Log connection time on smtpd disconnect
Hi, i recently had to analyse slow/long held connections on postfix servers. Parsing the logs for connect/disconnect lines can take some time if you have a lot of logs. So i patched the smtpd to log the connection time with the disconnect stats: May 9 10:30:07 server01 postfix/smtpd[1234]: disconnect from remotehost.example.com[1.2.3.4] ehlo=1 mail=1 rcpt=0/1 commands=2/3 conn_time=13 (connection took 13 seconds) Would this be usefull for others too and should it be considered for inclusion in postfix? Markus -- Markus Benning, https://markusbenning.de/
Re: tracking progress of messages
Am Mittwoch, den 15.06.2016, 17:01 +0100 schrieb Rob Maidment: > I am intending to replace Sendmail with Postfix as the MTA component > in a secure email appliance. One of the features of the appliance is > the ability to search for messages by subject, sender, etc, and show > the progress of those messages through the appliance. To this end a > customised version of Sendmail writes key events to a FIFO e.g. > message accepted, message deferred, message delivered. (The main > use-case for this is when a message goes missing - the admin can run > the report to see whether the message was received, held, delivered, > etc.) > > I would like to find a way of achieving something similar with > Postfix, but without customising the Postfix source code (because > that becomes a barrier to upgrading). All I can come up with is to > parse the Postfix logging output and to generate the events when key > messages appear, but this is a fragile solution because it's > vulnerable to changes in logging output in future Postfix releases. Hi Rob, I wrote a logfile analyser for postfix: https://github.com/benningm/saftpresse/ It was based on pflogsumm(a postfix log analyzer) but is now a general purpose log analyzer with still postfix as its main scope. The daemon 'saftpresse' reads inputs, processes them with plugins and outputs logs and counter to output plugins. You could send your logs from (r)syslog to the saftsumm daemon and output the analyzed log lines to elasticsearch and graphit. Similar to logstash if you know that. With the log data in an elasticsearch it should be easy to provide a search interface on it. Or you may just use kibana. In the last version I added a tracking feature which tries to assign a unique identifier to all logs related to a message. It does so by keeping track of pids/port/queueid etc. Markus
Re: TLS Logging per MsgId
Am Montag, den 04.01.2016, 20:40 +0100 schrieb Markus Benning: > My log analyser "saftpresse" implements this: > > https://metacpan.org/release/Log-Saftpresse > > Theres a commandline interface "saftsumm" which tries to provide the > classic pflogsumm inteface. > Try '--tls-stats' > > The saftpresse command implements a non-blocking log anaylser with > plugins. It is designed with output to elasticsearch and graphit in > mind. > > The Postfix plugin included is based on the pflogsumm code but heavy > refactured and modularized. > > There currently no packages, but i plan to provide debian packages > and > a docker image for non-debian users. I released 1.3 with some minor improvements and build debian/jessie packages for it. To install the packages use: $ apt-get install -y apt-transport-https $ curl https://markusbenning.de/debian/repo.gpg.key | apt-key add - $ curl -o /etc/apt/sources.list.d/markusbenning.list \ "https://markusbenning.de/debian/markusbenning.list"; $ apt-get update $ apt-get install -y saftpresse Markus
Re: TLS Logging per MsgId
Am Montag, den 04.01.2016, 10:21 -0500 schrieb Wietse Venema: > > > No, but you could use a better stateful logfile analyzer. The TLS > > > session status is always logged with the name of the remote MTA > > > example.com[x.x.x.x]:25, and it is always logged before the > > > status= > > > record. > Consider that an smtp(8) process makes only one connection at a > time. The close is therefore implied when the smtp process logs a > new "TLS established" record, or when it logs any activity with > a different example.com[x.x.x.x]:25. My log analyser "saftpresse" implements this: https://metacpan.org/release/Log-Saftpresse Theres a commandline interface "saftsumm" which tries to provide the classic pflogsumm inteface. Try '--tls-stats' The saftpresse command implements a non-blocking log anaylser with plugins. It is designed with output to elasticsearch and graphit in mind. The Postfix plugin included is based on the pflogsumm code but heavy refactured and modularized. There currently no packages, but i plan to provide debian packages and a docker image for non-debian users. Markus
Re: I need sample configuration files for rate-limiting with HOLD verdict
On Mon, Sep 21, 2015 at 07:25:53AM +0100, Kianoosh Kashefi wrote:
> I use Postfix with Postfwd as policy service. and I want to limit all
> outgoing messages with exceptions for several SASL users with HOLD verdict.
