gitlabFork/ISPConfig3.git - Solinfo Gitblit

parent: ad576c6a | patch | commit | ignore whitespace

Merge branch 'postfix' into 'stable-3.1'

Marius Burkard

2016-02-09 28184f599e6b16d6160738147cd520353120aabe

Merge branch 'postfix' into 'stable-3.1'

postfix: add smtpd_helo_restrictions, enable smtpd_reject_unlisted_sender

add smtpd_helo_restrictions to postfix config, including helo_access and blacklist_helo config files

enable smtpd_reject_unlisted_sender and stricter defaults on a few other settings

See merge request !275

3 files added

5 files modified

	docs/examples/blacklist_helo.master	74 ●●●●● patch \| view \| raw \| blame \| history
	install/lib/installer_base.lib.php	24 ●●●●● patch \| view \| raw \| blame \| history
	install/tpl/blacklist_helo.master	22 ●●●●● patch \| view \| raw \| blame \| history
	install/tpl/debian_postfix.conf.master	7 ●●●●● patch \| view \| raw \| blame \| history
	install/tpl/fedora_postfix.conf.master	7 ●●●●● patch \| view \| raw \| blame \| history
	install/tpl/gentoo_postfix.conf.master	7 ●●●●● patch \| view \| raw \| blame \| history
	install/tpl/helo_access.master	19 ●●●●● patch \| view \| raw \| blame \| history
	install/tpl/opensuse_postfix.conf.master	7 ●●●●● patch \| view \| raw \| blame \| history

 docs/examples/blacklist_helo.master

New file
@@ -0,0 +1,74 @@
# blacklist_helo - after permit_sasl, used to stop common spammers/misconfigurations
#
# This file can be used to block hostnames used in smtp HELO command which are known bad.
# Occasionally you will run into legitimate mail servers which are misconfigured and end
# up blocked here, so this is not enabled by default, but it is useful if you are prepared
# to address those cases.  .local is particularly problematic, and commented out by default.
#
# Note that any server hitting this check is misconfigured, all of the names below are bogus
# and not allowed per RFC 2821.
#
# If your own users are blocked by this, they are not authenticating to your server when
# sending (this check is after permit_sasl, which permits authenticated senders).
#
# Instructions:
#
# Copy this file to /usr/local/ispconfig/server/conf-custom/install/blacklist_helo.master,
# as well as /etc/postfix/blacklist_helo, so your changes are not overwritten with ispconfig
# updates.

# probably just put REJECT lines in here,
# as OK lines will bypass a lot of other checks you may want done
# (use DUNNO instead of OK)
#

# common for spammers (check https://data.iana.org/TLD/tlds-alpha-by-domain.txt and remove valid tld's occasionally)
/.*\.administrator$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.admin$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.adsl$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.arpa$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.bac$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.coma$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.dhcp$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.dlink$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.dns$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.domain$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.dynamic$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.dyndns\.org$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.dyn$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.firewall$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.gateway$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.home$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.internal$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.intern$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.janak$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.kornet$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.lab$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.lan$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.localdomain$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.localhost$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.

# .local is used by spammers a lot, but too many otherwise legit servers hit it
# (instead of REJECT, should send to greylisting)
#/.*\.local$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.

/.*\.loc$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.lokal$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.mail$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.nat$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.netzwerk$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.pc$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.privat$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.private$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.router$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.setup$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.

/.*\.119$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.beeline$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.cici$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.gt_3g$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.gt-3g$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.hananet$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.skbroadband$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
/.*\.tbroad$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.


 install/lib/installer_base.lib.php

@@ -896,6 +896,8 @@
        }
        unset($server_ini_array);
        
        $tmp = str_replace('.','\.',$conf['hostname']);

        $postconf_placeholders = array('{config_dir}' => $config_dir,
            '{vmail_mailbox_base}' => $cf['vmail_mailbox_base'],
            '{vmail_userid}' => $cf['vmail_userid'],
@@ -903,6 +905,7 @@
            '{rbl_list}' => $rbl_list,
            '{greylisting}' => $greylisting,
            '{reject_slm}' => $reject_sender_login_mismatch,
            '{myhostname}' => $tmp,
        );

