\s0" .IX Subsection "COMMAND LINE" \&\fIRuleset\fR @@ -886,14 +1111,6 @@ \& strings that contain whitespaces or shell characters. .Ve .PP -\&\fIPlugins\fR -.PP -.Vb 3 -\& --plugins -\& A file containing plugin routines for postfwd. Please see the -\& PLUGINS section for more information. -.Ve -.PP \&\fIScoring\fR .PP .Vb 2 @@ -904,7 +1121,7 @@ Multiple usage is allowed. Just chain your arguments, like: .PP .Vb 3 -\& postfwd2 -r "=;action=" -f -f --plugins ... +\& postfwd2 -r "=;action=" -f -f ... \& or \& postfwd2 --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd2 score too high" ... .Ve @@ -920,7 +1137,7 @@ .Vb 3 \& -d, --daemon \& postfwd2 will run as daemon and listen on the network for incoming -\& queries (default 127.0.0.1:10040). +\& queries (default 127.0.0.1:10045). .Ve .PP .Vb 2 @@ -930,7 +1147,7 @@ .PP .Vb 2 \& -p, --port -\& postfwd2 listens on the specified port (default tcp/10040). +\& postfwd2 listens on the specified port (default tcp/10045). .Ve .PP .Vb 4 @@ -970,7 +1187,7 @@ .Vb 3 \& -R, --chroot \& Chroot the process to the specified path. -\& Test this before using - you might need some libs there. +\& Please look at http://postfwd.org/postfwd2-chroot.html before use! .Ve .PP .Vb 2 @@ -978,6 +1195,17 @@ \& The process id will be saved in the specified file. .Ve .PP +.Vb 2 +\& --facility +\& sets the syslog facility, default is 'mail' +.Ve +.PP +.Vb 3 +\& --socktype +\& sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'. +\& Default is to auto-detect this depening on module version and os. +.Ve +.PP .Vb 3 \& -l, --logname \& Labels the syslog messages. Useful when running multiple @@ -989,6 +1217,14 @@ \& Truncates any syslog message after characters. .Ve .PP +\&\fIPlugins\fR +.PP +.Vb 3 +\& --plugins +\& Loads postfwd plugins from file. Please see http://postfwd.org/postfwd.plugins +\& or the plugins.postfwd.sample that is available from the tarball for more info. +.Ve +.PP \&\fIOptional arguments\fR .PP These parameters influence the way postfwd2 is working. Any of them can be combined. @@ -1168,6 +1404,28 @@ \& be skipped. this is used to prevent problems due to large files or loops. .Ve .PP +.Vb 4 +\& --keep_rates (default=0) +\& With this option set postfwd2 does not clear the rate limit counters on reload. Please +\& note that you have to restart (not reload) postfwd with this option if you change +\& any rate limit rules. +.Ve +.PP +.Vb 4 +\& --save_rates (default=none) +\& With this option postfwd saves existing rate limit counters to disk and reloads them +\& on program start. This allows persistent rate limits across program restarts or reboots. +\& Please note that postfwd needs read and write access to the specified file. +.Ve +.PP +.Vb 5 +\& --fast_limit_evaluation (default=0) +\& Once a ratelimit was set by the ruleset, future requests will be evaluated against it +\& before consulting the ruleset. This mode was the default behaviour until v1.30. +\& With this mode rate limits will be faster, but also eventually set up +\& whitelisting-rules within the ruleset might not work as expected. +.Ve +.PP \&\fIInformational arguments\fR .PP These arguments are for command line usage only. Never ever use them with postfix! @@ -1202,6 +1460,34 @@ \& This option turns of any syslogging and output. It is included \& for performance testing. .Ve +.PP +.Vb 2 +\& --dumpstats +\& Displays program usage statistics. +.Ve +.PP +.Vb 2 +\& --dumpcache +\& Displays cache contents. +.Ve +.PP +.Vb 10 +\& --delcache +\& Removes an item from the request cache. Use --dumpcache to identify objects. +\& E.g.: +\& # postfwd --dumpcache +\& ... +\& %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1' +\& %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2' +\& ... +\& # postfwd --delrate="sender=gmato@jqvo.org" +\& rate cache item 'sender=gmato@jqvo.org' removed +.Ve +.PP +.Vb 2 +\& --delrate +\& Removes an item from the rate cache. Use --dumpcache to identify objects. +.Ve .Sh "\s-1REFRESH\s0" .IX Subsection "REFRESH" In daemon mode postfwd2 reloads it's ruleset after receiving a \s-1HUP\s0 signal. Please see the description of @@ -1245,20 +1531,27 @@ \& # 1. 30MB for systems in *.customer1.tld \& # 2. 20MB for SASL user joejob \& # 3. 10MB default -\& id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\e.customer1.tld$ -\& id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob -\& id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000 -\& id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large +\& id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\e.customer1.tld$ +\& id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob +\& id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000 +\& id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large .Ve .PP -.Vb 7 +.Vb 14 \& ## Selective Greylisting +\& ## +\& ## Note that postfwd does not include greylisting. This setup requires a running postgrey service +\& ## at port 10031 and the following postfix restriction class in your main.cf: +\& ## +\& ## smtpd_restriction_classes = check_postgrey, ... +\& ## check_postgrey = check_policy_service inet:127.0.0.1:10031 +\& # \& # 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s \& # 2. Client has no rDNS \& # 3. Client comes from several dialin domains -\& id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 -\& id=GR002; action=greylisting ; client_name=^unknown$ -\& id=GR003; action=greylisting ; client_name=\e.(t-ipconnect|alicedsl|ish)\e.de$ +\& id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 +\& id=GR002; action=check_postgrey ; client_name=^unknown$ +\& id=GR003; action=check_postgrey ; client_name=\e.(t-ipconnect|alicedsl|ish)\e.de$ .Ve .PP .Vb 7 @@ -1268,7 +1561,7 @@ \& time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim \& time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim \& months=-Apr ; action=450 4.7.1 see you in may -\& days=!!Mon-Fri ; action=greylist +\& days=!!Mon-Fri ; action=check_postgrey .Ve .PP .Vb 10 @@ -1280,8 +1573,8 @@ \& id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:... \& id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:... \& id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:... -\& id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 -\& id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000 +\& id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 +\& id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000 .Ve .PP .Vb 14 @@ -1291,8 +1584,8 @@ \& # - is listed in 1 RBL or 1 RHSBL and has no correct rDNS \& # - other clients without correct rDNS will be greylist-checked \& # - some whitelists are used to lower the score -\& id=S01 ; score=2.6 ; action=greylisting -\& id=S02 ; score=5.0 ; action=REJECT postfwd2 score too high +\& id=S01 ; score=2.6 ; action=check_postgrey +\& id=S02 ; score=5.0 ; action=REJECT postfwd score too high \& id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org \& id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net \& id=R02 ; action=score(2.5) ; rhsbl=rhsbl.ahbl.org, rhsbl.sorbs.net @@ -1306,10 +1599,10 @@ \& # The following temporary rejects requests from "unknown" clients, if they \& # 1. exceeded 30 requests per hour or \& # 2. tried to send more than 1.5mb within 10 minutes -\& id=RATE01 ; client_name==unknown ; state==RCPT ; \e -\& action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) -\& id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \e -\& action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes) +\& id=RATE01 ; client_name==unknown ; protocol_state==RCPT +\& action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) +\& id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE +\& action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes) .Ve .PP .Vb 8 @@ -1326,34 +1619,34 @@ .Vb 34 \& ## Groups \& # definition -\& &&RBLS { \e -\& rbl=zen.spamhaus.org ; \e -\& rbl=list.dsbl.org ; \e -\& rbl=bl.spamcop.net ; \e -\& rbl=dnsbl.sorbs.net ; \e -\& rbl=ix.dnsbl.manitu.net ; \e +\& &&RBLS{ +\& rbl=zen.spamhaus.org +\& rbl=list.dsbl.org +\& rbl=bl.spamcop.net +\& rbl=dnsbl.sorbs.net +\& rbl=ix.dnsbl.manitu.net \& }; -\& &&RHSBLS { \e +\& &&RHSBLS{ \& ... \& }; -\& &&DYNAMIC { \e -\& client_name==unknown ; \e -\& client_name~=(\ed+[\e.-_]){4} ; \e -\& client_name~=[\e.-_](adsl|dynamic|ppp|)[\e.-_] ; \e +\& &&DYNAMIC{ +\& client_name==unknown +\& client_name~=(\ed+[\e.-_]){4} +\& client_name~=[\e.-_](adsl|dynamic|ppp|)[\e.-_] \& ... \& }; -\& &&BAD_HELO { \e -\& helo_name==my.name.tld; \e -\& helo_name~=^([^\e.]+)$; \e -\& helo_name~=\e.(local|lan)$; \e +\& &&BAD_HELO{ +\& helo_name==my.name.tld +\& helo_name~=^([^\e.]+)$ +\& helo_name~=\e.(local|lan)$ \& ... \& }; -\& &&MAINTENANCE { \e -\& date=15.01.2007 ; \e -\& date=15.04.2007 ; \e -\& date=15.07.2007 ; \e -\& date=15.10.2007 ; \e -\& time=03:00:00 - 04:00:00 ; \e +\& &&MAINTENANCE{ +\& date=15.01.2007 +\& date=15.04.2007 +\& date=15.07.2007 +\& date=15.10.2007 +\& time=03:00:00 - 04:00:00 \& }; \& # rules \& id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL @@ -1374,7 +1667,7 @@ .Vb 5 \& ## combined with enhanced rbl features \& # -\& id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \e +\& id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS \& action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext) \& id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt] .Ve @@ -1526,7 +1819,7 @@ the prefered way to use postfwd2 in high volume environments. Start postfwd2 with the following parameters: .PP .Vb 1 -\& postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10040 -u nobody -g nobody -S +\& postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10045 -u nobody -g nobody -S .Ve .PP For efficient caching you should check if you can use the options \-\-cacheid, \-\-cache\-rdomain\-only, @@ -1538,19 +1831,19 @@ \& Aug 9 23:00:24 mail postfwd[5158]: postfwd2 n.nn ready for input .Ve .PP -and use `netstat \-an|grep 10040` to check for something like +and use `netstat \-an|grep 10045` to check for something like .PP .Vb 1 -\& tcp 0 0 127.0.0.1:10040 0.0.0.0:* LISTEN +\& tcp 0 0 127.0.0.1:10045 0.0.0.0:* LISTEN .Ve .PP If everything works, open your postfix main.cf and insert the following .PP .Vb 4 -\& 127.0.0.1:10040_time_limit = 3600 <--- integration +\& 127.0.0.1:10045_time_limit = 3600 <--- integration \& smtpd_recipient_restrictions = permit_mynetworks <--- recommended \& reject_unauth_destination <--- recommended -\& check_policy_service inet:127.0.0.1:10040 <--- integration +\& check_policy_service inet:127.0.0.1:10045 <--- integration .Ve .PP Reload your configuration with `postfix reload` and watch your logs. In it works you should see @@ -1575,11 +1868,11 @@ .Vb 3 \& # Restriction Classes \& smtpd_restriction_classes = postfwdcheck, ... <--- integration -\& postfwdcheck = check_policy_service inet:127.0.0.1:10040 <--- integration +\& postfwdcheck = check_policy_service inet:127.0.0.1:10045 <--- integration .Ve .PP .Vb 6 -\& 127.0.0.1:10040_time_limit = 3600 <--- integration +\& 127.0.0.1:10045_time_limit = 3600 <--- integration \& smtpd_recipient_restrictions = permit_mynetworks, <--- recommended \& reject_unauth_destination, <--- recommended \& ... <--- optional @@ -1612,7 +1905,7 @@ For network tests I use netcat: .PP .Vb 1 -\& nc 127.0.0.1 10040 reads rules from -\& -r, --rule adds to config +\& -f, --file reads rules from +\& -r, --rule adds to config .Ve .PP .Vb 2 \& Scoring: -\& -s, --scores = returns when score exceeds +\& -s, --scores = returns when score exceeds .Ve .PP -.Vb 12 +.Vb 8 +\& Control: +\& -d, --daemon run postfwd as daemon +\& -k, --kill stops daemon +\& --reload reloads configuration +\& --dumpstats displays usage statistics +\& --dumpcache displays cache contents +\& --delcache removes an item from the request cache +\& --delrate removes an item from the rate cache +.Ve +.PP +.Vb 13 \& Networking: -\& -d, --daemon run postfwd as daemon -\& -i, --interface listen on interface -\& -p, --port listen on port -\& --proto socket type (tcp or unix) -\& -u, --user set uid to user -\& -g, --group set gid to group -\& --umask set umask for file permissions -\& -R, --chroot chroot the daemon to -\& --pidfile create pidfile under -\& -l, --logname label for syslog messages -\& --loglen truncates syslogs after chars +\& -i, --interface listen on interface +\& -p, --port listen on port +\& --proto socket type (tcp or unix) +\& -u, --user set uid to user +\& -g, --group set gid to group +\& --umask set umask for file permissions +\& -R, --chroot chroot the daemon to +\& --pidfile create pidfile under +\& --facility syslog facility +\& --socktype syslog socktype +\& -l, --logname label for syslog messages +\& --loglen truncates syslogs after chars .Ve .PP .Vb 11 \& Caching: -\& -c, --cache sets the request-cache timeout to seconds -\& --cache-no-size ignores size attribute for caching -\& --cache-no-sender ignores sender address in cache -\& --cache-rdomain-only ignores localpart of recipient address in cache -\& --cache-rbl-timeout default rbl timeout, if not specified in ruleset -\& --cache-rbl-default default rbl response pattern to match (regexp) -\& --cacheid , .. list of attributes for request cache identifier -\& --cleanup-requests cleanup interval in seconds for request cache -\& --cleanup-rbls cleanup interval in seconds for rbl cache -\& --cleanup-rates cleanup interval in seconds for rate cache +\& -c, --cache sets the request-cache timeout to seconds +\& --cache-no-size ignores size attribute for caching +\& --cache-no-sender ignores sender address in cache +\& --cache-rdomain-only ignores localpart of recipient address in cache +\& --cache-rbl-timeout default rbl timeout, if not specified in ruleset +\& --cache-rbl-default default rbl response pattern to match (regexp) +\& --cacheid , .. list of attributes for request cache identifier +\& --cleanup-requests cleanup interval in seconds for request cache +\& --cleanup-rbls cleanup interval in seconds for rbl cache +\& --cleanup-rates cleanup interval in seconds for rate cache .Ve .PP -.Vb 17 +.Vb 20 \& Optional: -\& -t, --test testing, always returns "dunno" -\& -v, --verbose verbose logging, use twice (-vv) to increase level -\& -S, --summary show some usage statistics every seconds -\& --norulelog disbles rule logging -\& --norulestats disables per rule statistics -\& --noidlestats disables statistics when idle -\& -n, --nodns disable dns -\& --nodnslog disable dns logging -\& --dns_async_txt perform dnsbl A and TXT lookups simultaneously -\& --dns_timeout timeout in seconds for asynchonous dns queries -\& --dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated -\& --dns_timeout_interval interval in seconds for dns timeout maximum counter -\& --dns_max_ns_lookups max names to look up with sender_ns_addrs -\& --dns_max_mx_lookups max names to look up with sender_mx_addrs -\& -I, --instantcfg re-reads rulefiles for every new request -\& --config_timeout parser timeout in seconds +\& -t, --test testing, always returns "dunno" +\& -v, --verbose verbose logging, use twice (-vv) to increase level +\& -S, --summary show some usage statistics every seconds +\& --norulelog disbles rule logging +\& --norulestats disables per rule statistics +\& --noidlestats disables statistics when idle +\& -n, --nodns disable dns +\& --nodnslog disable dns logging +\& --dns_async_txt perform dnsbl A and TXT lookups simultaneously +\& --dns_timeout timeout in seconds for asynchonous dns queries +\& --dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated +\& --dns_timeout_interval interval in seconds for dns timeout maximum counter +\& --dns_max_ns_lookups max names to look up with sender_ns_addrs +\& --dns_max_mx_lookups max names to look up with sender_mx_addrs +\& -I, --instantcfg re-reads rulefiles for every new request +\& --config_timeout parser timeout in seconds +\& --keep_rates do not clear rate limit counters on reload +\& --save_rates save and load rate limits on disk +\& --fast_limit_evaluation evaluate rate limits before ruleset is parsed +.Ve +.PP +.Vb 2 +\& Plugins: +\& --plugins loads postfwd plugins from file .Ve .PP .Vb 7 @@ -205,11 +225,6 @@ \& -h, --help shows usage \& -m, --manual shows program manual .Ve -.PP -.Vb 2 -\& Plugins: -\& --plugins loads plugins from -.Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" .Sh "\s-1INTRODUCTION\s0" @@ -245,7 +260,7 @@ (`;`) and the appropriate desired action: .PP .Vb 1 -\& [ [=><~]=; [=><~]=; ... ] action= +\& [ =; =; ... ] action= .Ve .PP \&\fIExample:\fR @@ -290,11 +305,23 @@ A ruleset consists of one or multiple rules, which can be loaded from files or passed as command line arguments. Please see the \s-1COMMAND\s0 \s-1LINE\s0 section below for more information on this topic. .PP -Rules can span multiple lines by adding a trailing backslash \*(L"\e\*(R" character: +Since postfwd version 1.30 rules spanning span multiple lines can be defined by prefixing the following +lines with one or multiple whitespace characters (or '}' for macros): .PP -.Vb 2 -\& id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \e -\& action=REJECT please use your relay from there +.Vb 4 +\& id=RULE001 +\& client_address=192.168.1.0/24 +\& sender==no@bad.local +\& action=REJECT no access +.Ve +.PP +postfwd versions prior to 1.30 require trailing ';' and '\e'\-characters: +.PP +.Vb 4 +\& id=RULE001; \e +\& client_address=192.168.1.0/24; \e +\& sender==no@bad.local; \e +\& action=REJECT no access .Ve .Sh "\s-1ITEMS\s0" .IX Subsection "ITEMS" @@ -379,15 +406,23 @@ \& (whitelisting), as it might be forged. .Ve .PP -.Vb 6 +.Vb 7 \& version - postfwd version, contains "postfwd n.nn" \& this enables version based checks in your rulesets \& (e.g. for migration). works with old versions too, \& because a non-existing item always returns false: -\& id=R01; version~=1.10; sender_domain==some.org \e +\& # version >= 1.10 +\& id=R01; version~=1\e.[1-9][0-9]; sender_domain==some.org \e \& ; action=REJECT sorry no access .Ve .PP +.Vb 4 +\& ratecount - only available for rate(), size() and rcpt() actions. +\& contains the actual limit counter: +\& id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits]) +\& id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits]) +.Ve +.PP Besides these you can specify any attribute of the postfix policy delegation protocol. Feel free to combine them the way you need it (have a look at the \s-1EXAMPLES\s0 section below). .PP @@ -441,27 +476,26 @@ .Ve .PP the current list can be found at . Please read carefully about which -attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at \s-1END_OF_DATA\s0 level). +attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END-OF-MESSAGE level). Pattern matching is performed case insensitive. .PP Multiple use of the same item is allowed and will compared as logical \s-1OR\s0, which means that this will work as expected: .PP .Vb 5 -\& id=TRUST001; action=OK; encryption_keysize=64; \e -\& ccert_fingerprint=11:22:33:44:55:66:77:88:99; \e -\& ccert_fingerprint=22:33:44:55:66:77:88:99:00; \e -\& ccert_fingerprint=33:44:55:66:77:88:99:00:11; \e +\& id=TRUST001; action=OK; encryption_keysize=64 +\& ccert_fingerprint=11:22:33:44:55:66:77:88:99 +\& ccert_fingerprint=22:33:44:55:66:77:88:99:00 +\& ccert_fingerprint=33:44:55:66:77:88:99:00:11 \& sender=@domain\e.local$ .Ve .PP client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values: .PP -.Vb 5 -\& id=SKIP01; action=dunno; \e +.Vb 4 +\& id=SKIP01; action=dunno \& client_address=192.168.1.0/24, 172.16.254.23 -\& id=SKIP02; action=dunno; \e -\& client_address= 10.10.3.32 \e -\& 10.216.222.0/27 +\& id=SKIP02; action=dunno +\& client_address=10.10.3.32 10.216.222.0/27 .Ve .PP The following items currently have to be unique: @@ -473,19 +507,19 @@ Any item can be negated by preceeding '!!' to it, e.g.: .PP .Vb 1 -\& id=TLS001 ; hostname=!!^secure\e.trust\e.local$ ; action=REJECT only secure.trust.local please +\& id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please .Ve .PP or using the right compare operator: .PP .Vb 1 -\& id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that? +\& id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please .Ve .PP To avoid confusion with regexps or simply for better visibility you can use '!!(...)': .PP .Vb 1 -\& id=USER01 ; sasl_username=!!( (bob|alice) ) ; action=REJECT who is that? +\& id=USER01 ; sasl_username = !!( (bob|alice) ) ; action=REJECT who is that? .Ve .PP Request attributes can be compared by preceeding '$$' characters, e.g.: @@ -498,6 +532,40 @@ .PP This is only valid for \s-1PCRE\s0 values (see list above). The comparison will be performed as case insensitive exact match. Use the '\-vv' option to debug. +.PP +These special items will be reset for any new rule: +.PP +.Vb 5 +\& rblcount - contains the number of RBL answers +\& rhsblcount - contains the number of RHSBL answers +\& matches - contains the number of matched items +\& dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form +\& rbltype:rblname:; rbltype:rblname:; ... +.Ve +.PP +These special items will be changed for any matching rule: +.PP +.Vb 1 +\& request_hits - contains ids of all matching rules +.Ve +.PP +This means that it might be necessary to save them, if you plan to use these values in later rules: +.PP +.Vb 6 +\& # set vals +\& id=RBL01 ; rhsblcount=all; rblcount=all +\& action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext) +\& rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org +\& rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net +\& rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net +.Ve +.PP +.Vb 4 +\& # compare +\& id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt] +\& id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt] +\& id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt] +.Ve .Sh "\s-1FILES\s0" .IX Subsection "FILES" Since postfwd1 v1.15 and postfwd2 v0.18 long item lists can be stored in separate files: @@ -526,20 +594,20 @@ This will ignore the right-hand value. Items can be mixed: .PP .Vb 3 -\& id=R002 ; action=REJECT \e -\& client_name==unknown; \e +\& id=R002 ; action=REJECT +\& client_name==unknown \& client_name==file:/etc/postfwd/blacklisted .Ve .PP and for non pcre (comma separated) items: .PP .Vb 2 -\& id=R003 ; action=REJECT \e +\& id=R003 ; action=REJECT \& client_address==10.1.1.1, file:/etc/postfwd/blacklisted .Ve .PP .Vb 2 -\& id=R004 ; action=REJECT \e +\& id=R004 ; action=REJECT \& rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing .Ve .PP @@ -675,7 +743,7 @@ \& by "," characters. .Ve .PP -.Vb 9 +.Vb 18 \& rate (///) \& this command creates a counter for the given , which will be increased any time a request \& containing it arrives. if it exceeds within seconds it will return to postfix. @@ -683,8 +751,17 @@ \& please note that is currently limited to postfix actions (no postfwd actions)! \& # no more than 3 requests per 5 minutes \& # from the same "unknown" client -\& id=RATE01 ; client_name==unknown ; \e -\& action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes) +\& id=RATE01 ; client_name==unknown +\& action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes) +\& Please note also that the order of rate limits in your ruleset is important, which means +\& that this: +\& # works as expected +\& id=R001; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded) +\& id=R002; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender) +\& leads to different results than this: +\& # rule R002 never gets executed +\& id=R001; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender) +\& id=R002; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded) .Ve .PP .Vb 7 @@ -693,8 +770,8 @@ \& increased by the request's size attribute. to do this reliably you should call postfwd from \& smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset: \& # size limit 1.5mb per hour per client -\& id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \e -\& action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour) +\& id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1 +\& action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour) .Ve .PP .Vb 8 @@ -704,8 +781,8 @@ \& from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could \& check it within the ruleset: \& # recipient count limit 3 per hour per client -\& id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \e -\& action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour) +\& id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1 +\& action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour) .Ve .PP .Vb 9 @@ -715,11 +792,18 @@ \& specified to tell postfwd to ignore certain answers and go on parsing the ruleset: \& # example1: query postgrey and return it's answer to postfix \& id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031) -\& # example2: query postgrey but ignore it's answer, if it matches 'DUNNO' +\& # example2: query postgrey but ignore the answer, if it matches 'DUNNO' \& # and continue parsing postfwd's ruleset \& id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$) .Ve .PP +.Vb 4 +\& mail(server/helo/from/to/subject/body) +\& Very basic mail command, that sends a message with the given arguments. LIMITATIONS: +\& This basically performs a telnet. No authentication or TLS are available. Additionally it does +\& not track notification state and will notify you any time, the corresponding rule hits. +.Ve +.PP .Vb 3 \& wait () \& pauses the program execution for seconds. use this for @@ -729,7 +813,7 @@ .Vb 3 \& note () \& just logs the given string and continues parsing the ruleset. -\& if the string is empty, nothing will be logged. +\& if the string is empty, nothing will be logged (noop). .Ve .PP .Vb 3 @@ -743,40 +827,6 @@ .Vb 1 \& id=R-HELO ; helo_name=^[^\e.]+$ ; action=REJECT invalid helo '$$helo_name' .Ve -.PP -These special attributes will be reset for any new rule: -.PP -.Vb 5 -\& rblcount - contains the number of RBL answers -\& rhsblcount - contains the number of RHSBL answers -\& matches - contains the number of matched items -\& dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form -\& rbltype:rblname:; rbltype:rblname:; ... -.Ve -.PP -These special attributes will be changed for any matching rule: -.PP -.Vb 1 -\& request_hits - contains ids of all matching rules -.Ve -.PP -This means that it might be necessary to save them, if you plan to use these values in later rules: -.PP -.Vb 6 -\& # set vals -\& id=RBL01 ; rhsblcount=all ; rblcount=all ; \e -\& rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \e -\& rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \e -\& rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \e -\& action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext) -.Ve -.PP -.Vb 4 -\& # compare -\& id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt] -\& id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt] -\& id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt] -.Ve .Sh "\s-1MACROS/ACLS\s0" .IX Subsection "MACROS/ACLS" Multiple use of long items or combinations of them may be abbreviated by macros. Those must be prefixed by '&&' (two '&' characters). @@ -808,18 +858,18 @@ Macros can contain macros, too: .PP .Vb 16 -\& # definition (note the trailing "\e" characters) -\& &&RBLS { \e -\& rbl=zen.spamhaus.org ; \e -\& rbl=list.dsbl.org ; \e -\& rbl=bl.spamcop.net ; \e -\& rbl=dnsbl.sorbs.net ; \e -\& rbl=ix.dnsbl.manitu.net ; \e +\& # definition +\& &&RBLS{ +\& rbl=zen.spamhaus.org +\& rbl=list.dsbl.org +\& rbl=bl.spamcop.net +\& rbl=dnsbl.sorbs.net +\& rbl=ix.dnsbl.manitu.net \& }; -\& &&DYNAMIC { \e -\& client_name=^unknown$ ; \e -\& client_name=(\ed+[\e.-_]){4} ; \e -\& client_name=[\e.-_](adsl|dynamic|ppp|)[\e.-_] ; \e +\& &&DYNAMIC{ +\& client_name=^unknown$ +\& client_name=(\ed+[\e.-_]){4} +\& client_name=[\e.-_](adsl|dynamic|ppp|)[\e.-_] \& }; \& &&GOAWAY { &&RBLS; &&DYNAMIC; }; \& # rules @@ -829,7 +879,194 @@ Basically macros are simple text substitutions \- see the \*(L"\s-1PARSER\s0\*(R" section for more information. .Sh "\s-1PLUGINS\s0" .IX Subsection "PLUGINS" -Please visit +\&\fBDescription\fR +.PP +The plugin interface allow you to define your own checks and enhance postfwd's +functionality. Feel free to share useful things! +.PP +\&\fBWarning\fR +.PP +Note that the plugin interface is still at devel stage. Please test your plugins +carefully, because errors may cause postfwd to break! It is also +allowed to override attributes or built-in functions, but be sure that you know +what you do because some of them are used internally. +.PP +Please keep security in mind, when you access sensible ressources and never, ever +run postfwd as privileged user! Also never trust your input (especially hostnames, +and e\-mail addresses). +.PP +\&\fB\s-1ITEMS\s0\fR +.PP +Item plugins are perl subroutines which integrate additional attributes to requests +before they are evaluated against postfwd's ruleset like any other item of the +policy delegation protocol. This allows you to create your own checks. +.PP +plugin-items can not be used selective. these functions will be executed for every +request postfwd receives, so keep performance in mind. +.PP +.Vb 1 +\& SYNOPSIS: %result = postfwd_items_plugin{}(%request) +.Ve +.PP +means that your subroutine, called , has access to a hash called \f(CW%request\fR, +which contains all request attributes, like \f(CW$request\fR{client_name} and must +return a value in the following form: +.PP +.Vb 1 +\& save: $result{} = +.Ve +.PP +this creates the new item containing , which will be integrated in +the policy delegation request and therefore may be used in postfwd's ruleset. +.PP +.Vb 2 +\& # do NOT remove the next line +\& %postfwd_items_plugin = ( +.Ve +.PP +.Vb 1 +\& # EXAMPLES - integrated in postfwd. no need to activate them here. +.Ve +.PP +.Vb 8 +\& # allows to check postfwd version in ruleset +\& "version" => sub { +\& my(%request) = @_; +\& my(%result) = ( +\& "version" => $NAME." ".$VERSION, +\& ); +\& return %result; +\& }, +.Ve +.PP +.Vb 10 +\& # sender_domain and recipient_domain +\& "address_parts" => sub { +\& my(%request) = @_; +\& my(%result) = (); +\& $request{sender} =~ /@([^@]*)$/; +\& $result{sender_domain} = ($1 || ''); +\& $request{recipient} =~ /@([^@]*)$/; +\& $result{recipient_domain} = ($1 || ''); +\& return %result; +\& }, +.Ve +.PP +.Vb 2 +\& # do NOT remove the next line +\& ); +.Ve +.PP +\&\fB\s-1COMPARE\s0\fR +.PP +Compare plugins allow you to define how your new items should be compared to the ruleset. +These are optional. If you don't specify one, the default (== for exact match, =~ for \s-1PCRE\s0, ...) +will be used. +.PP +.Vb 1 +\& SYNOPSIS: => sub { return &{$postfwd_compare{}}(@_); }, +.Ve +.PP +.Vb 2 +\& # do NOT remove the next line +\& %postfwd_compare_plugin = ( +.Ve +.PP +.Vb 1 +\& EXAMPLES - integrated in postfwd. no need to activate them here. +.Ve +.PP +.Vb 5 +\& # Simple example +\& # SYNOPSIS: = (return &{$postfwd_compare{}}(@_)) +\& "client_address" => sub { return &{$postfwd_compare{cidr}}(@_); }, +\& "size" => sub { return &{$postfwd_compare{numeric}}(@_); }, +\& "recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); }, +.Ve +.PP +.Vb 22 +\& # Complex example +\& # SYNOPSIS: = (, , , ) +\& "numeric" => sub { +\& my($cmp,$val,$myitem,%request) = @_; +\& my($myresult) = undef; $myitem ||= "0"; $val ||= "0"; +\& if ($cmp eq '==') { +\& $myresult = ($myitem == $val); +\& } elsif ($cmp eq '=<') { +\& $myresult = ($myitem <= $val); +\& } elsif ($cmp eq '=>') { +\& $myresult = ($myitem >= $val); +\& } elsif ($cmp eq '!=') { +\& $myresult = not($myitem == $val); +\& } elsif ($cmp eq '!<') { +\& $myresult = not($myitem <= $val); +\& } elsif ($cmp eq '!>') { +\& $myresult = not($myitem >= $val); +\& } else { +\& $myresult = ($myitem >= $val); +\& }; +\& return $myresult; +\& }, +.Ve +.PP +.Vb 2 +\& # do NOT remove the next line +\& ); +.Ve +.PP +\&\fB\s-1ACTIONS\s0\fR +.PP +Action plugins allow to define new postfwd actions. By setting the \f(CW$stop\fR\-flag you can decide to +continue or to stop parsing the ruleset. +.PP +.Vb 2 +\& SYNOPSIS: (, , , , ) = +\& (, , , , , ) +.Ve +.PP +.Vb 2 +\& # do NOT remove the next line +\& %postfwd_actions_plugin = ( +.Ve +.PP +.Vb 1 +\& # EXAMPLES - integrated in postfwd. no need to activate them here. +.Ve +.PP +.Vb 7 +\& # note() command +\& "note" => sub { +\& my($index,$now,$mycmd,$myarg,$myline,%request) = @_; +\& my($myaction) = $default_action; my($stop) = 0; +\& mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg; +\& return ($stop,$index,$myaction,$myline,%request); +\& }, +.Ve +.PP +.Vb 7 +\& # skips next rules +\& "skip" => sub { +\& my($index,$now,$mycmd,$myarg,$myline,%request) = @_; +\& my($myaction) = $default_action; my($stop) = 0; +\& $index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) ); +\& return ($stop,$index,$myaction,$myline,%request); +\& }, +.Ve +.PP +.Vb 7 +\& # dumps current request contents to syslog +\& "dumprequest" => sub { +\& my($index,$now,$mycmd,$myarg,$myline,%request) = @_; +\& my($myaction) = $default_action; my($stop) = 0; +\& map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request); +\& return ($stop,$index,$myaction,$myline,%request); +\& }, +.Ve +.PP +.Vb 2 +\& # do NOT remove the next line +\& ); +.Ve .Sh "\s-1COMMAND\s0 \s-1LINE\s0" .IX Subsection "COMMAND LINE" \&\fIRuleset\fR @@ -849,14 +1086,6 @@ \& strings that contain whitespaces or shell characters. .Ve .PP -\&\fIPlugins\fR -.PP -.Vb 3 -\& --plugins -\& A file containing plugin routines for postfwd. Please see the -\& PLUGINS section for more information. -.Ve -.PP \&\fIScoring\fR .PP .Vb 2 @@ -867,7 +1096,7 @@ Multiple usage is allowed. Just chain your arguments, like: .PP .Vb 3 -\& postfwd -r "=;action=" -f -f --plugins ... +\& postfwd -r "=;action=" -f -f ... \& or \& postfwd --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd score too high" ... .Ve @@ -875,10 +1104,7 @@ In case of multiple scores, the highest match will count. The order of the arguments will be reflected in the postfwd ruleset. .PP -\&\fINetworking\fR -.PP -postfwd can be run as daemon so that it listens on the network for incoming requests. -The following arguments will control it's behaviour in this case. +\&\fIControl\fR .PP .Vb 3 \& -d, --daemon @@ -887,6 +1113,49 @@ .Ve .PP .Vb 2 +\& -k, --kill +\& Stops a running postfwd daemon. +.Ve +.PP +.Vb 2 +\& --reload +\& Reloads configuration. +.Ve +.PP +.Vb 2 +\& --dumpstats +\& Displays program usage statistics. +.Ve +.PP +.Vb 2 +\& --dumpcache +\& Displays cache contents. +.Ve +.PP +.Vb 10 +\& --delcache +\& Removes an item from the request cache. Use --dumpcache to identify objects. +\& E.g.: +\& # postfwd --dumpcache +\& ... +\& %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1' +\& %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2' +\& ... +\& # postfwd --delrate="sender=gmato@jqvo.org" +\& rate cache item 'sender=gmato@jqvo.org' removed +.Ve +.PP +.Vb 2 +\& --delrate +\& Removes an item from the rate cache. Use --dumpcache to identify objects. +.Ve +.PP +\&\fINetworking\fR +.PP +postfwd can be run as daemon so that it listens on the network for incoming requests. +The following arguments will control it's behaviour in this case. +.PP +.Vb 2 \& -i, --interface \& Bind postfwd to the specified interface (default 127.0.0.1). .Ve @@ -931,6 +1200,17 @@ \& The process id will be saved in the specified file. .Ve .PP +.Vb 2 +\& --facility +\& sets the syslog facility, default is 'mail' +.Ve +.PP +.Vb 3 +\& --socktype +\& sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'. +\& Default is to auto-detect this depening on module version and os. +.Ve +.PP .Vb 3 \& -l, --logname \& Labels the syslog messages. Useful when running multiple @@ -942,6 +1222,14 @@ \& Truncates any syslog message after characters. .Ve .PP +\&\fIPlugins\fR +.PP +.Vb 3 +\& --plugins +\& Loads postfwd plugins from file. Please see http://postfwd.org/postfwd.plugins +\& or the plugins.postfwd.sample that is available from the tarball for more info. +.Ve +.PP \&\fIOptional arguments\fR .PP These parameters influence the way postfwd is working. Any of them can be combined. @@ -1121,6 +1409,28 @@ \& be skipped. this is used to prevent problems due to large files or loops. .Ve .PP +.Vb 4 +\& --keep_rates (default=0) +\& With this option set postfwd does not clear the rate limit counters on reload. Please +\& note that you have to restart (not reload) postfwd with this option if you change +\& any rate limit rules. +.Ve +.PP +.Vb 4 +\& --save_rates (default=none) +\& With this option postfwd saves existing rate limit counters to disk and reloads them +\& on program start. This allows persistent rate limits across program restarts or reboots. +\& Please note that postfwd needs read and write access to the specified file. +.Ve +.PP +.Vb 5 +\& --fast_limit_evaluation (default=0) +\& Once a ratelimit was set by the ruleset, future requests will be evaluated against it +\& before consulting the ruleset. This mode was the default behaviour until v1.30. +\& With this mode rate limits will be faster, but also eventually set up +\& whitelisting-rules within the ruleset might not work as expected. +.Ve +.PP \&\fIInformational arguments\fR .PP These arguments are for command line usage only. Never ever use them with postfix spawn! @@ -1193,20 +1503,27 @@ \& # 1. 