> I'm new to postfwd so I need configuration example for rate-limiting with
> HOLD verdict (for instance limit all users outgoing messages to 10 messages
> per minute and HOLD messages exceeding that limit) also I need the same
> configuration to apply only to certain SASL users again with HOLD verdict
> (for example limit a certain user's outgoing messages to 100 message per
> minute and HOLD messages exceeding that limit). I appreciate if you reply
> with full configuration examples for these two cases.
It can be done with the Accounting/Quota support of mtpolicyd:
https://www.mtpolicyd.org/getting-started.html#Mail::MtPolicyd::Cookbook::HowtoAccountingQuota
First you'll have to setup an SQL database and configure it in mtpolicyd:
db_dsn="dbi:mysql:mail"
db_user=mtpolicyd
db_password=secret
Then configure the a VirtualHost with the accounting plugin to record mails
sent based on
sasl_username:
name="rate-limit"
module = "Accounting"
fields = "sasl_username"
time_pattern = "%Y-%m-%d %H:%M"
# more plugins come here later...
Then add a query to this policyd vhost in your postfix configuration:
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:12345
At this point mtpolicyd will create a table acct_sasl_username with the
first recieved mail and record accounting data in it.
To limit the rate add the following Quota plugin configuration:
module = "Quota"
field = "sasl_username"
metric = "count"
threshold = 10
action = "hold"
time_pattern = "%Y-%m-%d %H:%M"
This should limit the message count per sasl_username.
To add different limits per user you can use the per user configuration
features of mtpolicyd.
Create a database schema for it:
CREATE TABLE `user_policy` (
`id` int(11) NOT NULL auto_increment,
`desc` VARCHAR(64) NOT NULL,
`config` TEXT NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB;
// configuration is expected as JSON format hash
INSERT INTO user_policy VALUES(1, 'privileged user', '{"rate-limit":"100"}');
CREATE TABLE `users` (
`id` int(11) NOT NULL auto_increment,
`sasl_username` VARCHAR(64) NOT NULL,
`user_policy` int(11) NOT NULL,
PRIMARY KEY (`id`),
KEY `user_policy` (`user_policy`),
CONSTRAINT `users_ibfk_1` FOREIGN KEY (`user_policy`) REFERENCES
`user_policy` (`id`)
) ENGINE=InnoDB;
INSERT INTO users VALUES(NULL, 'kianoosh@saslauth', 1);
Add a query to retrieve the user configuration _before_ the Quota plugin:
module = "SqlUserConfig"
sql_query = "SELECT p.config FROM user_policy p JOIN users u ON
(u.relay_policy = p.id) WHERE u.sasl_username=?"
field = "sasl_username"
That will retrieve the user configuration by the sasl_username.
Then edit the Quota plugin and add uc_threshold parameter:
uc_threshold="rate-limit"
This will overwrite the threshold option if there is a value for
"rate-limit" defined in the current session.
In my option the time slice is a little bit small with 1 minute.
I would use a per hour or per day limit.
Markus
--
Markus Benning, https://markusbenning.de/
Re: [PATCH] check_policy_service "virtual hosts" feature
On Wed, Sep 02, 2015 at 11:46:10AM -0400, Wietse Venema wrote:
> Reusing the same client socket for multiple policy clients requires
> a reference-counting mechanism that is best implemented in the lower
> layers of the Postfix infrastructure. It is a unlikely that one
> Postfix daemon process will be making multiple simultaneous requests
> to the same endpoint, but it if does at some point in the future,
> then the *_clnt APIs would need to be updated with an extra flag
> to prevent client endpoint sharing.
Thanks for pointing that out.
Would that connection reuse feature be specific to the attr_clnt
or is it better implemented in auto_clnt?
It looks like the auto_clnt is also used in other places.
If we add reuse to auto_clnt_create do we need a reuse flag
to disable the new behavior in other places?
> Can you update the patch?
The attached patch has updated parameter names.
Now it will look like that:
check_policy_service { inet:localhost:12345, timeout=10s,
default_action=DUNNO, policy_context=accounting }
and:
request=smtpd_access_policy
policy_context=reputation
...
I'll implement the policy_context attribute in mtpolicyd
and release a new version after some testing.
