whitelister is a Postfix Policy Server (see [1]).

The aim is to accept every really clean mail immediately, and to reserve the
evil treatments (like greylisting) for suspicious mails.


BUILDING WHITELISTER
~~~~~~~~~~~~~~~~~~~~

You need:

  * a recent OCaml distribution (like 3.08.3), supporting the Unix module and
    native compilation.
  * ocamlfind
  * the syslog package

Then you only have to run `make' and it should produce a `whitelister'
executable.

Note for Debian: if you have a deb-src line in your /etc/apt/sources.list,
you can get the build dependencies of whitelister by simply running:
  `apt-get build-dep whitelister'


POSTFIX CONFIGURATION
~~~~~~~~~~~~~~~~~~~~~

It is intended to be used like this:

(1) Default inet socket:

  in your main.cf:

    smtpd_recipient_restrictions =
        ...
        reject_unauth_destination
        check_policy_service inet:127.0.0.1:10000
        ... here your nasty treatments, like postgrey ...

  in your whitelister.conf, don't specify sock, as its default value is fine.

(2) Unix socket

  if you use a unix socket (more efficient on most systems):

    smtpd_recipient_restrictions =
        ...
        reject_unauth_destination
        check_policy_service unix:private/whitelister.ctl
        ... here your nasty treatments, like postgrey ...

  in your whitelister.conf, set:

    sock: /var/spool/postfix/private/whitelister.ctl

  (the unix: path given to Postfix is relative to its queue directory,
  /var/spool/postfix by default, while the one given to whitelister is
  absolute; both must name the same socket.)


Some Notes:
~~~~~~~~~~~

The Postfix documentation states:

    In case of trouble the policy server must not send a reply. Instead the
    server must log a warning and disconnect. Postfix will retry the
    request at some later time.

But whitelister does not work that way. Either the mail seems to be clean
(with respect to whitelister's checks) and whitelister returns 'OK' (and the
mail is accepted), or one check fails and it returns 'DUNNO' in order to let
the mail go through the next checks (like the greylister).

That's why you *have* to use whitelister as one of the *last* rules in your
smtpd_recipient_restrictions: an 'OK' reply ends the evaluation of the
restriction list, so every restriction placed after it is skipped for mail
whitelister considers clean. Put it before reject_unauth_destination and it
turns your SMTP server into an open relay.

Any failure (in DNS, e.g.) is also interpreted as a suspicious mail, so it
too goes through the next restriction checks.


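To make the ordering rule concrete, here is an added example in Python; it is
not whitelister's own code (which is OCaml). It contains a parser for the
request format of [1], a whitelister-style decision that answers OK only when
its check passes and DUNNO otherwise (including when the lookup itself fails),
and a simplified model of how Postfix walks smtpd_recipient_restrictions. The
DNSBL-listed address, the local domains and the request attributes are
constructed sample data, and the greylister is a stand-in for postgrey.

```python
"""Model of whitelister's OK / DUNNO replies and of why its position in
smtpd_recipient_restrictions matters. Added example, not whitelister's code.
The request/reply format is the one from SMTPD_POLICY_README; the RBL check
reads a constructed in-memory list instead of DNS; evaluate() is a simplified
model of Postfix's restriction-list walk."""
from typing import Callable, Dict, List

# Constructed sample data (hypothetical addresses and domains).
LISTED_CLIENTS = {"192.0.2.7"}
LOCAL_DOMAINS = {"example.org"}

Attrs = Dict[str, str]
Restriction = Callable[[Attrs], str]


def parse_policy_request(raw: str) -> Attrs:
    """Parse one policy request: 'name=value' lines ended by an empty line."""
    attrs: Attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[name] = value
    return attrs


def format_reply(action: str) -> str:
    """A policy reply is 'action=...' followed by an empty line."""
    return f"action={action}\n\n"


def rbl_lookup(client_address: str) -> bool:
    """Stand-in for a DNSBL query: True when the client is listed."""
    return client_address in LISTED_CLIENTS


def failing_lookup(client_address: str) -> bool:
    """Stand-in for a DNS error (timeout, SERVFAIL) during the lookup."""
    raise OSError("simulated DNS failure for " + client_address)


def whitelister_decide(attrs: Attrs,
                       lookup: Callable[[str], bool] = rbl_lookup) -> str:
    """OK only when the check passes; a failed check, a missing attribute or
    a lookup error all yield DUNNO so the later restrictions still run."""
    client = attrs.get("client_address", "")
    if not client:
        return "DUNNO"
    try:
        listed = lookup(client)
    except Exception:            # DNS trouble: suspicious, never clean
        return "DUNNO"
    return "DUNNO" if listed else "OK"


def reject_unauth_destination(attrs: Attrs) -> str:
    """Reject relaying to domains this server does not accept mail for."""
    domain = attrs.get("recipient", "").rpartition("@")[2]
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"


def greylist(attrs: Attrs) -> str:
    """Stand-in for postgrey: defer unless a later rule rejects anyway."""
    return "DEFER_IF_PERMIT"


def evaluate(restrictions: List[Restriction], attrs: Attrs) -> str:
    """Simplified Postfix restriction walk: OK or REJECT ends it, DUNNO moves
    on, DEFER_IF_PERMIT applies if the walk ends in a permit, and an
    exhausted list permits."""
    deferred = False
    for restriction in restrictions:
        action = restriction(attrs)
        if action == "REJECT":
            return "REJECT"
        if action == "OK":
            return "DEFER" if deferred else "OK"
        if action == "DEFER_IF_PERMIT":
            deferred = True
    return "DEFER" if deferred else "OK"


# whitelister before reject_unauth_destination: a clean-looking client
# relaying to a foreign domain gets OK and the relay check never runs.
WRONG_ORDER: List[Restriction] = [whitelister_decide, reject_unauth_destination, greylist]
RIGHT_ORDER: List[Restriction] = [reject_unauth_destination, whitelister_decide, greylist]

# Constructed request in the wire format Postfix sends to a policy server.
RELAY_ATTEMPT = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=203.0.113.5\nsender=someone@example.net\n"
    "recipient=victim@elsewhere.example\n\n"
)

if __name__ == "__main__":
    attrs = parse_policy_request(RELAY_ATTEMPT)
    print("wrong order:", evaluate(WRONG_ORDER, attrs))   # OK: open relay
    print("right order:", evaluate(RIGHT_ORDER, attrs))   # REJECT
    print(format_reply(whitelister_decide(attrs)), end="")
```

Swap the two lists and the same relay attempt flips from REJECT to OK, which
is the open-relay case the note above warns about; a listed client to a local
recipient ends in DEFER because whitelister's DUNNO hands it to the greylister.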
WHITELISTER CONFIGURATION
~~~~~~~~~~~~~~~~~~~~~~~~~

whitelister searches for two config files, named whitelister.conf, in:
  o /etc/whitelister.conf
  o the same directory as itself
and it aggregates the configuration of both files.

The syntax is `key: value', where key is the setting key and value its
value, without quotes or anything. Comments begin with a # as the first
character of the line. See whitelister-example.conf for an example config
file.

Current settings are:

(1) Daemon Options
    --------------

verb    verbosity of the logs.
        `0' means don't log `Clean' mails
        `1' means log everything

pidf    path to the pidfile whitelister will write its pid into.
        default is /var/run/whitelister.pid,
        use /dev/null if you don't want to use the feature

sock    the socket whitelister will listen on.
        the value is the path for a unix socket,
        or ip:port for a TCP one.

        the last setting read is used (/etc/whitelister.conf overrides the
        local config)

user    name of the user used to run whitelister if launched as root
        default is nobody

group   name of the group used to run whitelister if launched as root
        default is nogroup

(2) Rules Configuration
    -------------------

rbl     hostname of an RBL service

rhbl_rcpt / rhbl_helo / rhbl_client / rhbl_sender

        hostname of an RHBL service.

        rcpt/helo/client/sender refer to the classical Postfix terminology
        of the settings smtpd_(recipient, helo, client, sender)_restrictions.

        It means that an RHBL check is performed on (respectively):
          - the domain of the recipient
          - the domain from the HELO/EHLO command
          - the domain of the client connection
          - the domain part of the sender address

spf     SPF checks:
        0 means no check.

        For the other levels, see the table (`ok' means the check passes for
        that SPF result, `!!!!' means it fails):

        -------+-------+----------+----------------+-------
        level  | pass  | neutral  | empty record   | other
        -------+-------+----------+----------------+-------
          1    |  ok   |   ok     |      ok        | !!!!
          2    |  ok   |   ok     |     !!!!       | !!!!
          3    |  ok   |  !!!!    |     !!!!       | !!!!
        -------+-------+----------+----------------+-------

spfrej  reject mail on invalid SPF (default is yes), possible values are
        on/off/yes/no/0/1


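As an added example (not whitelister's own OCaml code), the following Python
parser implements the config format described above: `key: value' lines, a #
in the first column starting a comment, the two files aggregated with
/etc/whitelister.conf taking precedence, and the value shapes this README
gives for sock, spf, spfrej and verb checked before use. It keeps one value
per key, as the "last setting is used" note implies, and its DEFAULTS table
holds only the defaults stated above; the two sample files are constructed.

```python
"""Parser for whitelister.conf as described in this README. Added example,
not whitelister's own code. Merge order follows the README: the file next
to the binary is read first, /etc/whitelister.conf last, so /etc wins."""
from typing import Dict, Tuple

# Only the defaults this README states.
DEFAULTS: Dict[str, str] = {
    "pidf": "/var/run/whitelister.pid",
    "user": "nobody",
    "group": "nogroup",
    "spfrej": "yes",
}
TRUE_WORDS = {"on", "yes", "1"}
FALSE_WORDS = {"off", "no", "0"}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse one file; a later line overrides an earlier one for the same key.
    Only a '#' in the first column is a comment, exactly as the README says."""
    conf: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#") or not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'key: value', got {line!r}")
        conf[key.strip()] = value.strip()
    return conf


def parse_bool(value: str) -> bool:
    """spfrej accepts on/off/yes/no/0/1."""
    v = value.lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError(f"expected on/off/yes/no/0/1, got {value!r}")


def parse_sock(value: str) -> Tuple[str, str]:
    """A path is a unix socket; 'ip:port' (numeric port) is a TCP one."""
    if value.startswith("/"):
        return ("unix", value)
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"sock must be a path or ip:port, got {value!r}")
    return ("inet", f"{host}:{int(port)}")


def validate(conf: Dict[str, str]) -> None:
    """Reject values outside the shapes the README documents."""
    if "sock" in conf:
        parse_sock(conf["sock"])
    if "spf" in conf and conf["spf"] not in ("0", "1", "2", "3"):
        raise ValueError(f"spf level must be 0-3, got {conf['spf']!r}")
    if "verb" in conf and conf["verb"] not in ("0", "1"):
        raise ValueError(f"verb must be 0 or 1, got {conf['verb']!r}")
    parse_bool(conf["spfrej"])


def load_config(local_text: str, etc_text: str) -> Dict[str, str]:
    """Aggregate defaults, the local file and /etc/whitelister.conf."""
    merged = dict(DEFAULTS)
    merged.update(parse_conf(local_text))
    merged.update(parse_conf(etc_text))
    validate(merged)
    return merged


# Constructed sample files (hypothetical RBL hostname).
LOCAL_CONF = """# config shipped next to the binary
sock: 127.0.0.1:10000
verb: 1
rbl: bl.example.net
spf: 2
"""

ETC_CONF = """# site override: talk to Postfix over its private unix socket
sock: /var/spool/postfix/private/whitelister.ctl
spfrej: off
"""

if __name__ == "__main__":
    for key, value in sorted(load_config(LOCAL_CONF, ETC_CONF).items()):
        print(f"{key}: {value}")
```

Note the comment rule: a line such as ` # note: x` is not a comment because the
# is not the first character, so the parser treats `# note` as a key, which is
what the README's wording implies and a reason to keep comments flush left.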
APPENDIX
~~~~~~~~

[1] http://www.postfix.org/SMTPD_POLICY_README.html