30MB for systems in *.customer1.tld \& # 2. 20MB for SASL user joejob \& # 3. 10MB default -\& id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\e.customer1.tld$ -\& id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob -\& id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000 -\& id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large +\& id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\e.customer1.tld$ +\& id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob +\& id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000 +\& id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large .Ve .PP -.Vb 7 +.Vb 14 \& ## Selective Greylisting +\& ## +\& ## Note that postfwd does not include greylisting. This setup requires a running postgrey service +\& ## at port 10031 and the following postfix restriction class in your main.cf: +\& ## +\& ## smtpd_restriction_classes = check_postgrey, ... +\& ## check_postgrey = check_policy_service inet:127.0.0.1:10031 +\& # \& # 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s \& # 2. Client has no rDNS \& # 3. Client comes from several dialin domains -\& id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 -\& id=GR002; action=greylisting ; client_name=^unknown$ -\& id=GR003; action=greylisting ; client_name=\e.(t-ipconnect|alicedsl|ish)\e.de$ +\& id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 +\& id=GR002; action=check_postgrey ; client_name=^unknown$ +\& id=GR003; action=check_postgrey ; client_name=\e.(t-ipconnect|alicedsl|ish)\e.de$ .Ve .PP .Vb 7 @@ -1216,7 +1533,7 @@ \& time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim \& time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim \& months=-Apr ; action=450 4.7.1 see you in may -\& days=!!Mon-Fri ; action=greylist +\& days=!!Mon-Fri ; action=check_postgrey .Ve .PP .Vb 10 @@ -1228,8 +1545,8 @@ \& id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:... \& id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:... \& id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:... -\& id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 -\& id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000 +\& id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 +\& id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000 .Ve .PP .Vb 14 @@ -1239,7 +1556,7 @@ \& # - is listed in 1 RBL or 1 RHSBL and has no correct rDNS \& # - other clients without correct rDNS will be greylist-checked \& # - some whitelists are used to lower the score -\& id=S01 ; score=2.6 ; action=greylisting +\& id=S01 ; score=2.6 ; action=check_postgrey \& id=S02 ; score=5.0 ; action=REJECT postfwd score too high \& id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org \& id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net @@ -1254,10 +1571,10 @@ \& # The following temporary rejects requests from "unknown" clients, if they \& # 1. exceeded 30 requests per hour or \& # 2. tried to send more than 1.5mb within 10 minutes -\& id=RATE01 ; client_name==unknown ; state==RCPT ; \e -\& action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) -\& id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \e -\& action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes) +\& id=RATE01 ; client_name==unknown ; protocol_state==RCPT +\& action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) +\& id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE +\& action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes) .Ve .PP .Vb 8 @@ -1274,34 +1591,34 @@ .Vb 34 \& ## Groups \& # definition -\& &&RBLS { \e -\& rbl=zen.spamhaus.org ; \e -\& rbl=list.dsbl.org ; \e -\& rbl=bl.spamcop.net ; \e -\& rbl=dnsbl.sorbs.net ; \e -\& rbl=ix.dnsbl.manitu.net ; \e +\& &&RBLS{ +\& rbl=zen.spamhaus.org +\& rbl=list.dsbl.org +\& rbl=bl.spamcop.net +\& rbl=dnsbl.sorbs.net +\& rbl=ix.dnsbl.manitu.net \& }; -\& &&RHSBLS { \e +\& &&RHSBLS{ \& ... \& }; -\& &&DYNAMIC { \e -\& client_name==unknown ; \e -\& client_name~=(\ed+[\e.-_]){4} ; \e -\& client_name~=[\e.-_](adsl|dynamic|ppp|)[\e.-_] ; \e +\& &&DYNAMIC{ +\& client_name==unknown +\& client_name~=(\ed+[\e.-_]){4} +\& client_name~=[\e.-_](adsl|dynamic|ppp|)[\e.-_] \& ... \& }; -\& &&BAD_HELO { \e -\& helo_name==my.name.tld; \e -\& helo_name~=^([^\e.]+)$; \e -\& helo_name~=\e.(local|lan)$; \e +\& &&BAD_HELO{ +\& helo_name==my.name.tld +\& helo_name~=^([^\e.]+)$ +\& helo_name~=\e.(local|lan)$ \& ... \& }; -\& &&MAINTENANCE { \e -\& date=15.01.2007 ; \e -\& date=15.04.2007 ; \e -\& date=15.07.2007 ; \e -\& date=15.10.2007 ; \e -\& time=03:00:00 - 04:00:00 ; \e +\& &&MAINTENANCE{ +\& date=15.01.2007 +\& date=15.04.2007 +\& date=15.07.2007 +\& date=15.10.2007 +\& time=03:00:00 - 04:00:00 \& }; \& # rules \& id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL @@ -1322,7 +1639,7 @@ .Vb 5 \& ## combined with enhanced rbl features \& # -\& id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \e +\& id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS \& action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext) \& id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt] .Ve diff -Nru postfwd-1.20/plugins/postfwd.plugins.sample postfwd-1.32/plugins/postfwd.plugins.sample --- postfwd-1.20/plugins/postfwd.plugins.sample 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/plugins/postfwd.plugins.sample 2011-08-20 23:33:55.000000000 +0000 @@ -0,0 +1,167 @@ +# +# +# Example plugin file for postfwd - see http://postfwd.org +# +# +# Description: +# +# The plugin interface allow you to define your own checks and enhance postfwd's +# functionality. Feel free to share useful things! +# +# +# Warning: +# +# Check changes carefully, because errors may cause postfwd to break! It is also +# allowed to override attributes or built-in functions, but be sure that you know +# what you do because some of them are used internally. +# Please keep security in mind, when you access sensible ressources and never, ever +# run postfwd as privileged user! Also never trust your input (especially hostnames, +# and e-mail addresses). + + +# +# ITEMS +# ===== +# +# Item plugins are perl subroutines which integrate additional attributes to requests +# before they are evaluated against postfwd's ruleset like any other item of the +# policy delegation protocol. This allows you to create your own checks. +# +# plugin-items can not be used selective. these functions will be executed for every +# request postfwd receives, so keep performance in mind. +# +# SYNOPSIS: %result = postfwd_items_plugin{}(%request) +# +# means that your subroutine, called , has access to a hash called %request, +# which contains all request attributes, like $request{client_name} and must +# return a value in the following form: +# +# save: $result{} = +# +# this creates the new item containing , which will be integrated in +# the policy delegation request and therefore may be used in postfwd's ruleset. + +# do NOT remove the next line +%postfwd_items_plugin = ( + + # EXAMPLES - integrated in postfwd. no need to activate them here. + # + # # allows to check postfwd version in ruleset + # "version" => sub { + # my(%request) = @_; + # my(%result) = ( + # "version" => $NAME." ".$VERSION, + # ); + # return %result; + # }, + # + # # sender_domain and recipient_domain + # "address_parts" => sub { + # my(%request) = @_; + # my(%result) = (); + # $request{sender} =~ /@([^@]*)$/; + # $result{sender_domain} = ($1 || ''); + # $request{recipient} =~ /@([^@]*)$/; + # $result{recipient_domain} = ($1 || ''); + # return %result; + # }, + # }, + +# do NOT remove the next line +); + + +# +# COMPARE +# ======= +# +# Compare plugins allow you to define how your new items should be compared to the ruleset. +# These are optional. If you don't specify one, the default (== for exact match, =~ for PCRE, ...) +# will be used. +# +# SYNOPSIS: => sub { return &{$postfwd_compare{}}(@_); }, + +# do NOT remove the next line +%postfwd_compare_plugin = ( + + # EXAMPLES - integrated in postfwd. no need to activate them here. + # + # # CIDR compare + # "client_address" => sub { return &{$postfwd_compare{cidr}}(@_); }, + # + # # Numeric compare + # "size" => sub { return &{$postfwd_compare{numeric}}(@_); }, + # "recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); }, + # + # # Complex example + # # SYNOPSIS: = (, , , ) + # "numeric" => sub { + # my($cmp,$val,$myitem,%request) = @_; + # my($myresult) = undef; $myitem ||= "0"; $val ||= "0"; + # if ($cmp eq '==') { + # $myresult = ($myitem == $val); + # } elsif ($cmp eq '=<') { + # $myresult = ($myitem <= $val); + # } elsif ($cmp eq '=>') { + # $myresult = ($myitem >= $val); + # } elsif ($cmp eq '!=') { + # $myresult = not($myitem == $val); + # } elsif ($cmp eq '!<') { + # $myresult = not($myitem <= $val); + # } elsif ($cmp eq '!>') { + # $myresult = not($myitem >= $val); + # } else { + # $myresult = ($myitem >= $val); + # }; + # return $myresult; + # }, + +# do NOT remove the next line +); + + +# +# ACTIONS +# ======= +# +# Action plugins allow to define new postfwd actions. +# +# SYNOPSIS: (, , , , ) = +# (, , , , , ) + +# do NOT remove the next line +%postfwd_actions_plugin = ( + + # EXAMPLES - integrated in postfwd. no need to activate them here. + # + # # note() command + # "note" => sub { + # my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + # my($myaction) = $default_action; my($stop) = 0; + # mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg; + # return ($stop,$index,$myaction,$myline,%request); + # }, + # + # # skips next rules + # "skip" => sub { + # my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + # my($myaction) = $default_action; my($stop) = 0; + # $index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) ); + # return ($stop,$index,$myaction,$myline,%request); + # }, + # + # # dumps current request contents to syslog + # "dumprequest" => sub { + # my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + # my($myaction) = $default_action; my($stop) = 0; + # map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request); + # return ($stop,$index,$myaction,$myline,%request); + # }, + +# do NOT remove the next line +); + +# do NOT remove the next line +1; + +## EOF postfwd.plugins diff -Nru postfwd-1.20/sbin/postfwd postfwd-1.32/sbin/postfwd --- postfwd-1.20/sbin/postfwd 2010-11-14 21:49:28.000000000 +0000 +++ postfwd-1.32/sbin/postfwd 2011-12-18 12:34:41.000000000 +0000 @@ -21,11 +21,27 @@ use Net::Server::Multiplex; use vars qw(@ISA); @ISA = qw(Net::Server::Multiplex); - +our($TIMEHIRES); our($STORABLE); +BEGIN { + eval { require Time::HiRes }; + if ($@) { + $TIMEHIRES = '%d'; + } else { + Time::HiRes->import( qw(time) ); + $TIMEHIRES = '%.2f'; + }; + eval { require Storable }; + if ($@) { + $STORABLE = undef; + } else { + $STORABLE = Storable->VERSION; + Storable->import( qw(store retrieve) ); + }; +}; # Program constants our($NAME) = 'postfwd'; -our($VERSION) = '1.20'; +our($VERSION) = '1.32'; # Networking options (use -i, -p and -R to change) our($def_net_pid) = "/var/run/".$NAME.".pid"; @@ -43,6 +59,7 @@ our($def_dns_max_mx_a_lookups) = "100"; our($def_config_timeout) = "3"; our($reply_maxlen) = "512"; +our($max_command_recursion) = "64"; # change this, to match your POD requirements # we need pod2text for the -m switch (manual) @@ -202,25 +219,33 @@ our($SepLst) = ':::'; our($KeyVal) = qr/^([^=]+)=(.*)$/; use vars qw( - @Configs @Rules @CacheID @DNSBL_Text @Plugins @Rate_Items - %Config_Cache %DNS_Cache %Request_Cache %Rule_by_ID + @Configs @Rules @CacheID @DNSBL_Text @Plugins @Rate_Items @DEBUGLIST + %Config_Cache %DNS_Cache %Request_Cache %Rule_by_ID %DEBUG %Matches %opt_scores %ACLs %Rates %Timeouts %postfwd_items %postfwd_items_plugin %postfwd_compare %postfwd_compare_plugin %postfwd_actions %postfwd_actions_plugin $Counter_Requests $Counter_Hits $opt_max_ns_lookups $opt_max_mx_lookups $Counter_Interval $Counter_Top $Counter_Rates - $Starttime $Startdate $Cleanup_Requests - $Cleanup_RBLs $Cleanup_Rates $Cleanup_Timeouts + $Starttime $Cleanup_Requests $Cleanup_RBLs $Cleanup_Rates $Cleanup_Timeouts $opt_daemon $opt_instantconfig $opt_nodns $opt_nodnslog $opt_norulelog $opt_summary $net_interface $net_port $net_umask - $net_user $net_group $net_chroot $net_pid $net_proto - $opt_perfmon $opt_test $opt_verbose $opt_noidlestats - $opt_cache_rdomain_only $opt_cache_no_size $config_timeout - $opt_cache_no_sender $opt_no_rulestats $opt_kill $opt_hup - $opt_showconfig $opt_stdoutlog $opt_shortlog $dns_async_txt + $net_user $net_group $net_chroot $net_pid $net_proto $opt_saverates + $opt_perfmon $opt_test $opt_verbose $opt_noidlestats $opt_delcache $opt_delrate + $opt_cache_rdomain_only $opt_cache_no_size $config_timeout $opt_fast_limits + $opt_cache_no_sender $opt_no_rulestats $opt_kill $opt_hup $opt_dumpcache $opt_dumpstats + $opt_showconfig $opt_stdoutlog $opt_shortlog $dns_async_txt $opt_keep_rates_on_reload $DNS $Reload_Conf $dns_queuesize $dns_retries $dns_timeout ); +our %Name_To_Var = ( + \%Config_Cache => '%config_cache', + \%Request_Cache => '%request_cache', + \%DNS_Cache => '%dns_cache', + \%Rates => '%rate_cache', + \%ACLs => '%acl_cache', + \%Matches => '%match_cache', + \%Timeouts => '%timeout_cache', +); ### SUB tools @@ -243,7 +268,7 @@ syslog $prio, "$msg", @_; }; } else { syslog $prio, "$msg", @_; }; - } else { printf "[LOG $prio]: $msg\n", @_; }; + } else { $msg =~ s/\%/%%/g; printf "[LOG $prio]: $msg\n", @_; }; }; }; # @@ -272,6 +297,17 @@ unless $opt_perfmon; }; # +# tests debug levels +# +sub wantsdebug { + return unless %DEBUG; + foreach (@_) { return 1 if $DEBUG{$_} }; +}; +# +# prints formatted timestamp +# +sub ts { return sprintf ("$TIMEHIRES", $_[0]) }; +# # Log an error and abort. # sub fatal_exit { @@ -286,6 +322,7 @@ undef $opt_noidlestats; show_stats() if $opt_summary; $net_pid ||= $def_net_pid; unlink $net_pid if (-T $net_pid); + save_rates(); mylogs "notice", $NAME." ".$VERSION." terminated" if $opt_daemon; exit; }; @@ -340,6 +377,32 @@ }; return %result; }; # +# displays hash structure +# +sub hash_to_list { + my ($pre, %request) = @_; my @output = (); + # get longest key + my $minkey = '-'.(length((sort {length($b) <=> length($a)} (keys %request))[0] || '') + 1); + while ( my($s, $v) = each %request ) { + my $r = ref $v; + if ($r eq 'HASH') { + push @output, (%{$v}) + ? hash_to_list ( sprintf ("%s -> %".$minkey."s", $pre, '%'.$s), %{$v} ) + : sprintf ("%s -> %".$minkey."s -> %s", $pre, '%'.$s, 'undef'); + } elsif ($r eq 'ARRAY') { + push @output, sprintf ("%s -> %".$minkey."s -> %s", $pre, '@'.$s, ((@{$v}) ? "'".(join ",", @{$v})."'" : 'undef')); + } elsif ($r eq 'CODE') { + push @output, sprintf ("%s -> %".$minkey."s -> %s", $pre, '&'.$s, ((defined $v) ? "'".$v."'" : 'undef')); + } else { + push @output, sprintf ("%s -> %".$minkey."s -> %s", $pre, '$'.$s, ((defined $v) ? "'".$v."'" : 'undef')); + }; + }; + return sort { my ($c, $d) = ($a, $b); + $c =~ tr/$/1/; $c =~ tr/&/2/; $c =~ tr/@/3/; $c =~ tr/%/4/; + $d =~ tr/$/1/; $d =~ tr/&/2/; $d =~ tr/@/3/; $d =~ tr/%/4/; + return $c cmp $d; } @output; +}; +# # get ip and mask # sub cidr_parse @@ -374,16 +437,12 @@ foreach my $checkitem (keys %DNS_Cache) { # remove inclomplete objects (dns timeouts) if ( !defined($DNS_Cache{$checkitem}{"time"}) or !defined($DNS_Cache{$checkitem}{ttl}) ) { - mylogs $syslog_priority, "[CLEANUP] deleting incomplete dns-cache item $checkitem after " - .((defined $DNS_Cache{$checkitem}{"time"}) ? ($now - $DNS_Cache{$checkitem}{"time"}) : '') - ." seconds (timeout: ".((defined $DNS_Cache{$checkitem}{ttl}) ? $DNS_Cache{$checkitem}{ttl} : '')."s)" - if ($opt_verbose > 1); + mylogs $syslog_priority, "[CLEANUP] deleting incomplete dns-cache item '$checkitem'" if (wantsdebug(qw[ all cleanup ])); delete $DNS_Cache{$checkitem}; # remove timed out objects } elsif ( ($now - $DNS_Cache{$checkitem}{"time"}) > $DNS_Cache{$checkitem}{ttl} ) { - mylogs $syslog_priority, "[CLEANUP] removing rbl-cache for $checkitem after " - .($now - $DNS_Cache{$checkitem}{"time"})." seconds (timeout: ".$DNS_Cache{$checkitem}{ttl}."s)" - if ($opt_verbose > 1); + mylogs $syslog_priority, "[CLEANUP] removing dns-cache item '$checkitem' after ttl ".$DNS_Cache{$checkitem}{ttl}."s" + if (wantsdebug(qw[ all cleanup ])); delete $DNS_Cache{$checkitem}; }; }; @@ -394,10 +453,12 @@ sub cleanup_request_cache { my($now) = $_[0]; foreach my $checkitem (keys %Request_Cache) { - if ( (($now - $Request_Cache{$checkitem}{"time"}) > $REQUEST_MAX_CACHE) ) { - mylogs $syslog_priority, "[CLEANUP] removing request-cache $checkitem after " - .($now - $Request_Cache{$checkitem}{"time"})." seconds (timeout: ".$REQUEST_MAX_CACHE."s)" - if ($opt_verbose > 1); + if ( not(defined $Request_Cache{$checkitem}{'until'}) ) { + mylogs $syslog_priority, "[CLEANUP] deleting incomplete request-cache item '$checkitem'" if (wantsdebug(qw[ all cleanup ])); + delete $Request_Cache{$checkitem}; + } elsif ( $now > $Request_Cache{$checkitem}{'until'} ) { + mylogs $syslog_priority, "[CLEANUP] removing request-cache item '$checkitem' after ttl ".$REQUEST_MAX_CACHE."s" + if (wantsdebug(qw[ all cleanup ])); delete $Request_Cache{$checkitem}; }; }; @@ -408,11 +469,29 @@ sub cleanup_rate_cache { my($now) = $_[0]; foreach my $checkitem (keys %Rates) { - if ( (($now - $Rates{$checkitem}{"time"}) > $Rates{$checkitem}{ttl}) ) { - mylogs $syslog_priority, "[CLEANUP] removing rate-cache for $checkitem after " - .($now - $Rates{$checkitem}{"time"})." seconds (timeout: ".$Rates{$checkitem}{ttl}."s)" - if ($opt_verbose > 1); + unless (defined $Rates{$checkitem}{'list'}) { delete $Rates{$checkitem}; + } else { + my @i = (); + foreach my $crate (@{$Rates{$checkitem}{'list'}}) { + if ( not(defined $Rates{$checkitem}{$crate}{'until'}) ) { + mylogs $syslog_priority, "[CLEANUP] deleting incomplete rate-cache item '$checkitem'->'$crate'" if (wantsdebug(qw[ all cleanup ])); + delete $Rates{$checkitem}{$crate}; + } elsif ( $now > $Rates{$checkitem}{$crate}{'until'} ) { + mylogs $syslog_priority, "[CLEANUP] removing rate-cache item '$checkitem'->'$crate' after ttl ".$Rates{$checkitem}{$crate}{ttl}."s" + if (wantsdebug(qw[ all cleanup ])); + delete $Rates{$checkitem}{$crate}; + } else { + push @i, $crate; + }; + }; + unless ($i[0]) { + mylogs $syslog_priority, "[CLEANUP] deleting complete rate-cache item '$checkitem'" if (wantsdebug(qw[ all cleanup ])); + delete $Rates{$checkitem}; + } else { + mylogs $syslog_priority, "[CLEANUP] new index list for rate-cache item '$checkitem': ".(join ', ', @i) if (wantsdebug(qw[ all cleanup ])); + @{$Rates{$checkitem}{'list'}} = @i; + }; }; }; }; @@ -425,44 +504,74 @@ ( exists($MAX_SCORES{$myscore}) ) ? mylogs "notice", "redefined score $myscore with action=\"$myaction\"" : mylogs "notice", "setting new score $myscore with action=\"$myaction\"" - if $opt_verbose; + if wantsdebug(qw[ all thisrequest verbose score ]); $MAX_SCORES{$myscore} = $myaction; }; + # -# displays program usage statistics +# dump cache contents # -sub show_stats { - my($now) = time; +sub dump_cache { + my @dump = (); my @list = (\%Request_Cache, \%Rates); + @list = (@list, \%DNS_Cache) unless $opt_nodns; + @list = (@list, \%Config_Cache, \%ACLs, \%Matches, \%Timeouts) if wantsdebug(qw[ all verbose ]); + map { @dump = ( @dump, hash_to_list ($Name_To_Var{$_}, %{$_}) ) } @list; + return @dump; +}; + +# +# creates program usage statistics +# +sub list_stats { + my $now = time(); my @output = (); + my $uptime = $now - $Starttime; $Counter_Requests ||= 0; $Counter_Interval ||= 0; $Counter_Top ||= 0; $Counter_Hits ||= 0; $Counter_Rates ||= 0; - my($totalreqpermin) = ( ((($now - $Starttime) > 0) ? ($Counter_Requests / ($now - $Starttime)) : 0 ) * 60); + my($totalreqpermin) = ( (($uptime > 0) ? ($Counter_Requests / $uptime) : 0 ) * 60); my($lastreqpermin) = ($Counter_Interval / (((defined $Stat_Interval_Time) and ($Stat_Interval_Time > 0)) ? $Stat_Interval_Time : 1)) * 60; $Counter_Top = $lastreqpermin if ($lastreqpermin > $Counter_Top); if (not($opt_noidlestats) or ($Counter_Interval > 0) ) { - mylog "notice", "[STATS] Counters: %d seconds uptime since %s", - ($now - $Starttime), $Startdate; - mylog "notice", "[STATS] Requests: %d overall, %d last interval, %.2f%% cache hits, %.2f%% rate hits", + push @output, sprintf ( + "%s %s: up since %d days, %02d:%02d:%02d hours", + $NAME, $VERSION, + ($uptime / 60 / 60 / 24), + (($uptime / 60 / 60) % 24), + (($uptime / 60) % 60), + ($uptime % 60)); + + push @output, sprintf ("Requests: %d overall, %d last interval, %.1f%% cache hits, %.1f%% rate hits", $Counter_Requests, $Counter_Interval, ($Counter_Requests > 0) ? (($Counter_Hits / $Counter_Requests) * 100) : 0, - ($Counter_Requests > 0) ? (($Counter_Rates / $Counter_Requests) * 100) : 0; + ($Counter_Requests > 0) ? (($Counter_Rates / $Counter_Requests) * 100) : 0); - mylog "notice", "[STATS] Averages: %.2f overall, %.2f last interval, %.2f top", - $totalreqpermin, $lastreqpermin, $Counter_Top; + push @output, sprintf ("Averages: %.1f overall, %.1f last interval, %.1f top", + $totalreqpermin, $lastreqpermin, $Counter_Top); - mylog "notice", "[STATS] Contents: %d rules, %d cached requests, %d cached dns results, %d rate limits", - $#Rules, scalar keys %Request_Cache, scalar keys %DNS_Cache, scalar keys %Rates; + push @output, sprintf ("Contents: %d rules, %d cached requests, %d cached dns results, %d rate limits", + $#Rules, scalar keys %Request_Cache, scalar keys %DNS_Cache, scalar keys %Rates); # per rule stats - map { mylogs "notice", "[STATS] Rule ID: $_ matched: $Matches{$_} times" } (sort keys %Matches) unless $opt_no_rulestats; + if (not($opt_no_rulestats) and @Rules and %Matches) { + my @rulecharts = (sort { ($Matches{$b} || 0) <=> ($Matches{$a} || 0) } (keys %Matches)); my $cntln = length(($Matches{$rulecharts[0]} || 2)) + 2; + map { push @output, sprintf ("%".$cntln."d matches for id: %s", ($Matches{$_} || 0), $_) } @rulecharts; + }; }; + return @output; +}; +# +# shows program usage statistics via syslog +# +sub show_stats { + map { mylog 'notice', "[STATS] $_" } list_stats(); $Counter_Interval = 0; }; + # # returns content of !!() negation # @@ -475,6 +584,7 @@ # sub devar_item { my($cmp,$val,$myitem,%request) = @_; + return '' unless $val and $myitem; my($pre,$post,$var,$myresult) = ''; while ( ($val =~ /(.*)$COMP_VAR\s*(\w+)(.*)/g) or ($val =~ /(.*)$COMP_VAR\s*$(\w+)$(.*)/g) ) { ($pre,$var,$post) = ($1,$2,$3); @@ -484,7 +594,7 @@ $myresult=$val=$pre.$request{$var}.$post; }; mylogs $syslog_priority, "substitute : \"$myitem\" \"$cmp\" \"$val\"" - if ($opt_verbose > 1); + if (wantsdebug(qw[ all thisrequest devar ])); }; return $myresult; }; @@ -497,7 +607,7 @@ # sub acl_parser { my($file,$num,$myline) = @_; - if ( $myline =~ /^\s*($COMP_ACL[\-\w]+)\s*{\s*(.*?)\s*;\s*}[\s;]*$/ ) { + if ( $myline =~ /^\s*($COMP_ACL[\-\w]+)\s*{\s*(.*?)\s*;?\s*}[\s;]*$/ ) { $ACLs{$1} = $2; $myline = ""; } else { while ( $myline =~ /($COMP_ACL[\-\w]+)/) { @@ -541,14 +651,14 @@ if ( not($forced_reload) and (defined $Config_Cache{$file}{lastread}) and ($Config_Cache{$file}{lastread} > (stat $file)[9]) ) { mylogs $syslog_priority, "$type:$file unchanged - using cached content (mtime: " .(stat $file)[9].", cache: $Config_Cache{$file}{lastread})" - if ($opt_verbose > 1); + if (wantsdebug(qw[ all thisrequest config ])); return @{$Config_Cache{$file}{content}}; }; unless (open ($fh, "<$file")) { mylogs 'warning', "error: could not open $type:$file - $! - will be ignored"; return @result; }; - mylogs $syslog_priority, "reading $type:$file" if ($opt_verbose > 1); + mylogs $syslog_priority, "reading $type:$file" if (wantsdebug(qw[ all thisrequest config ])); while (<$fh>) { chomp; s/#.*//g; @@ -558,9 +668,9 @@ push @result, prepare_item($forced_reload, $cmp, $_); }; close ($fh); # update Config_Cache - $Config_Cache{$file}{lastread} = time; + $Config_Cache{$file}{lastread} = time(); @{$Config_Cache{$file}{content}} = @result; - mylogs $syslog_priority, "read ".($#result + 1)." items from $type:$file" if ($opt_verbose > 1); + mylogs $syslog_priority, "read ".($#result + 1)." items from $type:$file" if (wantsdebug(qw[ all thisrequest config ])); return @result; }; # @@ -589,7 +699,7 @@ $myarg = $1; $myvalue = "$mycmd($myarg)"; mylogs "notice", "notice: Rule $myindex ($myfile line $mynum): " - ."removing obsolete '\$\$' for $mycmd limit index. See man page for new syntax." if $opt_verbose; + ."removing obsolete '\$\$' for $mycmd limit index. See man page for new syntax." if wantsdebug(qw[ all thisrequest verbose config ]); }; push @Rate_Items, (split '/', $myarg)[0]; }; @@ -638,9 +748,9 @@ }; unless (exists($myrule{$COMP_ID})) { $myrule{$COMP_ID} = "R-".$myindex; - mylogs 'notice', "notice: Rule $myindex ($myfile line $mynum): contains no rule identifier - will use \"$myrule{id}\"" if $opt_verbose; + mylogs 'notice', "notice: Rule $myindex ($myfile line $mynum): contains no rule identifier - will use \"$myrule{id}\"" if wantsdebug(qw[ all thisrequest verbose config ]); }; - mylogs $syslog_priority, "loaded: Rule $myindex ($myfile line $mynum): id->\"$myrule{id}\" action->\"$myrule{action}\"" if $opt_verbose; + mylogs $syslog_priority, "loaded: Rule $myindex ($myfile line $mynum): id->\"$myrule{id}\" action->\"$myrule{action}\"" if wantsdebug(qw[ all thisrequest verbose config ]); }; }; alarm($prevalert) if $config_timeout; @@ -652,7 +762,7 @@ # sub read_config_file { my($forced_reload, $myindex, $myfile) = @_; - my(%myrule, @myruleset) = (); + my(%myrule, @myruleset, @lines) = (); my($mybuffer) = ""; undef my $fh; unless (-e $myfile) { @@ -661,18 +771,27 @@ unless (open ($fh, "<$myfile")) { warn "error: could not open ".$myfile." - $! - file will be ignored"; } else { - mylogs $syslog_priority, "reading file $myfile" if $opt_verbose; + mylogs $syslog_priority, "reading file $myfile" if wantsdebug(qw[ all thisrequest verbose config ]); while (<$fh>) { chomp; s/(\"|#.*)//g; next if /^\s*$/; - if (/(.*)\\\s*$/) { $mybuffer = $mybuffer.$1; next; }; - %myrule = parse_config_line ($forced_reload, $myfile, $., ($#myruleset+$myindex+1), $mybuffer.$_); - push ( @myruleset, { %myrule } ) if (%myrule); + if ( /(.*)\\\s*$/ or /(.*\{)\s*$/ ) { $mybuffer = $mybuffer.$1; next; }; + $mybuffer .= $_; + if ( $lines[0] and $mybuffer =~ /^(\}|\s+\S)/ ) { + my $last = pop(@lines); $last .= ';' unless $last =~ /;\s*$/; + $mybuffer = $last.$mybuffer; + }; + push @lines, $mybuffer; $mybuffer = ""; }; + map { + mylogs $syslog_priority, "parsing line: '$_'" if wantsdebug(qw[ all thisrequest config ]); + %myrule = parse_config_line ($forced_reload, $myfile, $., ($#myruleset+$myindex+1), $_); + push ( @myruleset, { %myrule } ) if (%myrule); + } @lines; close ($fh); - mylogs $syslog_priority, "loaded: Rules $myindex - ".($myindex + $#myruleset)." from file \"$myfile\"" if $opt_verbose; + mylogs $syslog_priority, "loaded: Rules $myindex - ".($myindex + $#myruleset)." from file \"$myfile\"" if wantsdebug(qw[ all thisrequest verbose config ]); }; }; return @myruleset; @@ -686,7 +805,8 @@ my($mytype,$myitem,$config); # init, cleanup cache and config vars - @Rules = %Rule_by_ID = %Request_Cache = %Rates = @Rate_Items = (); + @Rules = %Rule_by_ID = %Request_Cache = @Rate_Items = (); + %Rates = () unless $opt_keep_rates_on_reload; # parse configurations for $config (@Configs) { @@ -699,13 +819,13 @@ mylogs $syslog_priority, "file \"$myitem\" unchanged - using cached ruleset (mtime: ".(stat $myitem)[9].", cache: $Config_Cache{$myitem}{lastread})" - if $opt_verbose; + if wantsdebug(qw[ all thisrequest verbose config ]); push ( @Rules, @{$Config_Cache{$myitem}{ruleset}} ); } else { @myruleset = read_config_file ($forced_reload, ($#Rules+1), $myitem); if (@myruleset) { push ( @Rules, @myruleset ); - $Config_Cache{$myitem}{lastread} = time; + $Config_Cache{$myitem}{lastread} = time(); @{$Config_Cache{$myitem}{ruleset}} = @myruleset; }; }; @@ -716,8 +836,16 @@ } else { # update Rule by ID hash map { $Rule_by_ID{$Rules[$_]{$COMP_ID}} = $_ } (0 .. $#Rules); - @Rate_Items = uniq(@Rate_Items) if @Rate_Items; - mylogs $syslog_priority, "rate items: ".(join ', ', @Rate_Items) if $opt_verbose; + if (@Rate_Items) { + @Rate_Items = uniq(@Rate_Items); + mylogs $syslog_priority, "rate items: ".(join ', ', @Rate_Items) if wantsdebug(qw[ all thisrequest verbose config rates ]); + # disable request cache with ratelimits unless --fast_limit_evaluation is set + unless ($opt_fast_limits) { + $REQUEST_MAX_CACHE = 0; + mylogs "notice", "disabling request cache due to ratelimits in configuration. may be changed with the --fast_limit_evaluation option" + if wantsdebug (qw[ all thisrequest verbose ]); + }; + }; }; } # @@ -725,7 +853,7 @@ # sub show_config { my($index,$line,$mykey); - if ($opt_verbose) { + if (wantsdebug(qw[ all verbose ])) { myprint "=" x 75, "\n"; myprintf "Rule count: %s\n", ($#Rules + 1); myprint "=" x 75, "\n"; @@ -733,22 +861,49 @@ for $index (0 .. $#Rules) { next unless exists $Rules[$index]; myprintf "Rule %3d: id->\"%s\"; action->\"%s\"", $index, $Rules[$index]{$COMP_ID}, $Rules[$index]{$COMP_ACTION}; - $line = ($opt_verbose) ? "\n\t " : ""; + $line = (wantsdebug(qw[ all verbose ])) ? "\n\t " : ""; for $mykey ( reverse sort keys %{$Rules[$index]} ) { unless (($mykey eq $COMP_ACTION) or ($mykey eq $COMP_ID)) { - $line .= "; " unless $opt_verbose; + $line .= "; " unless wantsdebug(qw[ all verbose ]); $line .= ($mykey =~ /^$COMP_SINGLE$/) ? $mykey."->\"".$Rules[$index]{$mykey}."\"" : $mykey."->\"".(join ', ', @{$Rules[$index]{$mykey}})."\""; - $line .= " ; " if $opt_verbose; + $line .= " ; " if wantsdebug(qw[ all verbose ]); }; }; - $line =~ s/\s*\;\s*$// if $opt_verbose; + $line =~ s/\s*\;\s*$// if wantsdebug(qw[ all verbose ]); myprintf "%s\n", $line; - myprint "-" x 75, "\n" if $opt_verbose; + myprint "-" x 75, "\n" if wantsdebug(qw[ all verbose ]); }; } - +# +# saves rate limits to disk +# +sub save_rates { + return unless ($STORABLE and $opt_saverates and %Rates); + umask oct('0177'); + eval { store (\%Rates, $opt_saverates) }; + if ( $@ ) { + mylogs 'notice', "ERROR: Could not store rate limits to ".$opt_saverates." ('$!': '@_')"; + } else { + mylogs $syslog_priority, "Saved ".(scalar %Rates)." rates to ".$opt_saverates + if wantsdebug(qw[ all verbose rates loadrates saverates ]); + }; + umask oct($net_umask); +}; +# +# loads rate limits from disk +# +sub load_rates { + return unless ($STORABLE and $opt_saverates and (-f $opt_saverates)); + eval { %Rates = %{ retrieve($opt_saverates) } }; + if ( $@ ) { + mylogs 'notice', "Could not load rate limits from ".$opt_saverates." ('$!': '@_')"; + } else { + mylogs $syslog_priority, "Fetched ".(scalar %Rates)." rates from ".$opt_saverates + if wantsdebug(qw[ all verbose rates loadrates saverates ]); + }; +}; ## sub DNS @@ -764,7 +919,7 @@ # sub rbl_read_dns { my($myresult) = shift; - my($now) = time; + my($now) = time(); my($que,$ttl,$res,$typ) = undef; my(@addrs) = (); @@ -796,7 +951,7 @@ : $DNS_Cache{$que}{value} ) ." listed on ".$DNS_Cache{$que}{type}.":".$DNS_Cache{$que}{name} ." (answer: ".(join ", ", @addrs) - .", time: ".($now - $DNS_Cache{$que}{starttime})."s" + .", time: ".ts($now - $DNS_Cache{$que}{starttime})."s" .", ttl: ".$ttl."s)" if ( @addrs and not($opt_nodnslog) ); @{$DNS_Cache{$que}{A}} = @addrs; @@ -817,7 +972,7 @@ }; }; } else { - syslog "notice", "[DNSBL] dns timeout"; + mylogs "notice", "[DNSBL] dns timeout"; }; return $que if (@addrs || $res); }; @@ -853,18 +1008,19 @@ last ANSWER if $myresult = ( $_ =~ /$myrblans/ ); }; mylogs $syslog_priority, "[DNSQUERY] cached $mytype: $myrbl $myval ($myquery) - answer: \'".(join ", ", @{$DNS_Cache{$myquery}{A}})."\'" - if ( ($myresult and $opt_verbose) or ($opt_verbose > 1) ); + if ( ($myresult and wantsdebug(qw[ verbose ])) or (wantsdebug(qw[ all thisrequest ])) ); # not found -> prepare dns query } else { + my $now = time(); $DNS_Cache{$myquery} = { - starttime => time, + starttime => $now, ttl => $myrbltime, name => $myrbl, value => $myval, type => $mytype, }; - mylogs $syslog_priority, "[DNSQUERY] query $mytype: $myrbl $myval ($myquery)" if ($opt_verbose > 1); + mylogs $syslog_priority, "[DNSQUERY] query $mytype: $myrbl $myval ($myquery)" if (wantsdebug(qw[ all thisrequest ])); push @lookups, $myquery; }; }; @@ -878,7 +1034,7 @@ my($mytype,$myrbl,$myval) = @_; my($myanswer,$myrblans,$myrbltime,$myresult,$mystart,$myend); my($m1,$m2,$myrbltype,$m4,$myrbltxt,$myquery); - my($now) = time; + my($now) = time(); # separate rbl-name and answer ($myrbl, $myrblans, $myrbltime) = split /\//, $myrbl; @@ -895,8 +1051,8 @@ if ( $myresult = ( ($_) and ($_ =~ /$myrblans/)) ) { mylogs $syslog_priority, "[DNSBL] query $myval listed on " .uc($mytype).":$myrbl (answer: ".