summaryrefslogtreecommitdiff
path: root/postfix/postfix.sh
blob: 2860cdc620918a3c0e1f90dd84276b26a8b6c652 (plain)
  1. #!/bin/sh
  2. #
  3. # /etc/local-COMMON/postfix/postfix.sh
  4. # Copyright 2002-2007 Jonas Smedegaard <dr@jones.dk>
  5. #
  6. # $Id: postfix.sh,v 1.76 2008-05-25 19:00:16 jonas Exp $
  7. #
  8. # Auto-tweak plain installed postfix Debian package
  9. #
  10. # TODO:
  11. # * Implement stuff from here: http://www.wsrcc.com/spam/
  12. # * Implement stuff from here: http://www.muine.org/~hoang/postfix.html
  13. # * Implement stuff from here: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
  14. # * Figure out a way to use chroot jail for TLS stuff.
  15. set -e
  16. # Let's standardize sort
  17. export LC_ALL=C
  18. warn() {
  19. echo >&2 "Warning: $1"
  20. }
  21. exit1() {
  22. echo >&2 "Error: $1"
  23. echo >&2 "Exiting..."
  24. exit 1
  25. }
  26. # Favor specific CA for our own server and client certificates
  27. # (comment out to trust any CA)
  28. #cacert_smtpd="/etc/ssl/certs/cacert.org.pem"
  29. cacert_smtp=
  30. cacert_lmtp=
  31. # File containing all trusted CA certificates
  32. # (comment out if no chroot or it contains all individual files)
  33. cacert_default="/etc/ssl/certs/ca-certificates.crt"
  34. realmsdir='/etc/local-REDPILL'
  35. configdirs='/etc/local /etc/local-ORG /etc/local-REDPILL /etc/local-COMMON'
  36. confdir='/etc/postfix'
  37. postconf=/usr/sbin/postconf
  38. sp='[[:space:]]'
  39. pfver="$($postconf -d mail_version | cut -d= -f2 -s)"
  40. echo "$pfver" | grep -q '2\.[2-9]' \
  41. || exit1 "ERROR: Bad postfix version - this script is known to work only for postfix 2.2 and later"
  42. pf23=
  43. ! echo "$pfver" | grep -q '2\.[3-9]' || pf23=1
  44. if ! [ -d "$realmsdir" ]; then
  45. warn "Realms directory \"$realmsdir\" does not exist."
  46. fi
  47. #postgrey=
  48. #if [ -x /usr/sbin/postgrey ]; then
  49. # # FIXME: Use this somehow, and only warn below
  50. # postgrey=1
  51. #else
  52. # exit1 "ERROR: Greylisting support (Debian package postgrey) missing."
  53. #fi
  54. cyrus=
  55. if [ -x /usr/sbin/saslauthd ]; then
  56. if saslauthd -v 2>&1 | grep -q '^saslauthd 2.1'; then
  57. cyrus=1
  58. else
  59. warn "Cyrus SASL too old - requires >= 2.1.1)."
  60. fi
  61. else
  62. warn "Cyrus SASL missing - (Debian package sasl2-bin)."
  63. fi
  64. dovecot=
  65. dovecot_deliver=
  66. if [ -x /usr/sbin/dovecot ]; then
  67. dovecot=1
  68. if [ -x /usr/lib/dovecot/deliver ]; then
  69. dovecot_deliver=1
  70. else
  71. warn "Dovecot deliver missing."
  72. fi
  73. else
  74. warn "Dovecot missing - (Debian package dovecot-core or dovecot)."
  75. fi
  76. sslcert=
  77. if [ -f /etc/ssl/certs/postfix.pem ]; then
  78. sslcert=1
  79. else
  80. warn "No TLS encryption - requires SSL certificate at /etc/ssl/certs/postfix.pem."
  81. fi
  82. sasl_main_type=
  83. sasl_dovecot=
  84. sasl_cyrus=
  85. if [ -n "$sslcert" ]; then
  86. # FIXME: We really want to check for at least 2.1.1 but that's tricky...
