Repository contents:

  .pc
  debian
  tpl
  .depend
  ChangeLog
  COPYING
  Makefile
  policy.ml
  policy.mli
  README
  rules.ml
  rules.mli
  server.ml
  server.mli
  whitelister-example.conf
  whitelister.ml
whitelister is a Postfix Policy Server (see [1]). The aim is to accept every really clean mail immediately, and to reserve the evil treatments (like greylisting) for suspicious mails.

BUILDING WHITELISTER
~~~~~~~~~~~~~~~~~~~~

You need:

  * a recent OCaml distribution (like 3.08.3), supporting the Unix module and native compilation
  * ocamlfind
  * the syslog package

Then you only have to run `make' and it should produce a `whitelister' executable.

Note for Debian: if you have a deb-src line in your /etc/apt/sources.list, you can get the build dependencies of whitelister by simply running:

  apt-get build-dep whitelister

POSTFIX CONFIGURATION
~~~~~~~~~~~~~~~~~~~~~

It is intended to be used like this:

(1) Default inet socket

In your main.cf:

  smtpd_recipient_restrictions =
      ...
      reject_unauth_destination
      check_policy_service inet:127.0.0.1:10000
      ... here your nasty treatments, like postgrey ...

In your whitelister.conf, don't specify sock, as its default value is OK.

(2) Unix socket

If you use a unix socket (more efficient on most systems):

  smtpd_recipient_restrictions =
      ...
      reject_unauth_destination
      check_policy_service unix:private/whitelister.ctl
      ... here your nasty treatments, like postgrey ...

In your whitelister.conf, set:

  sock: /var/spool/postfix/private/whitelister.ctl

Some Notes
~~~~~~~~~~

The Postfix documentation states:

  In case of trouble the policy server must not send a reply. Instead the
  server must log a warning and disconnect. Postfix will retry the request
  at some later time.

But whitelister does not work that way. Either the mail seems to be clean (with respect to whitelister's checks) and whitelister returns 'OK' (and the mail is accepted), or one check fails and it returns 'DUNNO' in order to let the mail go through the next checks (like greylisting).

That's why you *have* to use whitelister as one of the *last* rules in your smtpd_recipient_restrictions. Otherwise it can turn your SMTP server into an open relay. Any failure (in DNS, e.g.) is also interpreted as a suspicious mail, and it will go through the next restriction checks too.

WHITELISTER CONFIGURATION
~~~~~~~~~~~~~~~~~~~~~~~~~

whitelister searches for two config files, named whitelister.conf, in:

  o /etc/whitelister.conf
  o the same directory as itself

and it aggregates the configuration of both files.

The syntax is:

  key: value

where key is the setting key, and value its value, without quotes or anything. Comments begin with a # at the first char of the line. See whitelister-example.conf for an example config file.

Current settings are:

(1) Daemon Options
--------------

verb    verbosity of the logs. `0' means don't log `Clean' mails,
        `1' means log everything.

pidf    path to the pidfile whitelister will write its pid into.
        Default is /var/run/whitelister.pid; use /dev/null if you
        don't want to use the feature.

sock    the socket whitelister will listen on. The value is the path
        for a unix socket, or ip:port for a TCP one. The last setting
        is used (/etc/whitelister.conf overrides local configs).

user    name of the user used to run whitelister if launched as root.
        Default is nobody.

group   name of the group used to run whitelister if launched as root.
        Default is nogroup.

(2) Rules Configuration
-------------------

rbl     hostname of an RBL service.

rhbl_rcpt / rhbl_helo / rhbl_client / rhbl_sender
        hostname of an RHBL service. rcpt/helo/client/sender refer to
        the classical Postfix terminology of the settings
        smtpd_(recipient, helo, client, sender)_restrictions. It means
        that an RHBL check is performed on (respectively):
          - the domain of the recipient
          - the domain from the HELO/EHLO command
          - the domain of the client connection
          - the domain part of the sender address

spf     SPF checks: 0 means no check. For the rest, see the table:

        -------+-------+----------+----------------+-------
        level  | pass  | neutral  | empty record   | other
        -------+-------+----------+----------------+-------
          1    | ok    | ok       | ok             | !!!!
          2    | ok    | ok       | !!!!           | !!!!
          3    | ok    | !!!!     | !!!!           | !!!!
        -------+-------+----------+----------------+-------

spfrej  reject mail on invalid SPF (default is yes); possible values
        are on/off/yes/no/0/1.

APPENDIX

[1] http://www.postfix.org/SMTPD_POLICY_README.html
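As an added illustration of the ordering rule from the POSTFIX CONFIGURATION and Some Notes sections (example code written for this page, not part of whitelister or Postfix), the script below models how Postfix walks smtpd_recipient_restrictions and applies the README's whitelister semantics (OK when every check passes, DUNNO otherwise). It shows that the same clean-looking message for a foreign domain is rejected with the README's ordering but relayed when whitelister precedes reject_unauth_destination, and it lints a main.cf fragment for that mistake. The domains, client address, the port 10023 greylister and the `clean` flag standing in for whitelister's real checks are all assumptions; the main.cf fragments are constructed.

```python
"""Why whitelister must sit after reject_unauth_destination (added example).

Model: OK, REJECT and DEFER end the walk through a restriction list, DUNNO
moves to the next entry, and an exhausted list permits. Site data below is
constructed; 'clean' stands in for the outcome of whitelister's checks.
"""
from dataclasses import dataclass

# Constructed site parameters for a hypothetical server.
MYNETWORKS = {"127.0.0.1"}
MYDESTINATION = {"example.org"}
RELAY_DOMAINS = {"partner.example"}
WHITELISTER = "check_policy_service inet:127.0.0.1:10000"


@dataclass
class Request:
    """Subset of policy-request attributes this model looks at."""
    sender: str
    recipient: str
    client_address: str
    clean: bool  # True if all of whitelister's checks would pass


def permit_mynetworks(req):
    return "OK" if req.client_address in MYNETWORKS else "DUNNO"


def reject_unauth_destination(req):
    domain = req.recipient.rpartition("@")[2].lower()
    return "DUNNO" if domain in MYDESTINATION | RELAY_DOMAINS else "REJECT"


def whitelister_policy(req):
    # README: a failed check or a lookup error (DNS, ...) both give DUNNO.
    return "OK" if req.clean else "DUNNO"


def postgrey_policy(req):
    # Stand-in greylister (assumed port 10023): defers as on a first contact.
    return "DEFER"


RESTRICTIONS = {
    "permit_mynetworks": permit_mynetworks,
    "reject_unauth_destination": reject_unauth_destination,
    WHITELISTER: whitelister_policy,
    "check_policy_service inet:127.0.0.1:10023": postgrey_policy,
}


def parse_restrictions(main_cf, key="smtpd_recipient_restrictions"):
    """Extract one restriction list from main.cf text. Indented lines
    continue the parameter; check_* entries keep their argument."""
    value, capturing = [], False
    for line in main_cf.splitlines():
        if capturing and line[:1] in (" ", "\t"):
            value.append(line.strip())
            continue
        capturing = False
        if line.startswith(key) and "=" in line:
            value.append(line.split("=", 1)[1].strip())
            capturing = True
    tokens = " ".join(value).replace(",", " ").split()
    entries, i = [], 0
    while i < len(tokens):
        if tokens[i].startswith("check_") and i + 1 < len(tokens):
            entries.append(f"{tokens[i]} {tokens[i + 1]}")
            i += 2
        else:
            entries.append(tokens[i])
            i += 1
    return entries


def evaluate(entries, req):
    """Walk the list the way Postfix does; the first non-DUNNO verdict wins."""
    for name in entries:
        verdict = RESTRICTIONS[name](req)
        if verdict != "DUNNO":
            return verdict
    return "OK"  # end of list: Postfix permits


def lint_ordering(entries, whitelister=WHITELISTER):
    """Flag reject_* rules that an OK from whitelister would skip."""
    if whitelister not in entries:
        return ["whitelister is not in the restriction list"]
    if "reject_unauth_destination" not in entries:
        return ["reject_unauth_destination is missing: open relay regardless of whitelister"]
    after = entries[entries.index(whitelister) + 1:]
    return [f"{name} comes after whitelister and is skipped for mail it marks OK"
            for name in after if name.startswith("reject_")]


GOOD_MAIN_CF = """\
# constructed main.cf fragment following the README
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10000,
    check_policy_service inet:127.0.0.1:10023
"""

BAD_MAIN_CF = """\
# constructed main.cf fragment with whitelister placed too early
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_policy_service inet:127.0.0.1:10000,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10023
"""


def outcome(main_cf, recipient, clean):
    """Verdict for a message from an outside client (constructed sender/IP)."""
    req = Request("someone@example.net", recipient, "203.0.113.5", clean)
    return evaluate(parse_restrictions(main_cf), req)


if __name__ == "__main__":
    for label, cf in (("README order", GOOD_MAIN_CF), ("whitelister first", BAD_MAIN_CF)):
        print(label, "relay attempt ->", outcome(cf, "victim@elsewhere.example", True),
              "| lint:", lint_ordering(parse_restrictions(cf)) or "ok")
```

With the README's ordering a clean local message still gets OK and skips the greylister (the intended effect), a suspicious one falls through to DEFER, and a relay attempt is rejected before whitelister is ever asked; with whitelister first, the relay attempt is accepted.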
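For the WHITELISTER CONFIGURATION section, an added example (not whitelister's own OCaml parser) that reads the documented `key: value` format, aggregates the two files so that /etc/whitelister.conf wins, validates the documented value ranges, and encodes the SPF table as a function. Assumptions: the local file is read before /etc/whitelister.conf (so "last setting is used" yields the documented precedence), each key keeps only its last value (the README does not say whether rbl lines may repeat), and the two sample files are constructed.

```python
"""Parser for the whitelister.conf format described in the README (added
example, not whitelister's code). Assumed: local file first, /etc last;
one value per key; sample files below are constructed."""

KNOWN_KEYS = {"verb", "pidf", "sock", "user", "group", "rbl", "rhbl_rcpt",
              "rhbl_helo", "rhbl_client", "rhbl_sender", "spf", "spfrej"}
# Defaults the README states explicitly.
DEFAULTS = {"pidf": "/var/run/whitelister.pid", "user": "nobody",
            "group": "nogroup", "spfrej": "yes"}
BOOLS = {"on": True, "yes": True, "1": True, "off": False, "no": False, "0": False}
# README table: SPF results that count as "ok" at each spf level ("other" never does).
SPF_OK = {1: {"pass", "neutral", "empty"}, 2: {"pass", "neutral"}, 3: {"pass"}}


def parse_conf(text):
    """One file -> dict. Later lines override earlier ones."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#") or not raw.strip():
            continue
        # Split on the first colon only: a TCP sock value such as
        # 127.0.0.1:10000 contains a colon of its own.
        key, sep, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"line {lineno}: expected 'key: value', got {raw!r}")
        if key not in KNOWN_KEYS:
            raise ValueError(f"line {lineno}: unknown setting {key!r}")
        settings[key] = value
    return settings


def normalize(raw):
    """Type-check the documented ranges and turn spfrej into a bool."""
    cfg = dict(raw)
    if "verb" in cfg:
        cfg["verb"] = int(cfg["verb"])
        if cfg["verb"] not in (0, 1):
            raise ValueError("verb must be 0 or 1")
    if "spf" in cfg:
        cfg["spf"] = int(cfg["spf"])
        if cfg["spf"] not in (0, 1, 2, 3):
            raise ValueError("spf must be 0..3")
    word = str(cfg["spfrej"]).lower()
    if word not in BOOLS:
        raise ValueError("spfrej must be one of on/off/yes/no/0/1")
    cfg["spfrej"] = BOOLS[word]
    return cfg


def load_settings(local_text, etc_text):
    """Aggregate both files on top of the defaults; /etc is applied last."""
    merged = dict(DEFAULTS)
    for text in (local_text, etc_text):
        merged.update(parse_conf(text))
    return normalize(merged)


def spf_accepts(level, result):
    """Apply the README's table: True where it says 'ok'."""
    if level == 0:
        return True  # spf: 0 means no check at all
    return result in SPF_OK[level]


def is_valid_conf(text):
    try:
        parse_conf(text)
        return True
    except ValueError:
        return False


# Constructed sample files.
LOCAL_CONF = """\
# constructed whitelister.conf next to the binary
verb: 1
sock: 127.0.0.1:10000
rbl: rbl.example.invalid
spf: 2
"""

ETC_CONF = """\
# constructed /etc/whitelister.conf
sock: /var/spool/postfix/private/whitelister.ctl
spfrej: off
"""

if __name__ == "__main__":
    print(load_settings(LOCAL_CONF, ETC_CONF))
```

Note that sock from /etc/whitelister.conf replaces the TCP value from the local file, exactly the precedence the README documents, while the settings only the local file defines survive the merge.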