(join ", ", @{$DNS_Cache{$myquery}{A}}) - .", cached: ".($now - $DNS_Cache{$myquery}{"time"})."s ago)" - if $opt_verbose; + .", cached: ".ts($now - $DNS_Cache{$myquery}{"time"})."s ago)" + if wantsdebug(qw[ all thisrequest verbose ]); push @DNSBL_Text, $DNS_Cache{$myquery}{type}.':'.$DNS_Cache{$myquery}{name}.':<'.($DNS_Cache{$myquery}{TXT} || '').'>' if (defined $DNS_Cache{$myquery}{type} and defined $DNS_Cache{$myquery}{name}); last ANSWER; @@ -935,10 +1091,10 @@ # query child cache if ( (defined $DNS_Cache{$item}{$type}) and (defined $DNS_Cache{$item}{'until'}) and ($DNS_Cache{$item}{'until'} >= time()) ) { $DNS_Cache{$item}{$type} = [ $DNS_Cache{$item}{$type} ] unless (ref $DNS_Cache{$item}{$type} eq 'ARRAY'); - mylogs $syslog_priority, "dnsccache: item=$item, type=$type -> ".(join ',', @{$DNS_Cache{$item}{$type}})." (ttl: ".($DNS_Cache{$item}{ttl} || 0).")" if ($opt_verbose); + mylogs $syslog_priority, "dnsccache: item=$item, type=$type -> ".(join ',', @{$DNS_Cache{$item}{$type}})." (ttl: ".($DNS_Cache{$item}{ttl} || 0).")" if (wantsdebug(qw[ all thisrequest verbose ])); push @result, @{$DNS_Cache{$item}{$type}}; } else { - mylogs $syslog_priority, "dnsquery: item=$item, type=$type" if ($opt_verbose); + mylogs $syslog_priority, "dnsquery: item=$item, type=$type" if (wantsdebug(qw[ all thisrequest verbose ])); $bgsock = $dns->bgsend ($item, $type); $ownsel->add($bgsock); $ownsock{$bgsock} = $item.','.$type; @@ -957,7 +1113,7 @@ # sort MX records by preference @rrs = sort { $a->preference <=> $b->preference } @rrs if ($type eq 'MX'); foreach my $rr (@rrs) { - mylogs $syslog_priority, "dnsanswer: item=$item, type=$type -> $rname=".$rr->$rname." (ttl: ".$rr->ttl.")" if $opt_verbose; + mylogs $syslog_priority, "dnsanswer: item=$item, type=$type -> $rname=".$rr->$rname." (ttl: ".$rr->ttl.")" if wantsdebug(qw[ all thisrequest verbose ]); push @ans, $rr->$rname; }; push @result, @ans; @@ -1017,11 +1173,11 @@ my(%result) = (); foreach (sort keys %postfwd_items) { mylogs $syslog_priority, "[PLUGIN] executing postfwd-item ".$_ - if ($opt_verbose > 1); + if (wantsdebug(qw[ all thisrequest ])); %result = (%result, &{$postfwd_items{$_}}((%request,%result))) if (defined $postfwd_items{$_}); }; - map { $result{$_} = '' unless $result{$_}; mylogs $syslog_priority, "[PLUGIN] Added key: $_=$result{$_}" if ($opt_verbose > 1) } (keys %result); + map { $result{$_} = '' unless $result{$_}; mylogs $syslog_priority, "[PLUGIN] Added key: $_=$result{$_}" if (wantsdebug(qw[ all thisrequest ])) } (keys %result); return %result; }; # @@ -1032,7 +1188,7 @@ "cidr" => sub { my($cmp,$val,$myitem,%request) = @_; my($myresult) = ($val and $myitem); - mylogs $syslog_priority, "type cidr : \"$myitem\" \"$cmp\" \"$val\"" if ($opt_verbose > 1); + mylogs $syslog_priority, "type cidr : \"$myitem\" \"$cmp\" \"$val\"" if (wantsdebug(qw[ all thisrequest ])); if ($myresult) { # always true $myresult = ($val eq '0.0.0.0/0'); @@ -1043,7 +1199,7 @@ $val .= '/32' unless ($val =~ /\/\d{1,2}$/); $myresult = cidr_match((cidr_parse($val)),$myitem); } else { - mylogs $syslog_priority, "Non IPv4 address. Using type default" if ($opt_verbose > 1); + mylogs $syslog_priority, "Non IPv4 address. Using type default" if (wantsdebug(qw[ all thisrequest ])); return &{$postfwd_compare{default}}($cmp,$val,$myitem,%request); }; }; @@ -1054,7 +1210,7 @@ "numeric" => sub { my($cmp,$val,$myitem,%request) = @_; my($myresult) = undef; - mylogs $syslog_priority, "type numeric : \"$myitem\" \"$cmp\" \"$val\"" if ($opt_verbose > 1); + mylogs $syslog_priority, "type numeric : \"$myitem\" \"$cmp\" \"$val\"" if (wantsdebug(qw[ all thisrequest ])); $myitem ||= "0"; $val ||= "0"; if ($cmp eq '==') { $myresult = ($myitem == $val); @@ -1076,7 +1232,7 @@ $COMP_RBL_KEY => sub { my($cmp,$val,$myitem,%request) = @_; my($myresult) = not($opt_nodns); - mylogs $syslog_priority, "type rbl : \"$myitem\" \"$cmp\" \"$val\"" if ($opt_verbose > 1); + mylogs $syslog_priority, "type rbl : \"$myitem\" \"$cmp\" \"$val\"" if (wantsdebug(qw[ all thisrequest ])); $myresult = ( rbl_check ($COMP_RBL_KEY, $val, $myitem) ) if $myresult; $myresult = not($myresult) if ($cmp eq '!='); return $myresult; @@ -1084,7 +1240,7 @@ $COMP_RHSBL_KEY => sub { my($cmp,$val,$myitem,%request) = @_; my($myresult) = not($opt_nodns); - mylogs $syslog_priority, "type rhsbl : \"$myitem\" \"$cmp\" \"$val\"" if ($opt_verbose > 1); + mylogs $syslog_priority, "type rhsbl : \"$myitem\" \"$cmp\" \"$val\"" if (wantsdebug(qw[ all thisrequest ])); $myresult = ( rbl_check ($COMP_RHSBL_KEY, $val, $myitem) ) if $myresult; $myresult = not($myresult) if ($cmp eq '!='); return $myresult; @@ -1097,7 +1253,7 @@ $rmin = ($rmin) ? (($rmin =~ /^\d$/) ? $rmin : $months{$rmin}) : $imon; $rmax = ($rmax) ? (($rmax =~ /^\d$/) ? $rmax : $months{$rmax}) : (($val =~ /-/) ? $imon : $rmin); mylogs $syslog_priority, "type months : \"$imon\" \"$cmp\" \"$rmin\"-\"$rmax\"" - if ($opt_verbose > 1); + if (wantsdebug(qw[ all thisrequest ])); $myresult = (($rmin <= $imon) and ($rmax >= $imon)); $myresult = not($myresult) if ($cmp eq '!='); return $myresult; @@ -1110,7 +1266,7 @@ $rmin = ($rmin) ? (($rmin =~ /^\d$/) ? $rmin : $weekdays{$rmin}) : $iday; $rmax = ($rmax) ? (($rmax =~ /^\d$/) ? $rmax : $weekdays{$rmax}) : (($val =~ /-/) ? $iday : $rmin); mylogs $syslog_priority, "type days : \"$iday\" \"$cmp\" \"$rmin\"-\"$rmax\"" - if ($opt_verbose > 1); + if (wantsdebug(qw[ all thisrequest ])); $myresult = (($rmin <= $iday) and ($rmax >= $iday)); $myresult = not($myresult) if ($cmp eq '!='); return $myresult; @@ -1124,7 +1280,7 @@ $rmin = ($rmin) ? join ('', reverse split ('\.', $rmin)) : $idat; $rmax = ($rmax) ? join ('', reverse split ('\.', $rmax)) : (($val =~ /-/) ? $idat : $rmin); mylogs $syslog_priority, "type date : \"$idat\" \"$cmp\" \"$rmin\"-\"$rmax\"" - if ($opt_verbose > 1); + if (wantsdebug(qw[ all thisrequest ])); $myresult = (($rmin <= $idat) and ($rmax >= $idat)); $myresult = not($myresult) if ($cmp eq '!='); return $myresult; @@ -1138,7 +1294,7 @@ $rmin = ($rmin) ? join ('', split ('\:', $rmin)) : $idat; $rmax = ($rmax) ? join ('', split ('\:', $rmax)) : (($val =~ /-/) ? $idat : $rmin); mylogs $syslog_priority, "type time : \"$idat\" \"$cmp\" \"$rmin\"-\"$rmax\"" - if ($opt_verbose > 1); + if (wantsdebug(qw[ all thisrequest ])); $myresult = (($rmin <= $idat) and ($rmax >= $idat)); $myresult = not($myresult) if ($cmp eq '!='); return $myresult; @@ -1149,7 +1305,7 @@ return $myresult if $opt_nodns; return $myresult unless $myitem =~ /\./; if ( my @answers = dns_query ("$myitem,A") ) { - mylogs $syslog_priority, "type $COMP_HELO_ADDR : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"" if ($opt_verbose > 1); + mylogs $syslog_priority, "type $COMP_HELO_ADDR : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"" if (wantsdebug(qw[ all thisrequest ])); map { $myresult = ( &{$postfwd_compare{cidr}}(($cmp,$val,$_,%request)) ); return $myresult if $myresult } @answers; }; return $myresult; @@ -1160,7 +1316,7 @@ return $myresult if $opt_nodns; return $myresult unless $myitem =~ /\./; if ( my @answers = dns_query ("$myitem,NS") ) { - mylogs $syslog_priority, "type $COMP_NS_NAME : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"" if ($opt_verbose > 1); + mylogs $syslog_priority, "type $COMP_NS_NAME : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"" if (wantsdebug(qw[ all thisrequest ])); map { $myresult = ( &{$postfwd_compare{default}}(($cmp,$val,$_,%request)) ); return $myresult if $myresult } @answers; } else { $myresult = ( &{$postfwd_compare{default}}(($cmp,$val,'',%request)) ); @@ -1173,7 +1329,7 @@ return $myresult if $opt_nodns; return $myresult unless $myitem =~ /\./; if ( my @answers = dns_query ("$myitem,MX") ) { - mylogs $syslog_priority, "type $COMP_MX_NAME : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"" if ($opt_verbose > 1); + mylogs $syslog_priority, "type $COMP_MX_NAME : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"" if (wantsdebug(qw[ all thisrequest ])); map { $myresult = ( &{$postfwd_compare{default}}(($cmp,$val,$_,%request)) ); return $myresult if $myresult } @answers; } else { $myresult = ( &{$postfwd_compare{default}}(($cmp,$val,'',%request)) ); @@ -1188,7 +1344,7 @@ if ( my @answers = dns_query ("$myitem,NS") ) { splice (@answers, $opt_max_ns_lookups) if $opt_max_ns_lookups and $#answers > $opt_max_ns_lookups; if ( @answers = dns_query (@answers) ) { - mylogs $syslog_priority, "type $COMP_NS_ADDR : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"" if ($opt_verbose > 1); + mylogs $syslog_priority, "type $COMP_NS_ADDR : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"" if (wantsdebug(qw[ all thisrequest ])); map { $myresult = ( &{$postfwd_compare{cidr}}(($cmp,$val,$_,%request)) ); return $myresult if $myresult } @answers; }; }; @@ -1202,7 +1358,7 @@ if ( my @answers = dns_query ("$myitem,MX") ) { splice (@answers, $opt_max_mx_lookups) if $opt_max_mx_lookups and $#answers > $opt_max_mx_lookups; if ( @answers = dns_query (@answers) ) { - mylogs $syslog_priority, "type $COMP_MX_ADDR : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"" if ($opt_verbose > 1); + mylogs $syslog_priority, "type $COMP_MX_ADDR : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"" if (wantsdebug(qw[ all thisrequest ])); map { $myresult = ( &{$postfwd_compare{cidr}}(($cmp,$val,$_,%request)) ); return $myresult if $myresult } @answers; }; }; @@ -1211,15 +1367,11 @@ "default" => sub { my($cmp,$val,$myitem,%request) = @_; my($var,$myresult) = undef; - mylogs $syslog_priority, "type default : \"$myitem\" \"$cmp\" \"$val\"" if ($opt_verbose > 1); + mylogs $syslog_priority, "type default : \"$myitem\" \"$cmp\" \"$val\"" if (wantsdebug(qw[ all thisrequest ])); # backward compatibility $cmp = '==' if ( ($var) and ($cmp eq '=') ); if ($cmp eq '==') { $myresult = ( lc($myitem) eq lc($val) ) if $myitem; - } elsif ( $cmp eq '=~' ) { - $myresult = ( $myitem =~ /$val/i ); - } elsif ( $cmp eq '!~' ) { - $myresult = ( $myitem !~ /$val/i ); } elsif ($cmp eq '!=') { $myresult = not( lc($myitem) eq lc($val) ) if $myitem; } elsif ($cmp eq '=<') { @@ -1230,10 +1382,14 @@ $myresult = (($myitem || 0) >= $val); } elsif ($cmp eq '!>') { $myresult = not(($myitem || 0) >= $val); + } elsif ($cmp eq '=~') { + $myresult = ($myitem =~ /$val/i); + } elsif ($cmp eq '!~') { + $myresult = ($myitem !~ /$val/i); } else { # allow // regex $val =~ s/^\/?(.*?)\/?$/$1/; - $myresult = ( $myitem =~ /$val/i ); + $myresult = $myitem =~ /$val/i; }; return $myresult; }, @@ -1266,7 +1422,7 @@ my($ruleno) = $Rule_by_ID{$myarg}; mylogs $syslog_priority, "[RULES] ".$myline .", jump to rule $ruleno (id $myarg)" - if $opt_verbose; + if wantsdebug(qw[ all thisrequest verbose ]); $index = $ruleno - 1; } else { warn "[RULES] ".$myline." - error: jump failed, can not find rule-id ".$myarg." - ignoring"; @@ -1297,11 +1453,11 @@ } else { $m_val = $r_val; }; - $m_val = $1.((defined $2) ? $2 : '') if ( $m_val =~ /^(\-?\d+)([\.,]\d\d?)?/ ); + $m_val = $1.($2 || '').($3 || '') if ( $m_val =~ /^(\-?\d+)([\.,]\d+)?(.*)$/ ); (defined $request{$r_var}) ? mylogs "notice", "[RULES] ".$myline.", redefining existing ".$r_var."=".$request{$r_var}." with ".$r_var."=".$m_val : mylogs $syslog_priority, "[RULES] ".$myline.", defining ".$r_var."=".$m_val - if $opt_verbose; + if wantsdebug(qw[ all thisrequest verbose ]); $request{$r_var} = $m_val; } else { warn "[RULES] ".$myline.", ignoring unknown set() attribute ".$_; @@ -1329,7 +1485,7 @@ }; $score = $1.((defined $2) ? $2 : '.0') if ( $score =~ /^(\-?\d+)([\.,]\d\d?)?/ ); mylogs $syslog_priority, "[SCORE] ".$myline.", modifying score about ".$myarg." points to ". $score - if $opt_verbose; + if wantsdebug(qw[ all thisrequest verbose ]); $request{score} = $request{request_score} = $score; } elsif ($myarg) { warn "[RULES] ".$myline.", invalid value for score \"$myarg\" - ignoring"; @@ -1343,34 +1499,102 @@ }; return ($stop,$index,$myaction,$myline,%request); }, + # mail() command + "mail" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + my($mserver,$mhelo,$mfrom,$mto,$msubject,$mbody) = split "/", $myarg, 6; + ($mserver, my $mport) = split ":", $mserver; my $res = ""; + my @talk = ( + "HELO $mhelo", + "MAIL FROM: $mfrom", + "RCPT TO: $mto", + "DATA", + "Subject: $msubject\r\n$mbody\r\n.", + "QUIT", + ); + if ( my $socket = IO::Socket::INET->new( + PeerAddr => $mserver, + PeerPort => ($mport || 25), + Proto => 'tcp', + Timeout => 30, + Type => SOCK_STREAM, + ) ) { + SMTP: foreach (@talk) { + print $socket "$_\r\n"; $res = <$socket>; chomp($res); + last SMTP unless $res =~ /^[23][0-9][0-9] /; + }; + close($socket); + mylogs $syslog_priority, "[MAIL] ".$myline.", mail server=<$mserver:$mport>, from=<$mfrom>, to=<$mto>, subject=<$msubject>, status=<$res>"; + } else { + mylogs 'notice', "[MAIL] ".$myline.", could not open socket to $mserver:$mport: '$!'"; + }; + return ($stop,$index,$myaction,$myline,%request); + }, # rate() command "rate" => sub { my($index,$now,$mycmd,$myarg,$myline,%request) = @_; my($myaction) = $default_action; my($stop) = 0; my($ratetype,$ratecount,$ratetime,$ratecmd) = split "/", $myarg, 4; - if ($ratetype and $ratecount and $ratetime and $ratecmd) { + my($rcount) = ( ($mycmd eq 'size') ? $request{size} : (($mycmd eq 'rcpt') ? $request{recipient_count} : 1 ) ); + if ($ratetype and $ratecount and $ratetime and $ratecmd and $rcount) { + my $crate = $Rules[$index]{$COMP_ID}.'+'.$ratecount.'_'.$ratetime; if ( defined $request{$ratetype} ) { $ratetype .= "=".$request{$ratetype}; - unless ( defined $Rates{$ratetype} ) { - $Rates{$ratetype} = { - type => $mycmd, - maxcount => $ratecount, - ttl => $ratetime, - count => ( ($mycmd eq 'size') ? $request{size} : (($mycmd eq 'rcpt') ? $request{recipient_count} : 1 ) ), - time => $now, - rule => $Rules[$index]{$COMP_ID}, - action => $ratecmd, + unless ( defined $Rates{$ratetype}{$crate} ) { + # create rate object + push @{$Rates{$ratetype}{'list'}}, $crate; + $Rates{$ratetype}{$crate} = { + 'type' => $mycmd, + 'maxcount' => $ratecount, + 'ttl' => $ratetime, + 'count' => $rcount, + 'time' => $now, + 'until' => $now + $ratetime, + 'rule' => $Rules[$index]{$COMP_ID}, + 'action' => $ratecmd, }; - mylogs $syslog_priority, "[RULES] ".$myline + mylogs $syslog_priority, "[RATES] ".$myline .", creating rate object ".$ratetype ." [type: ".$mycmd.", max: ".$ratecount.", time: ".$ratetime."s]" - if ($opt_verbose > 1); + if (wantsdebug(qw[ all thisrequest rates ])); + } elsif (not $opt_fast_limits) { + if ( $now > $Rates{$ratetype}{$crate}{'until'} ) { + # renew rate + $Rates{$ratetype}{$crate}{'count'} = $rcount; + $Rates{$ratetype}{$crate}{'time'} = $now; + $Rates{$ratetype}{$crate}{'until'} = $now + $Rates{$ratetype}{$crate}{ttl}; + mylogs $syslog_priority, "[RATES] ".$myline + .", renewing rate object '".$ratetype."/".$crate."'" + ." [type: ".$Rates{$ratetype}{$crate}{type} + .", max: ".$Rates{$ratetype}{$crate}{maxcount} + .", time: ".$Rates{$ratetype}{$crate}{ttl}."s]" + if (wantsdebug(qw[ all thisrequest rates ])); + } elsif (not (($rcount+=$Rates{$ratetype}{$crate}{count}) > $Rates{$ratetype}{$crate}{maxcount})) { + # increase rate + $Rates{$ratetype}{$crate}{count} = $rcount; + mylogs $syslog_priority, "[RATES] ".$myline + .", increasing rate object '".$ratetype."/".$crate."'" + ." to ".$Rates{$ratetype}{$crate}{count} + ." [type: ".$Rates{$ratetype}{$crate}{type} + .", max: ".$Rates{$ratetype}{$crate}{maxcount} + .", time: ".$Rates{$ratetype}{$crate}{ttl}."s]" + if (wantsdebug(qw[ all thisrequest rates ])); + }; + }; + # rate exceeded + $stop = ($rcount > $Rates{$ratetype}{$crate}{maxcount}); + if ($stop) { + $Counter_Rates++; + $myaction=$Rates{$ratetype}{$crate}{action}; + $request{'ratecount'} = $rcount; + $myline .= ", rate=".$Rates{$ratetype}{$crate}{type}."/".$rcount."/".ts($now - $Rates{$ratetype}{$crate}{'time'})."s"; }; } else { - mylogs $syslog_priority, "[RULES] ".$myline.", ignoring empty index for ".$mycmd." limit '".$ratetype."'" if ($opt_verbose > 1); + mylogs $syslog_priority, "[RULES] ".$myline.", ignoring empty index for ".$mycmd." limit '".$ratetype."'" if (wantsdebug(qw[ all thisrequest ])); }; } else { - mylogs "notice", "[RULES] ".$myline.", ignoring unknown ".$mycmd."() attribute \'".$myarg."\'"; + mylogs "notice", "[RULES] ".$myline.(($rcount) ? ", ignoring unknown ".$mycmd."() attribute \'".$myarg."\'" : ", ignoring empty counter"); }; return ($stop,$index,$myaction,$myline,%request); }, @@ -1393,6 +1617,14 @@ mylogs $syslog_priority, "[RULES] ".$myline." - note: ".$myarg if $myarg; return ($stop,$index,$myaction,$myline,%request); }, + # debug() command + "debug" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + mylogs $syslog_priority, "[RULES] ".$myline.", DEBUG=$myarg"; + ($myarg =~ /^(1|y(es)?|on)$/i) ? $DEBUG{thisrequest} = 1 : delete $DEBUG{thisrequest}; + return ($stop,$index,$myaction,$myline,%request); + }, # quit() command "quit" => sub { my($index,$now,$mycmd,$myarg,$myline,%request) = @_; @@ -1410,7 +1642,7 @@ "ask" => sub { my($index,$now,$mycmd,$myarg,$myline,%request) = @_; my($myaction) = $default_action; my($stop) = 0; - mylogs ('info', "Opening socket to '$myarg'") if ($opt_verbose > 1); + mylogs ('info', "Opening socket to '$myarg'") if (wantsdebug(qw[ all thisrequest ])); my($addr,$port,$ignore) = split ':', $myarg; my %orig = str_to_hash ($request{orig}); if ( ($addr and $port) and my $socket = new IO::Socket::INET ( @@ -1425,15 +1657,15 @@ $sendstr .= $_."=".$orig{$_}."\n"; }; $sendstr .= "\n"; - mylogs ('info', "Asking service $myarg -> '$sendstr'") if ($opt_verbose > 1); + mylogs ('info', "Asking service $myarg -> '$sendstr'") if (wantsdebug(qw[ all thisrequest ])); print $socket "$sendstr"; $sendstr = <$socket>; chomp($sendstr); - mylogs ('info', "Answer from $myarg -> '$sendstr'") if ($opt_verbose > 1); + mylogs ('info', "Answer from $myarg -> '$sendstr'") if (wantsdebug(qw[ all thisrequest ])); $sendstr =~ s/^(action=)//; if ($1 and $sendstr) { if ($ignore and ($sendstr =~ /$ignore/i)) { - mylogs ('info', "ignoring answer '$sendstr' from $myarg") if ($opt_verbose > 1); + mylogs ('info', "ignoring answer '$sendstr' from $myarg") if (wantsdebug(qw[ all thisrequest ])); } else { $stop = $myaction = $sendstr; }; @@ -1506,24 +1738,24 @@ push @items, prepare_file (0, $1, $cmp, $2); next ITEM; }; - mylogs $syslog_priority, "compare $mykey: \"$myitem\" \"$cmp\" \"$val\"" if ($opt_verbose > 1); + mylogs $syslog_priority, "compare $mykey: \"$myitem\" \"$cmp\" \"$val\"" if (wantsdebug(qw[ all thisrequest ])); $val = $neg if ($neg = deneg_item($val)); - mylogs $syslog_priority, "deneg $mykey: \"$myitem\" \"$cmp\" \"$val\"" if ($neg and ($opt_verbose > 1)); + mylogs $syslog_priority, "deneg $mykey: \"$myitem\" \"$cmp\" \"$val\"" if ($neg and (wantsdebug(qw[ all thisrequest ]))); next ITEM unless $val; # substitute check for $$vars in rule item if ( $var = devar_item ($cmp,$val,$myitem,%request) ) { $val = $var; $val =~ s/([^-_@\.\w\s])/\\$1/g unless ($cmp eq '=='); }; $myresult = &{$postfwd_compare{$postfwd_compare_proc}}($cmp,$val,$myitem,%request); - mylogs $syslog_priority, "match $mykey: ".($myresult ? "TRUE" : "FALSE") if ($opt_verbose > 1); + mylogs $syslog_priority, "match $mykey: ".($myresult ? "TRUE" : "FALSE") if (wantsdebug(qw[ all thisrequest ])); if ($neg) { $myresult = not($myresult); - mylogs $syslog_priority, "negate match $mykey: ".($myresult ? "TRUE" : "FALSE") if ($opt_verbose > 1); + mylogs $syslog_priority, "negate match $mykey: ".($myresult ? "TRUE" : "FALSE") if (wantsdebug(qw[ all thisrequest ])); }; $rcount++ if $myresult; $myresult = not($mymin eq 'all'); $myresult = ( $rcount >= $mymin ) if $myresult; - mylogs $syslog_priority, "count $mykey: request=$rcount minimum: $mymin result: ".($myresult ? "TRUE" : "FALSE") if ($opt_verbose > 1); + mylogs $syslog_priority, "count $mykey: request=$rcount minimum: $mymin result: ".($myresult ? "TRUE" : "FALSE") if (wantsdebug(qw[ all thisrequest ])); last ITEM if $myresult; }; $myresult = $rcount if ($myresult or ($mymin eq 'all')); @@ -1560,7 +1792,7 @@ my @ownready = (); my $bgsock = undef; - mylogs $syslog_priority, "[RULES] rule: $index, id: $Rules[$index]{$COMP_ID}, items: '".((@ruleitems) ? join ';', @ruleitems: '')."'" if ($opt_verbose > 1); + mylogs $syslog_priority, "[RULES] rule: $index, id: $Rules[$index]{$COMP_ID}, items: '".((@ruleitems) ? join ';', @ruleitems: '')."'" if (wantsdebug(qw[ all thisrequest ])); # COMPARE-ITEMS # check all non-dns items @@ -1616,7 +1848,7 @@ @queries = uniq(@queries); foreach my $query (@queries) { mylogs $syslog_priority, "[SENDDNS] sending query \'$query\'" - if ($opt_verbose > 1); + if (wantsdebug(qw[ all thisrequest ])); # send A query $bgsock = $ownres->bgsend($query, 'A'); $ownsel->add($bgsock); @@ -1629,7 +1861,7 @@ }; }; mylogs $syslog_priority, "[SENDDNS] rule: $index, id: $Rules[$index]{$COMP_ID}, lookups: ".($#queries + 1) - if ($opt_verbose > 1); + if (wantsdebug(qw[ all thisrequest ])); }; # DNSRESULT-SECTION @@ -1641,7 +1873,7 @@ foreach my $sock (@ownready) { if (defined $ownsock{$sock}) { mylogs ('notice', "[DNSBL] answer for ".$ownsock{$sock}) - if ($opt_verbose > 1); + if (wantsdebug(qw[ all thisrequest ])); my $packet = $ownres->bgread($sock); push @queries, (split ':', $ownsock{$sock})[1] if rbl_read_dns ($packet); delete $ownsock{$sock}; @@ -1662,15 +1894,15 @@ ? $Timeouts{$DNS_Cache{$_}{name}} + 1 : 1 if ( $MAX_DNSBL_TIMEOUTS > 0 ); - mylogs ('notice', "[DNSBL] warning: timeout (".$Timeouts{$DNS_Cache{$_}{name}}."/".$MAX_DNSBL_TIMEOUTS.") for ".$DNS_Cache{$_}{name}." after ".(time() - $ownstart)." seconds"); + mylogs ('notice', "[DNSBL] warning: timeout (".$Timeouts{$DNS_Cache{$_}{name}}."/".$MAX_DNSBL_TIMEOUTS.") for ".$DNS_Cache{$_}{name}." after ".ts(time() - $ownstart)." seconds"); }; # perform outstanding TXT queries unless --dns_async_txt is set if (not($dns_async_txt) and @queries) { @queries = uniq(@queries); - mylogs $syslog_priority, "[DNSBL] sending TXT queries for ".(join ',', @queries) if ($opt_verbose > 1); + mylogs $syslog_priority, "[DNSBL] sending TXT queries for ".(join ',', @queries) if (wantsdebug(qw[ all thisrequest ])); foreach my $query (@queries) { - mylogs $syslog_priority, "[SENDDNS] sending TXT query \'$query\'" if ($opt_verbose > 1); + mylogs $syslog_priority, "[SENDDNS] sending TXT query \'$query\'" if (wantsdebug(qw[ all thisrequest ])); # send TXT query $bgsock = $ownres->bgsend($query, 'TXT'); $ownsel->add($bgsock); @@ -1680,7 +1912,7 @@ foreach my $sock (@ownready) { if (defined $ownsock{$sock}) { mylogs ('notice', "[DNSBL] answer for ".$ownsock{$sock}) - if ($opt_verbose > 1); + if (wantsdebug(qw[ all thisrequest ])); my $packet = $ownres->bgread($sock); rbl_read_dns ($packet); delete $ownsock{$sock}; @@ -1793,7 +2025,7 @@ }; }; }; - if ($opt_verbose > 1) { + if (wantsdebug(qw[ all thisrequest ])) { $myline = "[RULES] RULE: ".$index." MATCHES: ".((($myresult[0] - 2) > 0) ? ($myresult[0] - 2) : 0); $myline .= " RBLCOUNT: ".$myresult[1] if ($myresult[1] > 0); $myline .= " RHSBLCOUNT: ".$myresult[2] if ($myresult[2] > 0); @@ -1813,10 +2045,11 @@ my(%request) = @_; my($myaction) = $default_action; my($index) = 1; - my($now) = time; + my($stop) = 1; + my($now) = time(); my($date) = join(',', localtime($now)); - my($matched,$rblcnt,$rhlcnt,$t1,$t2,$t3,$stop) = 0; - my($mykey,$cacheid,$myline,$checkreq,$var,$ratehit) = ""; + my($matched,$rblcnt,$rhlcnt,$t1,$t2,$t3,$rcount,$ai) = 0; + my($mykey,$cacheid,$myline,$checkreq,$var,$ratehit,$rateitem) = ""; # save original request $request{orig} = hash_to_str (%request); @@ -1840,52 +2073,60 @@ # clear dnsbl timeout counters if ( ($MAX_DNSBL_INTERVAL > 0) and (($now - $Cleanup_Timeouts) > $MAX_DNSBL_INTERVAL) ) { undef %Timeouts; - mylogs $syslog_priority, "[CLEANUP] clearing dnsbl timeout counters" if $opt_verbose; + mylogs $syslog_priority, "[CLEANUP] clearing dnsbl timeout counters" if wantsdebug(qw[ all thisrequest verbose ]); $Cleanup_Timeouts = $now; }; # wipe out old cache items if ( ($CLEANUP_RATE_CACHE > 0) and (scalar keys %Rates > 0) and (($now - $Cleanup_Rates) > $CLEANUP_RATE_CACHE) ) { - $t1 = time; + $t1 = time(); $t3 = scalar keys %Rates; cleanup_rate_cache($now); - $t2 = time; - mylogs $syslog_priority, "[CLEANUP] needed ".($t2 - $t1) + $t2 = time(); + mylogs $syslog_priority, "[CLEANUP] needed ".ts($t2 - $t1) ." seconds for rate cleanup of " .($t3 - scalar keys %Rates)." out of ".$t3 - ." cached items after ".($now - $Cleanup_Rates) - ." seconds (min ".$CLEANUP_RATE_CACHE."s)" if ( $opt_verbose or (($t2 - $t1) > 0) ); + ." cached items after cleanup time ".$CLEANUP_RATE_CACHE."s" + if ( wantsdebug(qw[ all thisrequest verbose ]) or (($t2 - $t1) >= 1) ); $Cleanup_Rates = $t1; }; # increase rate limits - if (@Rate_Items) { + if (@Rate_Items and $opt_fast_limits) { RATES: foreach $checkreq (@Rate_Items) { next RATES unless $request{$checkreq}; my $checkval = $checkreq."=".$request{$checkreq}; - next RATES unless ( defined $Rates{$checkval}); - if ( ($now - $Rates{$checkval}{"time"}) > $Rates{$checkval}{ttl} ) { - # renew rate - $Rates{$checkval}{count} = ( ($Rates{$checkval}{type} eq 'size') ? $request{size} : - (($Rates{$checkval}{type} eq 'rcpt') ? $request{recipient_count} : 1 ) ); - $Rates{$checkval}{"time"} = $now; - mylogs $syslog_priority, "[RATE] renewing rate object '".$checkval."'" - ." [type: ".$Rates{$checkval}{type} - .", max: ".$Rates{$checkval}{maxcount} - .", time: ".$Rates{$checkval}{ttl}."s]" - if ($opt_verbose > 1); - } else { - # increase rate - $Rates{$checkval}{count} += ( ($Rates{$checkval}{type} eq 'size') ? $request{size} : - (($Rates{$checkval}{type} eq 'rcpt') ? $request{recipient_count} : 1 ) ); - mylogs $syslog_priority, "[RATE] increasing rate object '".$checkval."'" - ." to ".$Rates{$checkval}{count} - ." [type: ".$Rates{$checkval}{type} - .", max: ".$Rates{$checkval}{maxcount} - .", time: ".$Rates{$checkval}{ttl}."s]" - if ($opt_verbose > 1); + next RATES unless ( defined $Rates{$checkval} and defined $Rates{$checkval}{'list'} ); + CRATE: foreach my $crate (@{$Rates{$checkval}{'list'}}) { + $rcount = ( ($Rates{$checkval}{$crate}{type} eq 'size') ? $request{size} : + (($Rates{$checkval}{$crate}{type} eq 'rcpt') ? $request{recipient_count} : 1 ) ); + if ( $now > $Rates{$checkval}{$crate}{'until'} ) { + # renew rate + $Rates{$checkval}{$crate}{'count'} = $rcount; + $Rates{$checkval}{$crate}{'time'} = $now; + $Rates{$checkval}{$crate}{'until'} = $now + $Rates{$checkval}{$crate}{ttl}; + mylogs $syslog_priority, "[RATES] renewing rate object '".$checkval."/".$crate."'" + ." [type: ".$Rates{$checkval}{$crate}{type} + .", max: ".$Rates{$checkval}{$crate}{maxcount} + .", time: ".$Rates{$checkval}{$crate}{ttl}."s]" + if (wantsdebug(qw[ all thisrequest ])); + } elsif (not (($rcount+=$Rates{$checkval}{$crate}{count}) > $Rates{$checkval}{$crate}{maxcount})) { + # increase rate + $Rates{$checkval}{$crate}{count} = $rcount; + mylogs $syslog_priority, "[RATES] increasing rate object '".$checkval."/".$crate."'" + ." to ".$Rates{$checkval}{$crate}{count} + ." [type: ".$Rates{$checkval}{$crate}{type} + .", max: ".$Rates{$checkval}{$crate}{maxcount} + .", time: ".$Rates{$checkval}{$crate}{ttl}."s]" + if (wantsdebug(qw[ all thisrequest ])); + }; + $ratehit = ($rcount > $Rates{$checkval}{$crate}{maxcount}) ? $checkval : undef; + if ($ratehit) { + $request{'ratecount'} = $rcount; + $rateitem = $crate; + last CRATE; + }; }; - $ratehit = ($Rates{$checkval}{count} > $Rates{$checkval}{maxcount}) ? $checkval : undef; last RATES if $ratehit; }; }; @@ -1909,62 +2150,67 @@ }; }; }; - mylogs $syslog_priority, "created cache-id: $cacheid" if ($opt_verbose > 1); + mylogs $syslog_priority, "created cache-id: $cacheid" if (wantsdebug(qw[ all thisrequest ])); # wipe out old cache entries if ( (scalar keys %Request_Cache > 0) and (($now - $Cleanup_Requests) > $CLEANUP_REQUEST_CACHE) ) { - $t1 = time; + $t1 = time(); $t3 = scalar keys %Request_Cache; cleanup_request_cache($now); - $t2 = time; - mylogs $syslog_priority, "[CLEANUP] needed ".($t2 - $t1) + $t2 = time(); + mylogs $syslog_priority, "[CLEANUP] needed ".ts($t2 - $t1) ." seconds for request cleanup of " .($t3 - scalar keys %Request_Cache)." out of ".$t3 - ." cached items after ".($now - $Cleanup_Requests) - ." seconds (min ".$CLEANUP_REQUEST_CACHE."s)" if ( $opt_verbose or (($t2 - $t1) > 0) ); + ." cached items after cleanup time ".$CLEANUP_REQUEST_CACHE."s" + if ( wantsdebug(qw[ all thisrequest verbose ]) or (($t2 - $t1) >= 1) ); $Cleanup_Requests = $t1; }; }; # check rate - if ( $ratehit ) { + if ( $ratehit and $opt_fast_limits ) { $Counter_Rates++; - $Matches{$Rates{$ratehit}{rule}}++; - $myaction = $Rates{$ratehit}{action}; - mylogs $syslog_priority, "[RATE] rule=".$Rule_by_ID{$Rates{$ratehit}{rule}} - . ", id=".$Rates{$ratehit}{rule} + $Matches{$Rates{$ratehit}{$rateitem}{rule}}++; + $myaction = $Rates{$ratehit}{$rateitem}{action}; + # substitute check for $$vars in action + $myaction = $var if ( $var = devar_item ("==",$myaction,"action",%request) ); + mylogs $syslog_priority, "[RATES] rule=".$Rule_by_ID{$Rates{$ratehit}{$rateitem}{rule}} + . ", id=".$Rates{$ratehit}{$rateitem}{rule} + . ( ($request{queue_id}) ? ", queue=".$request{queue_id} : '' ) . ", client=".$request{client_name}."[".$request{client_address}."]" + . ( ($request{sasl_username}) ? ", user=".$request{sasl_username} : '' ) . ", sender=<".(($request{sender} eq '<>') ? "" : $request{sender}).">" - . ", recipient=<".$request{recipient}.">" + . ( ($request{recipient}) ? ", recipient=<".$request{recipient}.">" : '' ) . ", helo=<".$request{helo_name}.">" . ", proto=".$request{protocol_name} . ", state=".$request{protocol_state} - . ", delay=".(time - $now)."s" + . ", delay=".ts(time() - $now)."s" . ", action=".$myaction." (item: '".$ratehit."'" - . ", type: ".$Rates{$ratehit}{type} - . ", count: ".$Rates{$ratehit}{count}."/".$Rates{$ratehit}{maxcount} - . ", time: ".($now - $Rates{$ratehit}{"time"})."/".$Rates{$ratehit}{ttl}."s)" + . ", type: ".$Rates{$ratehit}{$rateitem}{type} + . ", count: ".$request{ratecount}."/".$Rates{$ratehit}{$rateitem}{maxcount} + . ", time: ".ts($now - $Rates{$ratehit}{$rateitem}{"time"})."/".$Rates{$ratehit}{$rateitem}{ttl}."s)" unless $opt_norulelog; # check cache } elsif ( ($REQUEST_MAX_CACHE > 0) - and ((exists($Request_Cache{$cacheid}{$COMP_ACTION})) and (($now - $Request_Cache{$cacheid}{"time"}) <= $REQUEST_MAX_CACHE)) ) { + and ( exists($Request_Cache{$cacheid}{$COMP_ACTION}) and ($now <= $Request_Cache{$cacheid}{'until'}) ) ) { $Counter_Hits++; $myaction = $Request_Cache{$cacheid}{$COMP_ACTION}; - if ( $Request_Cache{$cacheid}{hit} ) { - $Matches{$Request_Cache{$cacheid}{$COMP_ID}}++; - + if ( $Request_Cache{$cacheid}{hit} and $Request_Cache{$cacheid}{$COMP_ID}) { + map { $Matches{$_}++ } (split ';', $Request_Cache{$cacheid}{hits}) if $Request_Cache{$cacheid}{hits}; mylogs $syslog_priority, "[CACHE] rule=".$Rule_by_ID{$Request_Cache{$cacheid}{$COMP_ID}} . ", id=".$Request_Cache{$cacheid}{$COMP_ID} + . ( ($request{queue_id}) ? ", queue=".$request{queue_id} : '' ) . ", client=".$request{client_name}."[".$request{client_address}."]" + . ( ($request{sasl_username}) ? ", user=".$request{sasl_username} : '' ) . ", sender=<".(($request{sender} eq '<>') ? "" : $request{sender}).">" - . ", recipient=<".$request{recipient}.">" + . ( ($request{recipient}) ? ", recipient=<".$request{recipient}.">" : '' ) . ", helo=<".$request{helo_name}.">" . ", proto=".$request{protocol_name} . ", state=".$request{protocol_state} - . ", delay=".(time - $now)."s" + . ", delay=".ts(time() - $now)."s" . ", hits=".$Request_Cache{$cacheid}{hits} . ", action=".$Request_Cache{$cacheid}{$COMP_ACTION} unless $opt_norulelog; @@ -1983,15 +2229,15 @@ # clean up rbl cache if ( not($opt_nodns) and (scalar keys %DNS_Cache > 0) and (($now - $Cleanup_RBLs) > $CLEANUP_RBL_CACHE) ) { - $t1 = time; + $t1 = time(); $t3 = scalar keys %DNS_Cache; cleanup_dns_cache($now); - $t2 = time; - mylogs $syslog_priority, "[CLEANUP] needed ".($t2 - $t1) + $t2 = time(); + mylogs $syslog_priority, "[CLEANUP] needed ".ts($t2 - $t1) ." seconds for rbl cleanup of " .($t3 - scalar keys %DNS_Cache)." out of ".$t3 - ." cached items after ".($now - $Cleanup_RBLs) - ." seconds (min ".$CLEANUP_RBL_CACHE."s)" if ( $opt_verbose or (($t2 - $t1) > 0) ); + ." cached items after cleanup time ".$CLEANUP_RBL_CACHE."s" + if ( wantsdebug(qw[ all thisrequest verbose ]) or (($t2 - $t1) >= 1) ); $Cleanup_RBLs = $t1; }; @@ -2012,7 +2258,7 @@ $request{$COMP_RHSBL_CNT} = $rhlcnt; # matched? prepare logline, increase counters - if ($matched > 0) { + if ($stop = $matched > 0) { $myaction = $Rules[$index]{$COMP_ACTION}; $Matches{$Rules[$index]{$COMP_ID}}++; $request{$COMP_HITS} .= ';' if (defined $request{$COMP_HITS}); @@ -2021,18 +2267,20 @@ $myaction = $var if ( $var = devar_item ("==",$myaction,"action",%request) ); $myline = "rule=".$index . ", id=".$Rules[$index]{$COMP_ID} + . ( ($request{queue_id}) ? ", queue=".$request{queue_id} : '' ) . ", client=".$request{client_name}."[".$request{client_address}."]" + . ( ($request{sasl_username}) ? ", user=".$request{sasl_username} : '' ) . ", sender=<".(($request{sender} eq '<>') ? "" : $request{sender}).">" - . ", recipient=<".$request{recipient}.">" + . ( ($request{recipient}) ? ", recipient=<".$request{recipient}.">" : '' ) . ", helo=<".$request{helo_name}.">" . ", proto=".$request{protocol_name} . ", state=".$request{protocol_state}; # check for postfwd action - if ($myaction =~ /^(\w[\-\w]+)\s*$\s*(.*?)\s*$$/) { - my($mycmd,$myarg) = ($1, $2); + while ($ai++ < $max_command_recursion and $myaction =~ /^(\w[\-\w]+)\s*$\s*(.*?)\s*$$/) { + my($mycmd,$myarg) = ($1, $2); $stop = 0; if (defined $postfwd_actions{$mycmd}) { - mylogs $syslog_priority, "[PLUGIN] executing postfwd-action $mycmd" if ($opt_verbose > 1); + mylogs $syslog_priority, "[PLUGIN] executing postfwd-action $mycmd" if (wantsdebug(qw[ all thisrequest ])); ($stop, $index, $myaction, $myline, %request) = &{$postfwd_actions{$mycmd}}($index, $now, $mycmd, $myarg, $myline, %request); # substitute again after postfwd-actions $myaction = $var if ( $var = devar_item ("==",$myaction,"action",%request) ); @@ -2040,10 +2288,10 @@ warn "[RULES] ".$myline." - error: unknown command \"".$1."\" - ignoring"; $myaction = $default_action; }; - # normal rule. returns $action. - } else { $stop = 1; }; + }; + if ($stop) { - $myline .= ", delay=".(time - $now)."s, hits=".$request{$COMP_HITS}.", action=".$myaction; + $myline .