  87. if [ -n "$cyrus" ]; then
  88. sasl_cyrus=1
  89. sasl_main_type=cyrus
  90. fi
  91. if [ -n "$dovecot" ]; then
  92. if [ -n "$pf23" ]; then
  93. sasl_dovecot=1
  94. sasl_main_type=dovecot
  95. else
  96. warn "No Dovecot SASL - requires postfix >= 2.3."
  97. fi
  98. fi
  99. if [ -z "$sasl_main_type" ]; then
  100. warn "No SASL authentication - requires Cyrus SASL or Dovecot."
  101. fi
  102. else
  103. warn "No SASL authentication - requires TLS encryption."
  104. fi
  105. amavis=
  106. default_amavis_maxproc=2
  107. if [ -x /usr/sbin/amavisd ] || [ -x /usr/sbin/amavisd-new ]; then
  108. amavis=1
  109. else
  110. warn "AMaViS missing (Debian package amavisd-new)."
  111. fi
  112. dkimproxy=
  113. #dkimproxy_maxproc_in=5
  114. # FIXME: update actual outgoing maxproc from /etc/default/dkimproxy (and /etc/dkimproxy/dkimproxy_out.conf too?)
  115. dkimproxy_maxproc_out=5
  116. if [ -x /usr/sbin/dkimproxy.in ]; then
  117. if [ "1" = "$amavis" ]; then
  118. dkimproxy=1
  119. else
  120. warn "No DKIM/Domainkey - requires DKIMproxy and AMaViS."
  121. fi
  122. else
  123. warn "DKIMproxy missing (Debian package dkimproxy)."
  124. fi
  125. catfilefromownrealm() {
  126. set -e
  127. file="$1"
  128. [ -d "$realmsdir" ] || exit 0
  129. thisrealm="$(cat /etc/local-ORG/realm || dnsdomainname | tr '[a-z]' '[A-Z]')"
  130. cat "$realmsdir/$thisrealm/$file"
  131. }
  132. catallfilesfromotherrealms() {
  133. set -e
  134. file="$1"
  135. [ -d "$realmsdir" ] || exit 0
  136. [ -f "$realmsdir/realms" ] || exit 0
  137. realms="$(cat "$realmsdir/realms" | sed 's/#.*//')"
  138. thisrealm="$(cat /etc/local-ORG/realm || dnsdomainname | tr '[a-z]' '[A-Z]')"
  139. for realm in $realms; do
  140. if [ "$thisrealm" != "$realm" ]; then
  141. cat "$realmsdir/$realm/$file"
  142. fi
  143. done
  144. }
  145. catfirstfile() {
  146. set -e
  147. file="$1"
  148. context="${2:-postfix}"
  149. configdir=''
  150. for dir in $configdirs; do
  151. if [ -d "$dir/$context" ] && [ -f "$dir/$context/$file" ]; then
  152. configdir="$dir/$context"
  153. break
  154. fi
  155. done
  156. if [ -z "$configdir" ]; then
  157. exit1 "ERROR: file \"$file\" not found."
  158. fi
  159. cat "$configdir/$file"
  160. }
  161. # TODO: support quoted string, and trailing comment.
