From 63b5aa587947a4e76a1207b49897d2fb0029bea8 Mon Sep 17 00:00:00 2001
From: Zeljko Boros
Date: Fri, 30 Apr 2021 13:25:15 +0200
Subject: [PATCH] Preslagivanje access i check lista, ovisnost o postfix-pcre
---
access_body_cn => cn-body-checks | 0
access_client_cn => cn-client-access | 0
access_header_cn => cn-header-checks | 0
access_helo_cn => cn-helo-access | 0
access_mime_header_cn => cn-mime-header-checks | 0
cn-nested-header-checks | 3 +++
access_recipient_cn => cn-recipient-access | 0
access_sender_cn => cn-sender-access | 0
debian/control | 2 +-
debian/install | 15 ++++++------
debian/postinst | 31 ++++++++++++++++++------
11 files changed, 35 insertions(+), 16 deletions(-)
rename access_body_cn => cn-body-checks (100%)
rename access_client_cn => cn-client-access (100%)
rename access_header_cn => cn-header-checks (100%)
rename access_helo_cn => cn-helo-access (100%)
rename access_mime_header_cn => cn-mime-header-checks (100%)
create mode 100644 cn-nested-header-checks
rename access_recipient_cn => cn-recipient-access (100%)
rename access_sender_cn => cn-sender-access (100%)
diff --git a/access_body_cn b/cn-body-checks
similarity index 100%
rename from access_body_cn
rename to cn-body-checks
diff --git a/access_client_cn b/cn-client-access
similarity index 100%
rename from access_client_cn
rename to cn-client-access
diff --git a/access_header_cn b/cn-header-checks
similarity index 100%
rename from access_header_cn
rename to cn-header-checks
diff --git a/access_helo_cn b/cn-helo-access
similarity index 100%
rename from access_helo_cn
rename to cn-helo-access
diff --git a/access_mime_header_cn b/cn-mime-header-checks
similarity index 100%
rename from access_mime_header_cn
rename to cn-mime-header-checks
diff --git a/cn-nested-header-checks b/cn-nested-header-checks
new file mode 100644
index 0000000..3bf8ee4
--- /dev/null
+++ b/cn-nested-header-checks
@@ -0,0 +1,3 @@ +# OPREZ: Ukoliko niste dobro upoznati s regularnim izrazima, dobro istestirajte prije puštanja u rad! +# Ova pravila se primjenjuju na zaglavlja poruka koja se nalaze u prilogu mailu (attachmentu), osim za +# zaglavlja koja su već procesirana sa "mime_header_checks" diff --git a/access_recipient_cn b/cn-recipient-access similarity index 100% rename from access_recipient_cn rename to cn-recipient-access diff --git a/access_sender_cn b/cn-sender-access similarity index 100% rename from access_sender_cn rename to cn-sender-access diff --git a/debian/control b/debian/control index 77b7e48..5c73459 100644 --- a/debian/control +++ b/debian/control @@ -8,7 +8,7 @@ Standards-Version: 3.9.8 Package: postfix-cn Architecture: all -Depends: ${misc:Depends}, postfix (>= 3.4.10), carnet-tools-cn (>= 3.2.1), sasl2-bin (>= 2.1.27), libsasl2-modules (>= 2.1.27), debconf, openssl, adduser +Depends: ${misc:Depends}, postfix (>= 3.4.10), carnet-tools-cn (>= 3.2.2), sasl2-bin (>= 2.1.27), libsasl2-modules (>= 2.1.27), debconf, openssl, adduser, postfix-pcre Conflicts: sendmail-cn, amavisd-cn (<< 2:20030616p10-10), amavisd-new-milter, sendmail-base Suggests: amavisd-cn Description: High-performance mail transport agent diff --git a/debian/install b/debian/install index fad4a87..afe79e8 100644 --- a/debian/install +++ b/debian/install @@ -1,9 +1,10 @@ carnet_whitelist_clients usr/share/postfix-cn newaliases-gecos usr/sbin -access_client_cn etc/postfix -access_helo_cn etc/postfix -access_sender_cn etc/postfix -access_recipient_cn etc/postfix -access_header_cn etc/postfix -access_mime_header_cn etc/postfix -access_body_cn etc/postfix +cn-client-access etc/postfix +cn-helo-access etc/postfix +cn-sender-access etc/postfix +cn-recipient-access etc/postfix +cn-header-checks etc/postfix +cn-mime-header-checks etc/postfix +cn-nested-header-checks etc/postfix +cn-body-checks etc/postfix diff --git a/debian/postinst b/debian/postinst index a88f6ed..0749482 100755 
--- a/debian/postinst +++ b/debian/postinst @@ -41,6 +41,16 @@ if echo $rbl | grep -q dnsbl.njabl.org; then db_set postfix-cn/rbl "$rbl" || true fi +# zelja, 2021-04-29 +# ako je spamhaus.org ovdje, postavi eta.cert.hr, a sam +# spamhaus je nepotreban, jer imamo zen.dnsbl-sh.carnet.hr +if echo $rbl | grep -q zen.spamhaus.org; then + rbl="`echo $rbl | sed 's/zen.spamhaus.org, /eta.cert.hr, /g'`" + # za svaki slucaj, ako je na kraju + rbl="`echo $rbl | sed 's/zen.spamhaus.org/eta.cert.hr/g'`" + db_set postfix-cn/rbl "$rbl" || true +fi + db_get postfix-cn/matchgecos || true matchgecos="$RET" @@ -208,13 +218,10 @@ smtpd_recipient_restrictions="reject_invalid_hostname, \ permit_sasl_authenticated, \ permit_mynetworks, \ reject_unauth_destination, \ - check_client_access hash:/etc/postfix/access_client_cn, \ - check_helo_access hash:/etc/postfix/access_helo_cn, \ - check_sender_access hash:/etc/postfix/access_sender_cn, \ - check_recipient_access hash:/etc/postfix/access_recipient_cn, \ - check_header_access regexp:/etc/postfix/access_header_cn, \ - check_mime_header_access regexp:/etc/postfix/access_mime_header_cn, \ - check_body_access regexp:/etc/postfix/access_body_cn" + check_client_access hash:/etc/postfix/client_access.cn, \ + check_helo_access hash:/etc/postfix/helo_access.cn, \ + check_sender_access hash:/etc/postfix/sender_access.cn, \ + check_recipient_access hash:/etc/postfix/recipient_access.cn" # dodaj samo rbl-ove iz debconfa if [ "$rbl" ]; then 
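Review bot: The two `sed` passes in the added spamhaus block leave the dots in `zen.spamhaus.org` unescaped and expand `$rbl` unquoted, and the second substitution already covers every case the first one handles. One quoted call does the same job: `rbl=$(printf '%s\n' "$rbl" | sed 's/zen\.spamhaus\.org/eta.cert.hr/g')`. If `eta.cert.hr` is already present in the debconf value, the list ends up containing it twice, so it is worth checking for it first and removing the spamhaus entry instead of rewriting it in that case. The njabl block shown as context above uses the same unquoted `echo $rbl | grep` form.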
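Review bot: The new lookup paths in `smtpd_recipient_restrictions` do not match the file names that `debian/install` ships: this hunk points at `/etc/postfix/client_access.cn`, `helo_access.cn`, `sender_access.cn` and `recipient_access.cn`, while the package installs `cn-client-access`, `cn-helo-access`, `cn-sender-access` and `cn-recipient-access`. The `@@ -227,6 +234,14 @@` hunk has the same mismatch for `header_checks.cn`, `mime_header_checks.cn`, `nested_header_checks.cn` and `body_checks.cn` against `cn-header-checks`, `cn-mime-header-checks`, `cn-nested-header-checks` and `cn-body-checks`. Unless a part of postinst outside these hunks copies or links the files (and runs `postmap` for the `hash:` tables), Postfix ends up configured with tables it cannot open, which normally shows up as deferred mail rather than filtered mail. One naming scheme should be used in both places, e.g. `check_client_access hash:/etc/postfix/cn-client-access, \` and `postconf -e header_checks="pcre:/etc/postfix/cn-header-checks"`.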
@@ -227,6 +234,14 @@ fi smtpd_recipient_restrictions="$smtpd_recipient_restrictions, permit" postconf -e smtpd_recipient_restrictions="$smtpd_recipient_restrictions" +# Header & body checks + +postconf -e header_checks="pcre:/etc/postfix/header_checks.cn" +postconf -e mime_header_checks="pcre:/etc/postfix/mime_header_checks.cn" +postconf -e nested_header_checks="pcre:/etc/postfix/nested_header_checks.cn" +postconf -e body_checks="pcre:/etc/postfix/body_checks.cn" + + # SASL stuff postconf -e smtpd_sasl_auth_enable="yes" postconf -e smtpd_sasl_security_options="noanonymous" @@ -400,7 +415,7 @@ fi # rjesava gresku using backwards-compatible default setting chroot=y -for service in smtp/inet smtp/unix submission/inet pickup/fifo cleanup/unix qmgr/fifo rewrite/unix bounce/unix defer/unix trace/unix verify/unix flush/unix relay/unix showq/unix error/unix scache/unix discard/unix retry/unix +for service in smtps/inet smtp/inet smtp/unix submission/inet pickup/fifo cleanup/unix qmgr/fifo rewrite/unix bounce/unix defer/unix trace/unix verify/unix flush/unix relay/unix showq/unix error/unix scache/unix discard/unix retry/unix do postconf -F $service/chroot=y done -- 1.7.10.4
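Review bot: `smtps/inet` is now the first entry in the chroot loop, but nothing in the hunk shows that an `smtps` service is defined in master.cf when the loop runs. It is worth confirming how `postconf -F` behaves for a service that is not defined, because a non-zero exit there would abort the maintainer script if it runs under `set -e` (not visible here). `$service` is also expanded unquoted; `postconf -F "$service/chroot=y"` is the safer form.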