= ", delay=".ts(time() - $now)."s, hits=".$request{$COMP_HITS}.", action=".$myaction; mylogs $syslog_priority, "[RULES] ".$myline unless $opt_norulelog; last RULE; }; @@ -2053,12 +2301,14 @@ # update cache if ( $REQUEST_MAX_CACHE > 0 ) { $Request_Cache{$cacheid}{"time"} = $now; + $Request_Cache{$cacheid}{'until'} = $now + $REQUEST_MAX_CACHE; $Request_Cache{$cacheid}{$COMP_ACTION} = $myaction; $Request_Cache{$cacheid}{hit} = $matched; $Request_Cache{$cacheid}{hits} = $request{$COMP_HITS}; $Request_Cache{$cacheid}{$COMP_ID} = $Rules[$index]{$COMP_ID} if ($matched > 0); }; }; + map { mylog $syslog_priority, "[DUMP] $_" } dump_cache() if (wantsdebug(qw[ all ])); $myaction = $default_action if ($opt_test or !($myaction)); return $myaction; }; @@ -2071,19 +2321,52 @@ $$attr{$1} = $2; # evaluate request } elsif ( $msg eq '' ) { - map { mylogs $syslog_priority, "Attribute: $_=$$attr{$_}" } (keys %$attr) if ($opt_verbose > 1); - unless ( (defined $$attr{request}) and ($$attr{request} eq "smtpd_access_policy") ) { - mylogs 'warning', "Ignoring unrecognized request type: '".((defined $$attr{request}) ? substr($$attr{request},0,100) : '')."'"; - } else { - my $action = smtpd_access_policy(%$attr) || $default_action; - mylogs $syslog_priority, "Action: $action" if ($opt_verbose > 1); - if ($client) { - print $client ("action=$action\n\n"); - } else { - print STDOUT ("action=$action\n\n"); - }; - %$attr = (); - }; + map { mylogs $syslog_priority, "Attribute: $_=$$attr{$_}" } (keys %$attr) if (wantsdebug(qw[ all thisrequest ])); + if (defined $$attr{request}) { + if ( $$attr{request} eq "smtpd_access_policy" ) { + my $action = smtpd_access_policy(%$attr) || $default_action; + mylogs $syslog_priority, "Action: $action" if (wantsdebug(qw[ all thisrequest ])); + if ($client) { + print $client ("action=$action\n\n"); + } else { + print STDOUT ("action=$action\n\n"); + }; + $Counter_Requests++; $Counter_Interval++; %$attr = (); + delete $DEBUG{thisrequest}; + } elsif ( $$attr{request} eq "dumpstats" ) { + mylogs $syslog_priority, "STATS requested"; + map { print $client "[STATS] $_\r\n" } list_stats(); + close($client); + } elsif ( $$attr{request} eq "dumpcache" ) { + mylogs $syslog_priority, "DUMP requested"; + map { print $client "$_\r\n" } dump_cache(); + close($client); + } elsif ( $$attr{request} =~ /^delrate (.*)$/ ) { + my $del = $1; $del =~ s/^[%]?//g; + if (defined $Rates{$del}) { + mylogs "notice", "rate cache item '$del' removed"; + print $client "rate cache item '$del' removed\r\n"; + delete $Rates{$del}; + } else { + mylogs "notice", "rate cache removal of '$del' failed: item not found"; + print $client "rate cache removal of '$del' failed: item not found\r\n"; + }; + close($client); + } elsif ( $$attr{request} =~ /^delcache (.*)$/ ) { + my $del = $1; $del =~ s/^[%]?//g; + if (defined $Request_Cache{$del}) { + mylogs "notice", "request cache item '$del' removed"; + print $client "request cache item '$del' removed\r\n"; + delete $Request_Cache{$del}; + } else { + mylogs "notice", "request cache removal of '$del' failed: item not found"; + print $client "request cache removal of '$del' failed: item not found\r\n"; + }; + close($client); + } else { + mylogs 'warning', "Ignoring unrecognized request type: '".((defined $$attr{request}) ? substr($$attr{request},0,100) : '')."'"; + }; + }; # unknown command } else { mylogs 'warning', "Ignoring garbage '".substr($msg, 0, 100)."'"; @@ -2098,8 +2381,10 @@ "hup|reload" => \$opt_hup, 't|test' => \$opt_test, 'v|verbose' => sub { $opt_verbose++ }, + 'debug=s' => sub { push @DEBUGLIST, (split /[,\s]+/, $_[1]) }, 'l|logname=s' => \$syslog_name, 'facility=s' => \$syslog_facility, + 'socktype=s' => \$syslog_socktype, 'loglen=i' => \$syslog_maxlen, 'n|nodns' => \$opt_nodns, 'nodnslog' => \$opt_nodnslog, @@ -2144,10 +2429,17 @@ 'no-idlestats' => \$opt_noidlestats, 's|scores=s' => \%opt_scores, 'config_timeout=i' => \$config_timeout, + 'keep_rates|keep_limits|keep_rates_on_reload' => \$opt_keep_rates_on_reload, + 'save_rates|save_limits|save_rates_on_restart=s' => \$opt_saverates, + 'fast_limit_evaluation' => \$opt_fast_limits, + 'dumpcache' => \$opt_dumpcache, + 'dumpstats' => \$opt_dumpstats, + 'delcache=s' => \$opt_delcache, + 'delrate=s' => \$opt_delrate, 'f|file=s' => sub{ my($opt,$value) = @_; push (@Configs, $opt.'::'.$value) }, 'r|rule=s' => sub{ my($opt,$value) = @_; push (@Configs, $opt.'::'.$value) }, 'plugins=s' => \@Plugins, - 'V|version' => sub{ print "$NAME $VERSION (Net::DNS ".(Net::DNS->VERSION || '').", Net::Server ".(Net::Server->VERSION || '').", Sys::Syslog ".($Sys::Syslog::VERSION || '').", Perl ".$]." on ".$^O.")\n"; exit 1; }, + 'V|version' => sub{ print "$NAME $VERSION (Net::DNS ".(Net::DNS->VERSION || '').", Net::Server ".(Net::Server->VERSION || '').", Sys::Syslog ".($Sys::Syslog::VERSION || '').", ".((defined Time::HiRes->VERSION) ? "Time::HiRes ".(Time::HiRes->VERSION || '').", " : '').(($STORABLE) ? "Storable $STORABLE, " : '')."Perl ".$]." on ".$^O.")\n"; exit 1; }, 'versionshort|shortversion' => sub{ print "$VERSION\n"; exit 1; }, 'C|showconfig' => \$opt_showconfig, 'h|H|?|help|Help|HELP' => sub{ pod2usage (-msg => "\nPlease see \"".$NAME." -m\" for detailed instructions.\n", -verbose => 1); }, @@ -2158,7 +2450,12 @@ ) or pod2usage (-msg => "\nPlease see \"".$NAME." -m\" for detailed instructions.\n", -verbose => 1); $opt_verbose = 0 unless $opt_verbose; -$opt_stdoutlog = 1 if ($opt_kill or $opt_hup or $opt_showconfig); +$opt_stdoutlog = 1 if ($opt_kill or $opt_hup or $opt_showconfig or $opt_dumpcache or $opt_dumpstats); +if ($opt_verbose) { + push @DEBUGLIST, 'verbose'; + push @DEBUGLIST, 'all ' if ($opt_verbose > 1); +}; +map { $DEBUG{$_} = 1 } uniq(@DEBUGLIST); # terminate at -k or --kill if ($opt_kill) { @@ -2170,13 +2467,94 @@ exit (0); }; +# check for Storable module +if ( not($STORABLE) and $opt_saverates ) { + print STDERR "Perl module 'Storable' required to load and save rate limits!\n"; + exit(1); +}; + # init syslog setlogsock $syslog_socktype; $syslog_options = 'cons,pid' unless $opt_daemon; openlog $syslog_name, $syslog_options, $syslog_facility; mylogs "notice", $NAME." ".$VERSION." starting" if $opt_daemon; -mylogs "notice", "Net::DNS ".(Net::DNS->VERSION || '').", Net::Server ".(Net::Server->VERSION || '').", Sys::Syslog ".($Sys::Syslog::VERSION || '').", Perl ".$]." on ".$^O if ($opt_verbose); +mylogs "notice", "Net::DNS ".(Net::DNS->VERSION || '').", Net::Server ".(Net::Server->VERSION || '').", Sys::Syslog ".($Sys::Syslog::VERSION || '').", Perl ".$]." on ".$^O if (wantsdebug(qw[ all verbose ])); + +# query usage statistics +if ($opt_dumpstats) { + $net_interface ||= $def_net_interface; $net_port ||= $def_net_port; + my $prevalert = undef; + eval { + local $SIG{'__DIE__'}; + local $SIG{'ALRM'} = sub { print STDERR "\nTimeout for socket $net_interface:$net_port after 60 seconds\n\n"; die }; + $prevalert = alarm(60); + if ( my $socket = new IO::Socket::INET ( + PeerAddr => $net_interface, + PeerPort => $net_port, + Proto => 'tcp', + Timeout => 10, + Type => SOCK_STREAM ) ) { + print $socket "request=dumpstats\r\n\r\n"; + print "\n"; map { print } (<$socket>); print "\n"; + close($socket); + } else { + print STDERR "\nERROR: can not open socket to $net_interface:$net_port\n\n"; + }; + }; + alarm($prevalert); + exit 1; +}; + +# query cache contents +if ($opt_dumpcache) { + $net_interface ||= $def_net_interface; $net_port ||= $def_net_port; + my $prevalert = undef; + eval { + local $SIG{'__DIE__'}; + local $SIG{'ALRM'} = sub { print STDERR "\nTimeout for socket $net_interface:$net_port after 60 seconds\n\n"; die }; + $prevalert = alarm(60); + if ( my $socket = new IO::Socket::INET ( + PeerAddr => $net_interface, + PeerPort => $net_port, + Proto => 'tcp', + Timeout => 10, + Type => SOCK_STREAM ) ) { + print $socket "request=dumpcache\r\n\r\n"; + print "\n"; map { print } (<$socket>); print "\n"; + close($socket); + } else { + print STDERR "\nERROR: can not open socket to $net_interface:$net_port\n\n"; + }; + }; + alarm($prevalert); + exit 1; +}; + +# remove cache item +if ($opt_delcache or $opt_delrate) { + $net_interface ||= $def_net_interface; $net_port ||= $def_net_port; + my $prevalert = undef; + eval { + local $SIG{'__DIE__'}; + local $SIG{'ALRM'} = sub { print STDERR "\nTimeout for socket $net_interface:$net_port after 60 seconds\n\n"; die }; + $prevalert = alarm(60); + if ( my $socket = new IO::Socket::INET ( + PeerAddr => $net_interface, + PeerPort => $net_port, + Proto => 'tcp', + Timeout => 10, + Type => SOCK_STREAM ) ) { + print $socket "request=".(($opt_delcache) ? "delcache ".$opt_delcache : "delrate ".$opt_delrate)."\r\n\r\n"; + print "\n"; map { print } (<$socket>); print "\n"; + close($socket); + } else { + print STDERR "\nERROR: can not open socket to $net_interface:$net_port\n\n"; + }; + }; + alarm($prevalert); + exit 1; +}; # read configuration read_config(1); @@ -2187,7 +2565,7 @@ # check modes mylogs "notice", "TESTMODE: set - will return ".$default_action." to all requests" if ($opt_test); -if ($opt_verbose) { +if (wantsdebug(qw[ all verbose ])) { $opt_summary ||= $Stat_Interval_Time; mylogs "notice", "VERBOSE: set"; }; @@ -2203,9 +2581,8 @@ map ( modify_score (each %opt_scores), (keys %opt_scores) ); # get summary interval time, set next display time -$Stat_Interval_Time = $opt_summary if $opt_summary; -$Startdate = strftime("%a, %d %b %Y %T %Z", localtime); -$Cleanup_Timeouts = $Cleanup_Requests = $Cleanup_RBLs = $Cleanup_Rates = $Starttime = time; +$Stat_Interval_Time = $opt_summary if $opt_summary; +$Cleanup_Timeouts = $Cleanup_Requests = $Cleanup_RBLs = $Cleanup_Rates = $Starttime = time(); mylogs $syslog_priority, "Overriding cacheid itemlist with: ".(join ",", @CacheID) if ( @CacheID ); # load plugin-items @@ -2238,6 +2615,10 @@ $dns_timeout = ( $dns_timeout =~ /^(\d+)$/ ) ? $1 : $dns_timeout; $syslog_name = ( $syslog_name =~ /^(.+)$/ ) ? $1 : $NAME; $config_timeout = ( $config_timeout =~ /^(\d+)$/ ) ? $1 : $def_config_timeout; +$opt_saverates = ( $opt_saverates =~ /^([-\|\@\/\w. ]+)$/ ) ? $1 : '' if $opt_saverates; + +# load rate items +load_rates(); # Unbuffer standard output. select((select(STDOUT), $| = 1)[0]); @@ -2300,7 +2681,7 @@ $SIG{__WARN__} = sub { mylogs "crit", "warning - \"@_\""; }; $SIG{__DIE__} = sub { fatal_exit "last err: \"$!\", detail: \"@_\""; }; $SIG{ALRM} = sub { show_stats; alarm ($Stat_Interval_Time); } if $opt_summary; - mylogs $syslog_priority, "successfully installed signal handlers" if $opt_verbose; + mylogs $syslog_priority, "successfully installed signal handlers" if wantsdebug(qw[ all verbose ]); # process init umask oct($net_umask); @@ -2366,54 +2747,70 @@ postfwd [OPTIONS] [SOURCE1, SOURCE2, ...] Ruleset: (at least one, multiple use is allowed): - -f, --file reads rules from - -r, --rule adds to config + -f, --file reads rules from + -r, --rule adds to config Scoring: - -s, --scores = returns when score exceeds + -s, --scores = returns when score exceeds + + Control: + -d, --daemon run postfwd as daemon + -k, --kill stops daemon + --reload reloads configuration + --dumpstats displays usage statistics + --dumpcache displays cache contents + --delcache removes an item from the request cache + --delrate removes an item from the rate cache Networking: - -d, --daemon run postfwd as daemon - -i, --interface listen on interface - -p, --port listen on port - --proto socket type (tcp or unix) - -u, --user set uid to user - -g, --group set gid to group - --umask set umask for file permissions - -R, --chroot chroot the daemon to - --pidfile create pidfile under - -l, --logname label for syslog messages - --loglen truncates syslogs after chars + -i, --interface listen on interface + -p, --port listen on port + --proto socket type (tcp or unix) + -u, --user set uid to user + -g, --group set gid to group + --umask set umask for file permissions + -R, --chroot chroot the daemon to + --pidfile create pidfile under + --facility syslog facility + --socktype syslog socktype + -l, --logname label for syslog messages + --loglen truncates syslogs after chars Caching: - -c, --cache sets the request-cache timeout to seconds - --cache-no-size ignores size attribute for caching - --cache-no-sender ignores sender address in cache - --cache-rdomain-only ignores localpart of recipient address in cache - --cache-rbl-timeout default rbl timeout, if not specified in ruleset - --cache-rbl-default default rbl response pattern to match (regexp) - --cacheid , .. list of attributes for request cache identifier - --cleanup-requests cleanup interval in seconds for request cache - --cleanup-rbls cleanup interval in seconds for rbl cache - --cleanup-rates cleanup interval in seconds for rate cache + -c, --cache sets the request-cache timeout to seconds + --cache-no-size ignores size attribute for caching + --cache-no-sender ignores sender address in cache + --cache-rdomain-only ignores localpart of recipient address in cache + --cache-rbl-timeout default rbl timeout, if not specified in ruleset + --cache-rbl-default default rbl response pattern to match (regexp) + --cacheid , .. list of attributes for request cache identifier + --cleanup-requests cleanup interval in seconds for request cache + --cleanup-rbls cleanup interval in seconds for rbl cache + --cleanup-rates cleanup interval in seconds for rate cache Optional: - -t, --test testing, always returns "dunno" - -v, --verbose verbose logging, use twice (-vv) to increase level - -S, --summary show some usage statistics every seconds - --norulelog disbles rule logging - --norulestats disables per rule statistics - --noidlestats disables statistics when idle - -n, --nodns disable dns - --nodnslog disable dns logging - --dns_async_txt perform dnsbl A and TXT lookups simultaneously - --dns_timeout timeout in seconds for asynchonous dns queries - --dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated - --dns_timeout_interval interval in seconds for dns timeout maximum counter - --dns_max_ns_lookups max names to look up with sender_ns_addrs - --dns_max_mx_lookups max names to look up with sender_mx_addrs - -I, --instantcfg re-reads rulefiles for every new request - --config_timeout parser timeout in seconds + -t, --test testing, always returns "dunno" + -v, --verbose verbose logging, use twice (-vv) to increase level + -S, --summary show some usage statistics every seconds + --norulelog disbles rule logging + --norulestats disables per rule statistics + --noidlestats disables statistics when idle + -n, --nodns disable dns + --nodnslog disable dns logging + --dns_async_txt perform dnsbl A and TXT lookups simultaneously + --dns_timeout timeout in seconds for asynchonous dns queries + --dns_timeout_max maximum of dns timeouts until a dnsbl will be deactivated + --dns_timeout_interval interval in seconds for dns timeout maximum counter + --dns_max_ns_lookups max names to look up with sender_ns_addrs + --dns_max_mx_lookups max names to look up with sender_mx_addrs + -I, --instantcfg re-reads rulefiles for every new request + --config_timeout parser timeout in seconds + --keep_rates do not clear rate limit counters on reload + --save_rates save and load rate limits on disk + --fast_limit_evaluation evaluate rate limits before ruleset is parsed + + Plugins: + --plugins loads postfwd plugins from file Informational (use only at command-line!): -C, --showconfig shows ruleset summary, -v for verbose @@ -2423,9 +2820,6 @@ -h, --help shows usage -m, --manual shows program manual - Plugins: - --plugins loads plugins from - =head1 DESCRIPTION @@ -2464,7 +2858,7 @@ A configuration line consists of optional item=value pairs, separated by semicolons (`;`) and the appropriate desired action: - [ [=><~]=; [=><~]=; ... ] action= + [ =; =; ... ] action= I @@ -2500,10 +2894,20 @@ A ruleset consists of one or multiple rules, which can be loaded from files or passed as command line arguments. Please see the COMMAND LINE section below for more information on this topic. -Rules can span multiple lines by adding a trailing backslash "\" character: +Since postfwd version 1.30 rules spanning span multiple lines can be defined by prefixing the following +lines with one or multiple whitespace characters (or '}' for macros): - id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \ - action=REJECT please use your relay from there + id=RULE001 + client_address=192.168.1.0/24 + sender==no@bad.local + action=REJECT no access + +postfwd versions prior to 1.30 require trailing ';' and '\'-characters: + + id=RULE001; \ + client_address=192.168.1.0/24; \ + sender==no@bad.local; \ + action=REJECT no access =head2 ITEMS @@ -2569,9 +2973,15 @@ this enables version based checks in your rulesets (e.g. for migration). works with old versions too, because a non-existing item always returns false: - id=R01; version~=1.10; sender_domain==some.org \ + # version >= 1.10 + id=R01; version~=1\.[1-9][0-9]; sender_domain==some.org \ ; action=REJECT sorry no access + ratecount - only available for rate(), size() and rcpt() actions. + contains the actual limit counter: + id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits]) + id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits]) + Besides these you can specify any attribute of the postfix policy delegation protocol. Feel free to combine them the way you need it (have a look at the EXAMPLES section below). @@ -2623,24 +3033,23 @@ ... the current list can be found at L. Please read carefully about which -attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END_OF_DATA level). +attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END-OF-MESSAGE level). Pattern matching is performed case insensitive. Multiple use of the same item is allowed and will compared as logical OR, which means that this will work as expected: - id=TRUST001; action=OK; encryption_keysize=64; \ - ccert_fingerprint=11:22:33:44:55:66:77:88:99; \ - ccert_fingerprint=22:33:44:55:66:77:88:99:00; \ - ccert_fingerprint=33:44:55:66:77:88:99:00:11; \ + id=TRUST001; action=OK; encryption_keysize=64 + ccert_fingerprint=11:22:33:44:55:66:77:88:99 + ccert_fingerprint=22:33:44:55:66:77:88:99:00 + ccert_fingerprint=33:44:55:66:77:88:99:00:11 sender=@domain\.local$ client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values: - id=SKIP01; action=dunno; \ + id=SKIP01; action=dunno client_address=192.168.1.0/24, 172.16.254.23 - id=SKIP02; action=dunno; \ - client_address= 10.10.3.32 \ - 10.216.222.0/27 + id=SKIP02; action=dunno + client_address=10.10.3.32 10.216.222.0/27 The following items currently have to be unique: @@ -2648,15 +3057,15 @@ Any item can be negated by preceeding '!!' to it, e.g.: - id=TLS001 ; hostname=!!^secure\.trust\.local$ ; action=REJECT only secure.trust.local please + id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please or using the right compare operator: - id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that? + id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please To avoid confusion with regexps or simply for better visibility you can use '!!(...)': - id=USER01 ; sasl_username=!!( (bob|alice) ) ; action=REJECT who is that? + id=USER01 ; sasl_username = !!( (bob|alice) ) ; action=REJECT who is that? Request attributes can be compared by preceeding '$$' characters, e.g.: @@ -2667,6 +3076,32 @@ This is only valid for PCRE values (see list above). The comparison will be performed as case insensitive exact match. Use the '-vv' option to debug. +These special items will be reset for any new rule: + + rblcount - contains the number of RBL answers + rhsblcount - contains the number of RHSBL answers + matches - contains the number of matched items + dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form + rbltype:rblname:; rbltype:rblname:; ... + +These special items will be changed for any matching rule: + + request_hits - contains ids of all matching rules + +This means that it might be necessary to save them, if you plan to use these values in later rules: + + # set vals + id=RBL01 ; rhsblcount=all; rblcount=all + action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext) + rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org + rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net + rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net + + # compare + id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt] + id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt] + id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt] + =head2 FILES @@ -2689,16 +3124,16 @@ This will ignore the right-hand value. Items can be mixed: - id=R002 ; action=REJECT \ - client_name==unknown; \ + id=R002 ; action=REJECT + client_name==unknown client_name==file:/etc/postfwd/blacklisted and for non pcre (comma separated) items: - id=R003 ; action=REJECT \ + id=R003 ; action=REJECT client_address==10.1.1.1, file:/etc/postfwd/blacklisted - id=R004 ; action=REJECT \ + id=R004 ; action=REJECT rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing You can check your configuration with the --show_config option at the command line: @@ -2812,16 +3247,25 @@ please note that is currently limited to postfix actions (no postfwd actions)! # no more than 3 requests per 5 minutes # from the same "unknown" client - id=RATE01 ; client_name==unknown ; \ - action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes) + id=RATE01 ; client_name==unknown + action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes) + Please note also that the order of rate limits in your ruleset is important, which means + that this: + # works as expected + id=R001; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded) + id=R002; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender) + leads to different results than this: + # rule R002 never gets executed + id=R001; action=rcpt(sender/200/3600/WARN state YELLOW for sender $$sender) + id=R002; action=rcpt(sender/500/3600/REJECT limit of 500 recipients per hour for sender $$sender exceeded) size (///) this command works similar to the rate() command with the difference, that the rate counter is increased by the request's size attribute. to do this reliably you should call postfwd from smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset: # size limit 1.5mb per hour per client - id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \ - action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour) + id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1 + action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour) rcpt (///) this command works similar to the rate() command with the difference, that the rate counter is @@ -2829,8 +3273,8 @@ from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset: # recipient count limit 3 per hour per client - id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \ - action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour) + id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address!=10.1.1.1 + action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour) ask (:[:]) allows to delegate the policy decision to another policy service (e.g. postgrey). the first @@ -2838,17 +3282,22 @@ specified to tell postfwd to ignore certain answers and go on parsing the ruleset: # example1: query postgrey and return it's answer to postfix id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031) - # example2: query postgrey but ignore it's answer, if it matches 'DUNNO' + # example2: query postgrey but ignore the answer, if it matches 'DUNNO' # and continue parsing postfwd's ruleset id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$) + mail(server/helo/from/to/subject/body) + Very basic mail command, that sends a message with the given arguments. LIMITATIONS: + This basically performs a telnet. No authentication or TLS are available. Additionally it does + not track notification state and will notify you any time, the corresponding rule hits. + wait () pauses the program execution for seconds. use this for delaying or throtteling connections. note () just logs the given string and continues parsing the ruleset. - if the string is empty, nothing will be logged. + if the string is empty, nothing will be logged (noop). quit () terminates the program with the given exit-code. postfix doesn`t @@ -2858,32 +3307,6 @@ id=R-HELO ; helo_name=^[^\.]+$ ; action=REJECT invalid helo '$$helo_name' -These special attributes will be reset for any new rule: - - rblcount - contains the number of RBL answers - rhsblcount - contains the number of RHSBL answers - matches - contains the number of matched items - dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form - rbltype:rblname:; rbltype:rblname:; ... - -These special attributes will be changed for any matching rule: - - request_hits - contains ids of all matching rules - -This means that it might be necessary to save them, if you plan to use these values in later rules: - - # set vals - id=RBL01 ; rhsblcount=all ; rblcount=all ; \ - rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \ - rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \ - rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \ - action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext) - - # compare - id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt] - id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt] - id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt] - =head2 MACROS/ACLS @@ -2909,18 +3332,18 @@ Macros can contain macros, too: - # definition (note the trailing "\" characters) - &&RBLS { \ - rbl=zen.spamhaus.org ; \ - rbl=list.dsbl.org ; \ - rbl=bl.spamcop.net ; \ - rbl=dnsbl.sorbs.net ; \ - rbl=ix.dnsbl.manitu.net ; \ - }; - &&DYNAMIC { \ - client_name=^unknown$ ; \ - client_name=(\d+[\.-_]){4} ; \ - client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \ + # definition + &&RBLS{ + rbl=zen.spamhaus.org + rbl=list.dsbl.org + rbl=bl.spamcop.net + rbl=dnsbl.sorbs.net + rbl=ix.dnsbl.manitu.net + }; + &&DYNAMIC{ + client_name=^unknown$ + client_name=(\d+[\.-_]){4} + client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] }; &&GOAWAY { &&RBLS; &&DYNAMIC; }; # rules @@ -2931,7 +3354,154 @@ =head2 PLUGINS -Please visit L +B + +The plugin interface allow you to define your own checks and enhance postfwd's +functionality. Feel free to share useful things! + +B + +Note that the plugin interface is still at devel stage. Please test your plugins +carefully, because errors may cause postfwd to break! It is also +allowed to override attributes or built-in functions, but be sure that you know +what you do because some of them are used internally. + +Please keep security in mind, when you access sensible ressources and never, ever +run postfwd as privileged user! Also never trust your input (especially hostnames, +and e-mail addresses). + +B + +Item plugins are perl subroutines which integrate additional attributes to requests +before they are evaluated against postfwd's ruleset like any other item of the +policy delegation protocol. This allows you to create your own checks. + +plugin-items can not be used selective. these functions will be executed for every +request postfwd receives, so keep performance in mind. + + SYNOPSIS: %result = postfwd_items_plugin{}(%request) + +means that your subroutine, called , has access to a hash called %request, +which contains all request attributes, like $request{client_name} and must +return a value in the following form: + + save: $result{} = + +this creates the new item containing , which will be integrated in +the policy delegation request and therefore may be used in postfwd's ruleset. + + # do NOT remove the next line + %postfwd_items_plugin = ( + + # EXAMPLES - integrated in postfwd. no need to activate them here. + + # allows to check postfwd version in ruleset + "version" => sub { + my(%request) = @_; + my(%result) = ( + "version" => $NAME." ".$VERSION, + ); + return %result; + }, + + # sender_domain and recipient_domain + "address_parts" => sub { + my(%request) = @_; + my(%result) = (); + $request{sender} =~ /@([^@]*)$/; + $result{sender_domain} = ($1 || ''); + $request{recipient} =~ /@([^@]*)$/; + $result{recipient_domain} = ($1 || ''); + return %result; + }, + + # do NOT remove the next line + ); + +B + +Compare plugins allow you to define how your new items should be compared to the ruleset. +These are optional. If you don't specify one, the default (== for exact match, =~ for PCRE, ...) +will be used. + + SYNOPSIS: => sub { return &{$postfwd_compare{}}(@_); }, + + # do NOT remove the next line + %postfwd_compare_plugin = ( + + EXAMPLES - integrated in postfwd. no need to activate them here. + + # Simple example + # SYNOPSIS: = (return &{$postfwd_compare{}}(@_)) + "client_address" => sub { return &{$postfwd_compare{cidr}}(@_); }, + "size" => sub { return &{$postfwd_compare{numeric}}(@_); }, + "recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); }, + + # Complex example + # SYNOPSIS: = (, , , ) + "numeric" => sub { + my($cmp,$val,$myitem,%request) = @_; + my($myresult) = undef; $myitem ||= "0"; $val ||= "0"; + if ($cmp eq '==') { + $myresult = ($myitem == $val); + } elsif ($cmp eq '=<') { + $myresult = ($myitem <= $val); + } elsif ($cmp eq '=>') { + $myresult = ($myitem >= $val); + } elsif ($cmp eq '!=') { + $myresult = not($myitem == $val); + } elsif ($cmp eq '!<') { + $myresult = not($myitem <= $val); + } elsif ($cmp eq '!>') { + $myresult = not($myitem >= $val); + } else { + $myresult = ($myitem >= $val); + }; + return $myresult; + }, + + # do NOT remove the next line + ); + +B + +Action plugins allow to define new postfwd actions. By setting the $stop-flag you can decide to +continue or to stop parsing the ruleset. + + SYNOPSIS: (, , , , ) = + (, , , , , ) + + # do NOT remove the next line + %postfwd_actions_plugin = ( + + # EXAMPLES - integrated in postfwd. no need to activate them here. + + # note() command + "note" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg; + return ($stop,$index,$myaction,$myline,%request); + }, + + # skips next rules + "skip" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + $index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) ); + return ($stop,$index,$myaction,$myline,%request); + }, + + # dumps current request contents to syslog + "dumprequest" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request); + return ($stop,$index,$myaction,$myline,%request); + }, + + # do NOT remove the next line + ); =head2 COMMAND LINE @@ -2949,12 +3519,6 @@ Adds to ruleset. Remember that you might have to quote strings that contain whitespaces or shell characters. -I - - --plugins - A file containing plugin routines for postfwd. Please see the - PLUGINS section for more information. - I -s, --scores = @@ -2962,22 +3526,50 @@ Multiple usage is allowed. Just chain your arguments, like: - postfwd -r "=;action=" -f -f --plugins ... + postfwd -r "=;action=" -f -f ... or postfwd --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd score too high" ... In case of multiple scores, the highest match will count. The order of the arguments will be reflected in the postfwd ruleset. -I - -postfwd can be run as daemon so that it listens on the network for incoming requests. -The following arguments will control it's behaviour in this case. +I -d, --daemon postfwd will run as daemon and listen on the network for incoming queries (default 127.0.0.1:10040). + -k, --kill + Stops a running postfwd daemon. + + --reload + Reloads configuration. + + --dumpstats + Displays program usage statistics. + + --dumpcache + Displays cache contents. + + --delcache + Removes an item from the request cache. Use --dumpcache to identify objects. + E.g.: + # postfwd --dumpcache + ... + %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1' + %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2' + ... + # postfwd --delrate="sender=gmato@jqvo.org" + rate cache item 'sender=gmato@jqvo.org' removed + + --delrate + Removes an item from the rate cache. Use --dumpcache to identify objects. + +I + +postfwd can be run as daemon so that it listens on the network for incoming requests. +The following arguments will control it's behaviour in this case. + -i, --interface Bind postfwd to the specified interface (default 127.0.0.1). @@ -3007,6 +3599,13 @@ --pidfile The process id will be saved in the specified file. + --facility + sets the syslog facility, default is 'mail' + + --socktype + sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'. + Default is to auto-detect this depening on module version and os. + -l, --logname Labels the syslog messages. Useful when running multiple instances of postfwd. @@ -3014,6 +3613,12 @@ --loglen Truncates any syslog message after characters. +I + + --plugins + Loads postfwd plugins from file. Please see http://postfwd.org/postfwd.plugins + or the plugins.postfwd.sample that is available from the tarball for more info. + I These parameters influence the way postfwd is working. Any of them can be combined. @@ -3141,6 +3746,22 @@ timeout in seconds to parse a single configuration line. if exceeded, the rule will be skipped. this is used to prevent problems due to large files or loops. + --keep_rates (default=0) + With this option set postfwd does not clear the rate limit counters on reload. Please + note that you have to restart (not reload) postfwd with this option if you change + any rate limit rules. + + --save_rates (default=none) + With this option postfwd saves existing rate limit counters to disk and reloads them + on program start. This allows persistent rate limits across program restarts or reboots. + Please note that postfwd needs read and write access to the specified file. + + --fast_limit_evaluation (default=0) + Once a ratelimit was set by the ruleset, future requests will be evaluated against it + before consulting the ruleset. This mode was the default behaviour until v1.30. + With this mode rate limits will be faster, but also eventually set up + whitelisting-rules within the ruleset might not work as expected. + I @@ -3201,18 +3822,25 @@ # 1. 30MB for systems in *.customer1.tld # 2. 20MB for SASL user joejob # 3. 