[postfix] On fait une configuration un peu plus propre, et on ajoute postscreen.

This commit is contained in:
Pierre-Elliott Bécue 2013-07-27 19:43:37 +02:00
parent c23d310bec
commit 171186bb04
3 changed files with 55 additions and 25 deletions


@ -203,9 +203,9 @@ tls_daemon_random_source = "dev:/dev/urandom"
if main: if main:
@# Authentification SASL pour relayer du mail @# Authentification SASL pour relayer du mail
smtpd_sasl_auth_enable = True @smtpd_sasl_auth_enable=yes
@# Auth que si tls pour eviter des pass en clair sur le reseau @# Auth que si tls pour eviter des pass en clair sur le reseau
smtpd_tls_auth_only = True @smtpd_tls_auth_only=yes
@# +--------------------------+ @# +--------------------------+
@# | Filtrages et limitations | @# | Filtrages et limitations |
@ -213,16 +213,13 @@ if main:
if main: if main:
@# Filtrage sur les sources de connexions @# Filtrage sur les sources de connexions
print "smtpd_client_restrictions = permit_mynetworks" @smtpd_client_restrictions=permit_mynetworks
#print " reject_rbl_client dnsbl.ahbl.org"
#print " reject_rbl_client dnsbl.njabl.org"
#print " reject_rbl_client dnsbl.inps.de"
@ @
@# @#
@# Requiring this will stop some UCE software. @# Requiring this will stop some UCE software.
@# (UCE = Unsolicited Commercial Email = SPAM) @# (UCE = Unsolicited Commercial Email = SPAM)
@# @#
smtpd_require_helo = "yes" @smtpd_require_helo=yes
@ @
@# Reject the request when the client HELO or EHLO parameter has a bad hostname syntax. @# Reject the request when the client HELO or EHLO parameter has a bad hostname syntax.
@# reject_unknown_hostname value not recommended, because it may causes mail losting. @# reject_unknown_hostname value not recommended, because it may causes mail losting.
@ -238,20 +235,20 @@ if main:
@## Limitation des messages envoyés par minute @## Limitation des messages envoyés par minute
@# On n'ignore que les messages venant d'adresses "protégées" @# On n'ignore que les messages venant d'adresses "protégées"
smtpd_client_event_limit_exceptions = local_networks @smtpd_client_event_limit_exceptions=local_networks
if mx: if mx:
add(adm_networks) add(adm_networks)
@# On limite à 10 messages par minute @# On limite à 10 messages par minute
smtpd_client_message_rate_limit = 10 @smtpd_client_message_rate_limit=10
@## Filtrage au MAIL FROM @## Filtrage au MAIL FROM
@# Rejet si le domaine de l'envoyeur n'est pas dans un DNS @# Rejet si le domaine de l'envoyeur n'est pas dans un DNS
smtpd_sender_restrictions = "reject_unknown_sender_domain" @smtpd_sender_restrictions=reject_unknown_sender_domain
@## Filtrage au RCPT TO @## Filtrage au RCPT TO
@# permet si le client est dans le reseau local @# permet si le client est dans le reseau local
smtpd_recipient_restrictions = "permit_mynetworks" @smtpd_recipient_restrictions=permit_mynetworks
@# rejette les recipients sans nom de domaine totalement qualifie @# rejette les recipients sans nom de domaine totalement qualifie
add("reject_non_fqdn_recipient") add("reject_non_fqdn_recipient")
if main: if main:
@ -294,4 +291,36 @@ if not secondary:
relayhost = "[ovh.adm.crans.org]:25" relayhost = "[ovh.adm.crans.org]:25"
if has("titanic"): if has("titanic"):
@relayhost = "[ovh.adm.crans.org]:25" @relayhost=[ovh.adm.crans.org]:25
@# PostScreen configuration
@# Access List
@postscreen_access_list = cidr:/etc/postfix/postscreen_access.cidr
@## Tu es blacklisté ? VTFF
@postscreen_blacklist_action = drop
@
@# Bannière d'accueil multi valuée
@postscreen_greet_banner = Bienvenue au crans, veuillez patienter quelques secondes.
@## On fait semblant d'aller à RCPT TO, puis poubelle
@postscreen_greet_action = enforce
@
@# RBL, le retour
@postscreen_dnsbl_sites =
@ zen.spamhaus.org*2
@ dnsbl.inps.de*2
@ dnsbl.ahbl.org
@ b.barracudacentral.org
@
@# Score >= 3 ? Bye bye
@postscreen_dnsbl_threshold = 3
@postscreen_dnsbl_action = enforce
@
@# Filtre utilisé par postfix, mis en amont via postscreen
@postscreen_non_smtp_command_enable = yes
@postscreen_non_smtp_command_action = enforce
@
@postscreen_bare_newline_enable = yes
@postscreen_bare_newline_action = enforce
@
@postscreen_pipelining_enable = yes
@postscreen_pipelining_action = enforce
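Review bot: `postscreen_access_list = cidr:/etc/postfix/postscreen_access.cidr` in the last hunk (@ -294,4) replaces the parameter's default of `permit_mynetworks`, so hosts in $mynetworks are exempted from postscreen only if the CIDR file repeats them, and the new file lists just 127.0.0.1, 138.231.0.0/16 and 10.231.136.0/24. If $mynetworks is wider (IPv6 ranges, other admin networks), keeping the default as the first entry avoids subjecting internal relays to the DNSBL checks and to the retry delay that the enabled after-220 tests (pipelining, non_smtp_command, bare_newline) impose on first-time clients: `postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr`. With `postscreen_dnsbl_threshold = 3` and weights of 2 and 1, no single list can reject on its own, which is worth stating in the comment above `postscreen_dnsbl_sites` so the weights are not later "simplified" away. Whether these postscreen lines sit inside the preceding `if has("titanic"):` cannot be told from the rendered page, and that block may continue past the hunk.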


@ -95,24 +95,24 @@ if has("titanic"):
@# service type private unpriv chroot wakeup maxproc command + args @# service type private unpriv chroot wakeup maxproc command + args
@# (yes) (yes) (yes) (never) (50) @# (yes) (yes) (yes) (never) (50)
@# ========================================================================== @# ==========================================================================
@smtp inet n - - - 1 postscreen
@smtpd pass - - - - - smtpd
if tracker:
@ -o receive_override_options=no_address_mappings
@dnsblog unix - - - - 0 dnsblog
if main: if main:
@smtp inet n - - - - smtpd @submission inet n - - - - smtpd
@ -o smtpd_tls_security_level=encrypt
@ -o smtpd_sasl_auth_enable=yes
@ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
@ -o milter_macro_daemon_name=ORIGINATING
@smtps inet n - - - - smtpd @smtps inet n - - - - smtpd
@ -o smtpd_tls_wrappermode=yes @ -o smtpd_tls_wrappermode=yes
@ -o smtpd_sasl_auth_enable=yes @ -o smtpd_sasl_auth_enable=yes
@ -o smtpd_client_restrictions=permit_sasl_authenticated,reject @ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
elif tracker:
@smtp inet n - - - - smtpd
@ -o receive_override_options=no_address_mappings
else:
if has("titanic"):
print ext + ":smtp inet n - - - - smtpd"
print pub + ":smtp inet n - - - - smtpd"
print adm + ":smtp inet n - - - - smtpd"
if not public: if not public:
print " -o content_filter=lmtp:[amavis.adm.crans.org]:10024" print " -o content_filter=lmtp:[amavis.adm.crans.org]:10024"
print loc + ":smtp inet n - - - - smtpd" @#628 inet n - - - - qmqpd
#628 inet n - - - - qmqpd
@pickup fifo n - - 60 1 pickup @pickup fifo n - - 60 1 pickup
@cleanup unix n - - - 0 cleanup @cleanup unix n - - - 0 cleanup
@qmgr fifo n - - 300 1 qmgr @qmgr fifo n - - 300 1 qmgr
@ -159,8 +159,6 @@ if has("news"):
@ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store $${nexthop} $${user} $${extension} @ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store $${nexthop} $${user} $${extension}
@# only used by postfix-tls @# only used by postfix-tls
@smtps inet n - - - - smtpd -o smtpd_tls_wrappermode=yes
@587 inet n - - - - smtpd -o smtpd_enforce_tls=yes
@tlsmgr unix - - n 300 1 tlsmgr @tlsmgr unix - - n 300 1 tlsmgr
if users: if users:
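Review bot: The amavis `-o content_filter=lmtp:[amavis.adm.crans.org]:10024` line emitted under `if not public:` near the end of the first hunk (@ -95,24) no longer trails an `smtp`/`smtpd` service: the per-interface `smtp ... smtpd` entries it used to follow are removed, so on the new side it is appended to whichever service was printed last — `smtps` on main hosts, `dnsblog` elsewhere — if the lost indentation is read as top level. Incoming mail on the new `smtp` (postscreen) / `smtpd pass` path would then bypass the content filter without any error. Emitting the block directly after `@smtpd pass - - - - - smtpd`, next to the tracker-only `-o receive_override_options` line, puts the filter back on the real delivery path: `@smtpd pass - - - - - smtpd` / `if not public:` / `@ -o content_filter=lmtp:[amavis.adm.crans.org]:10024`. This is inferred from the rendered page, where template indentation is lost; confirm against the generated master.cf on a non-main host.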


@ -0,0 +1,3 @@
127.0.0.1 permit
138.231.0.0/16 permit
10.231.136.0/24 permit
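Review bot: The new access list holds IPv4 entries only; if Postfix on these hosts also listens on IPv6 (`inet_protocols`), loopback and any IPv6 admin ranges are not exempted from postscreen, and because the main.cf hunk points `postscreen_access_list` at this file alone, the entries here define the whole exemption set. Either add the matching entries (e.g. `::1/128 permit`) or confirm the listeners are IPv4-only. A one-line header comment naming the consumer (`# postscreen_access_list, see main.cf`) would also help, since nothing in the file says what reads it.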