  162. getperlvarfromfile() {
  163. set -e
  164. export var="$1"
  165. export default="$2"
  166. file="$3"
  167. context="${4:-postfix}"
  168. catfirstfile "$file" "$context" \
  169. | perl -nE'/^\$$ENV{"var"}\h*=\h*(\d+)/ and $s=$1; END {print length($s) ? $s : $ENV{'default'}}'
  170. }
  171. getlinesfromfile() {
  172. set -e
  173. param="$1"
  174. shift
  175. replacements=
  176. for subparam in $@; do
  177. case "$subparam" in
  178. *=)
  179. oldparam="`echo $subparam | awk -F= '{print $1}'`"
  180. replacements="$replacements;s/$oldparam[^,]*,\?//"
  181. continue
  182. ;;
  183. *=*=*)
  184. oldparam="`echo $subparam | awk -F= '{print $1}'`"
  185. newparam="`echo $subparam | awk -F= '{print $2}'`"
  186. newparamfile="`echo $subparam | awk -F= '{print $3}'`"
  187. ;;
  188. *)
  189. oldparam=$subparam
  190. newparam=$subparam
  191. newparamfile=$subparam
  192. ;;
  193. esac
  194. newparamvalues="`getlinesfromfile $newparamfile | sed -e 's/.*=[ ]*//' -e 's/,/ /g'`"
  195. newstring=
  196. for newparamvalue in $newparamvalues; do
  197. newstring="${newstring}$newparam $newparamvalue,"
  198. done
  199. replacements="$replacements;s/$oldparam/$newstring/"
  200. done
  201. echo -n "$param = "
  202. catfirstfile "$param" | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[, ]*//;s/[, ]\+/,/g' -e 's/\^/ /g' -e "s/,\$//$replacements"
  203. }
  204. addoroverwritewithindents() {
  205. set -e
  206. file="$1"
  207. export token="$2"
  208. # provide replacement as STDIN
  209. perl -0777 -pi \
  210. -E 'BEGIN{ $s=<STDIN>; chomp $s }'\
  211. -E 's/$ENV{"token"}.*(?:\n\h.*)+\n/$s/m and $seen=1;'\
  212. -E 'END{ unless ($seen) { print $s } }'\
  213. "$file"
  214. }
  215. postmapfiles=
  216. tempdir="$(mktemp -td postfix.XXXXXX)"
  217. cp -a -t "$tempdir" "$confdir"/*
  218. # Inspired by D. J. Bernstein: http://cr.yp.to/smtp/greeting.html
  219. $postconf -c "$tempdir" -e 'smtpd_banner = $myhostname NO UCE ESMTP $mail_name (Debian/GNU)'
  220. # Some badly configured setup use hostname instead of FQDN
  221. # Disable completely: Effective, but hurts executive type guys using windows servers... :-(
  222. #if $postconf -c "$tempdir" myhostname | grep -q '\.'; then
  223. # $postconf -c "$tempdir" -e 'smtpd_helo_required = yes'
  224. #fi
  225. $postconf -c "$tempdir" -e 'smtpd_helo_required = no'
  226. $postconf -c "$tempdir" -e "`getlinesfromfile permit_mx_backup_networks`"
  227. $postconf -c "$tempdir" -e "maps_rbl_domains ="
  228. $postconf -c "$tempdir" -e "`getlinesfromfile smtpd_client_restrictions reject_rhsbl_client`"
  229. $postconf -c "$tempdir" -e "`getlinesfromfile smtpd_helo_restrictions`"
  230. $postconf -c "$tempdir" -e "`getlinesfromfile smtpd_sender_restrictions reject_rhsbl_sender ${dkimproxy:-check_sender_access=}`"
  231. $postconf -c "$tempdir" -e "`getlinesfromfile smtpd_recipient_restrictions reject_maps_rbl=reject_rbl_client=maps_rbl_domains`"
  232. $postconf -c "$tempdir" -e "`getlinesfromfile smtpd_data_restrictions`"
  233. # FIXME: clear only specific line (not whole file) when dkimproxy unused
  234. if [ -f "$tempdir/sender_access_regex" ]; then
  235. if [ -n "$dkimproxy" ]; then
  236. grep -q -F '/^/ FILTER dkimsign:[127.0.0.1]:10026' "$tempdir/sender_access_regex" \
  237. || echo '/^/ FILTER dkimsign:[127.0.0.1]:10026' >> "$tempdir/sender_access_regex"
  238. else
  239. if grep -q -F '/^/ FILTER dkimsign:[127.0.0.1]:10026' "$tempdir/sender_access_regex"; then
  240. echo "echo '' > \"$confdir/sender_access_regex\"" >> "$tempdir/COMMANDS"
  241. rm "$tempdir/sender_access_regex"
  242. fi
  243. fi
  244. postmapfiles="$postmapfiles sender_access_regex"
  245. fi
  246. # Support exceptions to default response
  247. # (Day Old Bread (dob) lists need to reject only temporarily)
  248. $postconf -c "$tempdir" -e "rbl_reply_maps = hash:$confdir/rbl_reply_map"
  249. cat /etc/local-COMMON/postfix/rbl_reply_map \
  250. | sed 's/#.*//' \
  251. > "$tempdir/rbl_reply_map"
  252. postmapfiles="$postmapfiles rbl_reply_map"
  253. # Verify senders of common suspicious and known verifiable domains
  254. # (exclude verification of postmaster@ to not verify verification probes)
  255. # (add own domains before peers for (rare) cases of duplicates)
  256. # FIXME: somehow do this step only if enabled in smtpd_sender_restrictions
  257. # TODO: Properly implement exception exclusion like yahoo (which does not want to be checked any longer!)