BTW: is it possible to add a link to mtpolicyd.org on
<http://www.postfix.org/addon.html>?
Markus
--
Markus Benning, https://markusbenning.de/
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 9abc4fa..03ff5e8 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -2967,6 +2967,10 @@ extern int var_smtpd_policy_try_delay;
#define DEF_SMTPD_POLICY_DEF_ACTION "451 4.3.5 Server configuration problem"
extern char *var_smtpd_policy_def_action;
+#define VAR_SMTPD_POLICY_PCTX "smtpd_policy_service_policy_context"
+#define DEF_SMTPD_POLICY_PCTX ""
+extern char *var_smtpd_policy_policy_context;
+
#define CHECK_POLICY_SERVICE "check_policy_service"
/*
diff --git a/postfix/src/global/mail_proto.h b/postfix/src/global/mail_proto.h
index c360906..cdd10f5 100644
--- a/postfix/src/global/mail_proto.h
+++ b/postfix/src/global/mail_proto.h
@@ -122,6 +122,7 @@ extern char *mail_pathname(const char *, const char *);
* Attribute names.
*/
#define MAIL_ATTR_REQ "request"
+#define MAIL_ATTR_PCTX "policy_context"
#define MAIL_ATTR_NREQ "nrequest"
#define MAIL_ATTR_STATUS "status"
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index c0c6e3e..1dfe63b 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -1272,6 +1272,7 @@ int var_smtpd_policy_req_limit;
int var_smtpd_policy_try_limit;
int var_smtpd_policy_try_delay;
char *var_smtpd_policy_def_action;
+char *var_smtpd_policy_policy_context;
int var_smtpd_policy_idle;
int var_smtpd_policy_ttl;
char *var_xclient_hosts;
@@ -5774,6 +5775,7 @@ int main(int argc, char **argv)
VAR_SMTPD_ACL_PERM_LOG, DEF_SMTPD_ACL_PERM_LOG, &var_smtpd_acl_perm_log, 0, 0,
VAR_SMTPD_UPROXY_PROTO, DEF_SMTPD_UPROXY_PROTO, &var_smtpd_uproxy_proto, 0, 0,
VAR_SMTPD_POLICY_DEF_ACTION, DEF_SMTPD_POLICY_DEF_ACTION, &var_smtpd_policy_def_action, 1, 0,
+ VAR_SMTPD_POLICY_PCTX, DEF_SMTPD_POLICY_PCTX, &var_smtpd_policy_policy_context, 0, 0,
VAR_SMTPD_DNS_RE_FILTER, DEF_SMTPD_DNS_RE_FILTER, &var_smtpd_dns_re_filter, 0, 0,
0,
};
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 9a32490..82bd1f3 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -462,6 +462,7 @@ double smtpd_space_multf = 1.5;
typedef struct {
ATTR_CLNT *client; /* client handle */
char *def_action; /* default action */
+char *policy_context; /* context of policy request */
} SMTPD_POLICY_CLNT;
/*
@@ -483,6 +484,7 @@ static ATTR_OVER_INT int_table[] = {
};
static ATTR_OVER_STR str_table[] = {
21 + VAR_SMTPD_POLICY_DEF_ACTION, 0, 1, 0,
+21 + VAR_SMTPD_POLICY_PCTX, 0, 1, 0,
0,
};
@@ -498,6 +500,7 @@ static ATTR_OVER_STR str_table[] = {
#define smtpd_policy_try_limit_offset 1
#define smtpd_policy_def_action_offset 0
+#define smtpd_policy_policy_context_offset 1
/* policy_client_register - register policy service endpoint */
@@ -527,6 +530,7 @@ static void policy_client_register(const char *name)
int smtpd_policy_req_limit = var_smtpd_policy_req_limit;
int smtpd_policy_try_limit = var_smtpd_policy_try_limit;
const char *smtpd_policy_def_action = var_smtpd_policy_def_action;
+ const char *smtpd_policy_policy_context = var_smtpd_policy_policy_context;
link_override_table_to_variable(time_table, smtpd_policy_tmout);
link_override_table_to_variable(time_table, smtpd_policy_idle);
@@ -535,6 +539,7 @@ static void policy_client_register(const char *name)
link_override_table_to_variable(int_table, smt
[PATCH] check_policy_service "virtual hosts" feature
Hello,
when running multiple checks in a policy daemon each check
needs to be running on a different port in the policy daemon
for the policy daemon to be able differentiate between the
checks when processing the request.