        $postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/debian_postfix.conf.master', 'tpl/debian_postfix.conf.master');
@@ -933,6 +936,27 @@
        if(!is_file('/var/lib/mailman/data/transport-mailman')) touch('/var/lib/mailman/data/transport-mailman');
        exec('/usr/sbin/postmap /var/lib/mailman/data/transport-mailman');

        //* Create auxillary postfix conf files
        $configfile = 'helo_access';
        if(is_file($config_dir.'/'.$configfile)) {
            copy($config_dir.'/'.$configfile, $config_dir.'/'.$configfile.'~');
            chmod($config_dir.'/'.$configfile.'~', 0400);
        }
        $content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
        $content = strtr($content, $postconf_placeholders);
        # todo: look up this server's ip addrs and loop through each
        # todo: look up domains hosted on this server and loop through each
        wf($config_dir.'/'.$configfile, $content);

        $configfile = 'blacklist_helo';
        if(is_file($config_dir.'/'.$configfile)) {
            copy($config_dir.'/'.$configfile, $config_dir.'/'.$configfile.'~');
            chmod($config_dir.'/'.$configfile.'~', 0400);
        }
        $content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
        $content = strtr($content, $postconf_placeholders);
        wf($config_dir.'/'.$configfile, $content);

        //* Make a backup copy of the main.cf file
        copy($config_dir.'/main.cf', $config_dir.'/main.cf~');


 install/tpl/blacklist_helo.master

New file
@@ -0,0 +1,22 @@
# blacklist_helo - after permit_sasl, used to stop common spammers/misconfigurations
#
# This file can be used to block hostnames used in smtp HELO command which are known bad.
# Occasionally you will run into legitimate mail servers which are misconfigured and end
# up blocked here, so this is not enabled by default, but it is useful if you are prepared
# to address those cases.
#
# See docs/extras/blacklist_helo.master from ispconfig source for a more complete example list.
#
# If you make changes here, also copy them to /usr/local/ispconfig/server/conf-custom/install/blacklist_helo.master,
# so your changes are not overwritten with ispconfig updates.


#/.*\.administrator$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
#/.*\.admin$/    REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
#/.*\.adsl$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
#/.*\.arpa$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
#/.*\.dhcp$/ REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
#/.*\.dns$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
#/.*\.domain$/   REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.
#/.*\.dynamic$/  REJECT HELO hostname is using a top level domain that does not exist.  See RFC 2821 section 3.6.


 install/tpl/debian_postfix.conf.master

@@ -24,6 +24,8 @@
relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
@@ -41,3 +43,8 @@
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
allow_percent_hack = no
swap_bangpath = no
smtpd_reject_unlisted_sender = yes

 install/tpl/fedora_postfix.conf.master

@@ -21,6 +21,8 @@
relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
@@ -38,3 +40,8 @@
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
allow_percent_hack = no
swap_bangpath = no
smtpd_reject_unlisted_sender = yes

 install/tpl/gentoo_postfix.conf.master

@@ -20,6 +20,8 @@
relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
@@ -37,3 +39,8 @@
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
allow_percent_hack = no
swap_bangpath = no
smtpd_reject_unlisted_sender = yes

 install/tpl/helo_access.master

New file
@@ -0,0 +1,19 @@
# helo_access - before permit_sasl
# be sure to list your own hostname(s), domain(s) and IP address(es) here

# Reject others identifying with this machine's hostnames and IP addresses
/^{myhostname}$/  REJECT
#/^((smtp|mx|mail)\.domain1\.com$/    REJECT
#/^mail\.domain2\.com$/        REJECT

# TODO: this server's ip addr loop here
#/^\[?1\.2\.3\.4\]?$/    REJECT
#/^\[?12\.34\.56\.78\]?$/    REJECT
#/^\[?123\.234\.123\.234\]?$/    REJECT

# Reject others identifying as domains we host
# TODO: this server's hosted mail domains loop here
#/^domain1\.com$/    REJECT
#/^domain2\.com$/    REJECT
#/^domain3\.net$/    REJECT


 install/tpl/opensuse_postfix.conf.master

@@ -23,6 +23,8 @@
relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
@@ -40,3 +42,8 @@
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
allow_percent_hack = no
swap_bangpath = no
smtpd_reject_unlisted_sender = yes