  258. cat /etc/local-COMMON/postfix/maildomains | grep -v yahoo | sort | sed 's/$/ reject_unverified_sender/' > "$tempdir/sender_access"
  259. ( catfilefromownrealm maildomains | sort; catallfilesfromotherrealms maildomains | sort ) \
  260. | sed 's/\(.*\)$/postmaster@\1 permit\n\1 reject_unverified_sender/' >> "$tempdir/sender_access"
  261. [ ! -f "$tempdir/sender_access.addon" ] || cat "$tempdir/sender_access.addon" >> "$tempdir/sender_access"
  262. postmapfiles="$postmapfiles sender_access"
  263. $postconf -c "$tempdir" -e "unverified_sender_reject_code = 550"
  264. # Trust recipient verification too
  265. $postconf -c "$tempdir" -e "unverified_recipient_reject_code = 550"
  266. if [ -n "$dovecot_deliver" ]; then
  267. $postconf -c "$tempdir" -e mailbox_command=/usr/lib/dovecot/deliver
  268. fi
  269. if [ -n "$sasl_cyrus" ]; then
  270. saslsubdir="sasl"
  271. mkdir -p "$tempdir/$saslsubdir"
  272. echo 'mech_list: plain login' > "$tempdir/$saslsubdir/smtpd.conf"
  273. echo 'minimum_layer: 0' >> "$tempdir/$saslsubdir/smtpd.conf"
  274. echo 'sasl_pwcheck_method: saslauthd' >> "$tempdir/$saslsubdir/smtpd.conf"
  275. echo 'auto_transition: false' >> "$tempdir/$saslsubdir/smtpd.conf"
  276. groups postfix | grep -q sasl || echo "adduser postfix sasl" >> "$tempdir/COMMANDS"
  277. # Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy)
  278. sed --in-place \
  279. -e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \
  280. -e "s/^#\?\(\(smtps\|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \
  281. -e "s/^#\(tlsmgr$sp\)/\1/" \
  282. "$tempdir/master.cf"
  283. addoroverwritewithindents $tempdir/master.cf '^tlsmgr\h' << EOF
  284. tlsmgr unix - - - 300 1 tlsmgr
  285. EOF
  286. fi
  287. case "$sasl_main_type" in
  288. '') ;;
  289. dovecot)
  290. $postconf -c "$tempdir" -e smtpd_sasl_type=dovecot
  291. $postconf -c "$tempdir" -e smtpd_sasl_path=private/auth
  292. ;;
  293. cyrus)
  294. $postconf -c "$tempdir" -e smtpd_sasl_type=cyrus
  295. [ -z "$pf23" ] || $postconf -c "$tempdir" -e smtpd_sasl_path=smtpd
  296. [ -n "$pf23" ] || $postconf -c "$tempdir" -e smtpd_sasl_application_name=smtpd
  297. ;;
  298. *) exit1 "ERROR: Wrong SASL type \"$sasl_main_type\"!";;
  299. esac
  300. if [ -n "$sslcert" ]; then
  301. $postconf -c "$tempdir" -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem'
  302. $postconf -c "$tempdir" -e 'smtpd_tls_loglevel = 1'
  303. $postconf -c "$tempdir" -e 'smtpd_use_tls = yes'
  304. $postconf -c "$tempdir" -e 'smtp_tls_CApath = /etc/ssl/certs'
  305. $postconf -c "$tempdir" -e 'smtpd_tls_CApath = /etc/ssl/certs'
  306. $postconf -c "$tempdir" -e 'lmtp_tls_CApath = /etc/ssl/certs'
  307. $postconf -c "$tempdir" -e smtpd_tls_CAfile="${cacert_smtpd:-$cacert_default}"
  308. $postconf -c "$tempdir" -e smtp_tls_CAfile="${cacert_smtp:-$cacert_default}"
  309. $postconf -c "$tempdir" -e lmtp_tls_CAfile="${cacert_lmtp:-$cacert_default}"
  310. $postconf -c "$tempdir" -e 'smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache'
  311. $postconf -c "$tempdir" -e 'smtpd_tls_session_cache_timeout = 3600s'
  312. $postconf -c "$tempdir" -e 'tls_random_exchange_name = ${data_directory}/prng_exch'
  313. $postconf -c "$tempdir" -e 'smtpd_tls_auth_only = yes'