10MB default - id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$ - id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob - id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000 - id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large + id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$ + id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob + id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000 + id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large ## Selective Greylisting + ## + ## Note that postfwd does not include greylisting. This setup requires a running postgrey service + ## at port 10031 and the following postfix restriction class in your main.cf: + ## + ## smtpd_restriction_classes = check_postgrey, ... + ## check_postgrey = check_policy_service inet:127.0.0.1:10031 + # # 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s # 2. Client has no rDNS # 3. Client comes from several dialin domains - id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 - id=GR002; action=greylisting ; client_name=^unknown$ - id=GR003; action=greylisting ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$ + id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 + id=GR002; action=check_postgrey ; client_name=^unknown$ + id=GR003; action=check_postgrey ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$ ## Date Time date=24.12.2007-26.12.2007 ; action=450 4.7.1 office closed during christmas @@ -3220,7 +3848,7 @@ time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim months=-Apr ; action=450 4.7.1 see you in may - days=!!Mon-Fri ; action=greylist + days=!!Mon-Fri ; action=check_postgrey ## Usage of jump # The following allows a message size of 30MB for different @@ -3230,8 +3858,8 @@ id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:... id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:... id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:... - id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 - id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000 + id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 + id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000 ## Usage of score # The following rejects a mail, if the client @@ -3239,7 +3867,7 @@ # - is listed in 1 RBL or 1 RHSBL and has no correct rDNS # - other clients without correct rDNS will be greylist-checked # - some whitelists are used to lower the score - id=S01 ; score=2.6 ; action=greylisting + id=S01 ; score=2.6 ; action=check_postgrey id=S02 ; score=5.0 ; action=REJECT postfwd score too high id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net @@ -3252,10 +3880,10 @@ # The following temporary rejects requests from "unknown" clients, if they # 1. exceeded 30 requests per hour or # 2. tried to send more than 1.5mb within 10 minutes - id=RATE01 ; client_name==unknown ; state==RCPT ; \ - action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) - id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \ - action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes) + id=RATE01 ; client_name==unknown ; protocol_state==RCPT + action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) + id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE + action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes) ## Macros # definition @@ -3268,34 +3896,34 @@ ## Groups # definition - &&RBLS { \ - rbl=zen.spamhaus.org ; \ - rbl=list.dsbl.org ; \ - rbl=bl.spamcop.net ; \ - rbl=dnsbl.sorbs.net ; \ - rbl=ix.dnsbl.manitu.net ; \ + &&RBLS{ + rbl=zen.spamhaus.org + rbl=list.dsbl.org + rbl=bl.spamcop.net + rbl=dnsbl.sorbs.net + rbl=ix.dnsbl.manitu.net }; - &&RHSBLS { \ + &&RHSBLS{ ... }; - &&DYNAMIC { \ - client_name==unknown ; \ - client_name~=(\d+[\.-_]){4} ; \ - client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \ + &&DYNAMIC{ + client_name==unknown + client_name~=(\d+[\.-_]){4} + client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ... }; - &&BAD_HELO { \ - helo_name==my.name.tld; \ - helo_name~=^([^\.]+)$; \ - helo_name~=\.(local|lan)$; \ + &&BAD_HELO{ + helo_name==my.name.tld + helo_name~=^([^\.]+)$ + helo_name~=\.(local|lan)$ ... }; - &&MAINTENANCE { \ - date=15.01.2007 ; \ - date=15.04.2007 ; \ - date=15.07.2007 ; \ - date=15.10.2007 ; \ - time=03:00:00 - 04:00:00 ; \ + &&MAINTENANCE{ + date=15.01.2007 + date=15.04.2007 + date=15.07.2007 + date=15.10.2007 + time=03:00:00 - 04:00:00 }; # rules id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL @@ -3312,7 +3940,7 @@ ## combined with enhanced rbl features # - id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \ + id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext) id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt] diff -Nru postfwd-1.20/sbin/postfwd2 postfwd-1.32/sbin/postfwd2 --- postfwd-1.20/sbin/postfwd2 2010-11-14 21:42:28.000000000 +0000 +++ postfwd-1.32/sbin/postfwd2 2011-12-18 12:34:41.000000000 +0000 @@ -19,11 +19,22 @@ &wantsdebug &hash_to_list &hash_to_str &str_to_hash &check_inet &check_unix + &ts $TIMEHIRES $STORABLE ); +our($TIMEHIRES); our($STORABLE); +BEGIN { + # use Time::HiRes if available + eval { require Time::HiRes }; + $TIMEHIRES = ($@) ? 0 : (Time::HiRes->VERSION || 'available'); + # use Storable if available + eval { require Storable }; + $STORABLE = ($@) ? 0 : (Storable->VERSION || 'available'); +}; + # basics our $NAME = "postfwd2"; -our $VERSION = "1.00"; +our $VERSION = "1.32"; our $DEFAULT = 'DUNNO'; # change this, to match your POD requirements @@ -35,6 +46,7 @@ my $sepreq = '///'; my $seplst = ':::'; +my $seplim = '~~~'; my $nounixsock = ($^O eq 'solaris'); # program settings @@ -46,7 +58,6 @@ log_level => 2, log_file => 'Sys::Syslog', syslog_ident => "$NAME", - #chroot => $net_chroot ? $net_chroot : undef, umask => "0177", }, master => { @@ -64,6 +75,7 @@ proto => (($nounixsock) ? "tcp" : "unix"), check => (($nounixsock) ? \&check_inet : \&check_unix), umask => "0177", + recvbuffer => 65535, }, server => { commandline => " ".$NAME."::policy", @@ -73,6 +85,7 @@ proto => "tcp", check => \&check_inet, umask => "0111", + recvbuffer => 65535, # child control #check_for_dead => 30, #check_for_waiting => 10, @@ -131,6 +144,8 @@ rate => { cleanup => 600, noparent => 0, + fast_eval => 0, + store => undef, }, scores => { "5.0" => "554 5.7.1 ".$NAME." score exceeded", @@ -148,18 +163,23 @@ #getdns => 0, #setdns => 0, }, - name => $NAME, - version => $VERSION, - default => $DEFAULT, - daemon => 1, - manual => $cmd_manual, - pager => $cmd_pager, - sepreq => $sepreq, - seplst => $seplst, - summary => 600, - instant => 0, - verbose => 0, - test => 0, + name => $NAME, + version => $VERSION, + default => $DEFAULT, + daemon => 1, + chroot => undef, + manual => $cmd_manual, + pager => $cmd_pager, + sepreq => $sepreq, + seplst => $seplst, + seplim => $seplim, + summary => 600, + instant => 0, + verbose => 0, + test => 0, + keep_rates => 0, + max_command_recursion => 64, + timeformat => ( ($TIMEHIRES) ? '%.2f' : '%d' ), ); # daemon commands @@ -168,6 +188,8 @@ pong => 'PONG', dumpstats => 'DS', dumpcache => 'DC', + delcache => 'RC', + delrate => 'RR', #wipecache => 'WC', countcache => 'CN', matchcache => 'MT', @@ -175,6 +197,9 @@ getcacheitem => 'GC', getcacheval => 'GV', checkrate => 'CR', + setrateitem => 'SR', + setrateitem2 => 'S2', + getrateitem => 'GR', ); # precompiled patterns @@ -186,6 +211,8 @@ command => qr/^CMD\s*=/i, dumpstats => qr/^CMD\s*=\s*$postfwd_commands{dumpstats}\s*;\s*$/i, dumpcache => qr/^CMD\s*=\s*$postfwd_commands{dumpcache}\s*;\s*$/i, + delcache => qr/^CMD\s*=\s*$postfwd_commands{delcache}\s+(.*?)$/i, + delrate => qr/^CMD\s*=\s*$postfwd_commands{delrate}\s+(.*?)$/i, #wipecache => qr/^CMD\s*=\s*$postfwd_commands{wipecache}\s*;\s*$/i, countcache => qr/^CMD\s*=\s*$postfwd_commands{countcache}\s*;\s*TYPE\s*=\s*(.*?)\s*$/i, matchcache => qr/^CMD\s*=\s*$postfwd_commands{matchcache}\s*;\s*TYPE\s*=\s*(.*?)\s*$/i, @@ -193,11 +220,17 @@ getcacheitem => qr/^CMD\s*=\s*$postfwd_commands{getcacheitem}\s*;\s*TYPE\s*=\s*([^;]+)\s*;\s*ITEM\s*=\s*(.*?)\s*$/i, getcacheval => qr/^CMD\s*=\s*$postfwd_commands{getcacheval}\s*;\s*TYPE\s*=\s*([^;]+)\s*;\s*ITEM\s*=\s*(.*?)\s*$sepreq\s*KEY\s*=\s*(.*?)\s*$/i, checkrate => qr/^CMD\s*=\s*$postfwd_commands{checkrate}\s*;\s*TYPE\s*=\s*([^;]+)\s*;\s*ITEM\s*=\s*([^;]+)\s*;\s*SIZE\s*=\s*([^;]+)\s*;\s*RCPT\s*=\s*([^;]+)\s*$/i, + setrateitem => qr/^CMD\s*=\s*$postfwd_commands{setrateitem}\s*;\s*TYPE\s*=\s*([^;]+)\s*;\s*ITEM\s*=\s*(.*?)\s*$sepreq\s*(.*?)\s*$/i, + setrateitem2 => qr/^CMD\s*=\s*$postfwd_commands{setrateitem2}\s*;\s*TYPE\s*=\s*([^;]+)\s*;\s*ITEM\s*=\s*(.*?)\s*$sepreq\s*(.*?)\s*$/i, + getrateitem => qr/^CMD\s*=\s*$postfwd_commands{getrateitem}\s*;\s*TYPE\s*=\s*([^;]+)\s*;\s*ITEM\s*=\s*(.*?)\s*$/i, ); ## SUBS +# prints formatted timestamp +sub ts { return sprintf ($postfwd_settings{timeformat}, $_[0]) }; + # takes a list and returns a unified list, keeping given order sub uniq { undef my %uniq; @@ -291,7 +324,7 @@ sub init_log { my($logname) = @_; $postfwd_settings{syslog}{name} = $logname if $logname; - $postfwd_settings{syslog}{socktype} = ($postfwd_settings{syslog}{unsafe_version}) ? (($nounixsock) ? 'inet' : 'unix') : 'native'; + $postfwd_settings{syslog}{socktype} = ( $postfwd_settings{syslog}{socktype} || (($postfwd_settings{syslog}{unsafe_version}) ? (($nounixsock) ? 'inet' : 'unix') : 'native') ); if ($postfwd_settings{syslog}{stdout}) { $postfwd_settings{syslog}{logger} = \&mylogs_stdout; } else { @@ -312,10 +345,10 @@ Proto => 'tcp', Timeout => $postfwd_settings{timeout}{$type}, Type => SOCK_STREAM ) ) { - $socket->print("$send\r\n"); - $send = $socket->getline(); - chomp($send); + $socket->send("$send\n"); + $socket->recv($send, $postfwd_settings{$type}{recvbuffer}); $socket->close(); + chomp($send); } else { warn("can not open socket to $postfwd_settings{$type}{host}:$postfwd_settings{$type}{port}: '$!' '$@'\n"); undef $send; @@ -330,10 +363,10 @@ Peer => $postfwd_settings{$type}{port}, Timeout => $postfwd_settings{timeout}{$type}, Type => SOCK_STREAM ) ) { - $socket->print("$send\r\n"); - $send = $socket->getline(); - chomp($send); + $socket->send("$send\n"); + $socket->recv($send, $postfwd_settings{$type}{recvbuffer}); $socket->close(); + chomp($send); } else { warn("can not open socket to $postfwd_settings{$type}{host}:$postfwd_settings{$type}{port}: '$!' '$@'\n"); undef $send; @@ -347,12 +380,19 @@ ############################ package postfwd2::cache; + ## MODULES use warnings; use strict; use base 'Net::Server::Multiplex'; -import postfwd2::basic qw(:DEFAULT &wantsdebug &hash_to_list &str_to_hash &hash_to_str); +import postfwd2::basic qw(:DEFAULT &wantsdebug &hash_to_list &str_to_hash &hash_to_str &ts $TIMEHIRES $STORABLE); use vars qw( %Cache %Cleanup %Count %Interval %Top $Reload_Conf $Summary $StartTime ); +BEGIN { + # use Time::HiRes if available + Time::HiRes->import( qw(time) ) if $TIMEHIRES; + # use Storable if available + Storable->import( qw(store retrieve) ) if $STORABLE; +}; ## SUBS @@ -366,7 +406,7 @@ "[STATS] %s::cache %s: %d queries since %d days, %02d:%02d:%02d hours", $postfwd_settings{name}, $postfwd_settings{version}, - $Count{cache_queries}, + ($Count{cache_queries} || 0), ($uptime / 60 / 60 / 24), (($uptime / 60 / 60) % 24), (($uptime / 60) % 60), @@ -418,9 +458,9 @@ # get a whole cache item sub get_cache { - my ($self,$type,$item) = @_; + my ($self,$now,$type,$item) = @_; my @answer = (); - return '' unless ( defined $Cache{$type}{$item}{'until'} and (time() <= $Cache{$type}{$item}{'until'}[0])); + return '' unless ( defined $Cache{$type}{$item}{'until'} and ($now <= $Cache{$type}{$item}{'until'}[0])); $Count{$type."_hits"}++; map { push @answer, "$_=".(join $postfwd_settings{seplst}, @{$Cache{$type}{$item}{$_}}) } (keys %{$Cache{$type}{$item}}); return (join $postfwd_settings{sepreq}, @answer); @@ -441,40 +481,97 @@ return (join '; ', @answer); }; -# set item to cache +# get rate item +sub get_rate { + my ($self,$now,$type,$item) = @_; + my @answer = (); my $rindex = ''; + ($item, $rindex) = split $postfwd_settings{seplim}, $item; + return '' unless ( $item and $rindex and defined $Cache{$type}{$item} and defined $Cache{$type}{$item}{$rindex} and defined $Cache{$type}{$item}{$rindex}{'until'} and ($now <= $Cache{$type}{$item}{$rindex}{'until'}[0])); + $Count{$type."_hits"}++; + map { push @answer, "$_=".(join $postfwd_settings{seplst}, @{$Cache{$type}{$item}{$rindex}{$_}}) } (keys %{$Cache{$type}{$item}{$rindex}}); + return (join $postfwd_settings{sepreq}, @answer); +}; + +# set rate to cache +sub set_rate { + my ($self,$now,$type,$item,$vals) = @_; + my @answer = (); my $rindex = ''; + ($item, $rindex) = split $postfwd_settings{seplim}, $item; + return '' if ( defined $Cache{$type}{$item} and defined $Cache{$type}{$item}{$rindex} and defined $Cache{$type}{$item}{$rindex}{'until'} and $now <= @{$Cache{$type}{$item}{$rindex}{'until'}}[0] ); + push @{$Cache{$type}{$item}{'list'}}, $rindex; + @{$Cache{$type}{$item}{'list'}} = uniq(@{$Cache{$type}{$item}{'list'}}); + delete $Cache{$type}{$item}{$rindex} if defined $Cache{$type}{$item}{$rindex}; + foreach my $arg (split ($postfwd_settings{sepreq}, $vals)) { + map { push @{$Cache{$type}{$item}{$rindex}{$1}}, $_; + push @answer, "$type->$item->$rindex->$1=$_"; + @{$Cache{$type}{$item}{$rindex}{$1}} = uniq(@{$Cache{$type}{$item}{$rindex}{$1}}); + } (split $postfwd_settings{seplst}, $2) if ($arg =~ m/$postfwd_patterns{keyval}/); + }; + @answer = '' unless @answer; + return (join '; ', @answer); +}; + +# set rate to cache +sub set_rate2 { + my ($self,$now,$type,$item,$vals) = @_; + my $rindex = ''; my %entry = (); my $rcount = undef; + ($item, $rindex) = split $postfwd_settings{seplim}, $item; + push @{$Cache{$type}{$item}{'list'}}, $rindex; + @{$Cache{$type}{$item}{'list'}} = uniq(@{$Cache{$type}{$item}{'list'}}); + foreach my $arg (split ($postfwd_settings{sepreq}, $vals)) { + map { push @{$entry{$1}}, $_; + @{$entry{$1}} = uniq(@{$entry{$1}}); + } (split $postfwd_settings{seplst}, $2) if ($arg =~ m/$postfwd_patterns{keyval}/); + }; + unless (defined $Cache{$type}{$item}{$rindex} and defined $Cache{$type}{$item}{$rindex}{'until'}) { + %{$Cache{$type}{$item}{$rindex}} = %entry; + } elsif ($now > $Cache{$type}{$item}{$rindex}{'until'}[0]) { + %{$Cache{$type}{$item}{$rindex}} = %entry; + } else { + $rcount = $Cache{$type}{$item}{$rindex}{'count'}[0] + ($entry{'count'}[0] || 0); + $Cache{$type}{$item}{$rindex}{'count'}[0] = $rcount unless $rcount > $Cache{$type}{$item}{$rindex}{'maxcount'}[0]; + }; + return $rcount || $Cache{$type}{$item}{$rindex}{'count'}[0] || ''; +}; + +# check rate limits sub check_rate { my ($self,$now,$type,$item,$size,$rcpt) = @_; return '' unless ($type and $item); $size ||= 0; $rcpt ||= 0; my $answer = ''; RATES: foreach my $arg (split ($postfwd_settings{seplst}, $item)) { - next RATES unless ($arg and defined $Cache{$type}{$arg}); + next RATES unless (defined $Cache{$type}{$arg} and defined $Cache{$type}{$arg}{'list'}); - # renew rate - if ( $now > @{$Cache{$type}{$arg}{'until'}}[0] ) { - @{$Cache{$type}{$arg}{count}}[0] = ( (@{$Cache{$type}{$arg}{type}}[0] eq 'size') ? $size : - ((@{$Cache{$type}{$arg}{type}}[0] eq 'rcpt') ? $rcpt : 1 ) ); - @{$Cache{$type}{$arg}{'until'}}[0] = $now + @{$Cache{$type}{$arg}{ttl}}[0]; - log_info ("[RATES] renewing rate limit object '".$arg."'" - ." [type: ".@{$Cache{$type}{$arg}{type}}[0] - .", max: ".@{$Cache{$type}{$arg}{maxcount}}[0] - .", time: ".@{$Cache{$type}{$arg}{ttl}}[0]."s]") - if wantsdebug (qw[ all rates ]); - - # increase rate - } else { - @{$Cache{$type}{$arg}{count}}[0] += ( (@{$Cache{$type}{$arg}{type}}[0] eq 'size') ? $size : - ((@{$Cache{$type}{$arg}{type}}[0] eq 'rcpt') ? $rcpt : 1 ) ); - log_info ("[RATES] increasing rate limit object '".$arg."' to ".@{$Cache{$type}{$arg}{count}}[0] - ." [type: ".@{$Cache{$type}{$arg}{type}}[0] - .", max: ".@{$Cache{$type}{$arg}{maxcount}}[0] - .", time: ".@{$Cache{$type}{$arg}{ttl}}[0]."s]") - if wantsdebug (qw[ all rates ]); - }; - - # check rate - if (not($answer) and @{$Cache{$type}{$arg}{count}}[0] > @{$Cache{$type}{$arg}{maxcount}}[0]) { - $answer = $arg.$postfwd_settings{seplst}.hash_to_str (%{$Cache{$type}{$arg}}); - $Count{$type."_hits"}++; + RINDEX: foreach my $rindex (@{$Cache{$type}{$arg}{'list'}}) { + next RINDEX unless (defined $Cache{$type}{$arg}{$rindex} and defined $Cache{$type}{$arg}{$rindex}{'until'} and defined $Cache{$type}{$arg}{$rindex}{type}); + my $rcount = ( (@{$Cache{$type}{$arg}{$rindex}{type}}[0] eq 'size') ? $size : + ((@{$Cache{$type}{$arg}{$rindex}{type}}[0] eq 'rcpt') ? $rcpt : 1 ) ); + # renew rate + if ( $now > @{$Cache{$type}{$arg}{$rindex}{'until'}}[0] ) { + @{$Cache{$type}{$arg}{$rindex}{count}}[0] = $rcount; + @{$Cache{$type}{$arg}{$rindex}{'time'}}[0] = $now; + @{$Cache{$type}{$arg}{$rindex}{'until'}}[0] = $now + @{$Cache{$type}{$arg}{$rindex}{ttl}}[0]; + log_info ("[RATES] renewing rate limit object '".$arg."'" + ." [type: ".@{$Cache{$type}{$arg}{$rindex}{type}}[0] + .", max: ".@{$Cache{$type}{$arg}{$rindex}{maxcount}}[0] + .", time: ".@{$Cache{$type}{$arg}{$rindex}{ttl}}[0]."s]") + if wantsdebug (qw[ all rates ]); + + # increase rate + } elsif (not(($rcount+=@{$Cache{$type}{$arg}{$rindex}{count}}[0]) > @{$Cache{$type}{$arg}{$rindex}{maxcount}}[0])) { + @{$Cache{$type}{$arg}{$rindex}{count}}[0] = $rcount; + log_info ("[RATES] increasing rate limit object '".$arg."' to ".@{$Cache{$type}{$arg}{$rindex}{count}}[0] + ." [type: ".@{$Cache{$type}{$arg}{$rindex}{type}}[0] + .", max: ".@{$Cache{$type}{$arg}{$rindex}{maxcount}}[0] + .", time: ".@{$Cache{$type}{$arg}{$rindex}{ttl}}[0]."s]") + if wantsdebug (qw[ all rates ]); + }; + + # check rate + if (not($answer) and $rcount > @{$Cache{$type}{$arg}{$rindex}{maxcount}}[0]) { + $answer = $arg.$postfwd_settings{seplim}.$rindex.$postfwd_settings{seplst}.hash_to_str (%{$Cache{$type}{$arg}{$rindex}}); + $Count{$type."_hits"}++; + }; }; }; $answer = '' unless $answer; @@ -484,30 +581,86 @@ # clean up cache sub cleanup_cache { my($type,$now) = @_; - my $start = time(); + my $start = $Cleanup{$type} = time(); + log_info ("[CLEANUP] checking $type cache...") if wantsdebug (qw[ all cleanup parentcleanup ]); return unless defined $Cache{$type} and my $count = scalar keys %{$Cache{$type}}; - foreach my $checkitem (keys %{$Cache{$type}}) { - # remove inclomplete objects - if ( !defined($Cache{$type}{$checkitem}{'until'}) or !defined($Cache{$type}{$checkitem}{ttl}) ) { - log_info ("[CLEANUP] deleting incomplete $type cache item $checkitem after " - ." timeout: ".((defined $Cache{$type}{$checkitem}{ttl}) ? $Cache{$type}{$checkitem}{ttl}[0] : '')."s") - if wantsdebug (qw[ all ]); - delete $Cache{$type}{$checkitem}; - # remove timed out objects - } elsif ( $now > $Cache{$type}{$checkitem}{'until'}[0] ) { - log_info ("[CLEANUP] removing $type cache for $checkitem after " - ." timeout: ".$Cache{$type}{$checkitem}{ttl}[0]."s)") - if wantsdebug (qw[ all ]); - delete $Cache{$type}{$checkitem}; + CLEANUP: foreach my $checkitem (keys %{$Cache{$type}}) { + next CLEANUP unless (defined $Cache{$type}{$checkitem}); + unless ( defined $Cache{$type}{$checkitem}{'list'} ) { + # remove incomplete objects + if ( !defined($Cache{$type}{$checkitem}{'until'}) or !defined($Cache{$type}{$checkitem}{ttl}) ) { + if ( wantsdebug (qw[ all cleanup parentcleanup devel ]) ) { + log_info ("[CLEANUP] deleting incomplete $type cache item '$checkitem'"); + map { log_info ("[CLEANUP] $_") } ( hash_to_list(%{$Cache{$type}{$checkitem}}) ); + }; + delete $Cache{$type}{$checkitem}; + # remove timed out objects + } elsif ( $now > $Cache{$type}{$checkitem}{'until'}[0] ) { + log_info ("[CLEANUP] removing $type cache item '$checkitem' after ttl ".$Cache{$type}{$checkitem}{ttl}[0]."s") + if wantsdebug (qw[ all cleanup parentcleanup ]); + delete $Cache{$type}{$checkitem}; + }; + } else { + my @i = (); + foreach my $crate (@{$Cache{$type}{$checkitem}{'list'}}) { + if ( !(defined $Cache{$type}{$checkitem}{$crate}{'until'}) or !(defined $Cache{$type}{$checkitem}{$crate}{ttl}) ) { + if ( wantsdebug (qw[ all cleanup parentcleanup devel ]) ) { + log_info ("[CLEANUP] deleting incomplete $type cache item '$checkitem'->'$crate'"); + map { log_info ("[CLEANUP] $_") } ( hash_to_list(%{$Cache{$type}{$checkitem}{$crate}}) ); + }; + delete $Cache{$type}{$checkitem}{$crate}; + } elsif ( $now > $Cache{$type}{$checkitem}{$crate}{'until'}[0] ) { + log_info ("[CLEANUP] removing $type cache item '$checkitem'->'$crate' after ttl ".$Cache{$type}{$checkitem}{$crate}{ttl}[0]."s") + if wantsdebug (qw[ all cleanup parentcleanup ]); + delete $Cache{$type}{$checkitem}{$crate}; + } else { + push @i, $crate; + }; + }; + unless ($i[0]) { + log_info ("[CLEANUP] removing $type cache complete item '$checkitem'") + if wantsdebug (qw[ all cleanup parentcleanup ]); + delete $Cache{$type}{$checkitem}; + } else { + log_info ("[CLEANUP] new $type cache limits for item '$checkitem': ".(join ', ', @i)) + if wantsdebug (qw[ all cleanup parentcleanup ]); + @{$Cache{$type}{$checkitem}{'list'}} = @i; + }; }; }; my $end = time(); - log_info ("[CLEANUP] needed ".($end - $start) - ." seconds for request cleanup of " + log_info ("[CLEANUP] cleaning $type cache needed ".ts($end - $start)." seconds for " .($count - scalar keys %{$Cache{$type}})." out of ".$count - ." cached items after ".($now - $Cleanup{$type}) - ." seconds (min ".$postfwd_settings{request}{cleanup}."s)") if ( wantsdebug (qw[ all verbose ]) or (($end - $start) > 0) ); - $Cleanup{$type} = $start; + ." cached items after cleanup time ".$postfwd_settings{$type}{cleanup}."s") + if ( wantsdebug (qw[ all verbose cleanup parentcleanup ]) or (($end - $start) >= 1) ); +}; + +# saves rate limits to disk +sub save_rates { + return unless ($STORABLE and $postfwd_settings{rate}{store} and defined $Cache{rate}); + eval { + local $SIG{__DIE__} = sub { log_note ("ERROR: Could not store rate limits to ".$postfwd_settings{rate}{store}.": $! @_") }; + store ($Cache{rate}, $postfwd_settings{rate}{store}); + }; + unless( $@ ) { + log_info ("Saved ".(scalar %{$Cache{rate}})." rates to ".$postfwd_settings{rate}{store}) + if wantsdebug(qw[ all verbose rates loadrates saverates ]); + }; +}; + +# loads rate limits from disk +sub load_rates { + my $loadrate = undef; + return unless ($STORABLE and (-f $postfwd_settings{rate}{store})); + eval { + local $SIG{__DIE__} = sub { log_note ("Could not load rate limits from ".$postfwd_settings{rate}{store}.": $! @_") }; + $loadrate = retrieve($postfwd_settings{rate}{store}); + }; + if ( not($@) and defined $loadrate ) { + $Cache{rate} = $loadrate; + log_info ("Fetched ".(scalar %{$Cache{rate}})." rates from ".$postfwd_settings{rate}{store}) + if wantsdebug(qw[ all verbose rates loadrates saverates ]); + }; }; @@ -530,10 +683,17 @@ $0 = $self->{server}->{commandline} = " ".$postfwd_settings{name}.'::cache'; $self->{server}->{syslog_ident} = $postfwd_settings{name}."/cache"; init_log ($self->{server}->{syslog_ident}); + load_rates(); $StartTime = $Summary = $Cleanup{request} = $Cleanup{rate} = $Cleanup{dns} = time(); log_info ("ready for input"); }; +# cache end +sub post_child_cleanup_hook { + my $self = shift; + save_rates(); +}; + # cache process request sub mux_input { my ($self, $mux, $client, $mydata) = @_; @@ -545,9 +705,9 @@ my $request = $1; log_info ("request: '$request'") if wantsdebug (qw[ all ]); if ($Reload_Conf) { - undef $Reload_Conf; - delete $Cache{request}; delete $Cache{rate}; - log_info ("request and rate cache cleared") if wantsdebug (qw[ all verbose ]); + undef $Reload_Conf; my $s = ''; delete $Cache{request}; + unless ($postfwd_settings{keep_rates}) { delete $Cache{rate}; $s = 'and rate' }; + log_info ("request".(($s) ? " $s" : '')." cache cleared") if wantsdebug (qw[ all verbose ]); }; if ($request eq $postfwd_patterns{ping}) { $action = $postfwd_patterns{pong}; @@ -565,7 +725,7 @@ cleanup_cache ($type,$now) if (($now - $Cleanup{$type}) > ($postfwd_settings{$type}{cleanup} || 300)); $Count{cache_queries}++; $Interval{cache_queries}++; $Count{$type."_get"}++; $Interval{$type."_get"}++; - $action = $self->get_cache($type,$item); + $action = $self->get_cache($now,$type,$item); log_info ("[GETCACHEITEM] answer: '$action'") if wantsdebug (qw[ all cache getcache ]); } elsif ($request =~ m/$postfwd_patterns{setcacheitem}/) { my ($type, $item, $vals) = ($1, $2, $3); @@ -574,10 +734,52 @@ $Count{$type."_set"}++; $Interval{$type."_set"}++; $action = $self->set_cache($type,$item,$vals); log_info ("[SETCACHEITEM] answer: '$action'") if wantsdebug (qw[ all cache setcache ]); + } elsif ($request =~ m/$postfwd_patterns{getrateitem}/) { + my ($type, $item) = ($1, $2); + log_info ("[GETRATEITEM] request: '$request'") if wantsdebug (qw[ all cache getcache rates ]); + cleanup_cache ($type,$now) if (($now - $Cleanup{$type}) > ($postfwd_settings{$type}{cleanup} || 300)); + $Count{cache_queries}++; $Interval{cache_queries}++; + $Count{$type."_get"}++; $Interval{$type."_get"}++; + $action = $self->get_rate($now,$type,$item); + log_info ("[GETRATEITEM] answer: '$action'") if wantsdebug (qw[ all cache getcache rates ]); + } elsif ($request =~ m/$postfwd_patterns{setrateitem}/) { + my ($type, $item, $vals) = ($1, $2, $3); + log_info ("[SETRATEITEM] request: '$request'") if wantsdebug (qw[ all cache setcache ]); + $Count{cache_queries}++; $Interval{cache_queries}++; + $Count{$type."_set"}++; $Interval{$type."_set"}++; + $action = $self->set_rate($now,$type,$item,$vals); + log_info ("[SETRATEITEM] answer: '$action'") if wantsdebug (qw[ all cache setcache ]); + } elsif ($request =~ m/$postfwd_patterns{setrateitem2}/) { + my ($type, $item, $vals) = ($1, $2, $3); + log_info ("[SETRATEITEM2] request: '$request'") if wantsdebug (qw[ all cache setcache ]); + $Count{cache_queries}++; $Interval{cache_queries}++; + $Count{$type."_set"}++; $Interval{$type."_set"}++; + $action = $self->set_rate2($now,$type,$item,$vals); + log_info ("[SETRATEITEM2] answer: '$action'") if wantsdebug (qw[ all cache setcache ]); } elsif ($request =~ m/$postfwd_patterns{dumpstats}/) { $action = join $postfwd_settings{sepreq}.$postfwd_settings{seplst}, list_stats(); } elsif ($request =~ m/$postfwd_patterns{dumpcache}/) { $action = join $postfwd_settings{sepreq}.$postfwd_settings{seplst}, dump_cache(); + } elsif ($request =~ m/$postfwd_patterns{delcache}/) { + my $del = $1; $del =~ s/^[%]?//; + if (defined $Cache{'request'}{$del}) { + delete $Cache{'request'}{$del}; + log_info ("[DELCACHEITEM] request cache item '$del' removed"); + $action = "request cache item '$del' removed"; + } else { + log_info ("[DELCACHEITEM] request cache removal of '$del' failed: item not found"); + $action = "request cache removal of '$del' failed: item not found"; + }; + } elsif ($request =~ m/$postfwd_patterns{delrate}/) { + my $del = $1; $del =~ s/^[%]?//; + if (defined $Cache{'rate'}{$del}) { + delete $Cache{'rate'}{$del}; + log_info ("[DELRATEITEM] rate cache item '$del' removed"); + $action = "rate cache item '$del' removed"; + } else { + log_info ("[DELRATEITEM] rate cache removal of '$del' failed: item not found"); + $action = "rate cache removal of '$del' failed: item not found"; + }; } else { log_note ("warning: ignoring unknown command '".substr($request,0,512)."'"); }; @@ -597,12 +799,14 @@ use IO::Socket qw(SOCK_STREAM); use Net::DNS; use base 'Net::Server::PreFork'; -import postfwd2::basic qw(:DEFAULT %postfwd_commands &check_inet &check_unix &wantsdebug &hash_to_str &str_to_hash &hash_to_list); +import postfwd2::basic qw(:DEFAULT %postfwd_commands &check_inet &check_unix &wantsdebug &hash_to_str &str_to_hash &hash_to_list &ts $TIMEHIRES); # export these functions for '-C' switch use Exporter qw(import); our @EXPORT_OK = qw( - &read_config &show_config &process_input + &read_config &show_config &process_input &get_plugins ); +# use Time::HiRes if available +BEGIN { Time::HiRes->import( qw(time) ) if $TIMEHIRES }; # these items have to be compared as... @@ -753,7 +957,7 @@ sub modify_score { my($myscore,$myaction) = @_; log_info ( ((defined $postfwd_settings{scores}{$myscore}) ? "redefined" : "setting new") - ." score $myscore with action=\"$myaction\"") if wantsdebug (qw[ all verbose ]); + ." score $myscore with action=\"$myaction\"") if wantsdebug (qw[ all thisrequest verbose ]); $postfwd_settings{scores}{$myscore} = $myaction; }; @@ -766,6 +970,7 @@ # resolves $$() variables sub devar_item { my($cmp,$val,$myitem,%request) = @_; + return '' unless $val and $myitem; my($pre,$post,$var,$myresult) = ''; while ( ($val =~ /(.*)$COMP_VAR\s*(\w+)(.*)/g) or ($val =~ /(.*)$COMP_VAR\s*$(\w+)$(.*)/g) ) { ($pre,$var,$post) = ($1,$2,$3); @@ -774,7 +979,7 @@ } elsif (defined $request{$var}) { $myresult=$val=$pre.$request{$var}.$post; }; - log_info ("substitute : \"$myitem\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all verbose ]); + log_info ("substitute : \"$myitem\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all thisrequest verbose ]); }; return $myresult; }; @@ -785,14 +990,13 @@ foreach my $checkitem (keys %DNS_Cache) { # remove inclomplete objects (dns timeouts) if ( !defined($DNS_Cache{$checkitem}{'until'}) or !defined($DNS_Cache{$checkitem}{ttl}) ) { - log_info ("[CLEANUP] deleting incomplete dns-cache item $checkitem after " - ." timeout: ".((defined $DNS_Cache{$checkitem}{ttl}) ? $DNS_Cache{$checkitem}{ttl} : '')."s") - if wantsdebug (qw[ all ]); + log_info ("[CLEANUP] deleting incomplete dns-cache item '$checkitem'") + if wantsdebug (qw[ all cleanup childcleanup devel ]); delete $DNS_Cache{$checkitem}; # remove timed out objects } elsif ( $now > $DNS_Cache{$checkitem}{'until'} ) { - log_info ("[CLEANUP] removing rbl-cache for $checkitem after timeout: " - .$DNS_Cache{$checkitem}{ttl}."s") if wantsdebug (qw[ all ]); + log_info ("[CLEANUP] removing dns-cache item '$checkitem' after ttl ".$DNS_Cache{$checkitem}{ttl}."s") + if wantsdebug (qw[ all cleanup childcleanup ]); delete $DNS_Cache{$checkitem}; }; }; @@ -803,9 +1007,13 @@ my($now) = $_[0]; return unless $now; RITEM: foreach my $checkitem (keys %Request_Cache) { next RITEM unless defined $Request_Cache{$checkitem}{'until'}; - if ( $now > $Request_Cache{$checkitem}{'until'} ) { - log_info ("[CLEANUP] removing request-cache $checkitem after timeout: " - .$Request_Cache{$checkitem}{ttl}."s") if wantsdebug (qw[ all ]); + if ( !defined($Request_Cache{$checkitem}{'until'}) or !defined($Request_Cache{$checkitem}{ttl}) ) { + log_info ("[CLEANUP] deleting incomplete request-cache item '$checkitem'") + if wantsdebug (qw[ all cleanup childcleanup devel ]); + delete $Request_Cache{$checkitem}; + } elsif ( $now > $Request_Cache{$checkitem}{'until'} ) { + log_info ("[CLEANUP] removing request-cache item '$checkitem' after ttl ".$Request_Cache{$checkitem}{ttl}."s") + if wantsdebug (qw[ all cleanup childcleanup ]); delete $Request_Cache{$checkitem}; }; }; @@ -814,12 +1022,35 @@ # clean up rate cache sub cleanup_rate_cache { my($now) = $_[0]; return unless $now; - LITEM: foreach my $checkitem (keys %Rate_Cache) { - next LITEM unless defined $Rate_Cache{$checkitem}{'until'}; - if ( $now > $Rate_Cache{$checkitem}{'until'} ) { - log_info ("[CLEANUP] removing rate-cache for $checkitem after timeout: " - .$Rate_Cache{$checkitem}{ttl}."s") if wantsdebug (qw[ all ]); + foreach my $checkitem (keys %Rate_Cache) { + unless (defined $Rate_Cache{$checkitem}{'list'}) { + log_info ("[CLEANUP] deleting incomplete rate-cache item '$checkitem'") + if wantsdebug (qw[ all cleanup childcleanup devel ]); delete $Rate_Cache{$checkitem}; + } else { + my @i = (); + foreach my $crate (@{$Rate_Cache{$checkitem}{'list'}}) { + if ( not(defined $Rate_Cache{$checkitem}{$crate}{'until'}) or not(defined $Rate_Cache{$checkitem}{$crate}{'ttl'}) ) { + log_info ("[CLEANUP] deleting incomplete rate-cache item '$checkitem'->'$crate'") + if wantsdebug (qw[ all cleanup childcleanup devel ]); + delete $Rate_Cache{$checkitem}{$crate}; + } elsif ( $now > $Rate_Cache{$checkitem}{$crate}{'until'} ) { + log_info ("[CLEANUP] removing rate-cache item '$checkitem'->'$crate' after ttl ".$Rate_Cache{$checkitem}{$crate}{ttl}."s") + if wantsdebug (qw[ all cleanup childcleanup ]); + delete $Rate_Cache{$checkitem}{$crate}; + } else { + push @i, $crate; + }; + }; + unless ($i[0]) { + log_info ("[CLEANUP] removing complete rate-cache item '$checkitem'") + if wantsdebug (qw[ all cleanup childcleanup ]); + delete $Rate_Cache{$checkitem}; + } else { + log_info ("[CLEANUP] new limits for rate-cache item '$checkitem': ".(join ', ', @i)) + if wantsdebug (qw[ all cleanup childcleanup ]); + @{$Rate_Cache{$checkitem}{'list'}} = @i; + }; }; }; }; @@ -827,7 +1058,7 @@ # preparses configuration line for ACL syntax sub acl_parser { my($file,$num,$myline) = @_; - if ( $myline =~ /^\s*($COMP_ACL[\-\w]+)\s*{\s*(.*?)\s*;\s*}[\s;]*$/ ) { + if ( $myline =~ /^\s*($COMP_ACL[\-\w]+)\s*{\s*(.*?)\s*;?\s*}[\s;]*$/ ) { $ACLs{$1} = $2; $myline = ""; } else { while ( $myline =~ /($COMP_ACL[\-\w]+)/) { @@ -869,14 +1100,14 @@ if ( not($forced_reload) and (defined $Config_Cache{$file}{lastread}) and ($Config_Cache{$file}{lastread} > (stat $file)[9]) ) { log_info ("$type:$file unchanged - using cached content (mtime: " .(stat $file)[9].", cache: $Config_Cache{$file}{lastread})") - if wantsdebug (qw[ all config ]); + if wantsdebug (qw[ all thisrequest config ]); return @{$Config_Cache{$file}{content}}; }; unless (open ($fh, "<$file")) { log_warn ("error: could not open $type:$file - $! - will be ignored"); return @result; }; - log_info ("reading $type:$file") if wantsdebug (qw[ all config ]); + log_info ("reading $type:$file") if wantsdebug (qw[ all thisrequest config ]); while (<$fh>) { chomp; s/#.*//g; @@ -886,9 +1117,9 @@ push @result, prepare_item($forced_reload, $cmp, $_); }; close ($fh); # update Config_Cache - $Config_Cache{$file}{lastread} = time; + $Config_Cache{$file}{lastread} = time(); @{$Config_Cache{$file}{content}} = @result; - log_info ("read ".($#result + 1)." items from $type:$file") if wantsdebug (qw[ all config ]); + log_info ("read ".($#result + 1)." items from $type:$file") if wantsdebug (qw[ all thisrequest config ]); return @result; }; @@ -915,7 +1146,7 @@ $myarg = $1; $myvalue = "$mycmd($myarg)"; log_note ( "notice: Rule $myindex ($myfile line $mynum): " - ."removing obsolete '\$\$' for $mycmd limit index. See man page for new syntax." ) if wantsdebug (qw[ all config verbose ]); + ."removing obsolete '\$\$' for $mycmd limit index. See man page for new syntax." ) if wantsdebug (qw[ all thisrequest config verbose ]); }; push @Rate_Items, (split '/', $myarg)[0]; }; @@ -962,9 +1193,9 @@ }; unless (exists($myrule{$COMP_ID})) { $myrule{$COMP_ID} = "R-".$myindex; - log_note ("notice: Rule $myindex ($myfile line $mynum): contains no rule identifier - will use \"$myrule{id}\"") if wantsdebug (qw[ all config verbose ]); + log_note ("notice: Rule $myindex ($myfile line $mynum): contains no rule identifier - will use \"$myrule{id}\"") if wantsdebug (qw[ all thisrequest config verbose ]); }; - log_info ("loaded: Rule $myindex ($myfile line $mynum): id->\"$myrule{id}\" action->\"$myrule{action}\"") if wantsdebug (qw[ all config verbose ]); + log_info ("loaded: Rule $myindex ($myfile line $mynum): id->\"$myrule{id}\" action->\"$myrule{action}\"") if wantsdebug (qw[ all thisrequest config verbose ]); }; }; alarm($prevalert) if $postfwd_settings{timeout}{config}; @@ -975,7 +1206,7 @@ # parses configuration file sub read_config_file { my($forced_reload, $myindex, $myfile) = @_; - my(%myrule, @myruleset) = (); + my(%myrule, @myruleset, @lines) = (); my($mybuffer) = ""; undef my $fh; unless (-e $myfile) { @@ -984,18 +1215,28 @@ unless (open ($fh, "<$myfile")) { log_warn ("error: could not open ".