From ae4b9f6b624426d9a238f930be11d1d7e82e2d98 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Tue, 3 Feb 2004 22:16:17 +0000
Subject: Big rewrite, mainly to make UCE rules more flexible and finegrained.
---
postfix/maps_rbl_domains | 23 ++++++-------
postfix/postfix.sh | 62 +++++++++++++++++++++++++++---------
postfix/reject_rhsbl_client | 14 ++++++++
postfix/reject_rhsbl_sender | 14 ++++++++
postfix/smtpd_client_restrictions | 11 +++++++
postfix/smtpd_data_restrictions | 10 ++++++
postfix/smtpd_helo_restrictions | 12 +++++++
postfix/smtpd_recipient_restrictions | 16 +++-------
postfix/smtpd_sender_restrictions | 13 ++++++++
9 files changed, 136 insertions(+), 39 deletions(-)
create mode 100644 postfix/reject_rhsbl_client
create mode 100644 postfix/reject_rhsbl_sender
create mode 100644 postfix/smtpd_client_restrictions
create mode 100644 postfix/smtpd_data_restrictions
create mode 100644 postfix/smtpd_helo_restrictions
create mode 100644 postfix/smtpd_sender_restrictions
(limited to 'postfix')
diff --git a/postfix/maps_rbl_domains b/postfix/maps_rbl_domains
index f1875b2..265b985 100644
--- a/postfix/maps_rbl_domains
+++ b/postfix/maps_rbl_domains
@@ -1,5 +1,5 @@
 #
-# List of RBL blackhole services.
+# List of DNS BlockList (DNSbl) services.
 #
 # Used by Postfix.
 #
@@ -13,21 +13,18 @@
 # Example usage for Postfix 2.x:
 #
 # smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient, reject_unauth_destination,
-# reject_rbl_client list.dsbl.org, reject_rbl_sender relays.ordb.org, reject_rbl_sender spam.dnsrbl.net,
+# reject_rbl_client list.dsbl.org, reject_rbl_client relays.ordb.org, reject_rbl_client spam.dnsrbl.net,
 # reject
 #
-# $Id: maps_rbl_domains,v 1.4 2004-01-27 19:26:51 jonas Exp $
+# $Id: maps_rbl_domains,v 1.5 2004-02-03 22:16:17 jonas Exp $
 #
 #relays.visi.com
-#bl.spamcop.net # Avoided: times out
-block.blars.org # Carefully maintained list
-list.dsbl.org # Carefully maintained list
-multihop.dsbl.org # Somewhat aggressive list
+#bl.spamcop.net # Avoided: times out
+block.blars.org # Carefully maintained list
+list.dsbl.org # Carefully maintained list
+#multihop.dsbl.org # Somewhat aggressive list
 relays.ordb.org
-spam.dnsrbl.net # Automated using honey pots
-#inputs.relays.osirusoft.com
-#dialups.relays.osirusoft.com
-#spews.relays.osirusoft.com # spews is bad: http://www.antispews.org/
-cbl.abuseat.org # Fully automated spamtrap-generated list
-dnsbl.sorbs.net # Somewhat aggressive list including non-dialup dynamic address pools
+spam.dnsrbl.net # Automated using honey pots
+cbl.abuseat.org # Fully automated spamtrap-generated list
+#dnsbl.sorbs.net # Somewhat aggressive list including non-dialup dynamic address pools
diff --git a/postfix/postfix.sh b/postfix/postfix.sh
index 53bb63f..c5a5546 100755
--- a/postfix/postfix.sh
+++ b/postfix/postfix.sh
@@ -3,15 +3,16 @@
 # /etc/local-COMMON/postfix/postfix.sh
 # Copyright 2002-2003 Jonas Smedegaard
 #
-# $Id: postfix.sh,v 1.23 2004-01-27 19:49:53 jonas Exp $
+# $Id: postfix.sh,v 1.24 2004-02-03 22:16:17 jonas Exp $
 #
 # Auto-tweak plain installed postfix Debian package
 #
-# TODO: Implement stuff from here: http://www.wsrcc.com/spam/
-#
-# TODO: Implement stuff from here: http://www.muine.org/~hoang/postfix.html
-#
-# TODO: Figure out a way to use chroot jail for TLS stuff.
+# TODO:
+# * Implement stuff from here: http://www.wsrcc.com/spam/
+# * Implement stuff from here: http://www.muine.org/~hoang/postfix.html
+# * Implement stuff from here: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
+# * Figure out a way to use chroot jail for TLS stuff.
+# * Resolve 1.x/2.x differences in RBL map expansion within getlinesfromfile()
 set -e
@@ -24,12 +25,45 @@
 if $postconf -d mail_version | grep -q '= 2'; then
 pf2=1
 fi
+#function getlinesfromfile() {
+# param="$1"
+# echo -n "$param = "
+# cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[, ]*//' -e 's/[, ]\+/,/g' -e 's/,$//'
+#}
+
 function getlinesfromfile() {
 param="$1"
+ shift
+ replacements=
+ for subparam in $@; do
+ case "$subparam" in
+ *=*=*)
+ oldparam="`echo $subparam | awk -F= '{print $1}'`"
+ newparam="`echo $subparam | awk -F= '{print $2}'`"
+ newparamfile="`echo $subparam | awk -F= '{print $3}'`"
+ shift
+ ;;
+ *)
+ oldparam=$subparam
+ newparam=$subparam
+ newparamfile=$subparam
+ shift
+ ;;
+ esac
+ newparamvalues="`getlinesfromfile $newparamfile | sed -e 's/.*=[ ]*//' -e 's/,/ /g'`"
+ newstring=
+ for newparamvalue in $newparamvalues; do
+ newstring="${newstring}$newparam $newparamvalue,"
+ done
+ replacements="$replacements;s/$oldparam/$newstring/"
+ done
 echo -n "$param = "
- cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[, ]*//' -e 's/[, ]\+/,/g' -e 's/,$//'
+ cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[, ]*//;s/[, ]\+/,/g' -e "s/,\$//$replacements"
 }
+# Inspired by D. J. Bernstein: http://cr.yp.to/smtp/greeting.html
+$postconf -e 'smtpd_banner = $myhostname NO UCE ESMTP $mail_name (Debian/GNU)'
+
 # Some badly configured setup use hostname instead of FQDN
 # Disable completely: Effective, but hurts executive type guys using windows servers... :-(
 #if $postconf myhostname | grep -q '\.'; then
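Review bot: The recursive `getlinesfromfile $newparamfile` call in the new body does not clobber the caller's `param` and `replacements` only because it runs inside a backtick subshell; every variable the function touches is global, so a later non-subshell call or refactor would overwrite the outer state. Declare them up front with `local param subparam oldparam newparam newparamfile newparamvalues newparamvalue newstring replacements` (the `function` keyword already ties the script to bash). `$replacements` is then spliced into the closing `sed` expression unescaped, so a list-file entry or restriction name containing `/`, `&` or `\` would break or rewrite the substitution; that is harmless for the plain hostnames shipped here, which is worth stating in a comment such as `# list entries are spliced into a sed script unescaped: keep them to plain hostnames`. The `shift` calls inside `for subparam in $@` have no effect, since the loop iterates the already-expanded list, and `$@` and `$paramdir/$param` are left unquoted.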
@@ -38,17 +72,15 @@ function getlinesfromfile() {
 $postconf -e 'smtpd_helo_required = no'
 $postconf -e "`getlinesfromfile permit_mx_backup_networks`"
 if [ "$pf2" ]; then
- rbl_domains="`getlinesfromfile maps_rbl_domains | sed -e 's/.*=[ ]*//' -e 's/,/ /g'`"
- rbl_domain_line=
- for rbl_domain in $rbl_domains; do
- rbl_domain_line="${rbl_domain_line}reject_rbl_client $rbl_domain,"
- done
- recipient_restrictions="`getlinesfromfile smtpd_recipient_restrictions | sed 's/.*=[ ]*//' | sed \"s/reject_maps_rbl/$rbl_domain_line/\"`"
 $postconf -e "maps_rbl_domains ="
- $postconf -e "smtpd_recipient_restrictions = $recipient_restrictions"
- $postconf -e "smtpd_sender_restrictions = reject_rhsbl_sender dsn.rfc-ignorant.org"
+ $postconf -e "`getlinesfromfile smtpd_client_restrictions reject_rhsbl_client`"
+ $postconf -e "`getlinesfromfile smtpd_helo_restrictions`"
+ $postconf -e "`getlinesfromfile smtpd_sender_restrictions reject_rhsbl_sender`"
+ $postconf -e "`getlinesfromfile smtpd_recipient_restrictions reject_maps_rbl=reject_rbl_client=maps_rbl_domains`"
+ $postconf -e "`getlinesfromfile smtpd_data_restrictions`"
 else
 $postconf -e "`getlinesfromfile maps_rbl_domains`"
+ $postconf -e "`getlinesfromfile smtpd_helo_restrictions`"
 $postconf -e "`getlinesfromfile smtpd_recipient_restrictions`"
 fi
diff --git a/postfix/reject_rhsbl_client b/postfix/reject_rhsbl_client
new file mode 100644
index 0000000..075b5ac
--- /dev/null
+++ b/postfix/reject_rhsbl_client
@@ -0,0 +1,14 @@
+#
+# List of Right-Hand Side BlockList (RHSbl) services checked against clients.
+#
+# Used by Postfix 2.x.
+#
+# Example usage:
+#
+# smtpd_client_restrictions = reject_rhsbl_client dsn.rfc-ignorant.org
+#
+# $Id: reject_rhsbl_client,v 1.1 2004-02-03 22:16:17 jonas Exp $
+#
+
+#dsn.rfc-ignorant.org # RFCs are too strict for Real World :-(
+blackhole.securitysage.com
diff --git a/postfix/reject_rhsbl_sender b/postfix/reject_rhsbl_sender
new file mode 100644
index 0000000..9de1779
--- /dev/null
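Review bot: The `else` branch for Postfix 1.x now installs only `maps_rbl_domains`, `smtpd_helo_restrictions` and `smtpd_recipient_restrictions`, while `reject_non_fqdn_sender`, `reject_unknown_sender_domain` and `reject_unauth_pipelining` are dropped from `postfix/smtpd_recipient_restrictions` (later hunk) and only reappear in `smtpd_sender_restrictions` and `smtpd_data_restrictions`, which only the `pf2` branch applies. On a 1.x host the sender-domain and pipelining checks therefore disappear silently. Either keep those entries on the 1.x path, e.g. by applying `smtpd_sender_restrictions` there too after dropping the `reject_rhsbl_sender` token (which 1.x is not expected to understand; presumably the 1.x/2.x difference the new TODO item refers to), or record the loss in that TODO so a 1.x deployment is not left weaker than before this change.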
+++ b/postfix/reject_rhsbl_sender
@@ -0,0 +1,14 @@
+#
+# List of Right-Hand Side BlockList (RHSbl) services checked against senders.
+#
+# Used by Postfix 2.x.
+#
+# Example usage:
+#
+# smtpd_sender_restrictions = reject_rhsbl_sender dsn.rfc-ignorant.org
+#
+# $Id: reject_rhsbl_sender,v 1.1 2004-02-03 22:16:17 jonas Exp $
+#
+
+#dsn.rfc-ignorant.org # RFCs are too strict for Real World :-(
+blackhole.securitysage.com
diff --git a/postfix/smtpd_client_restrictions b/postfix/smtpd_client_restrictions
new file mode 100644
index 0000000..ebd268a
--- /dev/null
+++ b/postfix/smtpd_client_restrictions
@@ -0,0 +1,11 @@
+#
+# Ordered list of rules for postfix option smtpd_recipient_restrictions
+#
+# Used by tweak script postfix.sh
+#
+# $Id: smtpd_client_restrictions,v 1.1 2004-02-03 22:16:17 jonas Exp $
+#
+
+permit_mynetworks
+reject_rhsbl_client # (ignored with Postfix 1.x; with Postfix 2.x, expanded to content of file of same name)
+permit
diff --git a/postfix/smtpd_data_restrictions b/postfix/smtpd_data_restrictions
new file mode 100644
index 0000000..b61711a
--- /dev/null
+++ b/postfix/smtpd_data_restrictions
@@ -0,0 +1,10 @@
+#
+# Ordered list of rules for postfix option smtpd_data_restrictions
+#
+# Used by tweak script postfix.sh
+#
+# $Id: smtpd_data_restrictions,v 1.1 2004-02-03 22:16:17 jonas Exp $
+#
+
+reject_unauth_pipelining
+permit
diff --git a/postfix/smtpd_helo_restrictions b/postfix/smtpd_helo_restrictions
new file mode 100644
index 0000000..1eeef4c
--- /dev/null
+++ b/postfix/smtpd_helo_restrictions
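Review bot: The header of the new `postfix/smtpd_client_restrictions` says it holds rules for `smtpd_recipient_restrictions`, which looks like a copy-paste slip from the older file; it should read `# Ordered list of rules for postfix option smtpd_client_restrictions`. The trailing comment on `reject_rhsbl_client` says the entry is "ignored with Postfix 1.x", but the 1.x branch in `postfix.sh` never installs this file at all, so "not used with Postfix 1.x" describes the behaviour more precisely.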
@@ -0,0 +1,12 @@
+#
+# Ordered list of rules for postfix option smtpd_helo_restrictions
+#
+# Used by tweak script postfix.sh
+#
+# $Id: smtpd_helo_restrictions,v 1.1 2004-02-03 22:16:17 jonas Exp $
+#
+
+reject_invalid_hostname
+#permit_mynetworks # (enable this too if the below; move this below FQDN-checks on a "true mailhub" - some Debian daemons send to "localhost")
+#reject_non_fqdn_hostname # (false rejects if the remote server or related DNS information is not configured properly)
+permit
diff --git a/postfix/smtpd_recipient_restrictions b/postfix/smtpd_recipient_restrictions
index d919d7e..59d5dd6 100644
--- a/postfix/smtpd_recipient_restrictions
+++ b/postfix/smtpd_recipient_restrictions
@@ -3,20 +3,14 @@
 #
 # Used by tweak script postfix.sh
 #
-# $Id: smtpd_recipient_restrictions,v 1.5 2004-01-27 19:49:53 jonas Exp $
+# $Id: smtpd_recipient_restrictions,v 1.6 2004-02-03 22:16:17 jonas Exp $
 #
-reject_invalid_hostname
-permit_mynetworks # Move this below FQDN-checks on a "true mailhub" - some Debian daemons send to localhost
+reject_unknown_recipient_domain
+permit_mynetworks # Move this below FQDN-checks on a "true mailhub" - some Debian daemons send to "localhost"
 permit_sasl_authenticated # Silently ignored if TLS not in use
-reject_non_fqdn_hostname
-reject_non_fqdn_sender
 reject_non_fqdn_recipient
-reject_unknown_sender_domain
-reject_unknown_recipient_domain
-reject_unauth_pipelining
-#permit_mynetworks # Moved to top to allow Debian daemons sending to localhost
 permit_mx_backup
 reject_unauth_destination
-reject_maps_rbl
-reject # Not really needed, but just to be on the safe side...
+reject_maps_rbl # Activate Realtime Blackhole Lists (with Postfix 2.x, expanded to content of file maps_rbl_domains)
+permit
diff --git a/postfix/smtpd_sender_restrictions b/postfix/smtpd_sender_restrictions
new file mode 100644
index 0000000..3d8b9a6
--- /dev/null
+++ b/postfix/smtpd_sender_restrictions
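Review bot: The comment on the commented-out `permit_mynetworks` in `postfix/smtpd_helo_restrictions` is hard to parse ("enable this too if the below"); it appears to mean that the entry belongs together with `reject_non_fqdn_hostname`. Suggested wording: `#permit_mynetworks # (enable together with reject_non_fqdn_hostname below; on a "true mailhub" move it below the FQDN checks - some Debian daemons send to "localhost")`.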
@@ -0,0 +1,13 @@
+#
+# Ordered list of rules for postfix option smtpd_sender_restrictions
+#
+# Used by tweak script postfix.sh
+#
+# $Id: smtpd_sender_restrictions,v 1.1 2004-02-03 22:16:17 jonas Exp $
+#
+
+permit_mynetworks # (needed to allow some Debian daemons send to localhost)
+reject_non_fqdn_sender
+reject_unknown_sender_domain
+reject_rhsbl_sender # Activate Realtime Hostbased Sender Blackhole Lists (with Postfix 2.x, expanded to content of file of same name)
+permit
-- 
cgit v1.2.3
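Review bot: The comment on `reject_rhsbl_sender` expands RHSBL as "Realtime Hostbased Sender Blackhole Lists", while the new `postfix/reject_rhsbl_sender` file it is expanded from describes itself as "Right-Hand Side BlockList (RHSbl) services checked against senders"; the two descriptions should agree. Suggested: `reject_rhsbl_sender # Right-Hand Side BlockList check on the sender domain (with Postfix 2.x, expanded to content of file of same name)`.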