  314. $postconf -c "$tempdir" -e 'smtpd_sasl_auth_enable = no' # SASL is enabled explicitly with TLS transport
  315. $postconf -c "$tempdir" -e 'smtpd_sasl_security_options = noanonymous'
  316. $postconf -c "$tempdir" -e 'smtpd_sasl_local_domain = '
  317. $postconf -c "$tempdir" -e 'smtpd_tls_received_header = yes'
  318. $postconf -c "$tempdir" -e 'broken_sasl_auth_clients = yes'
  319. $postconf -c "$tempdir" -e 'tls_random_source = dev:/dev/urandom'
  320. # Accepting client certificates breaks SMTP AUTH on OutLook Express on Mac (Classic)
  321. $postconf -c "$tempdir" -e 'smtpd_tls_ask_ccert = no'
  322. if [ -e /etc/ssl/private/postfix.pem ]; then
  323. $postconf -c "$tempdir" -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem'
  324. # Enable client side TLS only when private certificate is present
  325. $postconf -c "$tempdir" -e 'smtp_tls_cert_file = /etc/ssl/certs/postfix.pem'
  326. $postconf -c "$tempdir" -e 'smtp_tls_key_file = /etc/ssl/private/postfix.pem'
  327. $postconf -c "$tempdir" -e 'smtp_tls_loglevel = 1'
  328. $postconf -c "$tempdir" -e 'smtp_use_tls = yes'
  329. $postconf -c "$tempdir" -e 'smtp_tls_note_starttls_offer = no' # Enable to collect info for smtp_tls_per_site option
  330. $postconf -c "$tempdir" -e 'smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache'
  331. # Force using TLS for peers
  332. catallfilesfromotherrealms mailhost | sort | sed 's/^/[/;s/$/]:submission secure/' > "$tempdir/tls_policy"
  333. [ ! -f "$tempdir/tls_policy.addon" ] || cat "$tempdir/tls_policy.addon" >> "$tempdir/tls_policy"
  334. postmapfiles="$postmapfiles tls_policy"
  335. $postconf -c "$tempdir" -e "smtp_tls_policy_maps = hash:$confdir/tls_policy"
  336. else
  337. $postconf -c "$tempdir" -e 'smtp_use_tls = no'
  338. warn "No client-side TLS - requires private SSL certificate at /etc/ssl/private/postfix.pem."
  339. fi
  340. fi
  341. if [ -n "$amavis" ]; then
  342. $postconf -c "$tempdir" -e 'max_use = 10' # Avoid too much reuse
  343. amavis_maxproc=$(getperlvarfromfile max_servers "$default_amavis_maxproc" amavisd.conf.addon amavis)
  344. addoroverwritewithindents $tempdir/master.cf '^smtp-amavis\h' << EOF
  345. smtp-amavis unix - - n - $amavis_maxproc smtp
  346. -o smtp_data_done_timeout=1200s
  347. -o smtp_never_send_ehlo=yes
  348. -o smtp_send_xforward_command=yes
  349. -o disable_dns_lookups=yes
  350. -o max_use=20
  351. EOF
  352. addoroverwritewithindents $tempdir/master.cf '^127.0.0.1:10025\h' << EOF
  353. 127.0.0.1:10025 inet n - n - - smtpd
  354. -o content_filter=
  355. -o local_recipient_maps=
  356. -o relay_recipient_maps=
  357. -o smtpd_restriction_classes=
  358. -o smtpd_delay_reject=no
  359. -o smtpd_client_restrictions=permit_mynetworks,reject
  360. -o smtpd_helo_restrictions=
  361. -o smtpd_sender_restrictions=
  362. -o smtpd_recipient_restrictions=permit_mynetworks,reject
  363. -o mynetworks_style=host
  364. -o mynetworks=127.0.0.0/8
  365. -o strict_rfc821_envelopes=yes
  366. -o smtpd_error_sleep_time=0
  367. -o smtpd_soft_error_limit=1001
  368. EOF
  369. if [ -n "$dkimproxy" ]; then
  370. $postconf -c "$tempdir" -e 'content_filter = smtp-amavis:[127.0.0.1]:10028'
  371. # FIXME: needs multiline replacementroutine (using perl?)