What about adding a "virtual servers" feature to the policy check
similar to the Host: header in HTTP?
The attached patch adds a smtpd_policy_service_vhost option which
is sent to the policy daemon.
In main.cf:
smtpd_client_restrictions =
check_policy_service { inet:localhost:12345, timeout=10s,
default_action=DUNNO, vhost=reputation }
check_policy_service { inet:localhost:12345, timeout=10s,
default_action=DUNNO, vhost=accounting }
Will result in smtpd sending the vhost value with the policy requests:
request=smtpd_access_policy
vhost=reputation
protocol_state=RCPT
protocol_name=ESMTP
...
request=smtpd_access_policy
vhost=accounting
protocol_state=RCPT
protocol_name=ESMTP
May be the patch could be further improved to use the same connection
for both lookups.
Markus
--
Markus Benning, https://markusbenning.de/
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 9abc4fa..88ef714 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -2967,6 +2967,10 @@ extern int var_smtpd_policy_try_delay;
#define DEF_SMTPD_POLICY_DEF_ACTION "451 4.3.5 Server configuration problem"
extern char *var_smtpd_policy_def_action;
+#define VAR_SMTPD_POLICY_VHOST "smtpd_policy_service_vhost"
+#define DEF_SMTPD_POLICY_VHOST ""
+extern char *var_smtpd_policy_vhost;
+
#define CHECK_POLICY_SERVICE "check_policy_service"
/*
diff --git a/postfix/src/global/mail_proto.h b/postfix/src/global/mail_proto.h
index c360906..b5b634f 100644
--- a/postfix/src/global/mail_proto.h
+++ b/postfix/src/global/mail_proto.h
@@ -122,6 +122,7 @@ extern char *mail_pathname(const char *, const char *);
* Attribute names.
*/
#define MAIL_ATTR_REQ "request"
+#define MAIL_ATTR_VHOST "vhost"
#define MAIL_ATTR_NREQ "nrequest"
#define MAIL_ATTR_STATUS "status"
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index c0c6e3e..474a0a6 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -1272,6 +1272,7 @@ int var_smtpd_policy_req_limit;
int var_smtpd_policy_try_limit;
int var_smtpd_policy_try_delay;
char *var_smtpd_policy_def_action;
+char *var_smtpd_policy_vhost;
int var_smtpd_policy_idle;
int var_smtpd_policy_ttl;
char *var_xclient_hosts;
@@ -5774,6 +5775,7 @@ int main(int argc, char **argv)
VAR_SMTPD_ACL_PERM_LOG, DEF_SMTPD_ACL_PERM_LOG, &var_smtpd_acl_perm_log, 0, 0,
VAR_SMTPD_UPROXY_PROTO, DEF_SMTPD_UPROXY_PROTO, &var_smtpd_uproxy_proto, 0, 0,
VAR_SMTPD_POLICY_DEF_ACTION, DEF_SMTPD_POLICY_DEF_ACTION, &var_smtpd_policy_def_action, 1, 0,
+ VAR_SMTPD_POLICY_VHOST, DEF_SMTPD_POLICY_VHOST, &var_smtpd_policy_vhost, 0, 0,
VAR_SMTPD_DNS_RE_FILTER, DEF_SMTPD_DNS_RE_FILTER, &var_smtpd_dns_re_filter, 0, 0,
0,
};
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 9a32490..8c69e5b 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -462,6 +462,7 @@ double smtpd_space_multf = 1.5;
typedef struct {
ATTR_CLNT *client; /* client handle */
char *def_action; /* default action */
+char *vhost; /* vhost name */
} SMTPD_POLICY_CLNT;
/*
@@ -483,6 +484,7 @@ static ATTR_OVER_INT int_table[] = {
};
static ATTR_OVER_STR str_table[] = {
21 + VAR_SMTPD_POLICY_DEF_ACTION, 0, 1, 0,
+21 + VAR_SMTPD_POLICY_VHOST, 0, 1, 0,
0,
};
@@ -498,6 +500,7 @@ static ATTR_OVER_STR str_table[] = {
#define smtpd_policy_try_limit_offset 1
#define smtpd_policy_def_action_offset 0
+#define smtpd_policy_vhost_offset 1
/* policy_client_register - register policy service endpoint */
@@ -527,6 +530,7 @@ static void policy_client_register(const char *name)
int smtpd_policy_req_limit = var_smtpd_policy_req_limit;
int smtpd_policy_try_limit = var_smtpd_policy_try_limit;
const char *smtpd_policy_def_action = var_smtpd_policy_def_action;
+ const char *smtpd_policy_vhost = var_smtpd_policy_vhost;
link_override_table_to_variable(time_table, smtpd_policy_tmout);
link_override_table_to_variable(time_table, smtpd_policy_idle);
@@ -535,6 +539,7 @@ static void policy_client_register(const char *name)
link_override_table_to_variable(int_table, smtpd_policy_req_limit);
link_override_table_to_variable(int_table, smtpd_policy_try_limit);
