Hello, I have been testing policyd for about a week now. It is a really nice piece of software, so I would like this package to appear in PLD. If you look after a mail server running on Postfix, I encourage you to give PolicyD a try.
If anyone has questions about Postfix or PolicyD, I will try to help, so feel free to write. I would welcome comments on the spec; if anyone wants to introduce significant changes, please let me know privately. PS. Is there somewhere one can sign up to follow changes to individual specs in CVS? -- best regards q#
######################################################################
# POLICY DAEMON CONFIGURATION                                        #
######################################################################
# DATABASE CONFIG                                                    #
######################################################################
#
# ip address or hostname to connect to:
#
# if you want to connect to a host/ip, enter it here.
# if you want to connect via a unix socket, set MYSQLHOST=""
#
MYSQLHOST="127.0.0.1"
#
# database name:
#
# name of database to connect to
#
MYSQLDBASE="policyd_database"
#
# database username:
#
# username to connect to database as
#
MYSQLUSER="policyd_username"
#
# database password:
#
# password for username
#
MYSQLPASS="secret_password"
#
# failsafe/failover mode:                                  default: on
#
# if the database or queries fail, continue accepting mail
#
# 1=on 0=off
FAILSAFE=1
#
# database keep alive:                                     default: off
#
# if you receive very little mail, your connection to the
# mysql database will time out. enabling this option pings
# the database to ensure the database connection is alive.
# if it is not, it reconnects to the database. this option
# is not needed on mail servers that receive more than one
# mail every 60 to 120 seconds. disabling this increases
# performance a little.
#
# 1=on 0=off
DATABASE_KEEPALIVE=0
######################################################################
# DAEMON CONFIG                                                      #
######################################################################
#
# debugging information:                                   default: 3
#
# only use debugging when there are problems
#
# 0 -> off (recommended)
# 1 -> standard debugging
# 2 -> 1+mysql queries+results
# 3 -> 1+2+network debugging
# 0=off
DEBUG=0
#
# daemon/background mode:                                  default: on
#
# detach policyd from terminal
#
# 1=on 0=off
DAEMON=1
#
# bind to ip address:
#
# ip address which the policy daemon will listen on
#
BINDHOST=127.0.0.1
#
# port to bind to:
#
# port which the policy daemon will listen on
#
BINDPORT=10031
#
# path to pidfile:
#
# where policyd will write its current pid to
#
PIDFILE=/var/run/policyd.pid
#
# syslog facility
#
# what syslog facility to log to
#
SYSLOG_FACILITY="LOG_MAIL | LOG_INFO"
######################################################################
# SECURITY                                                           #
######################################################################
#
# chroot:
#
# directory to change to before binding
#
CHROOT=/usr/share/empty
#
# uid:
#
# userid for the policy daemon to run as
#
UID=121
#
# gid:
#
# groupid for the policy daemon to run as
#
GID=121
######################################################################
# WHITELISTING (functional)                                          #
######################################################################
#
# whitelisting:                                            default: on
#
# this enables whitelisting of ip/netblocks. this is needed
# if you want to allow any of the whitelisting features.
#
# 1=on 0=off
WHITELISTING=1
#
# whitelist null sender:                                   default: off
#
# null senders are normally used for bounce messages. many
# viruses use null senders so it's wise to leave this disabled.
#
# 1=on 0=off
WHITELISTNULL=0
#
# whitelist sender address/domain
#
# this allows you to do whitelisting based on envelope sender
# address or envelope sender domain. a number of people have
# been asking for this. please AVOID using this as spammers
# forge senders and domains a lot.
#
# 1=on 0=off
WHITELISTSENDER=0
#
# whitelist client dns name
#
# this allows you to whitelist clients that have proper resolving
# records. for example, i could whitelist 'bulk.scd.yahoo.com'.
# so any connections from n6a.bulk.scd.yahoo.com or
# n6b.bulk.scd.yahoo.com would be whitelisted. this type of
# whitelisting gives far greater power when it comes to
# whitelisting ISPs or big companies which you know do not
# house spammers. please note: this table must NOT have more
# than 10 000 -> 15 000 entries.
#
# 1=on 0=off
WHITELISTDNSNAME=0
#
# automatic whitelisting                                   default: off
#
# this allows whitelisting of remote networks who have sent
# more than AUTO_WHITELIST_NUMBER of authenticated triplets.
#
# 1=on 0=off
AUTO_WHITE_LISTING=0
#
# auto whitelist number:                                   default: 500
#
# how many successful triplets does it require before a
# network is automatically whitelisted
#
AUTO_WHITELIST_NUMBER=500
#
# whitelist netblock/24:                                   default: 1
#
# when hosts get autowhitelisted, should the host be whitelisted
# or should the entire netblock (class C).
#
# 1=class 0=host
AUTO_WHITELIST_NETBLOCK=0
#
# whitelist expiry                                         default: 7 days
#
# this allows you to specify for what period of time any
# host will be whitelisted for when auto whitelisted.
# a setting of 0 sets a permanent whitelist
#
AUTO_WHITELIST_EXPIRE=7d
######################################################################
# BLACKLISTING (functional)                                          #
######################################################################
#
# blacklisting:                                            default: off
#
# this enables blacklisting of ip/netblocks. this is needed
# if you want to allow any of the blacklisting features and
# the spamtrapping module.
#
# 1=on 0=off
BLACKLISTING=1
#
# blacklist temp rejection:                                default: 4xx
#
# this allows you to either temp reject (4xx) blacklisted
# hosts or, if you're sure that blacklisted hosts are safe
# to reject, you can hard reject (5xx) blacklisted hosts.
#
# 1=4xx 0=5xx
BLACKLIST_TEMP_REJECT=0
#
# blacklist netblock/24:                                   default: class
#
# when hosts get blacklisted, should the host be blacklisted
# or should the entire netblock (class C). this applies to
# both when a host gets blacklisted via the spamtrap module
# or via the blacklist helo module.
#
# 1=class 0=host
BLACKLIST_NETBLOCK=0
#
# blacklist rejection                                      default: "Abuse. Go Away"
#
# what error message blacklisted hosts will receive.
#
BLACKLIST_REJECTION="Abuse. Go away."
#
# automatic blacklisting                                   default: off
#
# this allows blacklisting of remote networks who have sent
# more than AUTO_BLACKLIST_NUMBER of unauthenticated triplets.
#
# 1=on 0=off
AUTO_BLACK_LISTING=0
#
# auto blacklist number:                                   default: 500
#
# how many unauthenticated triplets does it require before a
# network is automatically blacklisted
#
AUTO_BLACKLIST_NUMBER=500
#
# blacklist expiry                                         default: 7 days
#
# this allows you to specify for what period of time any
# host will be blacklisted for when auto blacklisted.
# a setting of 0 sets a permanent blacklist
#
AUTO_BLACKLIST_EXPIRE=7d
######################################################################
# BLACKLISTING HELO (functional)                                     #
######################################################################
#
# blacklisting helo:                                       default: off
#
# this enables blacklisting of ip/netblocks. this is needed
# if you want to allow any of the blacklisting features and
# the spamtrapping module.
#
# 1=on 0=off
BLACKLIST_HELO=1
#
# blacklist helo auto expire:                              default: permanent
#
# this allows you to specify for what period of time any
# host will be blacklisted for when it has been caught
# using your HELO to identify itself. (a setting of 0
# sets a permanent blacklist)
#
BLACKLIST_HELO_AUTO_EXPIRE=7d
######################################################################
# BLACKLIST SENDER (functional)                                      #
######################################################################
#
# blacklist sender:                                        default: off
#
# this allows you to use policyd to block domains and/or
# email addresses.
# 1=on 0=off
BLACKLISTSENDER=1
######################################################################
# HELO_CHECK (functional)                                            #
######################################################################
#
# helo unique checking                                     default: off
#
# (legit) hosts that connect to your mail servers 99% of
# the time use static HELO information. spammers randomize
# their helo. enabling this will cut down the amount of
# spam entering your network.
# 1=on 0=off
HELO_CHECK=1
#
# helo max number count:
#
# this allows you to specify how many unique/different
# helo names a connecting host/ip is allowed to send.
# spammers randomize their helo information in big
# numbers. legit MTAs with floating ips also do this,
# but the number of them is fairly small.
#
#
HELO_MAX_COUNT=10
#
# helo blacklist auto expire:
#
# this allows you to specify for what period of time any
# host will be blacklisted for when it has been caught
# randomizing their helo information. (a setting of 0
# sets a permanent blacklist)
#
HELO_BLACKLIST_AUTO_EXPIRE=14d
#
# helo auto expire:
#
# this allows you to specify for what period of time any
# HELO identity will remain in the database for before it
# gets expired. (a setting of 0 ensures that all HELO
# information stays stored and is never expired).
#
HELO_AUTO_EXPIRE=7d
######################################################################
# SPAMTRAP (functional)                                              #
######################################################################
#
# enable spamtrap                                          default: off
#
# the idea of this module is to allow you to capture
# hosts that mail to your spamtraps without having to
# resort to parsing the mails to identify senders. you
# now have the ability to blacklist the host/netblock
# for a period of time (definable in SPAMTRAP_AUTO_EXPIRE).
#
# 1=on 0=off
SPAMTRAPPING=1
#
# spamtrap rejection:                                      default: "Abuse. Go Away."
#
# what error message the connecting host will receive
# when a message is directly sent to your spamtraps
#
SPAMTRAP_REJECTION="Abuse. Go away."
#
# spamtrap auto expire:                                    default: 7 days
#
# this allows you to specify for what period of time any
# host will be blacklisted for when it has been caught
# mailing to your spamtrap addresses. (a setting of 0
# sets a permanent blacklist)
#
SPAMTRAP_AUTO_EXPIRE=7d
######################################################################
# GREYLISTING (functional)                                           #
######################################################################
#
# enable greylisting                                       default: on
#
# whether greylisting should be enabled or disabled.
#
# 1=on 0=off
GREYLISTING=1
#
# greylist rejection:                                      default: "Please try later"
#
# what error message the connecting host will receive
# when a new triplet has been created.
#
GREYLIST_REJECTION="Please try later."
#
# greylist x-header:                                       default: off
#
# you now have the functionality of tagging all mail
# that has passed greylisting.
#
# 1=on 0=off
GREYLIST_X_HEADER=0
#
# train database:                                          default: off
#
# this is very useful for people who want to build
# up a collection of triplets before they start accepting
# mail. training mode allows the collection of triplets
# to mature to a stage that when greylisting is actually
# enabled, the impact caused is far far less.
#
# 1=on 0=off
TRAINING_MODE=0
#
# training policy duration/timeout                         default: 0d
#
# when you have run TRAINING_MODE for all your domains
# and are running greylisting across the board, adding new
# domains and subjecting them to greylisting without a
# training period can bring unnecessary hassles. this feature
# allows you to specify for how long 'new domains' are to be
# trained for before being subjected to greylisting.
#
# a value of 0 disables this feature.
#
TRAINING_POLICY_TIMEOUT=5d
#
#
# triplet timeout:                                         default: 5 minutes
#
# when a triplet is created from the first mail delivery
# attempt, what period of time should go by before we
# allow the 'final delivery'. a study shows that there
# is no difference between 1 minute and 1 hour for spam
# at this point in time. a sane limit would be 5 minutes.
#
TRIPLET_TIME=15m
#
# opt in and opt out:                                      default: off
#
# some people are fairly irate when it comes to mail and
# refuse to have any type of delay. this feature
# gives each and every person the ability to not subject
# themselves to greylisting. this feature is also VERY
# useful when you don't want to subject EVERY person to
# greylisting at once but instead allows you to enable
# it in batches/groups of users so you get a feel for the
# type of complaints or praise from your users.
#
# 1=on 0=off
OPTINOUT=0
#
# optinoutall:                                             default: off
#
# this allows you to either opt everyone in, or opt every
# one out and only has any effect if OPTINOUT is enabled.
#
# 1=on 0=off
OPTINOUTALL=0
#
# triplet authenticated cleanup                            default: 30d
#
# if a triplet has been successfully updated (retried and
# delivered), this is what is considered an 'authenticated'
# triplet. this option allows some sanity so you do not
# keep these triplets forever. specify the amount of days
# that we keep authenticated triplets since it was last updated.
#
TRIPLET_AUTH_TIMEOUT=30d
#
# triplet unauthenticated cleanup                          default: 2d
#
# if a triplet has NOT been successfully updated (no retry
# attempt), this is what is considered an 'unauthenticated'
# triplet. this option allows some sanity so you do not
# keep these triplets forever. specify the amount of days
# that we keep unauthenticated triplets since being inserted
# into the database
#
TRIPLET_UNAUTH_TIMEOUT=2d
######################################################################
# SENDER THROTTLE (functional)                                       #
######################################################################
#
# throttle senders                                         default: off
#
# sender throttling allows per-user limits of all
# mail that passes the policy daemon. any envelope
# sender that is not found in the database will
# fall back to the config defaults listed below.
#
# 1=on 0=off
SENDERTHROTTLE=0
#
# throttle SASL users                                      default=on
#
# throttling based upon envelope sender addresses does
# not work very well as it can of course be easily forged.
# if your users are forced to authenticate via SASL, enable
# this option so that quotas stick like glue regardless of
# what they try.
#
# if this option is enabled, and a remote client connects
# WITHOUT sasl, it will then use the client's sending/FROM
# address.
# 1=on 0=off
SENDER_THROTTLE_SASL=1
#
# throttle IP addresses                                    default=on
#
# throttling based upon the ip address of the sender
# will ensure that the host does not send more than
# their allowed quota. you may only enable
# SENDER_THROTTLE_SASL or SENDER_THROTTLE_HOST but
# *NOT* both.
# 1=on 0=off
SENDER_THROTTLE_HOST=0
#
# throttle rejection:                                      default: "Quota Exceeded"
#
# what error message the connecting host will receive
# when they have exceeded any of their quotas.
#
SENDER_QUOTA_REJECTION="Quota Exceeded."
#
# throttle max message size reject message      default: Message size too big
#
#
SENDER_SIZE_REJECTION="Message size too big."
#
# maximum mail sent per time period                        default: 5000
#
# how many messages a user is allowed to send out
# before the time limit has expired.
#
SENDERMSGLIMIT=5000
#
# maximum mail quota/size per time period                  default: 250 meg
#
# how much mail will be allowed from a user (in megs)
# which will be accepted before the timelimit has expired.
#
SENDERQUOTALIMIT=250000000
#
# sender time limit:                                       default: 24 hours
#
# after how long does all quota last before counters
# are reset back to zero.
#
SENDERTIMELIMIT=24h
#
# sender message size:                                     default: 10 meg
#
# this is the maximum sender mail size
#
SENDERMSGSIZE=10240000
#
# inactive sender database record cleanup                  default: 31 days
#
# this allows you to specify how long the throttling
# records of inactive senders are kept in the database.
# this helps to keep the database small. a setting
# of 0 keeps all entries.
#
SENDER_INACTIVE_EXPIRE=31d
######################################################################
# RECIPIENT THROTTLE (functional)                                    #
######################################################################
#
# throttle recipients                                      default: off
#
# recipient throttling allows per-user limits of all
# mail that passes the policy daemon. any envelope
# recipient that is not found in the database will
# fall back to the config defaults listed below.
#
# 1=on 0=off
RECIPIENTTHROTTLE=0
#
# maximum mail sent per time period                        default: 5000
#
# how many messages a user is allowed to send out
# before the time limit has expired.
#
RECIPIENTMSGLIMIT=5000
#
# recipient time limit:                                    default: 24 hours
#
# after how long does all quota last before counters
# are reset back to zero.
#
RECIPIENTTIMELIMIT=24h
#
# throttle recipient rejection:                            default: "Quota Exceeded"
#
# what error message the connecting host will receive
# when they have exceeded any of their quotas.
#
RECIPIENT_QUOTA_REJECTION="Quota Exceeded."
#
# inactive recipients database record cleanup              default: 31 days
#
# this allows you to specify how long the throttling
# records of inactive recipients are kept in the database.
# this helps to keep the database small. a setting
# of 0 keeps all entries.
#
RECIPIENT_INACTIVE_EXPIRE=31d
#######
# EOF #
#######
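As an added illustration (my own code, not part of the post or of policyd), a small Python checker that parses the policyd.conf format above and flags the constraints its comments state or imply: both sender throttle modes enabled, sender whitelisting switched on, debugging left on, a non-loopback BINDHOST, the placeholder database password, and duration values it cannot parse. The sample config excerpt and the duration parser (s/m/h/d suffixes as used in the file) are assumptions made for the demo.

```python
import re

# Constructed excerpt in the policyd.conf format shown above; the values are
# chosen to trip several of the checks below (not a recommended configuration).
SAMPLE_CONF = """\
# DAEMON CONFIG
DEBUG=3
BINDHOST=127.0.0.1
MYSQLPASS="secret_password"
# WHITELISTING
WHITELISTSENDER=1
AUTO_WHITELIST_EXPIRE=7d
# GREYLISTING
TRIPLET_TIME=15m
HELO_AUTO_EXPIRE=soon
# SENDER THROTTLE
SENDER_THROTTLE_SASL=1
SENDER_THROTTLE_HOST=1
SENDERTIMELIMIT=24h
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_conf(text):
    """Parse KEY=value lines; lines starting with '#' are comments, quotes are stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def duration_seconds(value):
    """Convert the duration spelling used in the file (7d, 15m, 24h, bare seconds)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"unrecognised duration {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def lint(conf):
    """Return findings for the constraints the config comments state or imply."""
    findings = []
    if conf.get("SENDER_THROTTLE_SASL") == "1" and conf.get("SENDER_THROTTLE_HOST") == "1":
        findings.append("SENDER_THROTTLE_SASL and SENDER_THROTTLE_HOST are both on; only one is allowed")
    if conf.get("WHITELISTSENDER") == "1":
        findings.append("WHITELISTSENDER=1: envelope senders are trivially forged; the file advises against it")
    if conf.get("WHITELISTNULL") == "1":
        findings.append("WHITELISTNULL=1: null senders are used by viruses as well as bounces")
    if conf.get("DEBUG", "0") != "0":
        findings.append(f"DEBUG={conf['DEBUG']}: debugging is meant for troubleshooting only")
    if conf.get("BINDHOST", "127.0.0.1") != "127.0.0.1":
        findings.append("BINDHOST is not loopback: the policy port carries no authentication")
    if conf.get("MYSQLPASS") == "secret_password":
        findings.append("MYSQLPASS still holds the placeholder from the shipped config")
    for key, value in conf.items():
        if key.endswith(("_EXPIRE", "_TIMEOUT", "TIMELIMIT")) or key == "TRIPLET_TIME":
            try:
                duration_seconds(value)
            except ValueError as exc:
                findings.append(f"{key}: {exc}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_conf(SAMPLE_CONF)):
        print(finding)
```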
#!/bin/sh
# hourly cleanup of expired policyd records

# service config; fall back to the default file if sysconfig is missing
# or does not set POLICYD_CONF
[ -r /etc/sysconfig/policyd ] && . /etc/sysconfig/policyd
POLICYD_CONF="${POLICYD_CONF:-/etc/policyd/policyd.conf}"

if [ ! -r /var/run/policyd.lck -a -r "${POLICYD_CONF}" ]; then
	touch /var/run/policyd.lck
	/usr/lib/policyd/cleanup -c "${POLICYD_CONF}"
	rm -f /var/run/policyd.lck
fi
#!/bin/sh
#
# policyd	This shell script takes care of starting and stopping
#		policy daemon.
#
# chkconfig:	345 85 35
#
# description:	Policyd is an anti-spam plugin for Postfix.
#
# pidfile:	/var/run/policyd.pid
# config:	/etc/policyd/policyd.conf

# Source function library
. /etc/rc.d/init.d/functions

# Get network config
. /etc/sysconfig/network

# Get service config; fall back to the default file if sysconfig is
# missing or does not set POLICYD_CONF
[ -r /etc/sysconfig/policyd ] && . /etc/sysconfig/policyd
POLICYD_CONF="${POLICYD_CONF:-/etc/policyd/policyd.conf}"

# Check that networking is up.
if is_yes "${NETWORKING}"; then
	if [ ! -f /var/lock/subsys/network -a "$1" != stop -a "$1" != status ]; then
		msg_network_down PolicyD
		exit 1
	fi
else
	exit 0
fi

RETVAL=0
# See how we were called.
case "$1" in
  start)
	# Check if the service is already running?
	if [ ! -f /var/lock/subsys/policyd ]; then
		msg_starting PolicyD
		daemon $SERVICE_RUN_NICE_LEVEL /usr/lib/policyd/policyd -c "${POLICYD_CONF}"
		RETVAL=$?
		[ $RETVAL -eq 0 ] && touch /var/lock/subsys/policyd
	else
		msg_already_running PolicyD
	fi
	;;
  stop)
	# Stop daemon.
	if [ -f /var/lock/subsys/policyd ]; then
		msg_stopping PolicyD
		killproc policyd
		rm -f /var/lock/subsys/policyd
	else
		msg_not_running PolicyD
	fi
	;;
  restart|reload|force-reload)
	$0 stop
	$0 start
	exit $?
	;;
  status)
	status policyd
	exit $?
	;;
  cleanup)
	# Run the database cleanup by hand (the cron job does the same hourly).
	if [ -r /var/run/policyd.lck ]; then
		echo "PolicyD cleanup process already running." 1>&2
		RETVAL=1
	elif [ ! -r "${POLICYD_CONF}" ]; then
		echo "PolicyD configuration file not found: ${POLICYD_CONF}" 1>&2
		RETVAL=1
	else
		touch /var/run/policyd.lck
		/usr/lib/policyd/cleanup -c "${POLICYD_CONF}"
		RETVAL=$?
		rm -f /var/run/policyd.lck
	fi
	;;
  *)
	msg_usage "$0 {start|stop|restart|reload|force-reload|status|cleanup}"
	exit 3
esac

exit $RETVAL
# Path to policyd.conf
POLICYD_CONF="/etc/policyd/policyd.conf"

# Nice level for policyd
SERVICE_RUN_NICE_LEVEL="+0"
# $Id$
#
# TODO: mysql info
# mysql> GRANT ALL ON policyd.* TO [EMAIL PROTECTED] IDENTIFIED BY 'secret_password';
# mysql> GRANT USAGE ON *.* TO [EMAIL PROTECTED] IDENTIFIED BY 'secret_password';
# $ zcat /usr/share/doc/policyd-%{version}/DATABASE.mysql.gz | mysql -p -u policyd
#
# TODO: postfix info
#smtpd_recipient_restrictions =
#	permit_mynetworks
#	permit_sasl_authenticated
#	reject_unauth_destination
#	reject_unlisted_recipient
#	check_policy_service inet:127.0.0.1:10031
#
Summary:	Policyd is an anti-spam plugin for Postfix
Name:		policyd
Version:	1.67
Release:	0.0.18
License:	GPL v2
Group:		Networking
Source0:	http://policyd.sourceforge.net/%{name}-v%{version}.tar.gz
# Source0-md5:	77c59852a7316d48a5f84bb6841fc23c
Source1:	policyd-cron
Source2:	policyd-sysconfig
Source3:	policyd-conf
Source4:	policyd-init
URL:		http://policyd.sourceforge.net/
BuildRequires:	mysql-devel
Requires:	mysql-libs
Requires:	zlib
BuildRoot:	%{tmpdir}/%{name}-%{version}-root-%(id -u -n)

%description
Policyd is an anti-spam plugin for Postfix that does greylisting,
sender-(envelope, SASL or host/ip)-based throttling (on messages and/or
volume per defined time unit), recipient rate limiting, spamtrap
monitoring/blacklisting, HELO auto blacklisting and HELO randomization
prevention.

%prep
%setup -q -n %{name}-v%{version}

%build
%{__make} build

%install
rm -rf $RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT{%{_libdir}/%{name},%{_sysconfdir}/{%{name},rc.d/init.d},/etc/sysconfig,/etc/cron.hourly}

install policyd cleanup $RPM_BUILD_ROOT%{_libdir}/%{name}
install policyd.conf $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/%{name}.conf-dist
install %{SOURCE1} $RPM_BUILD_ROOT/etc/cron.hourly/%{name}
install %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/%{name}
install %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/%{name}.conf
install %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/%{name}

%clean
rm -rf $RPM_BUILD_ROOT

%pre
%groupadd -g 121 -r policyd
%useradd -M -o -r -u 121 -d / -s /bin/false -g policyd -c "Postfix Policy Daemon" policyd

%post
/sbin/chkconfig --add policyd
if [ -f /var/lock/subsys/policyd ]; then
	/etc/rc.d/init.d/policyd restart >&2 || :
else
	echo "Run \"/etc/rc.d/init.d/policyd start\" to start policy daemon." >&2
fi

%preun
if [ "$1" = "0" ]; then
	if [ -f /var/lock/subsys/policyd ]; then
		/etc/rc.d/init.d/policyd stop >&2
	fi
	/sbin/chkconfig --del policyd
fi

%postun
if [ "$1" = "0" ]; then
	%userremove policyd
	%groupremove policyd
fi

%files
%defattr(644,root,root,755)
%attr(755,root,root) %{_libdir}/%{name}/*
%doc *.txt *.mysql doc/*.sql doc/*.txt
%dir %{_sysconfdir}/%{name}
%config(noreplace) %verify(not size mtime md5) /etc/sysconfig/%{name}
%config(noreplace) %verify(not size mtime md5) %attr(640,root,root) %{_sysconfdir}/%{name}/%{name}.conf
%config %verify(not size mtime md5) %{_sysconfdir}/%{name}/%{name}.conf-dist
%config %verify(not size mtime md5) %attr(755,root,root) /etc/cron.hourly/%{name}
%config %verify(not size mtime md5) %attr(755,root,root) %{_sysconfdir}/rc.d/init.d/%{name}

%define date	%(echo `LC_ALL="C" date +"%a %b %d %Y"`)
%changelog
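Added example, not from the spec or the policyd project: a Python client that speaks the Postfix policy delegation protocol behind the check_policy_service entry in the spec's TODO (name=value lines ended by an empty line, answered with an action= line), paired with a constructed in-process stand-in that greylists the way the config describes (first triplet deferred with the GREYLIST_REJECTION text, retry passes). The request attributes, the fake server and its replies are assumptions for the demo; against a real installation query_policy would be pointed at 127.0.0.1:10031.

```python
import socket
import threading

# Constructed request: the attributes Postfix hands to a check_policy_service
# endpoint at RCPT time (see Postfix's SMTPD_POLICY_README for the full set).
SAMPLE_REQUEST = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "helo_name": "mail.example.net",
    "client_address": "192.0.2.10",
    "sender": "alice@example.net",
    "recipient": "bob@example.org",
}

def encode_request(attrs):
    """Serialise a policy request exactly as Postfix sends it."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()) + "\n"

def read_block(sock):
    """Read until the empty line that ends a request or a reply."""
    buf = b""
    while not buf.endswith(b"\n\n") and (chunk := sock.recv(4096)):
        buf += chunk
    return buf.decode()

def parse_response(data):
    """A policy reply is 'action=<verb> [text]' plus an empty line; return (verb, text)."""
    for line in data.split("\n"):
        if line.startswith("action="):
            verb, _, text = line[len("action="):].partition(" ")
            return verb, text
    raise ValueError("no action= line in policy reply")

def query_policy(host, port, attrs, timeout=5.0):
    """Send one request to a policy daemon (e.g. 127.0.0.1:10031) and parse its verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_request(attrs).encode())
        return parse_response(read_block(sock))

class FakePolicyd(threading.Thread):
    """Constructed stand-in: defer an unseen (client, sender, recipient) triplet, pass a repeat."""
    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))   # ephemeral port, loopback only
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.seen = set()

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                attrs = dict(line.split("=", 1) for line in read_block(conn).split("\n") if "=" in line)
                triplet = tuple(attrs.get(k) for k in ("client_address", "sender", "recipient"))
                if triplet in self.seen:
                    reply = "action=dunno\n\n"            # known triplet: let other checks decide
                else:
                    self.seen.add(triplet)
                    reply = "action=defer_if_permit Please try later.\n\n"  # greylist (4xx)
                conn.sendall(reply.encode())

def demo():
    """Two identical requests: the first is greylisted, the retry passes."""
    server = FakePolicyd()
    server.start()
    first = query_policy("127.0.0.1", server.port, SAMPLE_REQUEST)
    second = query_policy("127.0.0.1", server.port, SAMPLE_REQUEST)
    return first, second
```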
_______________________________________________
pld-devel-pl mailing list
pld-devel-pl@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-devel-pl