  372. # addoroverwritewithindents $tempdir/master.cf '^submission\h' << EOF
  373. #submission inet n - n - - smtpd
  374. # -o smtpd_etrn_restrictions=reject
  375. # -o smtpd_enforce_tls=yes
  376. # -o smtpd_sasl_auth_enable=yes
  377. # -o content_filter=dkimsign:[127.0.0.1]:10028
  378. # -o receive_override_options=no_address_mappings
  379. # -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  380. #EOF
  381. # addoroverwritewithindents $tempdir/master.cf '^pickup\h' << EOF
  382. #pickup fifo n - - 60 1 pickup
  383. # -o content_filter=dkimsign:127.0.0.1:10028
  384. #EOF
  385. addoroverwritewithindents $tempdir/master.cf '^dkimsign\h' << EOF
  386. dkimsign unix - - n - $dkimproxy_maxproc_out smtp
  387. -o smtp_send_xforward_command=yes
  388. -o smtp_discard_ehlo_keywords=8bitmime,starttls
  389. EOF
  390. addoroverwritewithindents $tempdir/master.cf '^127\.0\.0\.1:10029\h' << EOF
  391. 127.0.0.1:10029 inet n - n - - smtpd
  392. -o content_filter=
  393. -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  394. -o smtpd_helo_restrictions=
  395. -o smtpd_client_restrictions=
  396. -o smtpd_sender_restrictions=
  397. -o smtpd_recipient_restrictions=permit_mynetworks,reject
  398. -o mynetworks=127.0.0.0/8
  399. -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  400. EOF
  401. else
  402. $postconf -c "$tempdir" -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'
  403. fi
  404. fi
  405. diff -ruN "$confdir" "$tempdir" || if [ $? -gt 1 ]; then exit $?; else needs_reload="1"; fi
  406. if [ "$force" = "1" ]; then
  407. do_update="y"
  408. elif [ "1" = "$needs_reload" ]; then
  409. echo -n "Above is the intended changes. OK to update (y/N)? "
  410. read do_update
  411. fi
  412. case $do_update in
  413. y|Y)
  414. if [ -f "$tempdir/COMMANDS" ]; then
  415. cat "$tempdir/COMMANDS" | sh -s
  416. fi
  417. rm -f "$tempdir/COMMANDS"
  418. diff -q "$confdir/master.cf" "$tempdir/master.cf" || if [ $? -gt 1 ]; then exit $?; else needs_restart="1"; fi
  419. cp -a -f -t "$confdir" "$tempdir"/*
  420. rm -rf "$tempdir"
  421. for file in $postmapfiles; do
  422. postmap "$confdir/$file"
  423. done
  424. if [ "1" = "$needs_restart" ]; then
  425. invoke-rc.d postfix restart
  426. else
  427. invoke-rc.d postfix force-reload
  428. fi
  429. if [ "1" = "$needs_reload" ]; then
  430. echo >&2 "Changes applied!"
  431. fi
  432. ;;
  433. *)
  434. if [ "1" = "$needs_reload" ]; then
  435. exit1 "Aborted!"
  436. fi
  437. ;;
  438. esac
  439. if [ "1" != "$needs_reload" ]; then
  440. echo >&2 "No changes needed!"
  441. fi
  442. # Based on this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
  443. # Support for trusted MX backup networks added
  444. # PCRE stuff avoided, as PCRE is only optional on newest Debian packages
  445. # RBLs replaced with those recommended by http://www.antispews.org/
  446. # AMaViS tweaks as documented in amavisd-new package
  447. # AUTH-SMTP based on these:
  448. # http://lists.q-linux.com/pipermail/plug/2003-July/029503.html
  449. # http://www.porcupine.org/postfix-mirror/newdoc/SASL_README.html
  450. # Here's a convenient overview of different blackholes:
  451. # http://rbls.org/