link_override_table_to_variable(str_table, smtpd_policy_def_action);
+ link_override_table_to_variable(str_table, smtpd_policy_vhost);
if (*name == parens[0]) {
cp = saved_name = mystrdup(name);
@@ -551,10 +556,10 @@ static void policy_client_register(const char *name)
policy_name = name;
}
Re: connection logging in smtp client
On Thu, Feb 05, 2015 at 03:27:23PM +, Viktor Dukhovni wrote: > smtp[]: : to=<...>, ... () > entries with the same , and are almost > certainly a single "envelope" (especially if the next hop server > includes a unique queue-id in its reply). Okay, now i implemented it the following way. It looks for a TLS connection and remembers TLS parameters by the pid. The next "to=" line with the same pid gets the tls parameters assigned. Now it remembers the TLS parameters by the queue ID of this log line instead of the pid and assigns it to following "to=" lines with the same queue ID. Looks good: TLS Statistics -- 1 outgoing tls connections 4 outgoing tls messages (80.00% of 5) You can find the code at: https://github.com/benningm/saftpresse/blob/master/lib/Log/Saftpresse/Plugin/TlsStatistics.pm Markus -- Markus Benning, https://markusbenning.de/
connection logging in smtp client
Hello, for TLS statistics i'm counting the "TLS connection established" lines for per connection statistics. But i'm also collecting per message statistics. This is possible for smtpd because it is also logging connect/disconnect: smtpd[30784]: connect from english-breakfas... (unencrypted) smtpd[30784]: Anonymous TLS connection... (encrypted) smtpd[30784]: F2FE41925EB: client=... (encrypted, mail) ...more mails... (encrypted) smtpd[30784]: disconnect from english-breakfast... (unencrypted) It just tracks the TLS status per pid. For smtp there are no connect/disconnect lines in my log. I tried debug_peer* but it is too verbose and still missing a clear connect/disconnect log message. Is there a switch to enable connection logging i missed? Markus -- Markus Benning, https://markusbenning.de/
Re: Postfix with Postscreen and Fail2ban
On Wed, Jan 14, 2015 at 09:16:37PM -0500, David Mehler wrote: > If anyone has this working I'd appreciate knowing how you did it. I'm blocking bad IPs with an policyd based on a scoring. I have several RBLs configured. If multiple RBLs match i do a reject and block the IP with fail2ban. The mtpolicyd is able to talk directly to the fail2ban daemon without the way over the log: https://www.mtpolicyd.org/documentation.html#Mail::MtPolicyd::Plugin::Fail2Ban Markus -- Markus Benning, https://markusbenning.de/
Re: log length in header_checks
On Tue, Nov 04, 2014 at 02:59:21PM +0200, Konstantin wrote: > Now postfix log only first 3 records. Current limit is about 200 > characters. You may want to patch the following line: https://github.com/vdukhovni/postfix/blob/master/postfix/src/global/header_body_checks.c#L457 Markus
Forwarding client information with XCLIENT instead of XFORWARD
Hello, i'm using a before queue content filter setup with smtpd_proxy_filter and smtp_send_xforward_command=yes. So far no problem. But now i want to implement a whitelisting for some checks based on the client IP address in the content filter. The content filter supports both XFORWARD and XCLIENT. Like postfix the content filter uses XFORWARD only for logging. If i send the client information within a XCLIENT command i'm able to defined restrictions/whitelistings based on the (virtual) client address in the content filter. But postfix is only able to send XFORWARD. Is there a reason why theres no option like smtp_send_xclient_command yet? Markus
Re: Support for XCLIENT STRESS=yes/no
