| install/lib/installer_base.lib.php | ●●●●● patch | view | raw | blame | history | |
| install/tpl/blacklist_helo.master | ●●●●● patch | view | raw | blame | history | |
| install/tpl/debian_postfix.conf.master | ●●●●● patch | view | raw | blame | history | |
| install/tpl/fedora_postfix.conf.master | ●●●●● patch | view | raw | blame | history | |
| install/tpl/gentoo_postfix.conf.master | ●●●●● patch | view | raw | blame | history | |
| install/tpl/helo_access.master | ●●●●● patch | view | raw | blame | history | |
| install/tpl/opensuse_postfix.conf.master | ●●●●● patch | view | raw | blame | history |
install/lib/installer_base.lib.php
@@ -903,6 +903,7 @@ '{rbl_list}' => $rbl_list, '{greylisting}' => $greylisting, '{reject_slm}' => $reject_sender_login_mismatch, '{myhostname}' => $conf['hostname'], ); $postconf_tpl = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/debian_postfix.conf.master', 'tpl/debian_postfix.conf.master'); @@ -933,6 +934,27 @@ if(!is_file('/var/lib/mailman/data/transport-mailman')) touch('/var/lib/mailman/data/transport-mailman'); exec('/usr/sbin/postmap /var/lib/mailman/data/transport-mailman'); //* Create auxillary postfix conf files $configfile = 'helo_access'; if(is_file($config_dir.'/'.$configfile)) { copy($config_dir.'/'.$configfile, $config_dir.'/'.$configfile.'~'); } chmod($config_dir.'/'.$configfile.'~', 0400); $content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master'); $content = strtr($content, $postconf_placeholders); # todo: look up this server's ip addrs and loop through each # todo: look up domains hosted on this server and loop through each wf($config_dir.'/'.$configfile, $content); $configfile = 'blacklist_helo'; if(is_file($config_dir.'/'.$configfile)) { copy($config_dir.'/'.$configfile, $config_dir.'/'.$configfile.'~'); } chmod($config_dir.'/'.$configfile.'~', 0400); $content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master'); $content = strtr($content, $postconf_placeholders); wf($config_dir.'/'.$configfile, $content); //* Make a backup copy of the main.cf file copy($config_dir.'/main.cf', $config_dir.'/main.cf~');
New file @@ -0,0 +1,57 @@ # blacklist_helo - after permit_sasl, used to stop common spammers/misconfigurations # # probably just put REJECT lines in here, # as OK lines will bypass a lot of other checks you may want done # (use DUNNO instead of OK) # # common for spammers (check https://data.iana.org/TLD/tlds-alpha-by-domain.txt and remove valid tld's occasionally) /.*\.administrator$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.admin$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.adsl$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.arpa$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.bac$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.coma$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.dhcp$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.dlink$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.dns$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.domain$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.dynamic$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.dyndns\.org$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.dyn$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.firewall$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.gateway$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.home$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.internal$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.intern$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.janak$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.kornet$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.lab$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.lan$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.localdomain$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.localhost$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. # .local is used by spammers a lot, but too many otherwise legit servers hit it # (instead of REJECT, should send to greylisting) #/.*\.local$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.loc$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.lokal$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.mail$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.nat$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.netzwerk$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.pc$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.privat$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.private$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.router$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.setup$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.119$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.beeline$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.cici$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.gt_3g$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.gt-3g$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.hananet$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.skbroadband$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6. /.*\.tbroad$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
@@ -24,6 +24,8 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf smtpd_client_message_rate_limit = 100 install/tpl/fedora_postfix.conf.master
@@ -21,6 +21,8 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf smtpd_client_message_rate_limit = 100 install/tpl/gentoo_postfix.conf.master
@@ -20,6 +20,8 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf smtpd_client_message_rate_limit = 100 install/tpl/helo_access.master
New file @@ -0,0 +1,19 @@ # helo_access - before permit_sasl # be sure to list your own hostname(s), domain(s) and IP address(es) here # Reject others identifying with this machine's hostnames and IP addresses {myhostname} REJECT #/^((smtp|mx|mail)\.domain1\.com$/ REJECT #/^mail\.domain2\.com$/ REJECT # TODO: this server's ip addr loop here #/^\[?1\.2\.3\.4\]?$/ REJECT #/^\[?12\.34\.56\.78\]?$/ REJECT #/^\[?123\.234\.123\.234\]?$/ REJECT # Reject others identifying as domains we host # TODO: this server's hosted mail domains loop here #/^domain1\.com$/ REJECT #/^domain2\.com$/ REJECT #/^domain3\.net$/ REJECT
@@ -23,6 +23,8 @@ relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf smtpd_client_message_rate_limit = 100