$myfile." - $! - file will be ignored"); } else { - log_info ("reading file $myfile") if wantsdebug (qw[ all config verbose ]); + log_info ("reading file $myfile") if wantsdebug (qw[ all thisrequest config verbose ]); while (<$fh>) { chomp; s/(\"|#.*)//g; next if /^\s*$/; - if (/(.*)\\\s*$/) { $mybuffer = $mybuffer.$1; next; }; + if ( /(.*)\\\s*$/ or /(.*\{)\s*$/ ) { $mybuffer = $mybuffer.$1; next; }; + $mybuffer .= $_; + if ( $lines[0] and $mybuffer =~ /^(\}|\s+\S)/ ) { + my $last = pop(@lines); $last .= ';' unless $last =~ /;\s*$/; + $mybuffer = $last.$mybuffer; + }; + push @lines, $mybuffer; + $mybuffer = ""; + }; + map { + log_info ("parsing line: '$_'") if wantsdebug (qw[ all thisrequest config ]); %myrule = parse_config_line ($forced_reload, $myfile, $., ($#myruleset+$myindex+1), $mybuffer.$_); push ( @myruleset, { %myrule } ) if (%myrule); $mybuffer = ""; - }; + } @lines; close ($fh); - log_info ("loaded: Rules $myindex - ".($myindex + $#myruleset)." from file \"$myfile\"") if wantsdebug (qw[ all config verbose ]); + log_info ("loaded: Rules $myindex - ".($myindex + $#myruleset)." from file \"$myfile\"") if wantsdebug (qw[ all thisrequest config verbose ]); }; }; return @myruleset; @@ -1009,6 +1250,7 @@ # init, cleanup cache and config vars @Rules = (); %Rule_by_ID = %Request_Cache = (); @Rate_Items = (); + %Rate_Cache = () unless $postfwd_settings{keep_rates}; # parse configurations for $config (@{$postfwd_settings{Configs}}) { @@ -1020,7 +1262,7 @@ if ( not($forced_reload) and defined $Config_Cache{$myitem}{lastread} and ($Config_Cache{$myitem}{lastread} > (stat $myitem)[9]) ) { log_info ("file \"$myitem\" unchanged - using cached ruleset (mtime: ".(stat $myitem)[9].", cache: $Config_Cache{$myitem}{lastread})" - ) if wantsdebug (qw[ all config verbose ]); + ) if wantsdebug (qw[ all thisrequest config verbose ]); push ( @Rules, @{$Config_Cache{$myitem}{ruleset}} ) if $Config_Cache{$myitem}{ruleset}; } else { @myruleset = read_config_file ($forced_reload, ($#Rules + 1), $myitem); @@ -1037,8 +1279,16 @@ } else { # update Rule by ID hash map { $Rule_by_ID{$Rules[$_]{$COMP_ID}} = $_ } (0 .. $#Rules); - @Rate_Items = uniq(@Rate_Items) if @Rate_Items; - log_info ("rate items: ".(join ', ', @Rate_Items)) if wantsdebug (qw[ all verbose rates ]); + if ( @Rate_Items ) { + @Rate_Items = uniq(@Rate_Items); + log_info ("rate items: ".(join ', ', @Rate_Items)) if wantsdebug (qw[ all thisrequest verbose rates ]); + # disable request cache with ratelimits unless --fast_limit_evaluation is set + unless ($postfwd_settings{rate}{fast_eval}) { + $postfwd_settings{request}{ttl} = 0; + log_note ("disabling request cache due to ratelimits in configuration. may be changed with the --fast_limit_evaluation option") + if wantsdebug (qw[ all thisrequest verbose ]); + }; + }; }; }; @@ -1089,9 +1339,9 @@ foreach ($myresult->question) { $typ = ($_->qtype || ''); $que = ($_->qname || ''); map { &{$postfwd_settings{syslog}{logger}} ('info', "[GETDNS00] type=$typ, query=$que, $_") } (hash_to_list ('%packet', %{$myresult})) - if wantsdebug (qw[ all dns getdns getdnspacket ]); + if wantsdebug (qw[ all thisrequest dns getdns getdnspacket ]); next unless ($typ and $que); - log_info ("[GETDNS01] type=$typ, query=$que") if wantsdebug (qw[ all dns getdns ]); + log_info ("[GETDNS01] type=$typ, query=$que") if wantsdebug (qw[ all thisrequest dns getdns ]); unless ( (defined $DNS_Cache{$que}) and (($typ eq 'A') or ($typ eq 'TXT')) ) { log_note ("[DNSBL] ignoring unknown query '$que', type '$typ'"); @@ -1100,19 +1350,19 @@ # parse answers foreach ($myresult->answer) { - log_info ("[GETDNS02] type=$typ, query=$que, restype='".$_->type."'") if wantsdebug (qw[ all dns getdns ]); + log_info ("[GETDNS02] type=$typ, query=$que, restype='".$_->type."'") if wantsdebug (qw[ all thisrequest dns getdns ]); if ($_->type eq 'A') { push @addrs, $_->address if $_->address; $ttl = $_->ttl; - log_info ("[GETDNSA1] type=$typ, query=$que, ttl=$ttl, answer='".($_->address || '')."'") if wantsdebug (qw[ all dns getdns ]); + log_info ("[GETDNSA1] type=$typ, query=$que, ttl=$ttl, answer='".($_->address || '')."'") if wantsdebug (qw[ all thisrequest dns getdns ]); } elsif ($_->type eq 'TXT') { $res = (join(" ", $_->char_str_list()) || ''); # escape commas for set() action $res =~ s/,/ /g; push @texts, $res; $ttl = $_->ttl; - log_info ("[GETDNST1] type=$typ, query=$que, ttl=$ttl, answer='$res'") if wantsdebug (qw[ all dns getdns ]); - } elsif (wantsdebug (qw[ all dns getdns devel ])) { + log_info ("[GETDNST1] type=$typ, query=$que, ttl=$ttl, answer='$res'") if wantsdebug (qw[ all thisrequest dns getdns ]); + } elsif (wantsdebug (qw[ all thisrequest dns getdns ])) { log_info ("[GETDNS??] received answer type=".$typ." for query $que"); }; }; @@ -1125,14 +1375,14 @@ $DNS_Cache{$que}{delay} = ($now - $DNS_Cache{$que}{delay}); $DNS_Cache{$que}{'log'} = 1; $DNS_Cache{$que}{'until'} = $now + $DNS_Cache{$que}{ttl}; - log_info ("[GETDNSA2] type=$typ, query=$que, cache='".(hash_to_str(%{$DNS_Cache{$que}}))."'") if wantsdebug (qw[ all dns getdns ]); + log_info ("[GETDNSA2] type=$typ, query=$que, cache='".(hash_to_str(%{$DNS_Cache{$que}}))."'") if wantsdebug (qw[ all thisrequest dns getdns ]); #} elsif ($typ eq 'TXT') { } else { $res = (join(" ", @texts) || ''); $ttl = ( $DNS_Cache{$que}{ttl} > ($ttl||=0) ) ? $DNS_Cache{$que}{ttl} : $ttl; $DNS_Cache{$que}{TXT} = $res; $DNS_Cache{$que}{ttl} = $ttl unless $DNS_Cache{$que}{ttl}; - log_info ("[GETDNST2] type=$typ, query=$que, cache='".(hash_to_str(%{$DNS_Cache{$que}}))."'") if wantsdebug (qw[ all dns getdns ]); + log_info ("[GETDNST2] type=$typ, query=$que, cache='".(hash_to_str(%{$DNS_Cache{$que}}))."'") if wantsdebug (qw[ all thisrequest dns getdns ]); }; }; return $que if (@addrs || $res); @@ -1173,7 +1423,7 @@ if ( exists($DNS_Cache{$myquery}) and exists($DNS_Cache{$myquery}{A}) ) { ANSWER1: foreach (@{$DNS_Cache{$myquery}{A}}) { last ANSWER1 if $myresult = ( $_ =~ /$mypat/ ) }; log_info ("[DNSBL] cached $mytype: $myrbl $myval ($myquery) - answer: \'".(join ", ", @{$DNS_Cache{$myquery}{A}})."\'") - if ( wantsdebug (qw[ all ]) or ($myresult and wantsdebug (qw[ verbose ])) ); + if ( wantsdebug (qw[ all thisrequest ]) or ($myresult and wantsdebug (qw[ verbose ])) ); # query parent cache } elsif ( not($postfwd_settings{dns}{noparent}) @@ -1183,7 +1433,7 @@ ref $DNS_Cache{$myquery}{A} eq 'ARRAY' or $DNS_Cache{$myquery}{A} = [ $DNS_Cache{$myquery}{A} ]; ANSWER2: foreach (@{$DNS_Cache{$myquery}{A}}) { last ANSWER2 if $myresult = ( $_ =~ /$mypat/ ) }; log_info ("[DNSBL] parent cached $mytype: $myrbl $myval ($myquery) - answer: \'".(join ", ", @{$DNS_Cache{$myquery}{A}})."\'") - if ( wantsdebug (qw[ all ]) or ($myresult and wantsdebug (qw[ verbose ])) ); + if ( wantsdebug (qw[ all thisrequest ]) or ($myresult and wantsdebug (qw[ verbose ])) ); }; # not found -> prepare dns query @@ -1195,7 +1445,7 @@ ttl => $myrbltime, delay => time(), }; - log_info("[DNSBL] query $mytype: $myrbl $myval ($myquery)") if wantsdebug (qw[ all ]); + log_info("[DNSBL] query $mytype: $myrbl $myval ($myquery)") if wantsdebug (qw[ all thisrequest ]); push @lookups, $myquery; }; }; @@ -1234,11 +1484,11 @@ }; push @DNSBL_Text, $DNS_Cache{$myquery}{type}.':'.$DNS_Cache{$myquery}{name}.':<'.($DNS_Cache{$myquery}{TXT} || '').'>' if $myresult and defined $DNS_Cache{$myquery}{type} and defined $DNS_Cache{$myquery}{name}; - if ( wantsdebug (qw[ all verbose ]) or $postfwd_settings{dns}{anylog} + if ( wantsdebug (qw[ all thisrequest verbose ]) or $postfwd_settings{dns}{anylog} or ($myresult and not($postfwd_settings{dns}{nolog}) and defined $DNS_Cache{$myquery}{'log'}) ) { log_info ("[DNSBL] ".( ($mytype eq $COMP_RBL_KEY) ? join('.', reverse(split(/\./,$myval))) : $myval )." listed on " .lc(($DNS_Cache{$myquery}{type} || $mytype)).":$myrbl (answer: ".(join ", ", @{$DNS_Cache{$myquery}{A}}) - .", time: ".$DNS_Cache{$myquery}{delay}."s, ttl: ".$DNS_Cache{$myquery}{ttl}."s, '".($DNS_Cache{$myquery}{TXT} || '')."')"); + .", time: ".ts($DNS_Cache{$myquery}{delay})."s, ttl: ".$DNS_Cache{$myquery}{ttl}."s, '".($DNS_Cache{$myquery}{TXT} || '')."')"); delete $DNS_Cache{$myquery}{'log'} if defined $DNS_Cache{$myquery}{'log'}; }; }; @@ -1274,7 +1524,7 @@ if ( (defined $DNS_Cache{$item}{$type}) and (defined $DNS_Cache{$item}{'until'}) and ($DNS_Cache{$item}{'until'} >= $now) ) { $DNS_Cache{$item}{$type} = [ $DNS_Cache{$item}{$type} ] unless (ref $DNS_Cache{$item}{$type} eq 'ARRAY'); log_info ("[DNS] dnsccache: item=$item, type=$type -> ".(join ',', @{$DNS_Cache{$item}{$type}})." (ttl: ".($DNS_Cache{$item}{ttl} || 0).")") - if ($postfwd_settings{dns}{anylog} or wantsdebug (qw[ all dns getdns ])); + if ($postfwd_settings{dns}{anylog} or wantsdebug (qw[ all thisrequest dns getdns ])); push @result, @{$DNS_Cache{$item}{$type}}; # query parent cache } elsif ( not($postfwd_settings{dns}{noparent}) @@ -1283,12 +1533,12 @@ and (defined $DNS_Cache{$item}{$type}) and (defined $DNS_Cache{$item}{'until'}) and ($DNS_Cache{$item}{'until'} >= $now) ) { $DNS_Cache{$item}{$type} = [ $DNS_Cache{$item}{$type} ] unless (ref $DNS_Cache{$item}{$type} eq 'ARRAY'); log_info ("[DNS] dnspcache: item=$item, type=$type -> ".(join ',', @{$DNS_Cache{$item}{$type}})." (ttl: ".($DNS_Cache{$item}{ttl} || 0).")") - if ($postfwd_settings{dns}{anylog} or wantsdebug (qw[ all dns getdns ])); + if ($postfwd_settings{dns}{anylog} or wantsdebug (qw[ all thisrequest dns getdns ])); push @result, @{$DNS_Cache{$item}{$type}}; # send queries } else { log_info ("[DNS] dnsquery: item=$item, type=$type") - if ($postfwd_settings{dns}{anylog} or wantsdebug (qw[ all dns getdns devel ])); + if ($postfwd_settings{dns}{anylog} or wantsdebug (qw[ all thisrequest dns getdns ])); $DNS_Cache{$item}{delay} = $now; $bgsock = $dns->bgsend ($item, $type); $ownsel->add($bgsock); @@ -1310,7 +1560,7 @@ foreach my $rr (@rrs) { $ttl = $rr->ttl if ($rr->ttl > $ttl); log_info ("[DNS] dnsanswer: item=$item, type=$type -> $rname=".$rr->$rname." (ttl: $ttl)") - if ($postfwd_settings{dns}{anylog} or wantsdebug (qw[ all dns setdns ])); + if ($postfwd_settings{dns}{anylog} or wantsdebug (qw[ all thisrequest dns setdns ])); push @ans, $rr->$rname; }; push @result, @ans; @@ -1324,8 +1574,8 @@ cache_query ( "CMD=".$postfwd_commands{setcacheitem}.";TYPE=dns;ITEM=$item".hash_to_str(%{$DNS_Cache{$item}}) ) unless ($postfwd_settings{dns}{noparent}); $DNS_Cache{$item}{'log'} = 1; - log_info ("[DNS] dnsanswers: item=$item, type=$type -> $rname=".((@{$DNS_Cache{$item}{$type}}) ? join ',', @{$DNS_Cache{$item}{$type}} : '')." (delay: ".$DNS_Cache{$item}{delay}.", ttl: $ttl)") - if ($postfwd_settings{dns}{anylog} or wantsdebug (qw[ all verbose dns setdns devel ])); + log_info ("[DNS] dnsanswers: item=$item, type=$type -> $rname=".((@{$DNS_Cache{$item}{$type}}) ? join ',', @{$DNS_Cache{$item}{$type}} : '')." (delay: ".ts($DNS_Cache{$item}{delay}).", ttl: $ttl)") + if ($postfwd_settings{dns}{anylog} or wantsdebug (qw[ all thisrequest verbose dns setdns ])); delete $ownsock{$sock}; } else { $ownsel->remove($sock); @@ -1376,11 +1626,11 @@ my(%result) = (); foreach (sort keys %postfwd_items) { log_info ("[PLUGIN] executing postfwd-item ".$_) - if wantsdebug (qw[ all ]); + if wantsdebug (qw[ all thisrequest ]); %result = (%result, &{$postfwd_items{$_}}((%request,%result))) if (defined $postfwd_items{$_}); }; - map { $result{$_} = '' unless $result{$_}; log_info ("[PLUGIN] Added key: $_=$result{$_}") if wantsdebug (qw[ all ]) } (keys %result); + map { $result{$_} = '' unless $result{$_}; log_info ("[PLUGIN] Added key: $_=$result{$_}") if wantsdebug (qw[ all thisrequest ]) } (keys %result); return %result; }; # @@ -1391,7 +1641,7 @@ "cidr" => sub { my($cmp,$val,$myitem,%request) = @_; my($myresult) = ($val and $myitem); - log_info ("type cidr : \"$myitem\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all ]); + log_info ("type cidr : \"$myitem\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all thisrequest ]); if ($myresult) { # always true $myresult = ($val eq '0.0.0.0/0'); @@ -1402,7 +1652,7 @@ $val .= '/32' unless ($val =~ /\/\d{1,2}$/); $myresult = cidr_match((cidr_parse($val)),$myitem); } else { - log_info ("Non IPv4 address. Using type default") if wantsdebug (qw[ all ]); + log_info ("Non IPv4 address. Using type default") if wantsdebug (qw[ all thisrequest ]); return &{$postfwd_compare{default}}($cmp,$val,$myitem,%request); }; }; @@ -1413,7 +1663,7 @@ "numeric" => sub { my($cmp,$val,$myitem,%request) = @_; my($myresult) = undef; - log_info ("type numeric : \"$myitem\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all ]); + log_info ("type numeric : \"$myitem\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all thisrequest ]); $myitem ||= "0"; $val ||= "0"; if ($cmp eq '==') { $myresult = ($myitem == $val); @@ -1435,7 +1685,7 @@ $COMP_RBL_KEY => sub { my($cmp,$val,$myitem,%request) = @_; my($myresult) = not($postfwd_settings{dns}{disabled}); - log_info ("type rbl : \"$myitem\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all ]); + log_info ("type rbl : \"$myitem\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all thisrequest ]); $myresult = ( rbl_check ($COMP_RBL_KEY, $val, $myitem) ) if $myresult; $myresult = not($myresult) if ($cmp eq '!='); return $myresult; @@ -1443,7 +1693,7 @@ $COMP_RHSBL_KEY => sub { my($cmp,$val,$myitem,%request) = @_; my($myresult) = not($postfwd_settings{dns}{disabled}); - log_info ("type rhsbl : \"$myitem\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all ]); + log_info ("type rhsbl : \"$myitem\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all thisrequest ]); $myresult = ( rbl_check ($COMP_RHSBL_KEY, $val, $myitem) ) if $myresult; $myresult = not($myresult) if ($cmp eq '!='); return $myresult; @@ -1456,7 +1706,7 @@ $rmin = ($rmin) ? (($rmin =~ /^\d$/) ? $rmin : $months{$rmin}) : $imon; $rmax = ($rmax) ? (($rmax =~ /^\d$/) ? $rmax : $months{$rmax}) : (($val =~ /-/) ? $imon : $rmin); log_info ("type months : \"$imon\" \"$cmp\" \"$rmin\"-\"$rmax\"") - if wantsdebug (qw[ all ]); + if wantsdebug (qw[ all thisrequest ]); $myresult = (($rmin <= $imon) and ($rmax >= $imon)); $myresult = not($myresult) if ($cmp eq '!='); return $myresult; @@ -1469,7 +1719,7 @@ $rmin = ($rmin) ? (($rmin =~ /^\d$/) ? $rmin : $weekdays{$rmin}) : $iday; $rmax = ($rmax) ? (($rmax =~ /^\d$/) ? $rmax : $weekdays{$rmax}) : (($val =~ /-/) ? $iday : $rmin); log_info ("type days : \"$iday\" \"$cmp\" \"$rmin\"-\"$rmax\"") - if wantsdebug (qw[ all ]); + if wantsdebug (qw[ all thisrequest ]); $myresult = (($rmin <= $iday) and ($rmax >= $iday)); $myresult = not($myresult) if ($cmp eq '!='); return $myresult; @@ -1483,7 +1733,7 @@ $rmin = ($rmin) ? join ('', reverse split ('\.', $rmin)) : $idat; $rmax = ($rmax) ? join ('', reverse split ('\.', $rmax)) : (($val =~ /-/) ? $idat : $rmin); log_info ("type date : \"$idat\" \"$cmp\" \"$rmin\"-\"$rmax\"") - if wantsdebug (qw[ all ]); + if wantsdebug (qw[ all thisrequest ]); $myresult = (($rmin <= $idat) and ($rmax >= $idat)); $myresult = not($myresult) if ($cmp eq '!='); return $myresult; @@ -1497,7 +1747,7 @@ $rmin = ($rmin) ? join ('', split ('\:', $rmin)) : $idat; $rmax = ($rmax) ? join ('', split ('\:', $rmax)) : (($val =~ /-/) ? $idat : $rmin); log_info ("type time : \"$idat\" \"$cmp\" \"$rmin\"-\"$rmax\"") - if wantsdebug (qw[ all ]); + if wantsdebug (qw[ all thisrequest ]); $myresult = (($rmin <= $idat) and ($rmax >= $idat)); $myresult = not($myresult) if ($cmp eq '!='); return $myresult; @@ -1508,7 +1758,7 @@ return $myresult if $postfwd_settings{dns}{disabled}; return $myresult unless $myitem =~ /\./; if ( my @answers = dns_query ("$myitem,A") ) { - log_info ("type $COMP_HELO_ADDR : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all ]); + log_info ("type $COMP_HELO_ADDR : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all thisrequest ]); map { $myresult = ( &{$postfwd_compare{cidr}}(($cmp,$val,$_,%request)) ); return $myresult if $myresult } @answers; }; return $myresult; @@ -1519,7 +1769,7 @@ return $myresult if $postfwd_settings{dns}{disabled}; return $myresult unless $myitem =~ /\./; if ( my @answers = dns_query ("$myitem,NS") ) { - log_info ("type $COMP_NS_NAME : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all ]); + log_info ("type $COMP_NS_NAME : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all thisrequest ]); map { $myresult = ( &{$postfwd_compare{default}}(($cmp,$val,$_,%request)) ); return $myresult if $myresult } @answers; } else { $myresult = ( &{$postfwd_compare{default}}(($cmp,$val,'',%request)) ); @@ -1532,7 +1782,7 @@ return $myresult if $postfwd_settings{dns}{disabled}; return $myresult unless $myitem =~ /\./; if ( my @answers = dns_query ("$myitem,MX") ) { - log_info ("type $COMP_MX_NAME : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all ]); + log_info ("type $COMP_MX_NAME : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all thisrequest ]); map { $myresult = ( &{$postfwd_compare{default}}(($cmp,$val,$_,%request)) ); return $myresult if $myresult } @answers; } else { $myresult = ( &{$postfwd_compare{default}}(($cmp,$val,'',%request)) ); @@ -1547,7 +1797,7 @@ if ( my @answers = dns_query ("$myitem,NS") ) { splice (@answers, $postfwd_settings{dns}{max_ns_lookups}) if $postfwd_settings{dns}{max_ns_lookups} and $#answers > $postfwd_settings{dns}{max_ns_lookups}; if ( @answers = dns_query (@answers) ) { - log_info ("type $COMP_NS_ADDR : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all ]); + log_info ("type $COMP_NS_ADDR : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all thisrequest ]); map { $myresult = ( &{$postfwd_compare{cidr}}(($cmp,$val,$_,%request)) ); return $myresult if $myresult } @answers; }; }; @@ -1561,7 +1811,7 @@ if ( my @answers = dns_query ("$myitem,MX") ) { splice (@answers, $postfwd_settings{dns}{max_mx_lookups}) if $postfwd_settings{dns}{max_mx_lookups} and $#answers > $postfwd_settings{dns}{max_mx_lookups}; if ( @answers = dns_query (@answers) ) { - log_info ("type $COMP_MX_ADDR : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all ]); + log_info ("type $COMP_MX_ADDR : \"".(join ',', @answers)."\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all thisrequest ]); map { $myresult = ( &{$postfwd_compare{cidr}}(($cmp,$val,$_,%request)) ); return $myresult if $myresult } @answers; }; }; @@ -1570,15 +1820,11 @@ "default" => sub { my($cmp,$val,$myitem,%request) = @_; my($var,$myresult) = undef; - log_info ("type default : \"$myitem\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all ]); + log_info ("type default : \"$myitem\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all thisrequest ]); # backward compatibility $cmp = '==' if ( ($var) and ($cmp eq '=') ); if ($cmp eq '==') { $myresult = ( lc($myitem) eq lc($val) ) if $myitem; - } elsif ( $cmp eq '=~' ) { - $myresult = ( $myitem =~ /$val/i ); - } elsif ( $cmp eq '!~' ) { - $myresult = ( $myitem !~ /$val/i ); } elsif ($cmp eq '!=') { $myresult = not( lc($myitem) eq lc($val) ) if $myitem; } elsif ($cmp eq '=<') { @@ -1589,10 +1835,14 @@ $myresult = (($myitem || 0) >= $val); } elsif ($cmp eq '!>') { $myresult = not(($myitem || 0) >= $val); + } elsif ($cmp eq '=~') { + $myresult = ($myitem =~ /$val/i); + } elsif ($cmp eq '!~') { + $myresult = ($myitem !~ /$val/i); } else { # allow // regex $val =~ s/^\/?(.*?)\/?$/$1/; - $myresult = ( $myitem =~ /$val/i ); + $myresult = $myitem =~ /$val/i; }; return $myresult; }, @@ -1625,7 +1875,7 @@ my($ruleno) = $Rule_by_ID{$myarg}; log_info ("[RULES] ".$myline .", jump to rule $ruleno (id $myarg)") - if wantsdebug (qw[ all verbose ]); + if wantsdebug (qw[ all thisrequest verbose ]); $index = $ruleno - 1; } else { log_warn ("[RULES] ".$myline." - error: jump failed, can not find rule-id ".$myarg." - ignoring"); @@ -1656,11 +1906,11 @@ } else { $m_val = $r_val; }; - $m_val = $1.((defined $2) ? $2 : '') if ( $m_val =~ /^(\-?\d+)([\.,]\d\d?)?/ ); + $m_val = $1.($2 || '').($3 || '') if ( $m_val =~ /^(\-?\d+)([\.,]\d+)?(.*)$/ ); (defined $request{$r_var}) ? log_info ("notice", "[RULES] ".$myline.", redefining existing ".$r_var."=".$request{$r_var}." with ".$r_var."=".$m_val) : log_info ("[RULES] ".$myline.", defining ".$r_var."=".$m_val) - if wantsdebug (qw[ all verbose ]); + if wantsdebug (qw[ all thisrequest verbose ]); $request{$r_var} = $m_val; } else { log_warn ("[RULES] ".$myline.", ignoring unknown set() attribute ".$_); @@ -1688,7 +1938,7 @@ }; $score = $1.((defined $2) ? $2 : '.0') if ( $score =~ /^(\-?\d+)([\.,]\d\d?)?/ ); log_info ("[SCORE] ".$myline.", modifying score about ".$myarg." points to ". $score) - if wantsdebug (qw[ all verbose ]); + if wantsdebug (qw[ all thisrequest verbose ]); $request{score} = $request{request_score} = $score; } elsif ($myarg) { log_warn ("[RULES] ".$myline.", invalid value for score \"$myarg\" - ignoring"); @@ -1702,39 +1952,124 @@ }; return ($stop,$index,$myaction,$myline,%request); }, + # mail() command + "mail" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $postfwd_settings{default}; my($stop) = 0; + my($mserver,$mhelo,$mfrom,$mto,$msubject,$mbody) = split "/", $myarg, 6; + ($mserver, my $mport) = split ":", $mserver; my $res = ""; + my @talk = ( + "HELO $mhelo", + "MAIL FROM: $mfrom", + "RCPT TO: $mto", + "DATA", + "Subject: $msubject\r\n$mbody\r\n.", + "QUIT", + ); + if ( my $socket = IO::Socket::INET->new( + PeerAddr => $mserver, + PeerPort => ($mport || 25), + Proto => 'tcp', + Timeout => 30, + Type => SOCK_STREAM, + ) ) { + SMTP: foreach (@talk) { + print $socket "$_\r\n"; $res = <$socket>; chomp($res); + last SMTP unless $res =~ /^[23][0-9][0-9] /; + }; + close($socket); + log_info ("[MAIL] ".$myline.", mail server=<$mserver:$mport>, from=<$mfrom>, to=<$mto>, subject=<$msubject>, status=<$res>"); + } else { + log_info ("[MAIL] ".$myline.", could not open socket to $mserver:$mport: '$!'"); + }; + return ($stop,$index,$myaction,$myline,%request); + }, # rate() command "rate" => sub { my($index,$now,$mycmd,$myarg,$myline,%request) = @_; - my($myaction) = $postfwd_settings{default}; my($stop) = 0; + my($myaction) = $postfwd_settings{default}; my($stop) = 0; my $prate = ''; my($ratetype,$ratecount,$ratetime,$ratecmd) = split "/", $myarg, 4; - if ($ratetype and $ratecount and $ratetime and $ratecmd) { + my($rcount) = ( ($mycmd eq 'size') ? $request{size} : (($mycmd eq 'rcpt') ? $request{recipient_count} : 1 ) ); + if ($ratetype and $ratecount and $ratetime and $ratecmd and $rcount) { + my $crate = $Rules[$index]{$COMP_ID}.'+'.$ratecount.'_'.$ratetime; if ( defined $request{$ratetype} ) { $ratetype .= "=".$request{$ratetype}; - unless ( defined $Rate_Cache{$ratetype} ) { - log_info ("[RULES] ".$myline - .", creating rate limit object '".$ratetype."'" - ." [type: ".$mycmd.", max: ".$ratecount.", time: ".$ratetime."s]") - if wantsdebug (qw[ all rates ]); - $Rate_Cache{$ratetype} = { - type => $mycmd, - maxcount => $ratecount, - ttl => $ratetime, - 'until' => $now + $ratetime, - count => ( ($mycmd eq 'size') ? $request{size} : (($mycmd eq 'rcpt') ? $request{recipient_count} : 1 ) ), - rule => $Rules[$index]{$COMP_ID}, - action => $ratecmd, + + if ( $postfwd_settings{rate}{fast_eval} ) { + # Check if rate already exists in cache + my $rate_exists = ( defined $Rate_Cache{$ratetype}{$crate} ); + if ( $rate_exists ) { + # Child hit + log_info ("[RULES] rate limit object '".$ratetype."' '".$crate."' exists in local cache") if wantsdebug (qw[ all thisrequest rates ]); + # Query parent cache + } elsif ( not $postfwd_settings{rate}{noparent} ) { + my $prate = "CMD=".$postfwd_commands{getrateitem}.";TYPE=rate;ITEM=$ratetype".$postfwd_settings{seplim}.$crate; + log_info ("[RULES] query parent cache: '$prate'") if wantsdebug (qw[ all thisrequest rates ]); + $prate = cache_query($prate); + log_info ("[RULES] parent cache answer: '$prate'") if wantsdebug (qw[ all thisrequest rates ]); + $rate_exists = ( $prate ne '' ); + if ( $rate_exists ) { + # Parent hit, populate local cache + %{$Rate_Cache{$ratetype}{$crate}} = str_to_hash($prate); + push @{$Rate_Cache{$ratetype}{'list'}}, $crate; + @{$Rate_Cache{$ratetype}{'list'}} = uniq(@{$Rate_Cache{$ratetype}{'list'}}); + }; }; - unless ($postfwd_settings{rate}{noparent}) { - my $prate = "CMD=".$postfwd_commands{setcacheitem}.";TYPE=rate;ITEM=$ratetype".hash_to_str(%{$Rate_Cache{$ratetype}}); - log_info ("creating parent rate limit object '".$ratetype."'") if wantsdebug (qw[ all rates setcache ]); - cache_query ($prate); + unless ( $rate_exists ) { + log_info ("[RULES] ".$myline + .", creating rate limit object '".$ratetype."' '".$crate."'" + ." [type: ".$mycmd.", max: ".$ratecount.", time: ".$ratetime."s]") + if wantsdebug (qw[ all thisrequest rates ]); + push @{$Rate_Cache{$ratetype}{'list'}}, $crate; + @{$Rate_Cache{$ratetype}{'list'}} = uniq(@{$Rate_Cache{$ratetype}{'list'}}); + $Rate_Cache{$ratetype}{$crate} = { + type => $mycmd, + maxcount => $ratecount, + ttl => $ratetime, + 'time' => $now, + 'until' => $now + $ratetime, + count => $rcount, + rule => $Rules[$index]{$COMP_ID}, + action => $ratecmd, + }; + unless ($postfwd_settings{rate}{noparent}) { + $prate = "CMD=".$postfwd_commands{setrateitem}.";TYPE=rate;ITEM=$ratetype".$postfwd_settings{seplim}.$crate.hash_to_str(%{$Rate_Cache{$ratetype}{$crate}}); + log_info ("updating parent rate limit object '".$prate."'") if wantsdebug (qw[ all thisrequest rates setcache ]); + cache_query ($prate); + }; }; + } else { + push @{$Rate_Cache{$ratetype}{'list'}}, $crate; + @{$Rate_Cache{$ratetype}{'list'}} = uniq(@{$Rate_Cache{$ratetype}{'list'}}); + $Rate_Cache{$ratetype}{$crate} = { + type => $mycmd, + maxcount => $ratecount, + ttl => $ratetime, + 'time' => $now, + 'until' => $now + $ratetime, + count => $rcount, + rule => $Rules[$index]{$COMP_ID}, + action => $ratecmd, + }; + unless ($postfwd_settings{rate}{noparent}) { + $prate = "CMD=".$postfwd_commands{setrateitem2}.";TYPE=rate;ITEM=$ratetype".$postfwd_settings{seplim}.$crate.hash_to_str(%{$Rate_Cache{$ratetype}{$crate}}); + log_info ("updating parent rate limit object '".$prate."'") if wantsdebug (qw[ all thisrequest rates setcache ]); + $prate = cache_query ($prate); + }; + $Rate_Cache{$ratetype}{$crate}{count} = $prate if ($prate =~ /^\d+$/); + }; + # rate exceeded + $stop = ( $Rate_Cache{$ratetype}{$crate}{count} > $Rate_Cache{$ratetype}{$crate}{maxcount} ); + if ($stop) { + $myaction=$Rate_Cache{$ratetype}{$crate}{action}; + $request{'ratecount'} = $prate; + $myline .= ", rate=".$Rate_Cache{$ratetype}{$crate}{type}."/".$Rate_Cache{$ratetype}{$crate}{count}."/".ts($now - $Rate_Cache{$ratetype}{$crate}{'time'})."s"; }; } else { - log_note ("[RULES] ".$myline.", ignoring empty index for ".$mycmd." limit '".$ratetype."'") if wantsdebug (qw[ all rates ]); + log_note ("[RULES] ".$myline.", ignoring empty index for ".$mycmd." limit '".$ratetype."'") if wantsdebug (qw[ all thisrequest rates ]); }; } else { - log_note ("[RULES] ".$myline.", ignoring unknown ".$mycmd."() attribute \'".$myarg."\'"); + log_note ("[RULES] ".$myline.(($rcount) ? ", ignoring unknown ".$mycmd."() attribute \'".$myarg."\'" : ", ignoring empty counter")); }; return ($stop,$index,$myaction,$myline,%request); }, @@ -1757,6 +2092,14 @@ log_info ("[RULES] ".$myline." - note: ".$myarg) if $myarg; return ($stop,$index,$myaction,$myline,%request); }, + # debug() command + "debug" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $postfwd_settings{default}; my($stop) = 0; + log_info ("[RULES] ".$myline.", DEBUG=$myarg"); + ($myarg =~ /^(1|y(es)?|on)$/i) ? $postfwd_settings{debug}{thisrequest} = 1 : delete $postfwd_settings{debug}{thisrequest}; + return ($stop,$index,$myaction,$myline,%request); + }, # quit() command - not supported in this version "quit" => sub { my($index,$now,$mycmd,$myarg,$myline,%request) = @_; @@ -1773,7 +2116,7 @@ "ask" => sub { my($index,$now,$mycmd,$myarg,$myline,%request) = @_; my($myaction) = $postfwd_settings{default}; my($stop) = 0; - log_info ("Opening socket to '$myarg'") if wantsdebug (qw[ all ]); + log_info ("Opening socket to '$myarg'") if wantsdebug (qw[ all thisrequest ]); my($addr,$port,$ignore) = split ':', $myarg; my %orig = str_to_hash ($request{orig}); if ( ($addr and $port) and my $socket = new IO::Socket::INET ( @@ -1788,20 +2131,20 @@ $sendstr .= $_."=".$orig{$_}."\n"; }; $sendstr .= "\n"; - log_info ("Asking service $myarg -> '$sendstr'") if wantsdebug (qw[ all ]); + log_info ("Asking service $myarg -> '$sendstr'") if wantsdebug (qw[ all thisrequest ]); print $socket "$sendstr"; $sendstr = <$socket>; chomp($sendstr); - log_info ("Answer from $myarg -> '$sendstr'") if wantsdebug (qw[ all verbose ]); + log_info ("Answer from $myarg -> '$sendstr'") if wantsdebug (qw[ all thisrequest verbose ]); $sendstr =~ s/^(action=)//; if ($1 and $sendstr) { if ($ignore and ($sendstr =~ /$ignore/i)) { - log_info ("ignoring answer '$sendstr' from $myarg") if wantsdebug (qw[ all verbose ]); + log_info ("ignoring answer '$sendstr' from $myarg") if wantsdebug (qw[ all thisrequest verbose ]); } else { $stop = $myaction = $sendstr; }; } else { - mylogs ('notice', "rule: $index got invalid answer '$sendstr' from $myarg"); + log_note ("rule: $index got invalid answer '$sendstr' from $myarg"); }; } else { log_note ("Could not open socket to '$myarg' - $!"); @@ -1869,24 +2212,24 @@ push @items, prepare_file (0, $1, $cmp, $2); next ITEM; }; - log_info ("compare $mykey: \"$myitem\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all ]); + log_info ("compare $mykey: \"$myitem\" \"$cmp\" \"$val\"") if wantsdebug (qw[ all thisrequest ]); $val = $neg if ($neg = deneg_item($val)); - log_info ("deneg $mykey: \"$myitem\" \"$cmp\" \"$val\"") if ($neg and wantsdebug (qw[ all ])); + log_info ("deneg $mykey: \"$myitem\" \"$cmp\" \"$val\"") if ($neg and wantsdebug (qw[ all thisrequest ])); next ITEM unless $val; # substitute check for $$vars in rule item if ( $var = devar_item ($cmp,$val,$myitem,%request) ) { $val = $var; $val =~ s/([^-_@\.\w\s])/\\$1/g unless ($cmp eq '=='); }; $myresult = &{$postfwd_compare{$postfwd_compare_proc}}($cmp,$val,$myitem,%request); - log_info ("match $mykey: ".($myresult ? "TRUE" : "FALSE")) if wantsdebug (qw[ all ]); + log_info ("match $mykey: ".($myresult ? "TRUE" : "FALSE")) if wantsdebug (qw[ all thisrequest ]); if ($neg) { $myresult = not($myresult); - log_info ("negate match $mykey: ".($myresult ? "TRUE" : "FALSE")) if wantsdebug (qw[ all ]); + log_info ("negate match $mykey: ".($myresult ? "TRUE" : "FALSE")) if wantsdebug (qw[ all thisrequest ]); }; $rcount++ if $myresult; $myresult = not($mymin eq 'all'); $myresult = ( $rcount >= $mymin ) if $myresult; - log_info ("count $mykey: request=$rcount minimum: $mymin result: ".($myresult ? "TRUE" : "FALSE")) if wantsdebug (qw[ all ]); + log_info ("count $mykey: request=$rcount minimum: $mymin result: ".($myresult ? "TRUE" : "FALSE")) if wantsdebug (qw[ all thisrequest ]); last ITEM if $myresult; }; $myresult = $rcount if ($myresult or ($mymin eq 'all')); @@ -1921,7 +2264,7 @@ my %ownsock = (); my @ownready = (); - log_info ("[RULES] rule: $index, id: $Rules[$index]{$COMP_ID}, items: '".((@ruleitems) ? join ';', @ruleitems: '')."'") if wantsdebug (qw[ all ]); + log_info ("[RULES] rule: $index, id: $Rules[$index]{$COMP_ID}, items: '".((@ruleitems) ? join ';', @ruleitems: '')."'") if wantsdebug (qw[ all thisrequest ]); # COMPARE-ITEMS # check all non-dns items @@ -1949,7 +2292,7 @@ }; last ITEM unless ($myresult[0] > 0); }; - log_info ("[RULES] pre-dns: rule: $index, id: $Rules[$index]{$COMP_ID}, RESULT: ".$myresult[0]) if wantsdebug (qw[ all ]); + log_info ("[RULES] pre-dns: rule: $index, id: $Rules[$index]{$COMP_ID}, RESULT: ".$myresult[0]) if wantsdebug (qw[ all thisrequest ]); # DNSQUERY-SECTION # fire bgsend()s with callback to result cache, @@ -1993,7 +2336,7 @@ QUERY: foreach my $query (@queries) { next QUERY unless $query; log_info ("[SENDDNS] sending query \'$query\'") - if wantsdebug (qw[ all ]); + if wantsdebug (qw[ all thisrequest ]); # send A query $bgsock = $ownres->bgsend($query, 'A'); $ownsel->add($bgsock); @@ -2006,7 +2349,7 @@ }; }; log_info ("[SENDDNS] rule: $index, id: $Rules[$index]{$COMP_ID}, lookups: ".($#queries + 1)) - if wantsdebug (qw[ all ]); + if wantsdebug (qw[ all thisrequest ]); $myresult[3] = "dnsqueries=".($#queries + 1).$postfwd_settings{sepreq}."dnsinterval=".($#queries + 1); }; @@ -2017,7 +2360,7 @@ foreach my $sock (@ownready) { if (defined $ownsock{$sock}) { log_note ("[DNSBL] answer for ".$ownsock{$sock}) - if wantsdebug (qw[ all ]); + if wantsdebug (qw[ all thisrequest ]); my $packet = $ownres->bgread($sock); push @queries, (split ':', $ownsock{$sock})[1] if rbl_read_dns ($packet); delete $ownsock{$sock}; @@ -2044,16 +2387,16 @@ ? $Timeouts{$DNS_Cache{$_}{name}} + 1 : 1 if ( $postfwd_settings{dns}{max_timeout} > 0 ); - log_note ("[DNSBL] warning: timeout (".$Timeouts{$DNS_Cache{$_}{name}}."/".$postfwd_settings{dns}{max_timeout}.") for ".$DNS_Cache{$_}{name}." after ".$DNS_Cache{$_}{'delay'}." seconds"); + log_note ("[DNSBL] warning: timeout (".$Timeouts{$DNS_Cache{$_}{name}}."/".$postfwd_settings{dns}{max_timeout}.") for ".$DNS_Cache{$_}{name}." after ".ts($DNS_Cache{$_}{'delay'})." seconds"); }; }; # perform outstanding TXT queries unless --dns_async_txt is set if (not($postfwd_settings{dns}{async_txt}) and @queries) { @queries = uniq(@queries); - log_info ("[DNSBL] sending TXT queries for ".(join ',', @queries)) if wantsdebug (qw[ all debugdns ]); + log_info ("[DNSBL] sending TXT queries for ".(join ',', @queries)) if wantsdebug (qw[ all thisrequest debugdns ]); foreach my $query (@queries) { - log_info ("[SENDDNS] sending TXT query \'$query\'") if wantsdebug (qw[ all ]); + log_info ("[SENDDNS] sending TXT query \'$query\'") if wantsdebug (qw[ all thisrequest ]); # send TXT query $bgsock = $ownres->bgsend($query, 'TXT'); $ownsel->add($bgsock); @@ -2063,7 +2406,7 @@ foreach my $sock (@ownready) { if (defined $ownsock{$sock}) { log_info ("[DNSBL] answer for ".$ownsock{$sock}) - if wantsdebug (qw[ all ]); + if wantsdebug (qw[ all thisrequest ]); my $packet = $ownres->bgread($sock); rbl_read_dns ($packet); delete $ownsock{$sock}; @@ -2146,7 +2489,7 @@ }; }; }; - if ( wantsdebug (qw[ all ]) ) { + if ( wantsdebug (qw[ all thisrequest ]) ) { $myline = "[RULES] RULE: ".$index." MATCHES: ".((($myresult[0] - 2) > 0) ? ($myresult[0] - 2) : 0); $myline .= " RBLCOUNT: ".$myresult[1] if $myresult[1]; $myline .= " RHSBLCOUNT: ".$myresult[2] if $myresult[2]; @@ -2164,11 +2507,13 @@ my($parent,%request) = @_; my($myaction) = $postfwd_settings{default}; my($index) = 1; + my($stop) = 1; my($now) = time(); my($date) = join(',', localtime($now)); my($counters) = "request=1".