{"id":287,"date":"2010-05-29T00:47:12","date_gmt":"2010-05-28T23:47:12","guid":{"rendered":"http:\/\/www.nooblet.org\/blog\/?p=287"},"modified":"2013-01-10T02:42:26","modified_gmt":"2013-01-10T02:42:26","slug":"postfwd-example-configuration","status":"publish","type":"post","link":"https:\/\/www.nooblet.org\/blog\/2010\/postfwd-example-configuration\/","title":{"rendered":"PostFWD example configuration"},"content":{"rendered":"

This is something I’ve been tweaking for a few months now. I’ve got it filtering 99% of spam before it hits content filtering.<\/p>\n

Postfix v2.5.5 using PostFWD v1.18 as a policy daemon with PostGrey v1.31 for greylisting.<\/p>\n

## ----------------------------------\r\n# Trusted networks (internal usually)\r\n&&TRUSTED_NETS { \r\n                client_address=192.168.0.0\/16 ;   \r\n};\r\n \r\n# Trusted hostnames\r\n&&TRUSTED_HOSTS { \r\n                client_name~=.nooblet.org$ ;  \r\n};\r\n \r\n# Trusted sasl usernames\r\n&&TRUSTED_USERS { \r\n                sasl_username==stalks ; \r\n};\r\n \r\n# Free mailers we don&#039;t need to greylist\r\n&&FREEMAIL { \r\n                client_name~=.gmx.net$ ; \r\n                client_name~=.web.de$ ;  \r\n                client_name~=.(aol|yahoo|h(ush|ot)mail).co(.uk|m)$ ; \r\n};\r\n \r\n# Static IPs, no need to greylist\r\n# contains freemailers\r\n&&STATIC { \r\n                &&FREEMAIL ; \r\n                client_name~=[.-]static[[.-] ;               \r\n                client_name~=^(mail|smtp|mout|mx)[-]*[0-9]*. ; \r\n};\r\n \r\n# Client reverse != smtp helo\r\n&&BADHELO { \r\n         client_name==!!($$(helo_name)) ; \r\n};\r\n \r\n&&NORDNS { \r\n                client_name==unknown ; \r\n};\r\n \r\n&&DYNAMIC { \r\n                &&NORDNS ; \r\n                client_name~=(-.+){4} ; \r\n                client_name~=d{5} ;     \r\n                client_name~=[_.-]([axt]{0,1}dsl|br(e|oa)dband|ppp|pppoe|dynamic|dynip|adsl|dial(up|in)|pool|dhcp|leased)[_.-] ; \r\n};\r\n&&DYNL { \r\n                rbl=zen.spamhaus.org\/^127.0.0.1[0-1]$\/3600 ; \r\n                rbl=dul.dnsbl.sorbs.net ;      \r\n};\r\n \r\n&&RWL { \r\n                rbl=list.dnswl.org ;                                             \r\n                rbl=hostkarma.junkemailfilter.com\/^127.0.0.1$\/3600 ;          \r\n                rhsbl_client=hostkarma.junkemailfilter.com\/^127.0.0.1$\/3600 ; \r\n};\r\n \r\n&&RBL { \r\n                rbl=zen.spamhaus.org\/^127.0.0.[2-8]$\/3600 ;                   \r\n                rbl=hostkarma.junkemailfilter.com\/^127.0.0.(2|4)$\/3600 ;          \r\n                rbl=bl.spamcop.net ;                                             \r\n                rbl=problems.dnsbl.sorbs.net ;                                   \r\n                rhsbl_client=hostkarma.junkemailfilter.com\/^127.0.0.(2|4)$\/3600 ; \r\n                rhsbl=rhsbl.ahbl.org ;                                           \r\n                rhsbl=rhsbl.sorbs.net ;                                          \r\n};\r\n \r\n##\r\n## Ruleset\r\n##\r\n \r\n# stress-friendly behaviour (will not match on postfix version pre 2.5)\r\nid=STRESS   ;  stress==yes        ;  action=dunno\r\n \r\n# Whitelists (fixed)\r\nid=WL_001   ;  &&TRUSTED_NETS     ;  action=dunno\r\nid=WL_002   ;  &&TRUSTED_HOSTS    ;  action=dunno\r\nid=WL_003   ;  &&TRUSTED_USERS    ;  action=dunno\r\n \r\n# Dynamic Counter\r\nid=DYNL_001 ; &&DYNL ; rblcount=all ; action=set(HIT_dynls=$$rblcount, DYNL_text=$$dnsbltext)\r\n \r\n# DNS Block Lists\r\nid=RBL_001 ; &&RBL ;  \r\n        rhsblcount=all ; rblcount=all ; \r\n        action=set( \r\n                HIT_rbls=$$rblcount, \r\n                