Am Donnerstag, den 23.10.2014, 09:42 -0400 schrieb Wietse Venema: > Markus Benning: > > Hello, > > > > i'm using a lot of automated tests to test my postfix configuration. > > The XCLIENT command is very handy for such checks. > > I thought about adding a STRESS parameter to the command to be > > able to also write test plans to test under-stress-behavior. > > It cannot work. Postfix configuration parameters are expanded BEFORE > Postfix initializes the SMTP protocol engine. There is an obvious > chicken-and-egg problem if it were to do this the other way around. > > Wietse I already guessed that this may be the case. But anyways, thank you for your advise. I'll look into this again tomorrow. May be I can just add a seperate smtpd process with hardcoded stress=yes on a private port. Markus
Support for XCLIENT STRESS=yes/no
Hello, i'm using a lot of automated tests to test my postfix configuration. The XCLIENT command is very handy for such checks. I thought about adding a STRESS parameter to the command to be able to also write test plans to test under-stress-behavior. It was easy to add the parameters to the XCLIENT command, but i seems like postfix pre-parses almost every parameter. And changing the stress option at this stage is too late. For example, i could get the banner working by replacing the value with a call to mail_conf lookup: // smtpd_chat_reply(state, "220 %s", var_smtpd_banner); smtpd_chat_reply(state, "220 %s", mail_conf_lookup_eval(VAR_SMTPD_BANNER)); # telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 mail.bla.de mail server (idle) XCLIENT STRESS=yes 220 mail.bla.de mail server (stress) But to be usefull at least the restriction maps/classes must be reloaded. I was unable to find an easy way to achieve this at the XCLIENT state. Any suggestions? Markus
Re: OT: Fail2ban linux
On Sun, Oct 12, 2014 at 03:27:41AM -0300, Julio Cesar Covolato wrote:
> Hi People!
> Anyone has a good rule for postfix smtpd whit fail2ban?
> Sorry for the OT:))
The mtpolicyd policy daemon has a plugin for directly adding IPs to
a fail2ban target without the logging/parsing.
It directly uses the unix socket for communication with the fail2ban
daemon.
https://www.mtpolicyd.org/
Plugin:
http://www.mtpolicyd.org/documentation.html#Mail::MtPolicyd::Plugin::Fail2Ban
For example I use it to create a scoring based on different RBLs, SPF, GeoIP.
Clients with a very bad reputation get rejected and added to fail2ban.
Clients with a dubious reputation get greylisting applied.
Clients with a good reputation just pass.
Since it is a policy daemon it only does SMTP level checks.
For parsing of postfix logs there's already a filter.d/postfix.conf included
with the
fail2ban package.
For amavis log file i use the following configuration:
--- filter.d/amavis.local
[INCLUDES]
before = common.conf
[Definition]
_daemon = amavis
failregex = ^%(__prefix_line)s.*(Blocked|Passed) (INFECTED|SPAM|SPAMMY)
{(RejectedInbound|RelayedTaggedInbound)}, \[\]
ignoreregex =
---
- Markus
Re: blacklist senders to dead addresses?
On Wed, Sep 10, 2014 at 10:30:03AM +0200, Markus Benning wrote: > On Tue, Sep 09, 2014 at 10:52:38PM -0500, Noel Jones wrote: > > But it's not too hard to make such a feature with either a policy > > service (eg. postfwd) or a log scraper (eg. fail2ban or just a shell > > script) to update a blacklist file. > > I'm currently setting up an project for a policy daemon at > > http://www.mtpolicyd.org/ > > I think a Honeypot plugin is a good idea and i'll add one. I just pushed a basic Honeypot plugin to git. Docs: http://www.mtpolicyd.org/documentation.html#Mail::MtPolicyd::Plugin::Honeypot Code: https://github.com/benningm/mtpolicyd/commit/d49f71c444ffc410eafd353c12896e321dee1fba I'm currently testing it on my mail server. Maybe you want to give it also a try. - Markus
Re: blacklist senders to dead addresses?
On Tue, Sep 09, 2014 at 10:52:38PM -0500, Noel Jones wrote: > But it's not too hard to make such a feature with either a policy > service (eg. postfwd) or a log scraper (eg. fail2ban or just a shell > script) to update a blacklist file. I'm currently setting up an project for a policy daemon at http://www.mtpolicyd.org/ I think a Honeypot plugin is a good idea and i'll add one. - Markus