$postfwd_settings{sepreq}."interval=1"; - my($matched,$rblcnt,$rhlcnt,$t1,$t2,$t3,$stop) = 0; - my($mykey,$cacheid,$myline,$checkreq,$checkval,$var,$ratehit,$rulehits) = ""; + my ($rhit) = "ruleset"; + my($matched,$rblcnt,$rhlcnt,$t1,$t2,$t3,$ai) = 0; + my($mykey,$cacheid,$myline,$checkreq,$checkval,$var,$ratehit,$rateindex,$rulehits) = ""; # save original request $request{orig} = hash_to_str (%request); @@ -2184,7 +2529,7 @@ # clear dnsbl timeout counters if ( $Cleanup_Timeouts and ($postfwd_settings{dns}{max_interval} > 0) and (($now - $Cleanup_Timeouts) > $postfwd_settings{dns}{max_interval}) ) { undef %Timeouts; - log_info ("[CLEANUP] clearing dnsbl timeout counters") if wantsdebug (qw[ all verbose ]); + log_info ("[CLEANUP] clearing dnsbl timeout counters") if wantsdebug (qw[ all thisrequest verbose ]); $Cleanup_Timeouts = $now; }; @@ -2194,25 +2539,34 @@ $t3 = scalar keys %Rate_Cache; cleanup_rate_cache($now); $t2 = time(); - log_info ("[CLEANUP] needed ".($t2 - $t1) + log_info ("[CLEANUP] cleaning rate-cache needed ".ts($t2 - $t1) ." seconds for rate cleanup of " .($t3 - scalar keys %Rate_Cache)." out of ".$t3 - ." cached items after ".($now - $Cleanup_Rates) - ." seconds (min ".$postfwd_settings{rate}{cleanup}."s)") if ( wantsdebug (qw[ all verbose rates ]) or (($t2 - $t1) > 0) ); + ." cached items after cleanup time ".$postfwd_settings{rate}{cleanup}."s") + if ( wantsdebug (qw[ all thisrequest verbose rates cleanup childcleanup ]) or (($t2 - $t1) >= 1) ); $Cleanup_Rates = $t1; }; # increase rate limits - if (@Rate_Items) { + if (@Rate_Items and $postfwd_settings{rate}{fast_eval}) { map { $checkval .= $_."=".$request{$_}.$postfwd_settings{seplst} if $request{$_} } (@Rate_Items); if ($checkval) { $checkval = "CMD=".$postfwd_commands{checkrate}.";TYPE=rate;ITEM=$checkval;SIZE=".($request{'size'} || 0).";RCPT=".($request{'recipient_count'} || 0); - log_info ("[RATES] parent rate limit query: ".$checkval) if wantsdebug (qw[ all verbose rates ]); + log_info ("[RATES] parent rate limit query: ".$checkval) if wantsdebug (qw[ all thisrequest verbose rates ]); $checkval = cache_query ($checkval); - log_info ("[RATES] parent rate limit answer: ".$checkval) if wantsdebug (qw[ all verbose rates ]); + log_info ("[RATES] parent rate limit answer: ".$checkval) if wantsdebug (qw[ all thisrequest verbose rates ]); unless ($checkval eq '') { my($i,$r) = split $postfwd_settings{seplst}, $checkval; - if ($i and $r) { $ratehit = $i; %{$Rate_Cache{$i}} = str_to_hash ($r) }; + my($it, $ri) = split $postfwd_settings{seplim}, $i; + if ($it and $ri and $r) { + $ratehit = $it; $rateindex = $ri; + %{$Rate_Cache{$it}{$ri}} = str_to_hash ($r); + push @{$Rate_Cache{$it}{'list'}}, $ri; + @{$Rate_Cache{$it}{'list'}} = uniq(@{$Rate_Cache{$it}{'list'}}); + $request{'ratecount'} = $Rate_Cache{$it}{$ri}{'count'} + + ( ($Rate_Cache{$it}{$ri}{type} eq 'size') ? $request{size} + : (($Rate_Cache{$it}{$ri}{type} eq 'rcpt') ? $request{recipient_count} : 1 ) ); + }; }; }; }; @@ -2236,7 +2590,7 @@ }; }; }; - log_info ("created cache-id: $cacheid") if wantsdebug (qw[ all ]); + log_info ("created cache-id: $cacheid") if wantsdebug (qw[ all thisrequest ]); # wipe out old cache entries if ( $Cleanup_Requests and (scalar keys %Request_Cache > 0) and (($now - $Cleanup_Requests) > $postfwd_settings{request}{cleanup}) ) { @@ -2244,34 +2598,38 @@ $t3 = scalar keys %Request_Cache; cleanup_request_cache($now); $t2 = time(); - log_info ("[CLEANUP] needed ".($t2 - $t1) + log_info ("[CLEANUP] cleaning request-cache needed ".ts($t2 - $t1) ." seconds for request cleanup of " .($t3 - scalar keys %Request_Cache)." out of ".$t3 - ." cached items after ".($now - $Cleanup_Requests) - ." seconds (min ".$postfwd_settings{request}{cleanup}."s)") if ( wantsdebug (qw[ all verbose ]) or (($t2 - $t1) > 0) ); + ." cached items after cleanup time ".$postfwd_settings{request}{cleanup}."s") + if ( wantsdebug (qw[ all thisrequest verbose cleanup childcleanup ]) or (($t2 - $t1) >= 1) ); $Cleanup_Requests = $t1; }; }; # check rate - if ( $ratehit ) { + if ( $postfwd_settings{rate}{fast_eval} and $ratehit and $rateindex and defined $Rate_Cache{$ratehit}{$rateindex} ) { $counters .= $postfwd_settings{sepreq}."rate=1"; - $Matches{$Rate_Cache{$ratehit}{rule}}++; - $myaction = $Rate_Cache{$ratehit}{action}; - log_info ("[RATES] rule=".$Rule_by_ID{$Rate_Cache{$ratehit}{rule}} - . ", id=".$Rate_Cache{$ratehit}{rule} + $Matches{$Rate_Cache{$ratehit}{$rateindex}{rule}}++; + $myaction = $Rate_Cache{$ratehit}{$rateindex}{action}; + # substitute check for $$vars in action + $myaction = $var if ( $var = devar_item ("==",$myaction,"action",%request) ); + log_info ("[RATES] rule=".$Rule_by_ID{$Rate_Cache{$ratehit}{$rateindex}{rule}} + . ", id=".$Rate_Cache{$ratehit}{$rateindex}{rule} + . ( ($request{queue_id}) ? ", queue=".$request{queue_id} : '' ) . ", client=".$request{client_name}."[".$request{client_address}."]" + . ( ($request{sasl_username}) ? ", user=".$request{sasl_username} : '' ) . ", sender=<".(($request{sender} eq '<>') ? "" : $request{sender}).">" - . ", recipient=<".$request{recipient}.">" + . ( ($request{recipient}) ? ", recipient=<".$request{recipient}.">" : '' ) . ", helo=<".$request{helo_name}.">" . ", proto=".$request{protocol_name} . ", state=".$request{protocol_state} - . ", delay=".(time() - $now)."s" + . ", delay=".ts(time() - $now)."s" . ", action=".$myaction." (item: '".$ratehit."'" - . ", type: ".$Rate_Cache{$ratehit}{type} - . ", count: ".$Rate_Cache{$ratehit}{count}."/".$Rate_Cache{$ratehit}{maxcount} - . ", ttl: ".$Rate_Cache{$ratehit}{ttl}."s" + . ", type: ".$Rate_Cache{$ratehit}{$rateindex}{type} + . ", count: ".$request{ratecount}."/".$Rate_Cache{$ratehit}{$rateindex}{maxcount} + . ", time: ".ts($now - $Rate_Cache{$ratehit}{$rateindex}{"time"})."/".$Rate_Cache{$ratehit}{$rateindex}{ttl}."s)" ) unless $postfwd_settings{request}{nolog}; # check own cache @@ -2284,13 +2642,15 @@ $rulehits = join $postfwd_settings{sepreq}, (split ';', $Request_Cache{$cacheid}{hits}) if $Request_Cache{$cacheid}{hits}; log_info ("[CACHE] rule=".$Rule_by_ID{$Request_Cache{$cacheid}{$COMP_ID}} . ", id=".$Request_Cache{$cacheid}{$COMP_ID} + . ( ($request{queue_id}) ? ", queue=".$request{queue_id} : '' ) . ", client=".$request{client_name}."[".$request{client_address}."]" + . ( ($request{sasl_username}) ? ", user=".$request{sasl_username} : '' ) . ", sender=<".(($request{sender} eq '<>') ? "" : $request{sender}).">" - . ", recipient=<".$request{recipient}.">" + . ( ($request{recipient}) ? ", recipient=<".$request{recipient}.">" : '' ) . ", helo=<".$request{helo_name}.">" . ", proto=".$request{protocol_name} . ", state=".$request{protocol_state} - . ", delay=".(time() - $now)."s" + . ", delay=".ts(time() - $now)."s" . ", hits=".$Request_Cache{$cacheid}{hits} . ", action=".$Request_Cache{$cacheid}{$COMP_ACTION} ) unless $postfwd_settings{request}{nolog}; @@ -2308,13 +2668,15 @@ $rulehits = join $postfwd_settings{sepreq}, (split ';', $Request_Cache{$cacheid}{hits}) if $Request_Cache{$cacheid}{hits}; log_info ("[CACHE] rule=".$Rule_by_ID{$Request_Cache{$cacheid}{$COMP_ID}} . ", id=".$Request_Cache{$cacheid}{$COMP_ID} + . ( ($request{queue_id}) ? ", queue=".$request{queue_id} : '' ) . ", client=".$request{client_name}."[".$request{client_address}."]" + . ( ($request{sasl_username}) ? ", user=".$request{sasl_username} : '' ) . ", sender=<".(($request{sender} eq '<>') ? "" : $request{sender}).">" - . ", recipient=<".$request{recipient}.">" + . ( ($request{recipient}) ? ", recipient=<".$request{recipient}.">" : '' ) . ", helo=<".$request{helo_name}.">" . ", proto=".$request{protocol_name} . ", state=".$request{protocol_state} - . ", delay=".(time() - $now)."s" + . ", delay=".ts(time() - $now)."s" . ", hits=".$Request_Cache{$cacheid}{hits} . ", action=".$Request_Cache{$cacheid}{$COMP_ACTION} ) unless $postfwd_settings{request}{nolog}; @@ -2337,11 +2699,11 @@ $t3 = scalar keys %DNS_Cache; cleanup_dns_cache($now); $t2 = time(); - log_info ("[CLEANUP] needed ".($t2 - $t1) + log_info ("[CLEANUP] cleaning dns-cache needed ".ts($t2 - $t1) ." seconds for rbl cleanup of " .($t3 - scalar keys %DNS_Cache)." out of ".$t3 - ." cached items after ".($now - $Cleanup_RBLs) - ." seconds (min ".$postfwd_settings{dns}{cleanup}."s)") if ( wantsdebug (qw[ all verbose ]) or (($t2 - $t1) > 0) ); + ." cached items after cleanup time ".$postfwd_settings{dns}{cleanup}."s") + if ( wantsdebug (qw[ all thisrequest verbose cleanup childcleanup ]) or (($t2 - $t1) >= 1) ); $Cleanup_RBLs = $t1; }; @@ -2363,7 +2725,7 @@ $counters .= $postfwd_settings{sepreq}.$compcnt if $compcnt; # matched? prepare logline, increase counters - if ($matched > 0) { + if ($stop = $matched > 0) { $myaction = $Rules[$index]{$COMP_ACTION}; $Matches{$Rules[$index]{$COMP_ID}}++; $rulehits .= $postfwd_settings{sepreq} if $rulehits; @@ -2374,31 +2736,33 @@ $myaction = $var if ( $var = devar_item ("==",$myaction,"action",%request) ); $myline = "rule=".$index . ", id=".$Rules[$index]{$COMP_ID} + . ( ($request{queue_id}) ? ", queue=".$request{queue_id} : '' ) . ", client=".$request{client_name}."[".$request{client_address}."]" + . ( ($request{sasl_username}) ? ", user=".$request{sasl_username} : '' ) . ", sender=<".(($request{sender} eq '<>') ? "" : $request{sender}).">" - . ", recipient=<".$request{recipient}.">" + . ( ($request{recipient}) ? ", recipient=<".$request{recipient}.">" : '' ) . ", helo=<".$request{helo_name}.">" . ", proto=".$request{protocol_name} . ", state=".$request{protocol_state}; # check for postfwd action - if ($myaction =~ /^(\w[\-\w]+)\s*$\s*(.*?)\s*$$/) { - my($mycmd,$myarg) = ($1, $2); + while ($ai++ < $postfwd_settings{max_command_recursion} and $myaction =~ /^(\w[\-\w]+)\s*$\s*(.*?)\s*$$/) { + my($mycmd,$myarg) = ($1, $2); $stop = 0; if (defined $postfwd_actions{$mycmd}) { - log_info ("[PLUGIN] executing postfwd-action $mycmd") if wantsdebug (qw[ all ]); + log_info ("[PLUGIN] executing postfwd-action $mycmd") if wantsdebug (qw[ all thisrequest ]); ($stop, $index, $myaction, $myline, %request) = &{$postfwd_actions{$mycmd}}($index, $now, $mycmd, $myarg, $myline, %request); + $rhit = "rate" if ($stop and $mycmd =~ /^(rate|size|rcpt)$/); # substitute again after postfwd-actions $myaction = $var if ( $var = devar_item ("==",$myaction,"action",%request) ); } else { log_warn ("[RULES] ".$myline." - error: unknown command \"".$1."\" - ignoring"); $myaction = $postfwd_settings{default}; }; - # normal rule. returns $action. - } else { $stop = 1; }; + }; if ($stop) { - $myline .= ", delay=".(time() - $now)."s, hits=".$request{$COMP_HITS}.", action=".$myaction; + $myline .= ", delay=".ts(time() - $now)."s, hits=".$request{$COMP_HITS}.", action=".$myaction; log_info ("[RULES] ".$myline) unless $postfwd_settings{request}{nolog}; - $counters .= $postfwd_settings{sepreq}."ruleset=1"; + $counters .= $postfwd_settings{sepreq}.$rhit."=1"; # update cache if ( $postfwd_settings{request}{ttl} > 0 ) { $Request_Cache{$cacheid}{ttl} = ($Rules[$index]{$COMP_CACHE} || $postfwd_settings{request}{ttl}); @@ -2451,6 +2815,9 @@ $self->{server}->{syslog_ident} = $postfwd_settings{name}."/policy"; $StartTime = $Summary = $Cleanup_Timeouts = $Cleanup_Requests = $Cleanup_RBLs = $Cleanup_Rates = time(); init_log ($self->{server}->{syslog_ident}); + # load plugin-items + get_plugins (@{$postfwd_settings{Plugins}}) if $postfwd_settings{Plugins}; + # read configuration read_config(1); log_info ("ready for input"); }; @@ -2520,8 +2887,8 @@ # per rule stats if (%Hits and not($postfwd_settings{syslog}{norulestats})) { - my @rulecharts = (sort { $Hits{$b} <=> $Hits{$a} } (keys %Hits)); my $cntln = length($Hits{$rulecharts[0]}) + 2; - map { push ( @output, sprintf ("[STATS] %".$cntln."d matches for id: %s", $Hits{$_}, $_)) } @rulecharts; + my @rulecharts = (sort { ($Hits{$b} || 0) <=> ($Hits{$a} || 0) } (keys %Hits)); my $cntln = length(($Hits{$rulecharts[0]} || 2)) + 2; + map { push ( @output, sprintf ("[STATS] %".$cntln."d matches for id: %s", ($Hits{$_} || 0), $_)) } @rulecharts; }; }; @@ -2595,18 +2962,18 @@ $$attr{$1} = $2; # evaluate request } elsif ( $msg eq '' ) { - map { log_info ("Attribute: $_=$$attr{$_}") } (keys %$attr) if wantsdebug (qw[ all request ]); + map { log_info ("Attribute: $_=$$attr{$_}") } (keys %$attr) if wantsdebug (qw[ all thisrequest request ]); unless ( (defined $$attr{request}) and ($$attr{request} eq "smtpd_access_policy") ) { log_note ("Ignoring unrecognized request type: '".((defined $$attr{request}) ? substr($$attr{request},0,100) : '')."'"); } else { my $action = smtpd_access_policy($parent, %$attr) || $postfwd_settings{default}; - log_info ("Action: $action") if wantsdebug (qw[ all verbose ]); + log_info ("Action: $action") if wantsdebug (qw[ all thisrequest verbose ]); if ($client) { print $client ("action=$action\n\n"); } else { print STDOUT ("action=$action\n\n"); }; - %$attr = (); + %$attr = (); delete $postfwd_settings{debug}{thisrequest}; }; # unknown command } else { @@ -2625,11 +2992,12 @@ use Net::Server::Daemonize qw(daemonize); # own modules # program settings, syslogging -import postfwd2::basic qw(:DEFAULT %postfwd_commands &check_inet &check_unix &wantsdebug &hash_to_list); +import postfwd2::basic qw(:DEFAULT %postfwd_commands &check_inet &check_unix &wantsdebug &hash_to_list $TIMEHIRES); # cache daemon (requests, dns, limits), Net::Server::Multiplex import postfwd2::cache qw(); # policy daemon, Net::Server::PreFork -import postfwd2::server qw(&read_config &show_config &process_input); +import postfwd2::server qw(&read_config &show_config &process_input &get_plugins); + # functions to start, override with '--daemons' at command line my @daemons = qw[ cache server ]; @@ -2639,6 +3007,7 @@ ); # parse command-line +my $Commandline = "$0 ".(join ' ', @ARGV); GetOptions( \%options, # Ruleset 'rule|r=s' => sub{ my($opt,$value) = @_; push (@{$postfwd_settings{Configs}}, $opt.$postfwd_settings{sepreq}.$value) }, @@ -2698,8 +3067,11 @@ "no_parent_cache" => sub{ $postfwd_settings{request}{noparent} = $postfwd_settings{rate}{noparent} = $postfwd_settings{dns}{noparent} = 1 }, # Limits "cleanup-rates=i" => \$postfwd_settings{rate}{cleanup}, + "keep_rates|keep_limits|keep_rates_on_reload" => \$postfwd_settings{keep_rates}, + "save_rates|save_limits|save_rates_on_restart=s" => \$postfwd_settings{rate}{store}, + "fast_limit_evaluation" => \$postfwd_settings{rate}{fast_eval}, # Control - 'version|V' => sub{ print "$postfwd_settings{name} $postfwd_settings{version} (Net::DNS ".(Net::DNS->VERSION || '').", Net::Server ".(Net::Server->VERSION || '').", Sys::Syslog ".($Sys::Syslog::VERSION || '').", Perl ".$]." on ".$^O.")\n"; exit 1; }, + 'version|V' => sub{ print "$postfwd_settings{name} $postfwd_settings{version} (Net::DNS ".(Net::DNS->VERSION || '').", Net::Server ".(Net::Server->VERSION || '').", Sys::Syslog ".($Sys::Syslog::VERSION || '').", ".(($TIMEHIRES) ? "Time::HiRes $TIMEHIRES, " : '').(($STORABLE) ? "Storable: $STORABLE, " : '')."Perl ".$]." on ".$^O.")\n"; exit 1; }, 'versionshort|shortversion' => sub{ print "$postfwd_settings{version}\n"; exit 1; }, 'manual|m' => sub{ # contructing command string (de-tainting $0) $postfwd_settings{manual} .= ($0 =~ /^([-\@\/\w. ]+)$/) ? " \"".$1 : " \"".$postfwd_settings{name}; @@ -2707,6 +3079,8 @@ system ($postfwd_settings{manual}); exit 1; }, "term|kill|stop|k", "hup|reload", + "delcache=s", + "delrate=s", "dumpcache", "dumpstats", "pid|pidfile|pid_file=s" => \$postfwd_settings{master}{pid_file}, @@ -2715,6 +3089,7 @@ "failures=i" => \$postfwd_settings{master}{failures}, "daemon|d!" => \$postfwd_settings{daemon}, "daemons=s" => sub { push @{$options{daemons}}, (split /[,\s]+/, $_[1]) }, + "chroot|R=s" => \$postfwd_settings{chroot}, # Logging "debug=s" => sub { push @{$options{debug}}, (split /[,\s]+/, $_[1]) }, "verbose|v+" => \$postfwd_settings{verbose}, @@ -2722,21 +3097,23 @@ $postfwd_settings{cache}{syslog_ident} = $_[1].'/cache'; $postfwd_settings{server}{syslog_ident} = $_[1].'/policy'; }, "facility=s" => \$postfwd_settings{syslog}{facility}, + "socktype=s" => \$postfwd_settings{syslog}{socktype}, "nodnslog" => \$postfwd_settings{dns}{nolog}, "no-dnslog" => \$postfwd_settings{dns}{nolog}, "anydnslog" => \$postfwd_settings{dns}{anylog}, "norulelog" => \$postfwd_settings{request}{nolog}, "no-rulelog" => \$postfwd_settings{request}{nolog}, "perfmon|P" => \$postfwd_settings{syslog}{nolog}, + "plugins=s" => sub { push @{$postfwd_settings{Plugins}}, $_[1] }, + # Unused "start", - "chroot|R=s", "shortlog", "dns_queuesize=i", "dns_retries=i", ) or pod2usage (-msg => "\nPlease see \"".$postfwd_settings{name}." -m\" for detailed instructions.\n", -verbose => 1); -map { $postfwd_settings{syslog}{stdout} = 1 if defined $options{$_} } qw(term hup showconfig dumpcache dumpstats defaults); +map { $postfwd_settings{syslog}{stdout} = 1 if defined $options{$_} } qw(term hup showconfig dumpcache dumpstats defaults delcache delrate); # basic syntax checks if ($postfwd_settings{verbose} > 1) { @@ -2758,6 +3135,14 @@ exit (0); }; +# chroot master +if (defined $postfwd_settings{chroot}) { + unless (eval {chroot($postfwd_settings{chroot});}) { + print "Cannot chroot to $postfwd_settings{chroot}: $!\n"; + exit (2); + }; +}; + # init_log init_log ($postfwd_settings{name}."/master"); @@ -2797,12 +3182,25 @@ exit 1; }; +# remove cache item +if (defined $options{'delcache'} or defined $options{'delrate'}) { + print "\n".( join "\n", + split $postfwd_settings{sepreq}.$postfwd_settings{seplst}, + (&{$postfwd_settings{cache}{check}} ('cache', (($options{'delcache'}) ? 'CMD=RC '.$options{'delcache'} : 'CMD=RR '.$options{'delrate'})) || '') + )."\n\n"; + exit 1; +}; + +# -n - skip dns based checks +log_note ("NODNS: set - will skip all dns based checks") if $postfwd_settings{dns}{disabled}; + # de-taint command-line %postfwd_settings = detaint_hash (%postfwd_settings); # check for --nodaemon option unless ($postfwd_settings{daemon}) { my(%attr) = (); + get_plugins (@{$postfwd_settings{Plugins}}) if $postfwd_settings{Plugins}; read_config(1); map { $postfwd_settings{daemons}{$_} = 0 } (keys %{$postfwd_settings{daemons}}); $postfwd_settings{request}{noparent} = $postfwd_settings{rate}{noparent} = $postfwd_settings{dns}{noparent} = 1; @@ -2814,14 +3212,13 @@ }; # daemonize master -my $arg0 = $0; my $argv = join (' ', @ARGV); log_info ($postfwd_settings{name}." " .$postfwd_settings{version}." starting" .((scalar keys %{$postfwd_settings{debug}}) ? " with debug levels: ".(join ',', keys %{$postfwd_settings{debug}}) : '')); -log_info ("Net::DNS ".(Net::DNS->VERSION || '').", Net::Server ".(Net::Server->VERSION || '').", Sys::Syslog ".($Sys::Syslog::VERSION || '').", Perl ".$]." on ".$^O) if wantsdebug (qw[ all verbose ]); +log_info ("Net::DNS ".(Net::DNS->VERSION || '').", Net::Server ".(Net::Server->VERSION || '').", Sys::Syslog ".($Sys::Syslog::VERSION || '').", ".(($TIMEHIRES) ? "Time::HiRes $TIMEHIRES, " : '')."Perl ".$]." on ".$^O) if wantsdebug (qw[ all verbose ]); umask oct($postfwd_settings{base}{umask}); daemonize($postfwd_settings{base}{user}, $postfwd_settings{base}{group}, $postfwd_settings{master}{pid_file}); -$0 = $arg0." ".$argv; +$0 = $Commandline; # prepare shared SIG handlers $SIG{__WARN__} = sub { log_warn("warning: $_[0]") }; @@ -3007,7 +3404,7 @@ --cache-no-size skip size for cache-id --no_parent_request_cache disable parent request cache --no_parent_rate_cache disable parent rate cache - --no_parent_dns_cache disable parent dns cache + --no_parent_dns_cache disable parent dns cache (default) --no_parent_cache disable all parent caches Rates: @@ -3022,6 +3419,9 @@ --daemons list of daemons to start --dumpcache show cache contents --dumpstats show statistics + -R, --chroot chroot to before start + --delcache removes an item from the request cache + --delrate removes an item from the rate cache DNS: -n, --nodns skip any dns based test @@ -3042,10 +3442,17 @@ --norulestats disables per rule statistics -I, --instantcfg reloads ruleset on every new request --config_timeout parser timeout in seconds + --keep_rates do not clear rate limit counters on reload + --save_rates save and load rate limits on disk + --fast_limit_evaluation evaluate rate limits before ruleset is parsed + + Plugins: + --plugins loads postfwd plugins from file Logging: -l, --logname label for syslog messages --facility use syslog facility + --socktype use syslog socktype --nodnslog do not log dns results --anydnslog log any dns (even cached) results --norulelog do not log rule actions @@ -3103,7 +3510,7 @@ A configuration line consists of optional item=value pairs, separated by semicolons (`;`) and the appropriate desired action: - [ [=><~]=; [=><~]=; ... ] action= + [ =; =; ... ] action= I @@ -3139,10 +3546,20 @@ A ruleset consists of one or multiple rules, which can be loaded from files or passed as command line arguments. Please see the COMMAND LINE section below for more information on this topic. -Rules can span multiple lines by adding a trailing backslash "\" character: +Since postfwd version 1.30 rules spanning span multiple lines can be defined by prefixing the following +lines with one or multiple whitespace characters (or '}' for macros): - id=R_001 ; client_address=192.168.1.0/24; sender==no@bad.local; \ - action=REJECT please use your relay from there + id=RULE001 + client_address=192.168.1.0/24 + sender==no@bad.local + action=REJECT no access + +postfwd versions prior to 1.30 require trailing ';' and '\'-characters: + + id=RULE001; \ + client_address=192.168.1.0/24; \ + sender==no@bad.local; \ + action=REJECT no access =head2 ITEMS @@ -3208,9 +3625,15 @@ this enables version based checks in your rulesets (e.g. for migration). works with old versions too, because a non-existing item always returns false: - id=R01; version~=1.10; sender_domain==some.org \ + # version >= 1.10 + id=R01; version~=1\.[1-9][0-9]; sender_domain==some.org \ ; action=REJECT sorry no access + ratecount - only available for rate(), size() and rcpt() actions. + contains the actual limit counter: + id=R01; action=rate(sender/200/600/REJECT limit of 200 exceeded [$$ratecount hits]) + id=R02; action=rate(sender/100/600/WARN limit of 100 exceeded [$$ratecount hits]) + Besides these you can specify any attribute of the postfix policy delegation protocol. Feel free to combine them the way you need it (have a look at the EXAMPLES section below). @@ -3262,24 +3685,23 @@ ... the current list can be found at L. Please read carefully about which -attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END_OF_DATA level). +attribute can be used at which level of the smtp transaction (e.g. size will only work reliably at END-OF-MESSAGE level). Pattern matching is performed case insensitive. Multiple use of the same item is allowed and will compared as logical OR, which means that this will work as expected: - id=TRUST001; action=OK; encryption_keysize=64; \ - ccert_fingerprint=11:22:33:44:55:66:77:88:99; \ - ccert_fingerprint=22:33:44:55:66:77:88:99:00; \ - ccert_fingerprint=33:44:55:66:77:88:99:00:11; \ + id=TRUST001; action=OK; encryption_keysize=64 + ccert_fingerprint=11:22:33:44:55:66:77:88:99 + ccert_fingerprint=22:33:44:55:66:77:88:99:00 + ccert_fingerprint=33:44:55:66:77:88:99:00:11 sender=@domain\.local$ client_address, rbl and rhsbl items may also be specified as whitespace-or-comma-separated values: - id=SKIP01; action=dunno; \ + id=SKIP01; action=dunno client_address=192.168.1.0/24, 172.16.254.23 - id=SKIP02; action=dunno; \ - client_address= 10.10.3.32 \ - 10.216.222.0/27 + id=SKIP02; action=dunno + client_address= 10.10.3.32 10.216.222.0/27 The following items must be unique: @@ -3287,15 +3709,15 @@ Any item can be negated by preceeding '!!' to it, e.g.: - id=TLS001 ; hostname=!!^secure\.trust\.local$ ; action=REJECT only secure.trust.local please + id=HOST001 ; hostname == !!secure.trust.local ; action=REJECT only secure.trust.local please or using the right compare operator: - id=USER01 ; sasl_username !~ /^(bob|alice)$/ ; action=REJECT who is that? + id=HOST001 ; hostname != secure.trust.local ; action=REJECT only secure.trust.local please To avoid confusion with regexps or simply for better visibility you can use '!!(...)': - id=USER01 ; sasl_username=!!( /^(bob|alice)$/ ) ; action=REJECT who is that? + id=USER01 ; sasl_username =~ !!( /^(bob|alice)$/ ) ; action=REJECT who is that? Request attributes can be compared by preceeding '$$' characters, e.g.: @@ -3306,6 +3728,32 @@ This is only valid for PCRE values (see list above). The comparison will be performed as case insensitive exact match. Use the '-vv' option to debug. +These special items will be reset for any new rule: + + rblcount - contains the number of RBL answers + rhsblcount - contains the number of RHSBL answers + matches - contains the number of matched items + dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form + rbltype:rblname:; rbltype:rblname:; ... + +These special items will be changed for any matching rule: + + request_hits - contains ids of all matching rules + +This means that it might be necessary to save them, if you plan to use these values in later rules: + + # set vals + id=RBL01 ; rhsblcount=all; rblcount=all + action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext) + rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org + rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net + rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net + + # compare + id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt] + id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt] + id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt] + =head2 FILES @@ -3328,16 +3776,16 @@ This will ignore the right-hand value. Items can be mixed: - id=R002 ; action=REJECT \ - client_name==unknown; \ + id=R002 ; action=REJECT + client_name==unknown client_name==file:/etc/postfwd/blacklisted and for non pcre (comma separated) items: - id=R003 ; action=REJECT \ + id=R003 ; action=REJECT client_address==10.1.1.1, file:/etc/postfwd/blacklisted - id=R004 ; action=REJECT \ + id=R004 ; action=REJECT rbl=myrbl.home.local, zen.spamhaus.org, file:/etc/postfwd/rbls_changing You can check your configuration with the --show_config option at the command line: @@ -3451,16 +3899,16 @@ please note that is currently limited to postfix actions (no postfwd actions)! # no more than 3 requests per 5 minutes # from the same "unknown" client - id=RATE01 ; client_name==unknown ; \ - action==rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes) + id=RATE01 ; client_name==unknown + action=rate(client_address/3/300/450 4.7.1 sorry, max 3 requests per 5 minutes) size (///) this command works similar to the rate() command with the difference, that the rate counter is increased by the request's size attribute. to do this reliably you should call postfwd2 from smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset: # size limit 1.5mb per hour per client - id=SIZE01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \ - action==size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour) + id=SIZE01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1) + action=size(client_address/1572864/3600/450 4.7.1 sorry, max 1.5mb per hour) rcpt (///) this command works similar to the rate() command with the difference, that the rate counter is @@ -3468,8 +3916,8 @@ from smtpd_data_restrictions or smtpd_end_of_data_restrictions. if you want to be sure, you could check it within the ruleset: # recipient count limit 3 per hour per client - id=RCPT01 ; state==END_OF_DATA ; client_address==!!(10.1.1.1); \ - action==rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour) + id=RCPT01 ; protocol_state==END-OF-MESSAGE ; client_address==!!(10.1.1.1) + action=rcpt(client_address/3/3600/450 4.7.1 sorry, max 3 recipients per hour) ask (:[:]) allows to delegate the policy decision to another policy service (e.g. postgrey). the first @@ -3481,13 +3929,18 @@ # and continue parsing postfwd's ruleset id=GREY; client_address==10.1.1.1; action=ask(127.0.0.1:10031:^dunno$) + mail(server/helo/from/to/subject/body) + Very basic mail command, that sends a message with the given arguments. LIMITATIONS: + This basically performs a telnet. No authentication or TLS are available. Additionally it does + not track notification state and will notify you any time, the corresponding rule hits. + wait () pauses the program execution for seconds. use this for delaying or throtteling connections. note () just logs the given string and continues parsing the ruleset. - if the string is empty, nothing will be logged. + if the string is empty, nothing will be logged (noop). quit () terminates the program with the given exit-code. postfix doesn`t @@ -3497,32 +3950,6 @@ id=R-HELO ; helo_name=^[^\.]+$ ; action=REJECT invalid helo '$$helo_name' -These special attributes will be reset for any new rule: - - rblcount - contains the number of RBL answers - rhsblcount - contains the number of RHSBL answers - matches - contains the number of matched items - dnsbltext - contains the dns TXT part of all RBL and RHSBL replies in the form - rbltype:rblname:; rbltype:rblname:; ... - -These special attributes will be changed for any matching rule: - - request_hits - contains ids of all matching rules - -This means that it might be necessary to save them, if you plan to use these values in later rules: - - # set vals - id=RBL01 ; rhsblcount=all ; rblcount=all ; \ - rbl=list.dsbl.org, bl.spamcop.net, dnsbl.sorbs.net, zen.spamhaus.org ; \ - rhsbl_client=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \ - rhsbl_sender=rddn.dnsbl.net.au, rhsbl.ahbl.org, rhsbl.sorbs.net ; \ - action=set(HIT_rhls=$$rhsblcount,HIT_rbls=$$rblcount,HIT_txt=$$dnsbltext) - - # compare - id=RBL02 ; HIT_rhls>=1 ; HIT_rbls>=1 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs and $$HIT_rbls RBLs [INFO: $$HIT_txt] - id=RBL03 ; HIT_rhls>=2 ; action=554 5.7.1 blocked using $$HIT_rhls RHSBLs [INFO: $$HIT_txt] - id=RBL04 ; HIT_rbls>=2 ; action=554 5.7.1 blocked using $$HIT_rbls RBLs [INFO: $$HIT_txt] - =head2 MACROS/ACLS @@ -3548,18 +3975,18 @@ Macros can contain macros, too: - # definition (note the trailing "\" characters) - &&RBLS { \ - rbl=zen.spamhaus.org ; \ - rbl=list.dsbl.org ; \ - rbl=bl.spamcop.net ; \ - rbl=dnsbl.sorbs.net ; \ - rbl=ix.dnsbl.manitu.net ; \ - }; - &&DYNAMIC { \ - client_name=^unknown$ ; \ - client_name=(\d+[\.-_]){4} ; \ - client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \ + # definition + &&RBLS{ + rbl=zen.spamhaus.org + rbl=list.dsbl.org + rbl=bl.spamcop.net + rbl=dnsbl.sorbs.net + rbl=ix.dnsbl.manitu.net + }; + &&DYNAMIC{ + client_name=^unknown$ + client_name=(\d+[\.-_]){4} + client_name=[\.-_](adsl|dynamic|ppp|)[\.-_] }; &&GOAWAY { &&RBLS; &&DYNAMIC; }; # rules @@ -3570,7 +3997,154 @@ =head2 PLUGINS -Please visit L +B + +The plugin interface allow you to define your own checks and enhance postfwd's +functionality. Feel free to share useful things! + +B + +Note that the plugin interface is still at devel stage. Please test your plugins +carefully, because errors may cause postfwd to break! It is also +allowed to override attributes or built-in functions, but be sure that you know +what you do because some of them are used internally. + +Please keep security in mind, when you access sensible ressources and never, ever +run postfwd as privileged user! Also never trust your input (especially hostnames, +and e-mail addresses). + +B + +Item plugins are perl subroutines which integrate additional attributes to requests +before they are evaluated against postfwd's ruleset like any other item of the +policy delegation protocol. This allows you to create your own checks. + +plugin-items can not be used selective. these functions will be executed for every +request postfwd receives, so keep performance in mind. + + SYNOPSIS: %result = postfwd_items_plugin{}(%request) + +means that your subroutine, called , has access to a hash called %request, +which contains all request attributes, like $request{client_name} and must +return a value in the following form: + + save: $result{} = + +this creates the new item containing , which will be integrated in +the policy delegation request and therefore may be used in postfwd's ruleset. + + # do NOT remove the next line + %postfwd_items_plugin = ( + + # EXAMPLES - integrated in postfwd. no need to activate them here. + + # allows to check postfwd version in ruleset + "version" => sub { + my(%request) = @_; + my(%result) = ( + "version" => $NAME." ".$VERSION, + ); + return %result; + }, + + # sender_domain and recipient_domain + "address_parts" => sub { + my(%request) = @_; + my(%result) = (); + $request{sender} =~ /@([^@]*)$/; + $result{sender_domain} = ($1 || ''); + $request{recipient} =~ /@([^@]*)$/; + $result{recipient_domain} = ($1 || ''); + return %result; + }, + + # do NOT remove the next line + ); + +B + +Compare plugins allow you to define how your new items should be compared to the ruleset. +These are optional. If you don't specify one, the default (== for exact match, =~ for PCRE, ...) +will be used. + + SYNOPSIS: => sub { return &{$postfwd_compare{}}(@_); }, + + # do NOT remove the next line + %postfwd_compare_plugin = ( + + EXAMPLES - integrated in postfwd. no need to activate them here. + + # Simple example + # SYNOPSIS: = (return &{$postfwd_compare{}}(@_)) + "client_address" => sub { return &{$postfwd_compare{cidr}}(@_); }, + "size" => sub { return &{$postfwd_compare{numeric}}(@_); }, + "recipient_count" => sub { return &{$postfwd_compare{numeric}}(@_); }, + + # Complex example + # SYNOPSIS: = (, , , ) + "numeric" => sub { + my($cmp,$val,$myitem,%request) = @_; + my($myresult) = undef; $myitem ||= "0"; $val ||= "0"; + if ($cmp eq '==') { + $myresult = ($myitem == $val); + } elsif ($cmp eq '=<') { + $myresult = ($myitem <= $val); + } elsif ($cmp eq '=>') { + $myresult = ($myitem >= $val); + } elsif ($cmp eq '!=') { + $myresult = not($myitem == $val); + } elsif ($cmp eq '!<') { + $myresult = not($myitem <= $val); + } elsif ($cmp eq '!>') { + $myresult = not($myitem >= $val); + } else { + $myresult = ($myitem >= $val); + }; + return $myresult; + }, + + # do NOT remove the next line + ); + +B + +Action plugins allow to define new postfwd actions. By setting the $stop-flag you can decide to +continue or to stop parsing the ruleset. + + SYNOPSIS: (, , , , ) = + (, , , , , ) + + # do NOT remove the next line + %postfwd_actions_plugin = ( + + # EXAMPLES - integrated in postfwd. no need to activate them here. + + # note() command + "note" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + mylogs 'info', "[RULES] ".$myline." - note: ".