HIT_rbls+=$$rhsblcount, \r\n                RBL_text=$$dnsbltext)\r\nid=RBL_002  ; HIT_rbls&gt;=2                  ;  action=REJECT You are listed on $$HIT_rbls RBLs. [$$RBL_text]\r\nid=RBL_003  ; HIT_rbls&gt;=1  ; HIT_dynls&gt;=1  ;  action=REJECT Host listed as dynamic and listed on RBL. [$$RBL_text]\r\nid=RBL_004  ; HIT_rbls&gt;=1  ; &&NORDNS      ;  action=REJECT No reverse DNS and listed on RBL. [$$RBL_text]\r\nid=RBL_005  ; HIT_rbls&gt;=1  ; &&DYNAMIC     ;  action=REJECT Host looks dynamic and listed on RBL. [$$RBL_text]\r\nid=RBL_006  ; HIT_rbls&gt;=1  ; &&BADHELO     ;  action=REJECT (helo $$helo_name) != ($$client_name) and listed on RBL. [$$RBL_text]\r\n \r\n# Whitelists (rwl)\r\nid=RWL_001 ; &&RWL ; \r\n        rhsblcount=all ; rblcount=all ; \r\n        action=set( \r\n                HIT_rwls=$$rblcount, \r\n                HIT_rwls+=$$rhsblcount, \r\n                RWL_text=$$dnsbltext)\r\nid=RWL_002 ; HIT_rwls&gt;=1 ; action=PREPEND X-POSTFWD: Listed on $$HIT_rwls whitelists. [$$RWL_text]\r\n \r\n# Rate limits\r\nid=RATE_001 ;  HIT_rbls&gt;=1  ;  action=rate($$client_address\/1\/300\/450 4.7.1 Throttled. Listed on RBL. Limited to 1 message every 5 minutes. [$$RBL_text])\r\nid=RATE_002 ;  HIT_dynls&gt;=1 ;  action=rate($$client_address\/1\/300\/450 4.7.1 Throttled. Listed as dynamic. Limited to 1 message every 5 minutes.)\r\nid=RATE_003 ;  &&NORDNS     ;  action=rate($$client_address\/1\/300\/450 4.7.1 Throttled. No reverse DNS. Limited to 1 message every 5 minutes.)\r\nid=RATE_004 ;  &&DYNAMIC    ;  action=rate($$client_address\/1\/300\/450 4.7.1 Throttled. Host is probably dynamic. Limited to 1 message every 5 minutes.)\r\n \r\n# Selective greylist\r\nid=GREY_001 ;  action=greylist        ;  HIT_rbls&gt;=1\r\nid=GREY_002 ;  action=dunno           ;  &&STATIC\r\nid=GREY_003 ;  action=dunno           ;  $$client_name~=$$(sender_domain)$\r\nid=GREY_004 ;  action=dunno           ;  HIT_rwls&gt;=1\r\nid=GREY_005 ;  action=greylist        ;  HIT_dynls&gt;=1\r\nid=GREY_006 ;  action=greylist        ;  &&DYNAMIC\r\n## greylist should be safe during out-of-office-hours\r\n# id=GREY_007 ;  action=greylist        ;  days=Sat-Sun\r\n# id=GREY_008 ;  action=greylist        ;  days=Mon-Fri ; time=!!06:00:00-20:00:0<\/pre>\n","protected":false},"excerpt":{"rendered":"
This is something I’ve been tweaking for a few months now. I’ve got it filtering 99% of spam before it hits content filtering. Postfix v2.5.5 using PostFWD v1.18 as a policy daemon with PostGrey v1.31 for greylisting. ## ———————————- # Trusted networks (internal usually) &&TRUSTED_NETS { client_address=192.168.0.0\/16 ; }; # Trusted hostnames &&TRUSTED_HOSTS { client_name~=.nooblet.org$ […]<\/p>\n","protected":false},"author":1,"featured_media":647,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[233,102,126,127],"class_list":["post-287","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-mail","tag-postfix","tag-postfwd"],"_links":{"self":[{"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/posts\/287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/comments?post=287"}],"version-history":[{"count":2,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/posts\/287\/revisions"}],"predecessor-version":[{"id":690,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/posts\/287\/revisions\/690"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/media\/647"}],"wp:attachment":[{"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/media?parent=287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/categories?post=287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nooblet.org\/blog\/wp-json\/wp\/v2\/tags?post=287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}