New file
			@@ -0,0 +1,74 @@
			# blacklist_helo - after permit_sasl, used to stop common spammers/misconfigurations
			#
			# This file can be used to block hostnames used in smtp HELO command which are known bad.
			# Occasionally you will run into legitimate mail servers which are misconfigured and end
			# up blocked here, so this is not enabled by default, but it is useful if you are prepared
			# to address those cases. .local is particularly problematic, and commented out by default.
			#
			# Note that any server hitting this check is misconfigured, all of the names below are bogus
			# and not allowed per RFC 2821.
			#
			# If your own users are blocked by this, they are not authenticating to your server when
			# sending (this check is after permit_sasl, which permits authenticated senders).
			#
			# Instructions:
			#
			# Copy this file to /usr/local/ispconfig/server/conf-custom/install/blacklist_helo.master,
			# as well as /etc/postfix/blacklist_helo, so your changes are not overwritten with ispconfig
			# updates.

			# probably just put REJECT lines in here,
			# as OK lines will bypass a lot of other checks you may want done
			# (use DUNNO instead of OK)
			#

			# common for spammers (check https://data.iana.org/TLD/tlds-alpha-by-domain.txt and remove valid tld's occasionally)
			/.*\.administrator$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.admin$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.adsl$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.arpa$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.bac$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.coma$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.dhcp$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.dlink$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.dns$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.domain$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.dynamic$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.dyndns\.org$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.dyn$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.firewall$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.gateway$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.home$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.internal$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.intern$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.janak$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.kornet$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.lab$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.lan$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.localdomain$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.localhost$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.

			# .local is used by spammers a lot, but too many otherwise legit servers hit it
			# (instead of REJECT, should send to greylisting)
			#/.*\.local$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.

			/.*\.loc$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.lokal$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.mail$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.nat$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.netzwerk$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.pc$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.privat$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.private$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.router$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.setup$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.

			/.*\.119$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.beeline$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.cici$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.gt_3g$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.gt-3g$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.hananet$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.skbroadband$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			/.*\.tbroad$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.

			@@ -896,6 +896,8 @@
			}
			unset($server_ini_array);

			$tmp = str_replace('.','\.',$conf['hostname']);

			$postconf_placeholders = array('{config_dir}' => $config_dir,
			'{vmail_mailbox_base}' => $cf['vmail_mailbox_base'],
			'{vmail_userid}' => $cf['vmail_userid'],
			@@ -903,6 +905,7 @@
			'{rbl_list}' => $rbl_list,
			'{greylisting}' => $greylisting,
			'{reject_slm}' => $reject_sender_login_mismatch,
			'{myhostname}' => $tmp,
			);

			$postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/debian_postfix.conf.master', 'tpl/debian_postfix.conf.master');
			@@ -933,6 +936,27 @@
			if(!is_file('/var/lib/mailman/data/transport-mailman')) touch('/var/lib/mailman/data/transport-mailman');
			exec('/usr/sbin/postmap /var/lib/mailman/data/transport-mailman');

			//* Create auxillary postfix conf files
			$configfile = 'helo_access';
			if(is_file($config_dir.'/'.$configfile)) {
			copy($config_dir.'/'.$configfile, $config_dir.'/'.$configfile.'~');
			chmod($config_dir.'/'.$configfile.'~', 0400);
			}
			$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
			$content = strtr($content, $postconf_placeholders);
			# todo: look up this server's ip addrs and loop through each
			# todo: look up domains hosted on this server and loop through each
			wf($config_dir.'/'.$configfile, $content);

			$configfile = 'blacklist_helo';
			if(is_file($config_dir.'/'.$configfile)) {
			copy($config_dir.'/'.$configfile, $config_dir.'/'.$configfile.'~');
			chmod($config_dir.'/'.$configfile.'~', 0400);
			}
			$content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master');
			$content = strtr($content, $postconf_placeholders);
			wf($config_dir.'/'.$configfile, $content);

			//* Make a backup copy of the main.cf file
			copy($config_dir.'/main.cf', $config_dir.'/main.cf~');

New file
			@@ -0,0 +1,22 @@
			# blacklist_helo - after permit_sasl, used to stop common spammers/misconfigurations
			#
			# This file can be used to block hostnames used in smtp HELO command which are known bad.
			# Occasionally you will run into legitimate mail servers which are misconfigured and end
			# up blocked here, so this is not enabled by default, but it is useful if you are prepared
			# to address those cases.
			#
			# See docs/extras/blacklist_helo.master from ispconfig source for a more complete example list.
			#
			# If you make changes here, also copy them to /usr/local/ispconfig/server/conf-custom/install/blacklist_helo.master,
			# so your changes are not overwritten with ispconfig updates.