$myarg if $myarg; + return ($stop,$index,$myaction,$myline,%request); + }, + + # skips next rules + "skip" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + $index += $myarg if ( $myarg and not(($index + $myarg) > $#Rules) ); + return ($stop,$index,$myaction,$myline,%request); + }, + + # dumps current request contents to syslog + "dumprequest" => sub { + my($index,$now,$mycmd,$myarg,$myline,%request) = @_; + my($myaction) = $default_action; my($stop) = 0; + map { mylogs 'info', "[DUMP] rule=$index, Attribute: $_=$request{$_}" } (keys %request); + return ($stop,$index,$myaction,$myline,%request); + }, + + # do NOT remove the next line + ); =head2 COMMAND LINE @@ -3588,12 +4162,6 @@ Adds to ruleset. Remember that you might have to quote strings that contain whitespaces or shell characters. -I - - --plugins - A file containing plugin routines for postfwd. Please see the - PLUGINS section for more information. - I -s, --scores = @@ -3601,7 +4169,7 @@ Multiple usage is allowed. Just chain your arguments, like: - postfwd2 -r "=;action=" -f -f --plugins ... + postfwd2 -r "=;action=" -f -f ... or postfwd2 --scores 4.5="WARN high score" --scores 5.0="REJECT postfwd2 score too high" ... @@ -3615,13 +4183,13 @@ -d, --daemon postfwd2 will run as daemon and listen on the network for incoming - queries (default 127.0.0.1:10040). + queries (default 127.0.0.1:10045). -i, --interface Bind postfwd2 to the specified interface (default 127.0.0.1). -p, --port - postfwd2 listens on the specified port (default tcp/10040). + postfwd2 listens on the specified port (default tcp/10045). --proto The protocol type for postfwd's socket. Currently you may use 'tcp' or 'unix' here. @@ -3647,11 +4215,18 @@ -R, --chroot Chroot the process to the specified path. - Test this before using - you might need some libs there. + Please look at http://postfwd.org/postfwd2-chroot.html before use! --pidfile The process id will be saved in the specified file. + --facility + sets the syslog facility, default is 'mail' + + --socktype + sets the Sys::Syslog socktype to 'native', 'inet' or 'unix'. + Default is to auto-detect this depening on module version and os. + -l, --logname Labels the syslog messages. Useful when running multiple instances of postfwd. @@ -3659,6 +4234,12 @@ --loglen Truncates any syslog message after characters. +I + + --plugins + Loads postfwd plugins from file. Please see http://postfwd.org/postfwd.plugins + or the plugins.postfwd.sample that is available from the tarball for more info. + I These parameters influence the way postfwd2 is working. Any of them can be combined. @@ -3786,6 +4367,22 @@ timeout in seconds to parse a single configuration line. if exceeded, the rule will be skipped. this is used to prevent problems due to large files or loops. + --keep_rates (default=0) + With this option set postfwd2 does not clear the rate limit counters on reload. Please + note that you have to restart (not reload) postfwd with this option if you change + any rate limit rules. + + --save_rates (default=none) + With this option postfwd saves existing rate limit counters to disk and reloads them + on program start. This allows persistent rate limits across program restarts or reboots. + Please note that postfwd needs read and write access to the specified file. + + --fast_limit_evaluation (default=0) + Once a ratelimit was set by the ruleset, future requests will be evaluated against it + before consulting the ruleset. This mode was the default behaviour until v1.30. + With this mode rate limits will be faster, but also eventually set up + whitelisting-rules within the ruleset might not work as expected. + I These arguments are for command line usage only. Never ever use them with postfix! @@ -3809,6 +4406,26 @@ This option turns of any syslogging and output. It is included for performance testing. + --dumpstats + Displays program usage statistics. + + --dumpcache + Displays cache contents. + + --delcache + Removes an item from the request cache. Use --dumpcache to identify objects. + E.g.: + # postfwd --dumpcache + ... + %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @count -> '1' + %rate_cache -> %sender=gmato@jqvo.org -> %RATE002+2_600 -> @maxcount -> '2' + ... + # postfwd --delrate="sender=gmato@jqvo.org" + rate cache item 'sender=gmato@jqvo.org' removed + + --delrate + Removes an item from the rate cache. Use --dumpcache to identify objects. + =head2 REFRESH @@ -3848,18 +4465,25 @@ # 1. 30MB for systems in *.customer1.tld # 2. 20MB for SASL user joejob # 3. 10MB default - id=SZ001; state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$ - id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob - id=SZ002; state==END-OF-MESSAGE; action=DUNNO; size<=10000000 - id=SZ100; state==END-OF-MESSAGE; action=REJECT message too large + id=SZ001; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=30000000 ; client_name=\.customer1.tld$ + id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=20000000 ; sasl_username==joejob + id=SZ002; protocol_state==END-OF-MESSAGE; action=DUNNO; size<=10000000 + id=SZ100; protocol_state==END-OF-MESSAGE; action=REJECT message too large ## Selective Greylisting + ## + ## Note that postfwd does not include greylisting. This setup requires a running postgrey service + ## at port 10031 and the following postfix restriction class in your main.cf: + ## + ## smtpd_restriction_classes = check_postgrey, ... + ## check_postgrey = check_policy_service inet:127.0.0.1:10031 + # # 1. if listed on zen.spamhaus.org with results 127.0.0.10 or .11, dns cache timeout 1200s # 2. Client has no rDNS # 3. Client comes from several dialin domains - id=GR001; action=greylisting ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 - id=GR002; action=greylisting ; client_name=^unknown$ - id=GR003; action=greylisting ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$ + id=GR001; action=check_postgrey ; rbl=dul.dnsbl.sorbs.net, zen.spamhaus.org/127.0.0.1[01]/1200 + id=GR002; action=check_postgrey ; client_name=^unknown$ + id=GR003; action=check_postgrey ; client_name=\.(t-ipconnect|alicedsl|ish)\.de$ ## Date Time date=24.12.2007-26.12.2007 ; action=450 4.7.1 office closed during christmas @@ -3867,7 +4491,7 @@ time=-07:00:00 ; sasl_username=jim ; action=450 4.7.1 to early for you, jim time=22:00:00- ; sasl_username=jim ; action=450 4.7.1 to late now, jim months=-Apr ; action=450 4.7.1 see you in may - days=!!Mon-Fri ; action=greylist + days=!!Mon-Fri ; action=check_postgrey ## Usage of jump # The following allows a message size of 30MB for different @@ -3877,8 +4501,8 @@ id=R003 ; action=jump(R100) ; ccert_fingerprint=AA:BB:CC:DD:... id=R004 ; action=jump(R100) ; ccert_fingerprint=AF:BE:CD:DC:... id=R005 ; action=jump(R100) ; ccert_fingerprint=DD:CC:BB:DD:... - id=R099 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 - id=R100 ; state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000 + id=R099 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 10MB); size=10000000 + id=R100 ; protocol_state==END-OF-MESSAGE; action=REJECT message too big (max. 30MB); size=30000000 ## Usage of score # The following rejects a mail, if the client @@ -3886,23 +4510,23 @@ # - is listed in 1 RBL or 1 RHSBL and has no correct rDNS # - other clients without correct rDNS will be greylist-checked # - some whitelists are used to lower the score - id=S01 ; score=2.6 ; action=greylisting - id=S02 ; score=5.0 ; action=REJECT postfwd2 score too high - id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org - id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net - id=R02 ; action=score(2.5) ; rhsbl=rhsbl.ahbl.org, rhsbl.sorbs.net - id=N01 ; action=score(-0.2) ; client_name==$$helo_name - id=N02 ; action=score(2.7) ; client_name=^unknown$ + id=S01 ; score=2.6 ; action=check_postgrey + id=S02 ; score=5.0 ; action=REJECT postfwd score too high + id=R00 ; action=score(-1.0) ; rbl=exemptions.ahbl.org,list.dnswl.org,query.bondedsender.org,spf.trusted-forwarder.org + id=R01 ; action=score(2.5) ; rbl=bl.spamcop.net, list.dsbl.org, dnsbl.sorbs.net + id=R02 ; action=score(2.5) ; rhsbl=rhsbl.ahbl.org, rhsbl.sorbs.net + id=N01 ; action=score(-0.2) ; client_name==$$helo_name + id=N02 ; action=score(2.7) ; client_name=^unknown$ ... ## Usage of rate and size # The following temporary rejects requests from "unknown" clients, if they # 1. exceeded 30 requests per hour or # 2. tried to send more than 1.5mb within 10 minutes - id=RATE01 ; client_name==unknown ; state==RCPT ; \ - action==rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) - id=SIZE01 ; client_name==unknown ; state==END_OF_DATA ; \ - action==size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes) + id=RATE01 ; client_name==unknown ; protocol_state==RCPT + action=rate(client_address/30/3600/450 4.7.1 sorry, max 30 requests per hour) + id=SIZE01 ; client_name==unknown ; protocol_state==END-OF-MESSAGE + action=size(client_address/1572864/600/450 4.7.1 sorry, max 1.5mb per 10 minutes) ## Macros # definition @@ -3915,34 +4539,34 @@ ## Groups # definition - &&RBLS { \ - rbl=zen.spamhaus.org ; \ - rbl=list.dsbl.org ; \ - rbl=bl.spamcop.net ; \ - rbl=dnsbl.sorbs.net ; \ - rbl=ix.dnsbl.manitu.net ; \ + &&RBLS{ + rbl=zen.spamhaus.org + rbl=list.dsbl.org + rbl=bl.spamcop.net + rbl=dnsbl.sorbs.net + rbl=ix.dnsbl.manitu.net }; - &&RHSBLS { \ + &&RHSBLS{ ... }; - &&DYNAMIC { \ - client_name==unknown ; \ - client_name~=(\d+[\.-_]){4} ; \ - client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ; \ + &&DYNAMIC{ + client_name==unknown + client_name~=(\d+[\.-_]){4} + client_name~=[\.-_](adsl|dynamic|ppp|)[\.-_] ... }; - &&BAD_HELO { \ - helo_name==my.name.tld; \ - helo_name~=^([^\.]+)$; \ - helo_name~=\.(local|lan)$; \ + &&BAD_HELO{ + helo_name==my.name.tld + helo_name~=^([^\.]+)$ + helo_name~=\.(local|lan)$ ... }; - &&MAINTENANCE { \ - date=15.01.2007 ; \ - date=15.04.2007 ; \ - date=15.07.2007 ; \ - date=15.10.2007 ; \ - time=03:00:00 - 04:00:00 ; \ + &&MAINTENANCE{ + date=15.01.2007 + date=15.04.2007 + date=15.07.2007 + date=15.10.2007 + time=03:00:00 - 04:00:00 }; # rules id=COMBINED ; &&RBLS ; &&DYNAMIC ; action=REJECT dynamic client and listed on RBL @@ -3959,7 +4583,7 @@ ## combined with enhanced rbl features # - id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS ; \ + id=RBL01 ; rhsblcount=all ; rblcount=all ; &&RBLS ; &&RHSBLS action=set(HIT_dnsbls=$$rhsblcount,HIT_dnsbls+=$$rblcount,HIT_dnstxt=$$dnsbltext) id=RBL02 ; HIT_dnsbls>=2 ; action=554 5.7.1 blocked using $$HIT_dnsbls DNSBLs [INFO: $$HIT_dnstxt] @@ -4088,7 +4712,7 @@ postfwd2 will spawn multiple child processes which communicate with a parent cache. This is the prefered way to use postfwd2 in high volume environments. Start postfwd2 with the following parameters: - postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10040 -u nobody -g nobody -S + postfwd2 -d -f /etc/postfwd.cf -i 127.0.0.1 -p 10045 -u nobody -g nobody -S For efficient caching you should check if you can use the options --cacheid, --cache-rdomain-only, --cache-no-sender and --cache-no-size. @@ -4097,16 +4721,16 @@ Aug 9 23:00:24 mail postfwd[5158]: postfwd2 n.nn ready for input -and use `netstat -an|grep 10040` to check for something like +and use `netstat -an|grep 10045` to check for something like - tcp 0 0 127.0.0.1:10040 0.0.0.0:* LISTEN + tcp 0 0 127.0.0.1:10045 0.0.0.0:* LISTEN If everything works, open your postfix main.cf and insert the following - 127.0.0.1:10040_time_limit = 3600 <--- integration + 127.0.0.1:10045_time_limit = 3600 <--- integration smtpd_recipient_restrictions = permit_mynetworks <--- recommended reject_unauth_destination <--- recommended - check_policy_service inet:127.0.0.1:10040 <--- integration + check_policy_service inet:127.0.0.1:10045 <--- integration Reload your configuration with `postfix reload` and watch your logs. In it works you should see lines like the following in your mail log: @@ -4125,9 +4749,9 @@ # Restriction Classes smtpd_restriction_classes = postfwdcheck, ... <--- integration - postfwdcheck = check_policy_service inet:127.0.0.1:10040 <--- integration + postfwdcheck = check_policy_service inet:127.0.0.1:10045 <--- integration - 127.0.0.1:10040_time_limit = 3600 <--- integration + 127.0.0.1:10045_time_limit = 3600 <--- integration smtpd_recipient_restrictions = permit_mynetworks, <--- recommended reject_unauth_destination, <--- recommended ... <--- optional @@ -4154,7 +4778,7 @@ For network tests I use netcat: - nc 127.0.0.1 10040 =:::: +our(%Servers) = ( +# "GREY1" => { +# ip => '10.0.0.1', # ip address +# port => '10031', # tcp port +# prio => '10', # optional, lower wins +# weight => '1', # optional, for items with same prio (weighted round-robin), higher is better +# timeout => '30', # optional, query timeout in seconds +# }, +); + +# Environment +$ENV{PATH} = '/bin:/usr/bin:/usr/local/bin'; +$ENV{ENV} = ''; +# Syslog options +our($syslog_name) = $NAME; +our($syslog_facility) = 'mail'; +our($syslog_options) = 'pid'; +our($syslog_socktype) = ( (defined $sys::Syslog::VERSION) and ($Sys::Syslog::VERSION ge '0.15') ) + ? 'native' + : (($^O eq 'solaris') ? 'inet' : 'unix'); +use vars qw(%opt); + +### MAIN ### + +# get command-line +GetOptions ( + \%opt, 'service|s=s@', 'verbose|v', 'stdout|L', 'logging|l', 'default|d=s' + ) or pod2usage (-msg => "\nPlease see \"pod2text ".$NAME."\" for detailed instructions.\n", -verbose => 1); +setlogsock $syslog_socktype; +openlog $syslog_name, $syslog_options, $syslog_facility; + +# check command-line +$DEFAULT = $opt{default} if defined $opt{default}; +foreach (@{$opt{service}}) { + if (/^([^=]+)=([^:]+):([^:]+):(.*)$/) { + $Servers{$1}{ip} = $2; $Servers{$1}{port} = $3; + ($Servers{$1}{prio},$Servers{$1}{weight},$Servers{$1}{timeout}) = split ':', $4 if $4; + } else { + mylogs ('warning', "ignoring invalid service '$_'"); + }; +}; + +# sort servers by prio +my %ServerPrioHash = (); +foreach (keys %Servers) { + unless ($Servers{$_}{ip} and $Servers{$_}{port}) { + mylogs ('warning', "No address or port for '$_'"); + next; + }; + $Servers{$_}{prio} ||= 10; $Servers{$_}{timeout} ||= $TIMEOUT; + $Servers{$_}{weight} = ($Servers{$_}{weight}) ? (1/$Servers{$_}{weight}) : 1; + $Servers{$_}{questions} = $Servers{$_}{answers} = $Servers{$_}{failed} = 0; + push @{$ServerPrioHash{$Servers{$_}{prio}}}, $_; +}; + +# run main loop +select((select(STDOUT), $| = 1)[0]); +hapolicy::main(); + +# end program +exit; + + + +### FUNCTIONS ### + +# send log message +sub mylogs { + my($prio,$msg) = @_; + + unless ($opt{stdout}) { + # escape '%' characters + $msg =~ s/\%/%%/g; + # Sys::Syslog < 0.15 dies when syslog daemon is temporarily not + # present (for example on syslog rotation) + if ( (defined $Sys::Syslog::VERSION) or ($Sys::Syslog::VERSION lt '0.15') ) { + eval { + local $SIG{__DIE__} = sub { }; + syslog ($prio,$msg); + }; + } else { syslog ($prio,$msg); }; + } else { printf "[LOG $prio]: $msg\n"; }; +}; + +# ask remote server +sub ask { + my($srv,$sendstr) = @_; + my($action) = ''; + + eval { + # handle timeout + local $SIG{__DIE__} = sub { }; + local $SIG{'ALRM'} = sub { mylogs ('warning',"Timeout for '$srv' ($Servers{$srv}{ip}:$Servers{$srv}{port})"); die }; + my $prevaltert = alarm($Servers{$srv}{timeout}); + + # increase server request-counter and try to open socket + $Servers{$srv}{questions}+=$Servers{$srv}{weight}; + mylogs ('info', "Opening socket to '$srv' ($Servers{$srv}{ip}:$Servers{$srv}{port})") if $opt{verbose}; + unless ( my $socket = new IO::Socket::INET ( + PeerAddr => $Servers{$srv}{ip}, + PeerPort => $Servers{$srv}{port}, + Proto => 'tcp', + Type => SOCK_STREAM ) ) { + mylogs ('warning', "Could not open socket to '$srv' ($Servers{$srv}{ip}:$Servers{$srv}{port})"); + + } else { + # print request and get answer + mylogs ('info', "Connection established to '$srv' ($Servers{$srv}{ip}:$Servers{$srv}{port})") if $opt{verbose}; + print $socket "$sendstr"; + $sendstr = <$socket>; + chomp($sendstr); + + # check answer + $sendstr =~ s/^(action=)//; + if ($1 and $sendstr) { + $Servers{$srv}{answers}++; + mylogs ('info', "Answer from '$srv' -> '$sendstr'") if $opt{verbose}; + $action = $sendstr; + } else { + mylogs ('warning', "Invalid answer from '$srv' -> '$sendstr'"); + }; + }; + # restore old sig + alarm ($prevaltert); + }; + $Servers{$srv}{failed}++ unless ($Servers{$srv}{last} = $action); + # return action + return $action; +}; + +# process policy delegation request +sub smtpd_access_policy { + my(%attr) = @_; + my($sendstr,$action,$srv) = ''; + + my $t1 = time(); + + # request to str + map { $sendstr .= $_."=".$attr{$_}."\n" } (keys %attr); $sendstr .= "\n"; + + # loop serverlist until someone answers + PRIO: foreach my $prio (sort keys %ServerPrioHash) { + foreach my $srv ( sort { $Servers{$a}{questions}<=>$Servers{$b}{questions} } @{$ServerPrioHash{$prio}} ) { + $action = ask ($srv, $sendstr) || ''; + mylogs ('info', "[$srv]" + ." (".$Servers{$srv}{ip}.":".$Servers{$srv}{port}.")" + .", prio: $prio, weight: ".(1/$Servers{$srv}{weight}) + .", queries: ".($Servers{$srv}{questions} * (1/$Servers{$srv}{weight})) + .", answers: ".$Servers{$srv}{answers} + .", failed: ".$Servers{$srv}{failed} + .", delay: ".(time() - $t1)."s" + .", client: ".$attr{client_name}."[".$attr{client_address}."]" + .", helo: <".$attr{helo_name}.">" + .", from: <".$attr{sender}.">" + .", to: <".$attr{recipient}.">" + .", action: '".$action."'" + ) if ($opt{verbose} or $opt{logging}); + last PRIO if $action; + }; + }; + + # return action + return $action; +}; + +# main loop +sub main { + my($request,$action) = undef; + my (%attr) = (); + + while (<>) { + next unless /^([^\r\n]*)\r?\n/; + $request = $1; + if ($request =~ /([^=]+)=(.*)/) { + $attr{substr($1, 0, 512)} = substr($2, 0, 512); + } elsif ($request eq '') { + map { mylogs ('info', "Attribute: $_=$attr{$_}") } (keys %attr) if $opt{verbose}; + unless ((defined $attr{request}) and ($attr{request} eq 'smtpd_access_policy')) { + $attr{request} ||=''; + mylogs ('notice', "ignoring unrecognized request type: '$attr{request}'"); + } else { + my($action) = smtpd_access_policy(%attr); + $action ||= $DEFAULT; %attr = (); + mylogs('info', "Action: $action") if $opt{verbose}; + print "action=$action\n\n"; + }; + } else { + chop; + mylogs ('notice', "error: ignoring garbage \"".$request."\""); + }; + }; +}; + +__END__ + +=head1 NAME + +hapolicy - policy delegation high availability script + +=head1 SYNOPSIS + +B [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...] + + Services: + -s, --service =:[:::] + + Options: + -d, --default returns if no service was available (default: 'dunno') + -l, --logging log requests + -v, --verbose increase logging verbosity + -L, --stdout log to stdout, for debugging, do NOT use with postfix + +=head1 DESCRIPTION + +=head2 INTRODUCTION + +B enables high availability, weighted loadbalancing and a fallback action for postfix policy delegation services. Invoked via postfix spawn it acts as a wrapper that queries +other policy servers via tcp connection. The order of the service queries can be influenced by assigning a specific priority and weight to each service. A service is considered 'failing', +if the connection is refused or the specified service timeout is reached. If all of the configured policy services were failing, B returns a default action (e.g. dunno) to postfix. + +With version 1.00 B has less than 200 lines of perl code using only standard perl modules. It does not require any disk access nor configuration files and runs under an unpriviledged +user account. This should allow fast and reliable operation. + +=head2 CONFIGURATION + +A service has the following attributes + + "servicename" => { + ip => '127.0.0.1', # ip address + port => '10040', # tcp port + prio => '10', # optional, lower wins + weight => '1', # optional, for items with same prio (weighted round-robin), higher is better + timeout => '30', # optional, query timeout in seconds + }, + +You may define multiple services at the command line. Which means that + + hapolicy -s "grey1=10.0.0.1:10031:10" -s "grey2=10.0.0.2:10031:20" + +will always try first service I at ip 10.0.0.1 port 10031 and if that service is not available or +does not answer within the default of 30 seconds the next service I at ip 10.0.0.2 port 10031 will +be queried. + +If you want to load balance connections you may define + + hapolicy -s "polw1=10.0.0.1:12525:10:2" -s "polw2=10.0.0.2:12525:10:1" + +which queries service I at ip 10.0.0.1 twice as much as service I at ip 10.0.0.2. Note that this +setup also ensures high availability for both services. If I is not available or does not answer +within the default of 30 seconds I will be queried and vice versa. There is no reason to define a service twice. + +=head2 INTEGRATION + +Enter the following at the bottom of your postfix master.cf (usually located at /etc/postfix): + + # service description, note the leading blanks at the second line + 127.0.0.1:10060 inet n n n - 0 spawn + user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10 + +save the file and open postfix main.cf. Modify it as follows: + + 127.0.0.1:10060_time_limit = 3600 + + smtpd_recipient_restrictions = + permit_mynetworks, + ... other authed permits ... + reject_unauth_destination, + ... other restrictions ... + check_policy_service inet:127.0.0.1:10060 # <- hapolicy query + +Now issue 'postfix reload' at the command line. Of course you can have more enhanced setups +using postfix restriction classes. Please see L for further options. + +=head1 LINKS + +[1] Postfix SMTP Access Policy Delegation +L + +[2] Postfix Per-Client/User/etc. Access Control +L + +=head1 LICENSE + +hapolicy is free software and released under BSD license, which basically means +that you can do what you want as long as you keep the copyright notice: + +Copyright (c) 2008, Jan Peter Kessler +All rights reserved. + +Redistribution and use in source and binary forms, with or without modification, +are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + * Neither the name of the authors nor the names of his contributors + may be used to endorse or promote products derived from this + software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT, +INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + + +=head1 AUTHOR + +Sinfo (AT) postfwd (DOT) orgE>. Let me know, if you have any suggestions. + +=cut + Binary files /tmp/vzFOMaZX9v/postfwd-1.20/tools/hapolicy/hapolicy01.png and /tmp/wLBD5ViKuh/postfwd-1.32/tools/hapolicy/hapolicy01.png differ Binary files /tmp/vzFOMaZX9v/postfwd-1.20/tools/hapolicy/hapolicy02.png and /tmp/wLBD5ViKuh/postfwd-1.32/tools/hapolicy/hapolicy02.png differ diff -Nru postfwd-1.20/tools/hapolicy/hapolicy.html postfwd-1.32/tools/hapolicy/hapolicy.html --- postfwd-1.20/tools/hapolicy/hapolicy.html 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/tools/hapolicy/hapolicy.html 2011-08-16 06:30:20.000000000 +0000 @@ -0,0 +1,162 @@ + + + +hapoliy - HA and LB for policy servers + + + + + + + + + + + + + + + NAME + SYNOPSIS + DESCRIPTION + + + INTRODUCTION + CONFIGURATION + INTEGRATION + + + LINKS + LICENSE + AUTHOR + + + + + + +NAME +hapolicy - policy delegation high availability script + + + +SYNOPSIS +hapolicy [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...] ++ Services: + -s, --service <name>=<address>:<port>[:<prio>:<weight>:<timeout>] ++ Options: + -d, --default <action> returns <action> if no service was available (default: 'dunno') + -l, --logging log requests + -v, --verbose increase logging verbosity + -L, --stdout log to stdout, for debugging, do NOT use with postfix + + + +DESCRIPTION + + +INTRODUCTION +hapolicy enables high availability, weighted loadbalancing and a fallback action for postfix policy delegation services. Invoked via postfix spawn it acts as a wrapper that queries +other policy servers via tcp connection. The order of the service queries can be influenced by assigning a specific priority and weight to each service. A service is considered 'failing', +if the connection is refused or the specified service timeout is reached. If all of the configured policy services were failing, hapolicy returns a default action (e.g. dunno) to postfix. +With version 1.00 hapolicy has less than 200 lines of perl code using only standard perl modules. It does not require any disk access nor configuration files and runs under an unpriviledged +user account. This should allow fast and reliable operation. + + +CONFIGURATION +A service has the following attributes ++ "servicename" => { + ip => '127.0.0.1', # ip address + port => '10040', # tcp port + prio => '10', # optional, lower wins + weight => '1', # optional, for items with same prio (weighted round-robin), higher is better + timeout => '30', # optional, query timeout in seconds + }, +You may define multiple services at the command line. Which means that ++ hapolicy -s "grey1=10.0.0.1:10031:10" -s "grey2=10.0.0.2:10031:20" +will always try first service grey1 at ip 10.0.0.1 port 10031 and if that service is not available or +does not answer within the default of 30 seconds the next service grey2 at ip 10.0.0.2 port 10031 will +be queried. + + +If you want to load balance connections you may define ++ hapolicy -s "polw1=10.0.0.1:12525:10:2" -s "polw2=10.0.0.2:12525:10:1" +which queries service polw1 at ip 10.0.0.1 twice as much as service polw2 at ip 10.0.0.2. + + +Note that this +setup also ensures high availability for both services. If polw1 is not available or does not answer +within the default of 30 seconds polw2 will be queried and vice versa. There is no reason to define a service twice. + + +INTEGRATION +Enter the following at the bottom of your postfix master.cf (usually located at /etc/postfix): ++ # service description, note the leading blanks at the second line + 127.0.0.1:10061 inet n n n - 0 spawn + user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10 +save the file and open postfix main.cf. Modify it as follows: ++ 127.0.0.1:10061_time_limit = 3600 ++ smtpd_recipient_restrictions = + permit_mynetworks, + ... other authed permits ... + reject_unauth_destination, + ... other restrictions ... + check_policy_service inet:127.0.0.1:10061 # <- hapolicy query +Now issue 'postfix reload' at the command line. Of course you can have more enhanced setups +using postfix restriction classes. Please see LINKS for further options. + + + +LINKS +[1] Get hapolicy +http://www.postfwd.org/hapolicy/hapolicy +[2] Postfix SMTP Access Policy Delegation +http://www.postfix.org/SMTPD_POLICY_README.html +[3] Postfix Per-Client/User/etc. Access Control +http://www.postfix.org/RESTRICTION_CLASS_README.html + + + +LICENSE +hapolicy is free software and released under BSD license, which basically means +that you can do what you want as long as you keep the copyright notice: +Copyright (c) 2008, Jan Peter Kessler +All rights reserved. +Redistribution and use in source and binary forms, with or without modification, +are permitted provided that the following conditions are met: ++ * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + * Neither the name of the authors nor the names of his contributors + may be used to endorse or promote products derived from this + software without specific prior written permission. +THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT, +INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + + + +AUTHOR +Jan Peter Kessler <info (AT) postfwd (DOT) org>. Let me know, if you have any suggestions. + + + + diff -Nru postfwd-1.20/tools/hapolicy/hapolicy.txt postfwd-1.32/tools/hapolicy/hapolicy.txt --- postfwd-1.20/tools/hapolicy/hapolicy.txt 1970-01-01 00:00:00.000000000 +0000 +++ postfwd-1.32/tools/hapolicy/hapolicy.txt 2011-08-16 06:32:03.000000000 +0000 @@ -0,0 +1,127 @@ +NAME + hapolicy - policy delegation high availability script + +SYNOPSIS + hapolicy [OPTIONS] --service=SERVICE1 [--service=SERVICE2 ...] + + Services: + -s, --service =:[:::] + + Options: + -d, --default returns if no service was available (default: 'dunno') + -l, --logging log requests + -v, --verbose increase logging verbosity + -L, --stdout log to stdout, for debugging, do NOT use with postfix + +DESCRIPTION + INTRODUCTION + hapolicy enables high availability, weighted loadbalancing and a + fallback action for postfix policy delegation services. Invoked via + postfix spawn it acts as a wrapper that queries other policy servers via + tcp connection. The order of the service queries can be influenced by + assigning a specific priority and weight to each service. A service is + considered 'failing', if the connection is refused or the specified + service timeout is reached. If all of the configured policy services + were failing, hapolicy returns a default action (e.g. dunno) to postfix. + + With version 1.00 hapolicy has less than 200 lines of perl code using + only standard perl modules. It does not require any disk access nor + configuration files and runs under an unpriviledged user account. This + should allow fast and reliable operation. + + CONFIGURATION + A service has the following attributes + + "servicename" => { + ip => '127.0.0.1', # ip address + port => '10040', # tcp port + prio => '10', # optional, lower wins + weight => '1', # optional, for items with same prio (weighted round-robin), higher is better + timeout => '30', # optional, query timeout in seconds + }, + + You may define multiple services at the command line. Which means that + + hapolicy -s "grey1=10.0.0.1:10031:10" -s "grey2=10.0.0.2:10031:20" + + will always try first service *grey1* at ip 10.0.0.1 port 10031 and if + that service is not available or does not answer within the default of + 30 seconds the next service *grey2* at ip 10.0.0.2 port 10031 will be + queried. + + If you want to load balance connections you may define + + hapolicy -s "polw1=10.0.0.1:12525:10:2" -s "polw2=10.0.0.2:12525:10:1" + + which queries service *polw1* at ip 10.0.0.1 twice as much as service + *polw2* at ip 10.0.0.2. Note that this setup also ensures high + availability for both services. If *polw1* is not available or does not + answer within the default of 30 seconds *polw2* will be queried and vice + versa. There is no reason to define a service twice. + + INTEGRATION + Enter the following at the bottom of your postfix master.cf (usually + located at /etc/postfix): + + # service description, note the leading blanks at the second line + 127.0.0.1:10060 inet n n n - 0 spawn + user=nobody argv=/usr/local/bin/hapolicy -l -s GREY1=10.0.0.1:10031:10 -s GREY2=10.0.0.2:10031:10 + + save the file and open postfix main.cf. Modify it as follows: + + 127.0.0.1:10060_time_limit = 3600 + + smtpd_recipient_restrictions = + permit_mynetworks, + ... other authed permits ... + reject_unauth_destination, + ... other restrictions ... + check_policy_service inet:127.0.0.1:10060 # <- hapolicy query + + Now issue 'postfix reload' at the command line. Of course you can have + more enhanced setups using postfix restriction classes. Please see + "LINKS" for further options. + +LINKS + [1] Postfix SMTP Access Policy Delegation + + + [2] Postfix Per-Client/User/etc. Access Control + + +LICENSE + hapolicy is free software and released under BSD license, which + basically means that you can do what you want as long as you keep the + copyright notice: + + Copyright (c) 2008, Jan Peter Kessler All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + * Neither the name of the authors nor the names of his contributors + may be used to endorse or promote products derived from this + software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY ME ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN + NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +AUTHOR + Jan Peter Kessler . Let me know, if you + have any suggestions. + diff -Nru postfwd-1.20/tools/lograte.sh postfwd-1.32/tools/lograte.sh --- postfwd-1.20/tools/lograte.sh 2008-05-05 07:24:22.000000000 +0000 +++ postfwd-1.32/tools/lograte.sh 1970-01-01 00:00:00.000000000 +0000 @@ -1,90 +0,0 @@ -#!/bin/sh -# -# generates per minute stats for generic syslog files -# call it: -# -# lograte.sh [OPTIONS] -# -# or for online monitoring -# -# tail -f | lograte.sh [OPTIONS] -# -# by JPK - -PATH=/usr/local/bin:/bin:/usr/bin - -# default values -PATTERN=".*" -MINIMUM=1 -TOPLIST=10 - -# show usage -Usage () { - { - echo "Usage: `basename $0` -m -t -s ..."; - echo " -m minimum events to display" - echo " -t how many rankings?" - echo " -T print rankings only" - echo " -s filter input through this regexp" - echo "Example: `basename $0` -m 10 -t 5 -s \"(panic|error)\" /var/log/messages" - } >&2 -} - -# parse arguments -while getopts Tt:m:s: o -do case "$o" in - s) PATTERN="$OPTARG";; - m) MINIMUM="$OPTARG";; - t) TOPLIST="$OPTARG";; - T) TOPONLY=1;; - *) Usage; - exit 1;; - esac -done -shift `expr $OPTIND - 1` - -# a single awk -awk ' ($0 ~ PATTERN) { - split($3,TIME,":"); - CURRTIME=$1 " " $2 " " TIME[1] ":" TIME[2]; - if (LASTTIME != CURRTIME) { - if (COUNT >= MINIMUM) { - if (!(TOPONLY == 1)) { - printf ( "%s %7d events, %8.2f per sec\n", LASTTIME, COUNT, ( COUNT / 60 ) ); - }; - for (i=1;i<=TOPLIST;i++) { - if (COUNT > MAXCOUNT[i]) { - MAXCOUNT[i+1]=MAXCOUNT[i]; - MAXCOUNT[i]=COUNT; - MAXTIME[i+1]=MAXTIME[i]; - MAXTIME[i]=LASTTIME; - break; - }; - }; - }; - COUNT=1; - } else { - COUNT++; - }; - LASTTIME=CURRTIME; - } - - END { - if (CURRTIME != "") { - if ( (COUNT >= MINIMUM) && (!(TOPONLY == 1)) ) { - printf ( "%s %7d events, %8.2f per sec\n\n", LASTTIME, COUNT, ( COUNT / 60 ) ); - }; - print "###########"; - printf ("# TOP %3d #\n",TOPLIST); - print "###########"; - for (i=1;i<=TOPLIST;i++) { - printf ( "# TOP %3d:\t%s %7d events, %8.2f per sec\n", i, MAXTIME[i], MAXCOUNT[i], ( MAXCOUNT[i] / 60 ) );; - }; - exit 0; - } else { - exit 1; - }; - }' PATTERN="${PATTERN}" MINIMUM="${MINIMUM}" TOPLIST="${TOPLIST}" TOPONLY="${TOPONLY}" $* - -# set exitcode=1 if no matching lines found -exit $? diff -Nru postfwd-1.20/tools/README.txt postfwd-1.32/tools/README.txt --- postfwd-1.20/tools/README.txt 2008-09-14 19:09:41.000000000 +0000 +++ postfwd-1.32/tools/README.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,10 +0,0 @@ -Directory contents: - -- lograte.sh [OPTIONS] - generates per minute stats for generic syslog files - -- request.sample - a sample policy delegation request. you may test your postfwd config with - postfwd -f request.sample - -by JPK

Version +	postfwd1 +	postfwd2 +
+ Specs +	+ + Single process (Multiplexer) + Default port: tcp/10040 + Small memory footprint + +	+ + Multiple processes (Preforker) + Default port: tcp/10045 + Scales with multiple cpus/cores + Builtin watchdog function + Debug classes + +
+ Usage +	+ + Fits for most setups + Any single core system + Rate-limit-only rulesets + +	+ + High throughput setups with lots of requests per second and + + + rulesets that use a lot of dnsbl lookups + really huge rulesets containing tons of checks + + +
+ *Issues +	+	+ + postfwd2 versions below 1.30 do not support multiple rate limits for the same item: + +# reject on 300+ connections/hour, warn at 200+ +id=R01; client_address=1.2.3.4; action=rate(client_address/300/3600/REJECT state RED) +id=R02; client_address=1.2.3.4; action=rate(client_address/200/3600/WARN state YELLOW) + + +