ISPConfig / ISPConfig 3 / Commits / 709aed2c

Commit 709aed2c authored Feb 03, 2016 by Jesse Norell
add smtpd_helo_restrictions
parent bc3a7750
Showing 7 changed files with 106 additions and 0 deletions (+106 -0)
install/lib/installer_base.lib.php (+22 -0)
install/tpl/blacklist_helo.master (+57 -0)
install/tpl/debian_postfix.conf.master (+2 -0)
install/tpl/fedora_postfix.conf.master (+2 -0)
install/tpl/gentoo_postfix.conf.master (+2 -0)
install/tpl/helo_access.master (+19 -0)
install/tpl/opensuse_postfix.conf.master (+2 -0)
install/lib/installer_base.lib.php @ 709aed2c
@@ -903,6 +903,7 @@ class installer_base {
'{rbl_list}'
=>
$rbl_list
,
'{greylisting}'
=>
$greylisting
,
'{reject_slm}'
=>
$reject_sender_login_mismatch
,
'{myhostname}'
=>
$conf
[
'hostname'
],
);
$postconf_tpl
=
rfsel
(
$conf
[
'ispconfig_install_dir'
]
.
'/server/conf-custom/install/debian_postfix.conf.master'
,
'tpl/debian_postfix.conf.master'
);
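Review bot: `$conf['hostname']` is substituted into `{myhostname}` unescaped, and the only new consumer of that placeholder is `helo_access.master`, which main.cf loads through `check_helo_access regexp:{config_dir}/helo_access`. Inside a regexp table every `.` in the hostname is a wildcard, so once the template rule is written as a proper `/^…$/` pattern, `mail.example.com` would also match `mailXexample.com`. Emit the placeholder through `preg_quote()` so the generated rule matches the hostname literally, e.g. `'{myhostname}' => preg_quote($conf['hostname'], '/'),`.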
@@ -933,6 +934,27 @@ class installer_base {
if
(
!
is_file
(
'/var/lib/mailman/data/transport-mailman'
))
touch
(
'/var/lib/mailman/data/transport-mailman'
);
exec
(
'/usr/sbin/postmap /var/lib/mailman/data/transport-mailman'
);
//* Create auxillary postfix conf files
$configfile
=
'helo_access'
;
if
(
is_file
(
$config_dir
.
'/'
.
$configfile
))
{
copy
(
$config_dir
.
'/'
.
$configfile
,
$config_dir
.
'/'
.
$configfile
.
'~'
);
}
chmod
(
$config_dir
.
'/'
.
$configfile
.
'~'
,
0400
);
$content
=
rfsel
(
$conf
[
'ispconfig_install_dir'
]
.
'/server/conf-custom/install/'
.
$configfile
.
'.master'
,
'tpl/'
.
$configfile
.
'.master'
);
$content
=
strtr
(
$content
,
$postconf_placeholders
);
# todo: look up this server's ip addrs and loop through each
# todo: look up domains hosted on this server and loop through each
wf
(
$config_dir
.
'/'
.
$configfile
,
$content
);
$configfile
=
'blacklist_helo'
;
if
(
is_file
(
$config_dir
.
'/'
.
$configfile
))
{
copy
(
$config_dir
.
'/'
.
$configfile
,
$config_dir
.
'/'
.
$configfile
.
'~'
);
}
chmod
(
$config_dir
.
'/'
.
$configfile
.
'~'
,
0400
);
$content
=
rfsel
(
$conf
[
'ispconfig_install_dir'
]
.
'/server/conf-custom/install/'
.
$configfile
.
'.master'
,
'tpl/'
.
$configfile
.
'.master'
);
$content
=
strtr
(
$content
,
$postconf_placeholders
);
wf
(
$config_dir
.
'/'
.
$configfile
,
$content
);
//* Make a backup copy of the main.cf file
copy
(
$config_dir
.
'/main.cf'
,
$config_dir
.
'/main.cf~'
);
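Review bot: `chmod($config_dir.'/'.$configfile.'~', 0400)` sits outside the `if (is_file(...))` block, so on a fresh install, where neither `helo_access` nor `blacklist_helo` exists yet and no backup is copied, it is called on a missing file and PHP emits a warning; move the `chmod()` inside the `if` (the `blacklist_helo` block below has the same problem). The two blocks are otherwise identical, so a `foreach (array('helo_access', 'blacklist_helo') as $configfile)` loop would keep them in sync. The two `# todo:` comments also use a different comment style from the `//*` comments elsewhere in this file, and they duplicate the `# TODO` lines already placed in `helo_access.master`; one location is enough.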
install/tpl/blacklist_helo.master (new file, 0 → 100644) @ 709aed2c
# blacklist_helo - after permit_sasl, used to stop common spammers/misconfigurations
#
# probably just put REJECT lines in here,
# as OK lines will bypass a lot of other checks you may want done
# (use DUNNO instead of OK)
#
# common for spammers (check https://data.iana.org/TLD/tlds-alpha-by-domain.txt and remove valid tld's occasionally)
/.*\.administrator$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.admin$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.adsl$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.arpa$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.bac$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.coma$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.dhcp$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.dlink$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.dns$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.domain$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.dynamic$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.dyndns\.org$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.dyn$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.firewall$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.gateway$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.home$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.internal$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.intern$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.janak$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.kornet$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.lab$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.lan$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.localdomain$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.localhost$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
# .local is used by spammers a lot, but too many otherwise legit servers hit it
# (instead of REJECT, should send to greylisting)
#/.*\.local$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.loc$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.lokal$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.mail$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.nat$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.netzwerk$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.pc$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.privat$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.private$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.router$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.setup$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.119$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.beeline$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.cici$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.gt_3g$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.gt-3g$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.hananet$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.skbroadband$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
/.*\.tbroad$/ REJECT HELO hostname is using a top level domain that does not exist. See RFC 2821 section 3.6.
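Review bot: the shared reject text ("top level domain that does not exist") is wrong for two entries: `arpa` is a delegated TLD and appears in the IANA list the header comment points to, and `/.*\.dyndns\.org$/` matches a registered second-level domain, not a TLD. Give those lines their own reason (for example "dynamic DNS hostname, not a mail server") or drop them; otherwise the header's advice to "remove valid tld's occasionally" will lead the next maintainer to delete entries that were meant to stay. The leading `.*` in every pattern is redundant, since regexp table matching is not anchored at the start; `/\.lan$/` is equivalent and cheaper. The commented-out `.local` rule says it should go to greylisting instead of REJECT; a `check_helo_access` result can name a restriction class (`smtpd_restriction_classes`), so that can be done without leaving the line dead.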
install/tpl/debian_postfix.conf.master @ 709aed2c
@@ -24,6 +24,8 @@ relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
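Review bot: `reject_invalid_helo_hostname` is evaluated before `permit_mynetworks`, so a host inside `$mynetworks` that sends a syntactically malformed HELO is now rejected instead of being whitelisted; if that is intended it deserves a comment in the template, otherwise move `permit_mynetworks` first. The trailing `permit` is Postfix's default action at the end of a restriction list and can be dropped. Note also that with Postfix's default `smtpd_delay_reject = yes` these rejections are delivered at RCPT TO, not in the HELO reply, which is worth knowing when reading the resulting `reject` and `reject_warning` log lines.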
install/tpl/fedora_postfix.conf.master @ 709aed2c
@@ -21,6 +21,8 @@ relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
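Review bot: `smtpd_helo_required = yes` and this restriction list apply to every smtpd instance, including the submission and smtps services, unless master.cf overrides them with `-o smtpd_helo_restrictions=`; master.cf is not part of this change, so confirm those services either get their own list or that `permit_sasl_authenticated` sitting ahead of `reject_non_fqdn_helo_hostname` is deliberately relied on for authenticated MUAs that greet with a bare workstation name.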
install/tpl/gentoo_postfix.conf.master @ 709aed2c
@@ -20,6 +20,8 @@ relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
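Review bot: `check_helo_access regexp:{config_dir}/helo_access` is placed ahead of `permit_sasl_authenticated`, so a SASL-authenticated client that greets with the server's own hostname is rejected despite having authenticated. The template header (`# helo_access - before permit_sasl`) shows this is deliberate, but the map entry `{myhostname} REJECT` carries no reason text, so such a user gets Postfix's default "Access denied" and the log does not say which rule fired. Put a message after `REJECT` in `helo_access.master`, as every `blacklist_helo.master` rule does, so the rejection explains itself.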
install/tpl/helo_access.master (new file, 0 → 100644) @ 709aed2c
# helo_access - before permit_sasl
# be sure to list your own hostname(s), domain(s) and IP address(es) here
# Reject others identifying with this machine's hostnames and IP addresses
{myhostname} REJECT
#/^((smtp|mx|mail)\.domain1\.com$/ REJECT
#/^mail\.domain2\.com$/ REJECT
# TODO: this server's ip addr loop here
#/^\[?1\.2\.3\.4\]?$/ REJECT
#/^\[?12\.34\.56\.78\]?$/ REJECT
#/^\[?123\.234\.123\.234\]?$/ REJECT
# Reject others identifying as domains we host
# TODO: this server's hosted mail domains loop here
#/^domain1\.com$/ REJECT
#/^domain2\.com$/ REJECT
#/^domain3\.net$/ REJECT
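Review bot: `{myhostname} REJECT` is the only rule in this file not written as a `/pattern/` entry, yet main.cf loads the file as a `regexp:` table, where each pattern must be enclosed in a pair of delimiters; as written, the expanded hostname is not a valid regexp rule. Write it as `/^{myhostname}$/ REJECT`, with the hostname escaped on the PHP side so its dots match literally. The commented example `#/^((smtp|mx|mail)\.domain1\.com$/ REJECT` also has an unbalanced parenthesis and will fail to compile the moment an admin uncomments it; it should read `/^(smtp|mx|mail)\.domain1\.com$/ REJECT`.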
install/tpl/opensuse_postfix.conf.master @ 709aed2c
@@ -23,6 +23,8 @@ relay_domains = mysql:{config_dir}/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:{config_dir}/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:{config_dir}/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:{config_dir}/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:{config_dir}/blacklist_helo, warn_if_reject reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = check_sender_access mysql:{config_dir}/mysql-virtual_sender.cf regexp:{config_dir}/tag_as_originating.re{reject_slm}, permit_mynetworks, check_sender_access regexp:{config_dir}/tag_as_foreign.re
smtpd_client_restrictions = check_client_access mysql:{config_dir}/mysql-virtual_client.cf
smtpd_client_message_rate_limit = 100
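Review bot: `warn_if_reject reject_unknown_helo_hostname` only writes a `reject_warning` log line and never blocks, so a HELO name that resolves to nothing still passes this list; that is a sensible staged rollout, but neither the commit message nor the template says how an administrator is expected to review those warnings before removing `warn_if_reject`. `reject_unknown_helo_hostname` also costs a DNS lookup per client at SMTP time, so keeping it behind `permit_mynetworks` and `permit_sasl_authenticated`, as done here, is the right placement.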