			#/.*\.administrator$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			#/.*\.admin$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			#/.*\.adsl$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			#/.*\.arpa$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			#/.*\.dhcp$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			#/.*\.dns$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			#/.*\.domain$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
			#/.*\.dynamic$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.

			@@ -24,6 +24,8 @@
			relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
			smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
			proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
			smtpd_helo_required = yes
			smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit
			smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re
			smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
			smtpd_client_message_rate_limit = 100
			@@ -41,3 +43,8 @@
			smtp_tls_protocols = !SSLv2,!SSLv3
			smtpd_tls_exclude_ciphers = RC4, aNULL
			smtp_tls_exclude_ciphers = RC4, aNULL
			strict_rfc821_envelopes = yes
			disable_vrfy_command = yes
			allow_percent_hack = no
			swap_bangpath = no
			smtpd_reject_unlisted_sender = yes

			@@ -21,6 +21,8 @@
			relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
			smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
			proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
			smtpd_helo_required = yes
			smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit
			smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re
			smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
			smtpd_client_message_rate_limit = 100
			@@ -38,3 +40,8 @@
			smtp_tls_protocols = !SSLv2,!SSLv3
			smtpd_tls_exclude_ciphers = RC4, aNULL
			smtp_tls_exclude_ciphers = RC4, aNULL
			strict_rfc821_envelopes = yes
			disable_vrfy_command = yes
			allow_percent_hack = no
			swap_bangpath = no
			smtpd_reject_unlisted_sender = yes

			@@ -20,6 +20,8 @@
			relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
			smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
			proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
			smtpd_helo_required = yes
			smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit
			smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re
			smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
			smtpd_client_message_rate_limit = 100
			@@ -37,3 +39,8 @@
			smtp_tls_protocols = !SSLv2,!SSLv3
			smtpd_tls_exclude_ciphers = RC4, aNULL
			smtp_tls_exclude_ciphers = RC4, aNULL
			strict_rfc821_envelopes = yes
			disable_vrfy_command = yes
			allow_percent_hack = no
			swap_bangpath = no
			smtpd_reject_unlisted_sender = yes

New file
			@@ -0,0 +1,19 @@
			# helo_access - before permit_sasl
			# be sure to list your own hostname(s), domain(s) and IP address(es) here

			# Reject others identifying with this machine's hostnames and IP addresses
			/^{myhostname}$/ REJECT
			#/^((smtp\|mx\|mail)\.domain1\.com$/ REJECT
			#/^mail\.domain2\.com$/ REJECT

			# TODO: this server's ip addr loop here
			#/^\[?1\.2\.3\.4\]?$/ REJECT
			#/^\[?12\.34\.56\.78\]?$/ REJECT
			#/^\[?123\.234\.123\.234\]?$/ REJECT

			# Reject others identifying as domains we host
			# TODO: this server's hosted mail domains loop here
			#/^domain1\.com$/ REJECT
			#/^domain2\.com$/ REJECT
			#/^domain3\.net$/ REJECT

			@@ -23,6 +23,8 @@
			relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
			smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
			proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
			smtpd_helo_required = yes
			smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit
			smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re
			smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
			smtpd_client_message_rate_limit = 100
			@@ -40,3 +42,8 @@
			smtp_tls_protocols = !SSLv2,!SSLv3
			smtpd_tls_exclude_ciphers = RC4, aNULL
			smtp_tls_exclude_ciphers = RC4, aNULL
			strict_rfc821_envelopes = yes
			disable_vrfy_command = yes
			allow_percent_hack = no
			swap_bangpath = no
			smtpd_reject_unlisted_sender = yes