From 548dfb250399802d0908fb7e93e24a4656e7e0f2 Mon Sep 17 00:00:00 2001 From: marcelloc Date: Mon, 5 Sep 2011 15:32:33 -0300 Subject: Postfix Forwarder package v2 postfix + postscreen + rbl + spf + ldap search Author: marcelloc --- config/postfix/adexport.pl | 189 ++++++++++ config/postfix/postfix.inc | 651 +++++++++++++++++++++++++++++++-- config/postfix/postfix.xml | 150 +++++++- config/postfix/postfix_acl.xml | 208 +++++++++++ config/postfix/postfix_antispam.xml | 268 ++++++++++++++ config/postfix/postfix_recipientes.php | 4 + config/postfix/postfix_recipients.xml | 207 +++++++++++ config/postfix/postfix_sync.xml | 167 +++++++++ config/postfix/postfix_syslog.php | 5 + config/postfix/postfix_view_config.php | 111 ++++++ 10 files changed, 1932 insertions(+), 28 deletions(-) create mode 100755 config/postfix/adexport.pl create mode 100644 config/postfix/postfix_acl.xml create mode 100644 config/postfix/postfix_antispam.xml create mode 100644 config/postfix/postfix_recipientes.php create mode 100644 config/postfix/postfix_recipients.xml create mode 100644 config/postfix/postfix_sync.xml create mode 100644 config/postfix/postfix_syslog.php create mode 100644 config/postfix/postfix_view_config.php (limited to 'config/postfix') diff --git a/config/postfix/adexport.pl b/config/postfix/adexport.pl new file mode 100755 index 00000000..185848f1 --- /dev/null +++ b/config/postfix/adexport.pl 
@@ -0,0 +1,189 @@
+#!/usr/bin/perl -w
+##############################################################################
+#
+# Script to export a list of all email addresses from Active Directory
+# Brian Landers
+#
+# This code is in the public domain. Your use of this code is at your own
+# risk, and no warranty is implied. The author accepts no liability for any
+# damages or risks incurred by its use.
+#
+##############################################################################
+# This script would be most useful for generating an access.db file on a
+# sendmail gateway server. You would run it to generate a list of all
+# valid email addresses, then insert those addresses into access.db as
+# follows:
+#
+# To:bob@example.com RELAY
+# To:jim@example.com RELAY
+# To:joe@example.com RELAY
+#
+# Then, you'd create a default entry for the domain that rejects all other
+# recipients (since if they're not in the list, they're by definition invalid).
+#
+# To:example.com ERROR:"User unknown"
+#
+# For this to work, you need to have "example.com" in your relay-domains
+# file (normally /etc/mail/relay-domains), and you need to enable the
+# "blacklist_recipients" FEATURE in your sendmail.mc file.
+#
+# FEATURE(`blacklist_recipients')
+#
+# See also my genaccessdb script at packetslave.com for ideas on how to
+# generate the access.db file from this list of addresses
+#
+##############################################################################
+# $Id: adexport,v 1.2 2011/08/20 23:30:52 blanders Exp $
+
+use strict;
+$|++;
+
+use Net::LDAP;
+use Net::LDAP::Control::Paged;
+use Net::LDAP::Constant qw( LDAP_CONTROL_PAGED );
+
+#our ($cn,$passwd,$base);
+#($cn,$passwd,$base)=@_ARGV;
+#print "$cn \n $passwd \n $base";
+#exit;
+
+# ---- Constants ----
+our $bind = $ARGV[2].','.$ARGV[1]; # AD account
+our $passwd = $ARGV[3]; # AD password
+our $base = $ARGV[1]; # Start from root
+our @servers;
+push (@servers,$ARGV[0]);
+our $filter = '(|(objectClass=publicFolder)(&(sAMAccountName=*)(mail=*)))';
+# -------------------
+
+
+# We use this to keep track of addresses we've seen
+my %gSeen;
+
+# Connect to the server, try each one until we succeed
+my $ldap = undef;
+foreach( @servers ) {
+ $ldap = Net::LDAP->new( $_ );
+ last if $ldap;
+
+ # If we get here, we didn't connect
+ die "Unable to connect to any LDAP servers!\n";
+}
+
+# Create our paging control. Exchange has a maximum recordset size of
+# 1000 records by default. We have to use paging to get the full list.
+
+my $page = Net::LDAP::Control::Paged->new( size => 100 );
+
+# Try to bind (login) to the server now that we're connected
+my $msg = $ldap->bind( dn => $bind,
+ password => $passwd
+ );
+
+# If we can't bind, we can't continue
+if( $msg->code() ) {
+ die( "error while binding:", $msg->error_text(), "\n" );
+}
+
+# Build the args for the search
+my @args = ( base => $base,
+ scope => "subtree",
+ filter => $filter,
+ attrs => [ "proxyAddresses" ],
+ callback => \&handle_object,
+ control => [ $page ],
+ );
+
+# Now run the search in a loop until we run out of results. This code
+# is taken pretty much directly from the example code in the perldoc
+# page for Net::LDAP::Control::Paged
+
+my $cookie;
+while(1) {
+ # Perform search
+ my $mesg = $ldap->search( @args );
+
+ # Only continue on LDAP_SUCCESS
+ $mesg->code and last;
+
+ # Get cookie from paged control
+ my($resp) = $mesg->control( LDAP_CONTROL_PAGED ) or last;
+ $cookie = $resp->cookie or last;
+
+ # Set cookie in paged control
+ $page->cookie($cookie);
+}
+
+if( $cookie ) {
+ # We had an abnormal exit, so let the server know we do not want any more
+ $page->cookie($cookie);
+ $page->size(0);
+ $ldap->search( @args );
+}
+
+# Finally, unbind from the server
+$ldap->unbind;
+
+# ------------------------------------------------------------------------
+# Callback function that gets called for each record we get from the server
+# as we get it. We look at the type of object and call the appropriate
+# handler function
+#
+
+sub handle_object {
+
+ my $msg = shift; # Net::LDAP::Message object
+ my $data = shift; # May be Net::LDAP::Entry or Net::LDAP::Reference
+
+ # Only process if we actually got data
+ return unless $data;
+
+ return handle_entry( $msg, $data ) if $data->isa("Net::LDAP::Entry");
+ return handle_reference( $msg, $data ) if $data->isa("Net::LDAP::Reference");
+
+ # If we get here, it was something we're not prepared to handle,
+ # so just return silently.
+
+ return;
+}
+
+# ------------------------------------------------------------------------
+# Handler for a Net::LDAP::Entry object. This is an actual record. We
+# extract all email addresses from the record and output only the SMTP
+# ones we haven't seen before.
+
+sub handle_entry {
+
+ my $msg = shift;
+ my $data = shift;
+
+ # Extract the email addressess, selecting only the SMTP ones, and
+ # filter them so that we only get unique addresses
+
+ my @mails = grep { /^smtp:/i && !$gSeen{$_}++ }
+ $data->get_value( "proxyAddresses" );
+
+ # If we found any, strip off the SMTP: identifier and print them out
+ if( @mails ) {
+ print map { s/^smtp:(.+)$/\L$1\n/i; $_ } @mails;
+ }
+}
+
+# ------------------------------------------------------------------------
+# Handler for a Net::LDAP::Reference object. This is a 'redirect' to
+# another portion of the directory. We simply extract the references
+# from the object and resubmit them to the handle_object function for
+# processing.
+
+sub handle_reference {
+
+ my $msg = shift;
+ my $data = shift;
+
+ foreach my $obj( $data->references() ) {
+
+ # Oooh, recursion! Might be a reference to another reference, after all
+ return handle_object( $msg, $obj );
+ }
+}
+
diff --git a/config/postfix/postfix.inc b/config/postfix/postfix.inc
index cf470c8f..2a762ae4 100644
--- a/config/postfix/postfix.inc
+++ b/config/postfix/postfix.inc
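Review bot: The bind password arrives in `$ARGV[3]` and is used for a simple bind on the plain `Net::LDAP->new( $_ )` connection, so it is visible to every local user in the process list for the life of the script and crosses the network in cleartext; read it from STDIN or an environment variable instead and call `$ldap->start_tls` (or connect with `scheme => 'ldaps'`) before `$ldap->bind`. The connect loop also never reaches a second server, because the `die` sits inside the `foreach` and runs as soon as the first `Net::LDAP->new` returns undef; what the comment describes is `die "Unable to connect to any LDAP servers!\n" unless $ldap;` placed after the loop. In handle_reference the `return` inside the `foreach` stops after the first reference, so sibling references are silently dropped; drop the `return` and just call `handle_object( $msg, $obj );`.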
@@ -27,50 +27,523 @@ POSSIBILITY OF SUCH DAMAGE. */ - require_once("util.inc"); +require_once("functions.inc"); +require_once("pkg-utils.inc"); +require_once("globals.inc"); -function sync_package_postfix() { +function px_text_area_decode($text){ + return preg_replace('/\r\n/', "\n",base64_decode($text)); +} + +function px_get_real_interface_address($iface) { global $config; + $iface = convert_friendly_interface_to_real_interface_name($iface); + $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6")); + list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line); + return array($ip, long2ip(hexdec($netmask))); +} +function sync_relay_recipients($via_cron="cron"){ + global $config; + #relay recipients + if ($config['installedpackages']['postfixrecipients']['config']) { + $relay_recipients=""; + $relay_ldap_recipients=""; + $ad_export="/usr/local/etc/postfix/adexport.pl"; + foreach ($config['installedpackages']['postfixrecipients']['config'] as $postfix_recipients_config) { + if($postfix_recipients_config['location'] && file_exists($postfix_recipients_config['location'])) + $relay_recipients .= file_get_contents($postfix_recipients_config['location']); + if($postfix_recipients_config['custom_recipients']) + $relay_recipients .= px_text_area_decode($postfix_recipients_config['custom_recipients']); + if($postfix_recipients_config['enable_ldap']){ + #validate cront job + if(preg_match("/(\d+)(\w)/",$postfix_recipients_config['freq'],$matches)){ + $cron_sufix="\t*\t*\troot\t/usr/local/bin/php /usr/local/www/postfix_recipientes.php"; + switch ($matches[2]){ + case m: + $cron= "*/".$matches[1]."\t*\t*".$cron_sufix; + break; + case h: + $cron= "0\t*/".$matches[1]."\t*".$cron_sufix; + break; + case d: + $cron= "0\t0\t*/".$matches[1].$cron_sufix; + break; + default: + $input_errors[] = "A valid number with a time reference is required for the field 'Frequency'"; + } + #update cront job file + $crontab = file('/etc/crontab'); + foreach ($crontab as $line) + 
$new_cron.=(preg_match("/postfix_recipientes.php/",$line)?$cron."\n":$line); + #include if conf does not exist in crontab + $new_cron.=(!preg_match("/postfix_recipientes.php/",$new_cron)?"\n".$cron."\n\n":""); + file_put_contents("/etc/crontab",$new_cron, LOCK_EX); + #check crontab changes + $md5_new_file = trim(md5_file('/etc/crontab')); + if(file_exists('/etc/crontab.md5')) + $md5_old_file = trim(file_get_contents('/etc/crontab.md5')); + if($md5_new_file <> $md5_old_file){ + mwexec('/usr/bin/killall -HUP cron'); + file_put_contents("/etc/crontab.md5",$md5_new_file, LOCK_EX); + } + } + $relay_ldap_recipients=""; + if ($via_cron == "gui"){ + #running via pfsense gui, not time for ldap fetch. + $ldap_recipients='/usr/local/etc/postfix/relay_ldap_recipients.txt'; + if (!file_exists($ldap_recipients)) + system('/usr/bin/touch '. $ldap_recipients); + $relay_ldap_recipients=file_get_contents($ldap_recipients); + } + else{ + #running via crontab, time to get ldap content. + $ldap_temp=array(); + foreach ($postfix_recipients_config['row'] as $postfix_ldap) { + print "extracting from ".$postfix_ldap['dc']."..."; + $filename="/usr/local/etc/postfix/relay_ldap_recipients.".$postfix_ldap['dc'].".txt"; + exec($ad_export." ".$postfix_ldap['dc']." ".$postfix_ldap['cn']." ".$postfix_ldap['username']." ".$postfix_ldap['password'],$ldap_fetch,$status); + if ($status == 0){ + #write backup conf for ldap server + $fp=fopen($filename,"w+"); + foreach($ldap_fetch as $key => $value) + fwrite($fp,$value."\n"); + fclose($fp); + } + else{ + if (file_exists($filename)) { + #LDAP fetch failed...read backup file. + print "Restoring backup file for ".$postfix_ldap['dc']."..."; + $ldap_fetch=file($filename); + } + else{ + #we never got any info from this server. 
+ print "There is no backup file for ".$postfix_ldap['dc']."..."; + $ldap_fetch=array(); + } + } + $ldap_all = array_merge($ldap_temp,$ldap_fetch); + $ldap_temp=$ldap_all; + print "(".count($ldap_fetch).")\n"; + $ldap_fetch=array(); + } + $ldap_unique=array_unique($ldap_all); + print "Total ldap recipients:".count($ldap_all)."\tunique:".count($ldap_unique)."\n"; + foreach($ldap_unique as $recipient) + $relay_ldap_recipients.=($recipient != ""?$recipient." OK\n":""); + + #save ldap relay recipients + file_put_contents("/usr/local/etc/postfix/relay_ldap_recipients.txt",$relay_ldap_recipients, LOCK_EX); + } + } + } + #save all relay recipients and reload postfix + file_put_contents("/usr/local/etc/postfix/relay_recipientes",$relay_ldap_recipients."\n".$relay_recipients, LOCK_EX); + exec("/usr/local/sbin/postmap /usr/local/etc/postfix/relay_recipientes"); + mwexec("/usr/local/sbin/postfix reload"); + } + if($relay_recipients !="" || $relay_ldap_recipients!="") + return("relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipientes\n"); +} +function sync_package_postfix() { + global $config; $relay_domains = ""; $transport = ""; - $message_size_limit = "10240000"; - - if (is_array($config['installedpackages']['postfix']['config'])) { - foreach ($config['installedpackages']['postfix']['config'] as $postfix_config) { - if (isset($postfix_config['message_size_limit'])) - $message_size_limit = $postfix_config['message_size_limit']; - if (is_array($postfix_config['row'])) { - foreach ($postfix_config['row'] as $postfix_row) { - $relay_domains .= ' ' . $postfix_row['domain']; - if (!empty($postfix_row['mailserverip'])) - $transport .= $postfix_row['domain'] . " smtp:[" . $postfix_row['mailserverip'] . 
"]\n"; + $postfix_config=$config['installedpackages']['postfix']['config'][0]; + $message_size_limit=($postfix_config['message_size_limit']?$postfix_config['message_size_limit']:"10240000"); + $process_limit=($postfix_config['process_limit']?$postfix_config['process_limit']:"100"); + if (is_array($postfix_config['row'])) { + foreach ($postfix_config['row'] as $postfix_row) { + $relay_domains .= ' ' . $postfix_row['domain']; + if (!empty($postfix_row['mailserverip'])) + $transport .= $postfix_row['domain'] . " smtp:[" . $postfix_row['mailserverip'] . "]\n"; } } + #check logging + if ($postfix_config['log_to']){ + switch($postfix_config['log_to']){ + case 'maillog': + system("/usr/bin/touch /var/log/maillog"); + $mail_syslog="mail.crit;"; + break; + case 'none': + $mail_syslog="mail.crit;"; + break; + default: + $mail_syslog='mail.*;'; + break; + } + #update /etc/inc/system.inc + $sys_log_file='/etc/inc/system.inc'; + $sys_log = file($sys_log_file); + $new_sys_log=""; + $found_mail=0; + foreach ($sys_log as $line){ + $new_line=preg_replace('/mail.(.|crit);/',$mail_syslog,$line); + #set syslog entry mail.* %/var/log/maillog when log_to = system + if (preg_match ('/mail.(.|crit);/',$line) && $postfix_config['log_to'] =="maillog") + $new_sys_log .= 'mail.*'."\t\t\t\t\t\t".'/var/log/maillog'."\n"; + #remove syslog entry mail.* %/var/log/maillog when log_to != system + if (preg_match ("/^mail/",$line)) + $new_sys_log .=""; + else + $new_sys_log .= $new_line; + } + file_put_contents($sys_log_file,$new_sys_log, LOCK_EX); + #mwexec('/usr/local/bin/php -q /usr/local/www/postfix_syslog.php'); + #restart syslog daemon + system_syslogd_start(); + } + + /* + #insert new syslog definition + if (preg_match("/.*mail.crit.(.*)/",$line,$matches)){ + if ($postfix_config['log_to'] == "/var/log/system.log"){ + system("/usr/bin/touch /var/log/maillog"); + $new_sys_log .= $postfix_log.$matches[1]."\n".$line; + } + else + {$new_sys_log .= $postfix_log.$postfix_log_sufix."\n".$line;} + } + 
else{ + #remove previous syslog definition + $new_sys_log .= (preg_match("/mail.(info|debug|log)/",$line)?"":$line); + } + } + file_put_contents($sys_log_file,$new_sys_log, LOCK_EX); + + } + + #update /var/etc/syslog.conf + $sys_log_file="/var/etc/syslog.conf"; + $sys_log = file($sys_log_file); + $postfix_log .= $postfix_log_sufix; + $new_sys_log=""; + foreach ($sys_log as $line) + $new_sys_log.=(preg_match("/mail.(info|debug|log)/",$line)?$postfix_log."\n":$line); + #include if conf does not exist in crontab + $new_sys_log.=(!preg_match("/mail.(info|debug|log)/",$new_sys_log)?"\n".$postfix_log."\n\n":""); + file_put_contents($sys_log_file,$new_sys_log, LOCK_EX); + #check crontab changes + $md5_new_file = trim(md5_file($sys_log_file)); + $md5_old_file = trim(file_get_contents($sys_log_file.'.md5')); + if($md5_new_file <> $md5_old_file){ + mwexec('/usr/bin/killall -HUP syslogd'); + file_put_contents($sys_log_file.'.md5',$md5_new_file, LOCK_EX); } + */ + #} + + #check_debug + if($postfix_config['debug_list'] && $postfix_config['debug_list']!=""){ + $check_debug ="\n#Debugging postfix\n"; + $check_debug.="debug_peer_list = ".px_text_area_decode($postfix_config['debug_list'])."\n"; + $check_debug.="debug_peer_level = ".$postfix_config['debug_level']."\n\n"; } + #check relay recipients + $all_relay_recipients=sync_relay_recipients('gui'); + + $copyright=<< $iface) { + $real_ifaces[] = px_get_real_interface_address($iface); + if($real_ifaces[$i][0]) { + $postfix_master .=$real_ifaces[$i][0].":25 inet n - n - 1 postscreen\n"; + $postfix_master .=($antispam['soft_bounce'] == "postscreen"?" 
-o soft_bounce=yes\n":""); + } + } + $postfix_master .= $postfix_inets.<< $iface) { + $real_ifaces[] = px_get_real_interface_address($iface); + if($real_ifaces[$i][0]) { + $postfix_master .=$real_ifaces[$i][0].":25 inet n - n - 1 smtpd\n"; + } + } + + } + $rbl2.=($rbl2 !=""?"\t\t\t\tpermit\n":"permit\n"); + $postfix_main=preg_replace("/RBLRBLRBL/",$rbl2,$postfix_main); + $postfix_master .= << $value) { if (empty($value)) continue; + if($key == "greet_time" && !preg_match("/(\d+),(\d+)(s|m|h|w)/",$value)) + $input_errors[] = "Wrong greet time sintax."; + if($key == "message_size_limit" && !is_numeric($value)) + $input_errors[] = "Message size limit must be numeric."; + if($key == "process_limit" && !is_numeric($value)) + $input_errors[] = "Process limit must be numeric."; + if($key == "freq" && (!preg_match("/^\d+(h|m|d)$/",$value) || $value == 0)) + $input_errors[] = "A valid number with a time reference is required for the field 'Frequency'"; + if (substr($key, 0, 2) == "dc" && !is_hostname($value)) + $input_errors[] = "{$value} is not a valid host name."; if (substr($key, 0, 6) == "domain" && is_numeric(substr($key, 6))) { if (!is_domain($value)) $input_errors[] = "{$value} is not a valid domain name."; @@ -103,6 +592,9 @@ function postfix_validate_input($post, &$input_errors) { } function postfix_php_install_command() { + #small freebsd packages for full functional ldap and spf options + system('/usr/sbin/pkg_add -r postfix-policyd-spf'); + system('/usr/sbin/pkg_add -r p5-perl-ldap'); sync_package_postfix(); } 
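Review bot: In sync_relay_recipients the line `exec($ad_export." ".$postfix_ldap['dc']." ".$postfix_ldap['cn']." ".$postfix_ldap['username']." ".$postfix_ldap['password'],$ldap_fetch,$status);` splices four config values into a shell command unquoted, and postfix_validate_input only checks `dc` with is_hostname, so a `cn`, `username` or `password` containing spaces or shell metacharacters breaks the command or is interpreted by the shell; wrap each value in `escapeshellarg()`. The password also becomes an argv of the perl process and is readable in `ps` while the fetch runs; passing it via the environment or STDIN would need a matching change in adexport.pl. The `switch ($matches[2])` uses bare constants `case m:`, `case h:`, `case d:` — PHP falls back to the constant's name with a notice, so it works by accident; quote them as `case 'm':` etc. `$input_errors[]` assigned in the `default:` branch is a local nobody reads, and `$md5_old_file` is undefined on the first run when /etc/crontab.md5 does not yet exist. The main.cf/master.cf heredocs in sync_package_postfix are mangled in this rendering and were not reviewed.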
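Review bot: The two `pkg_add` calls added to postfix_php_install_command ignore their exit status, so a failed or unreachable package fetch goes unnoticed and `sync_package_postfix()` still runs with the SPF policy daemon or Net::LDAP missing. Capture it with `system('/usr/sbin/pkg_add -r postfix-policyd-spf', $rc);` followed by `if ($rc != 0) log_error("[postfix] pkg_add postfix-policyd-spf failed (rc={$rc})");`, and likewise for p5-perl-ldap. `pkg_add -r` with no version also installs whatever the mirror serves at install time, which may be intended but deserves a one-line comment.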
@@ -114,4 +606,117 @@ function postfix_php_deinstall_command() { conf_mount_ro(); } -?> \ No newline at end of file +/* Uses XMLRPC to synchronize the changes to a remote node */ +function postfix_sync_on_changes() { + global $config, $g; + log_error("[postfix] postfix_xmlrpc_sync.php is starting."); + $synconchanges = $config['installedpackages']['postfixsync']['config'][0]['synconchanges']; + if(!$synconchanges) + return; + foreach ($config['installedpackages']['postfixsync']['config'] as $rs ){ + foreach($rs['row'] as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if($password && $sync_to_ip) + postfix_do_xmlrpc_sync($sync_to_ip, $password); + } + } + log_error("[postfix] postfix_xmlrpc_sync.php is ending."); +} + +/* Do the actual XMLRPC sync */ +function postfix_do_xmlrpc_sync($sync_to_ip, $password) { + global $config, $g; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['postfix'] = $config['installedpackages']['postfix']; + $xml['postfixacl'] = $config['installedpackages']['postfixacl']; + $xml['postfixrecipients'] = $config['installedpackages']['postfixrecipients']; + $xml['postfixantispam'] = $config['installedpackages']['postfixantispam']; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("Beginning Postfix XMLRPC sync to 
{$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after 250 seconds */ + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting postfix XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "Postfix Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting postfix XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "Postfix Settings Sync", ""); + } else { + log_error("Postfix XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell postfix to reload our settings on the destionation sync host. 
*/ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/postfix.inc');\n"; + $execcmd .= "sync_package_postfix();"; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("postfix XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting postfix XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "postfix Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting postfix XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "postfix Settings Sync", ""); + } else { + log_error("postfix XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + +} + +?> diff --git a/config/postfix/postfix.xml b/config/postfix/postfix.xml index 831be1e4..11d0c92a 100644 --- a/config/postfix/postfix.xml +++ b/config/postfix/postfix.xml @@ -10,8 +10,10 @@ postfix.xml part of the Postfix package for pfSense Copyright (C) 2010 Erik Fonnesbeck + Copyright (C) 2011 Marcello Coutinho + All rights reserved. - */ + */ /* ========================================================================== */ /* Redistribution and use in source and binary forms, with or without @@ -42,8 +44,8 @@ Describe your package requirements here Currently there are no FAQ items provided. postfix - 1.1 - Services: Postfix Forwarder + 1.2 + Services: Postfix relay and antispam /usr/local/pkg/postfix.inc Postfix Forwarder 
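Review bot: In postfix_do_xmlrpc_sync the merge request's failure branches (`!$resp` and `faultCode()`) only log and notify, and the function then still sends the `pfsense.exec_php` reload, so a node that rejected or never received the config is told to run `sync_package_postfix()` on its old settings; add `return;` after each `file_notice("sync_settings", ...)` in the first block. `$synchronizetoip` is never initialised when `$config['system']['webgui']['protocol']` is empty, so the later `.= $sync_to_ip` builds a URL with no scheme, and `$xmlrpc_sync_neighbor` is assigned but never used. On a fault the message is re-sent with `setDebug(1)`, which appears to print the request and response, sync password included, into the page output; if the retry is kept, log the fault code instead of dumping the payload.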
@@ -61,19 +63,157 @@ /usr/local/pkg/ 0755 + + http://www.pfsense.org/packages/config/postfix/postfix_acl.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_recipients.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_antispam.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_sync.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_view_config.php + /usr/local/www/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_recipients.php + /usr/local/www/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/adexport.pl + /usr/local/etc/postfix + 0755 + + + + General + /pkg_edit.php?xml=postfix.xml&id=0 + + + + ACLs / Filter Maps + /pkg_edit.php?xml=postfix_acl.xml&id=0 + + + Valid recipients + /pkg_edit.php?xml=postfix_recipients.xml&id=0 + + + Antispam + /pkg_edit.php?xml=postfix_antispam.xml&id=0 + + + XMLRPC Sync + /pkg_edit.php?xml=postfix_sync.xml&id=0 + + + View config files + /postfix_view_config.php + + Postfix General Settings listtopic + + Enable Postfix + enable_postfix + checkbox + + + + Listen interface(s) + enabled_interface + Do not listen on WAN without a good "antispam/close relay" configuration.]]> + interfaces_selection + + loopback + + Maximum message size message_size_limit input + 10 This setting governs the largest message size that will be accepted by this mail server. Ensure you have enough space to accommodate this size, and ensure this setting matches or is lower than the destination server(s).<br/>Default: 10240000 (10MB). + + Process Limit + process_limit + input + 10 + + The default maximal number of Postfix child processes that provide a given service.<br/>Default: 100 + + + + custom main.cf options + maincf + Paste your custom code here. 
This code will be included at main.cf postfix file + textarea + 70 + 03 + base64 + + + Logging + listtopic + + + Destination + log_to + + Using system log you can forward logging to a syslog server.
+ Status -> system Logs -> Settings]]>
+ select + + + + + +
+ + + Debug peer list + debug_list + + When an SMTP client or server host name or address matches a pattern, increase the verbose logging level by the amount specified in the "debug_peer_level" parameter.]]> + textarea + 70 + 3 + base64 + + + Debug peer level + debug_level + + select + + + + + + + + + Domains to Forward listtopic @@ -88,14 +228,14 @@ domain Enter the domain here (ex: example.com) input - 20 + 30 Mail Server IP mailserverip Enter the mail server IP to forward to here. input - 20 + 40 diff --git a/config/postfix/postfix_acl.xml b/config/postfix/postfix_acl.xml new file mode 100644 index 00000000..9c59c102 --- /dev/null +++ b/config/postfix/postfix_acl.xml @@ -0,0 +1,208 @@ + + + + + + + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + postfixacl + 1.0 + Services: Postfix relay and antispam + /usr/local/pkg/postfix.inc + + Postfix Antispam and mail Relay + Configure Postfix Forwarder +
Services
+ pkg_edit.php?xml=postfix.xml&id=0 +
+ + postfix + postfix.sh + master + + + http://www.pfsense.org/packages/config/postfix/postfix.inc + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_acl.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_recipients.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_antispam.xml + /usr/local/pkg/ + 0755 + + + + http://www.pfsense.org/packages/config/postfix/postfix_sync.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_view_config.php + /usr/local/www/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_recipients.php + /usr/local/www/ + 0755 + + + + General + /pkg_edit.php?xml=postfix.xml&id=0 + + + ACLs / Filter Maps + /pkg_edit.php?xml=postfix_acl.xml&id=0 + + + + Valid recipients + /pkg_edit.php?xml=postfix_recipients.xml&id=0 + + + Antispam + /pkg_edit.php?xml=postfix_antispam.xml&id=0 + + + XMLRPC Sync + /pkg_edit.php?xml=postfix_sync.xml&id=0 + + + View config files + /postfix_view_config.php + + + + + Filters while receiving mail + listtopic + + + Header + header_maps + REGEXP filters that are applied to initial message headers(except for the headers that are processed with mime_header_checks Hint:
+ /^Subject: viagra|cialis|levitra|day price:/i REJECT
+ /^From: spammer@myspam.net/i REJECT
+ /^From: *@mytrustdomain OK
+ See http://www.postfix.org/header_checks.5.html for more help]]> +
+ textarea + 80 + 10 + base64 +
+ + MIME + mime_maps + REGEXP filters that are applied to MIME related message headers only. Hint:
+ /^name=[^>]*\.(com|vbs|js|jse|exe|bat|cmd|vxd|scr|hlp|pif|shs|ini|dll)/ REJECT W do not allow files of type "$3" because of security concerns - "$2" caused the block.
+ /^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|drv|em(ai)?l|ex[_e]|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed]]> +
+ textarea + 80 + 10 + base64 +
+ + body + body_maps + REGEXP filters that are applied to all other content, including multi-part message boundaries. Hint:
+ # First skip over base 64 encoded text to save CPU cycles.
+ ~^[[:alnum:]+/]{60,}$~ OK]]> +
+ textarea + 80 + 10 + base64 +
+ + + Client Access List + listtopic + + + CIDR + cal_cidr + + This list is used by postfix/postscreen to check who has access or not to this relay. Hint:
+ 192.168.3.2 OK
spammer.junkdomain.com REJECT]]> +
+ textarea + 80 + 10 + base64 +
+ + REGEXP + cal_regexp + + This list is used by postfix to check who has access or not to this relay.Hint:
+ /.*\.dsl\..*/ REJECT DSLs not allowed
+ /.*\.adsl\..*/ REJECT DSLs not allowed]]> +
+ textarea + 80 + 10 + base64 +
+
+ + postfix_php_install_command(); + + + postfix_php_deinstall_command(); + + + postfix_validate_input($_POST, &$input_errors); + + + sync_package_postfix(); + +
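Review bot: The `cal_cidr` hint lists `spammer.junkdomain.com REJECT`, but a Postfix cidr table only accepts IP addresses or networks with an optional mask, so a user who follows the example gets a line Postfix will not parse as a network pattern; keep hostname examples in the `cal_regexp` hint and use something like `10.0.0.0/8 REJECT` here. The `header_maps` description has an unclosed parenthesis after `mime_header_checks`. The validation hook passes `&$input_errors` at call time even though postfix_validate_input already declares that parameter by reference; on PHP 5.3+ that emits a call-time pass-by-reference deprecation warning and the `&` can simply be dropped — the same call appears in postfix_antispam.xml.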
diff --git a/config/postfix/postfix_antispam.xml b/config/postfix/postfix_antispam.xml new file mode 100644 index 00000000..ef794776 --- /dev/null +++ b/config/postfix/postfix_antispam.xml @@ -0,0 +1,268 @@ + + + + + + + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + postfix_antispam + 1.0 + Services: Postfix relay and antispam + /usr/local/pkg/postfix.inc + + Postfix Antispam and mail Relay + Configure Postfix Forwarder +
Services
+ pkg_edit.php?xml=postfix_antispam.xml&id=0 +
+ + postfix + postfix.sh + master + + + http://www.pfsense.org/packages/config/postfix/postfix.inc + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_acl.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_recipients.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_antispam.xml + /usr/local/pkg/ + 0755 + + + + http://www.pfsense.org/packages/config/postfix/postfix_sync.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_view_config.php + /usr/local/www/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_recipients.php + /usr/local/www/ + 0755 + + + + General + /pkg_edit.php?xml=postfix.xml&id=0 + + + ACLs / Filter Maps + /pkg_edit.php?xml=postfix_acl.xml&id=0 + + + Valid recipients + /pkg_edit.php?xml=postfix_recipients.xml&id=0 + + + Antispam + /pkg_edit.php?xml=postfix_antispam.xml&id=0 + + + + XMLRPC Sync + /pkg_edit.php?xml=postfix_sync.xml&id=0 + + + View config files + /postfix_view_config.php + + + + + Postfix Antispam Settings + listtopic + + + Header verification + header_check + select + + + + + Enable sender, client, recipients and rfc verification + + + Zombie blocker + zombie_blocker + + Use postfix 2.8 Postscreen feature to detect zombie spammers]]> + + select + + + + + + + + + greet wait time + greet_time + input + 10 + syntax: 2,6s   (default: up to 2 seconds under stress, up to 6 seconds otherwise)
+ The amount of time that postscreen will wait for an SMTP client to send a command before its turn, and for DNS blocklist lookup results to arrive .
+ Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit).
+ Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).]]> +
+
+ + After greeting tests + after_greeting + + Postscreen After greeting tests. All these options are recomended.]]> + + select + + + + + + + + 10 + + + + Soft Bounce + soft_bounce + select + + + + + + + This parameter disables locally-generated bounces, and prevents the Postfix SMTP server from rejecting mail permanently, by changing 5xx reply codes into 4xx.
+ However, soft_bounce is no cure for address rewriting mistakes or mail routing mistakes.]]> +
+
+ + RBL server List + rbl_servers + + Check some rbl servers at http://www.anti-abuse.org/multi-rbl-check/

+ You can also create a local rbl dns server to whitelist some hosts/domains
+ See how it works in http://www.postfix.org/postconf.5.html#postscreen_dnsbl_sites]]> +
+ textarea + 70 + 03 +
+ + RBL threshold + rbl_threshold + How many RBL Lists Postscreen must find clien's ip address to block sender. + select + + + + + + + + + + SPF lookup + postfix_spf + checkbox + + The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery.]]> + + + + + listtopic + + + Use Third part antispam + antispam_enabled + checkbox + + + + Software + antispam_software + Select Third part solution to use. See postfix forwarder package info page for instaling instructions + select + + + + + + + Policydv2 Location + antispam_location + inet:ipaddress:port of antispam server if it is not installed local. + input + 50 + +
+ + postfix_php_install_command(); + + + postfix_php_deinstall_command(); + + + postfix_validate_input($_POST, &$input_errors); + + + sync_package_postfix(); + +
diff --git a/config/postfix/postfix_recipientes.php b/config/postfix/postfix_recipientes.php
new file mode 100644
index 00000000..0deb2f79
--- /dev/null
+++ b/config/postfix/postfix_recipientes.php
@@ -0,0 +1,4 @@
+
\ No newline at end of file
diff --git a/config/postfix/postfix_recipients.xml b/config/postfix/postfix_recipients.xml
new file mode 100644
index 00000000..4172f2c8
--- /dev/null
+++ b/config/postfix/postfix_recipients.xml
@@ -0,0 +1,207 @@
+
+
+
+
+
+
+
+ Describe your package here
+ Describe your package requirements here
+ Currently there are no FAQ items provided.
+ postfixrecipients
+ 1.0
+ Services: Postfix relay and antispam
+ /usr/local/pkg/postfix.inc
+
+ Postfix Antispam and mail Relay
+ Configure Postfix Forwarder
+
Services
+ pkg_edit.php?xml=postfix.xml&id=0 +
+ + postfix + postfix.sh + master + + + http://www.pfsense.org/packages/config/postfix/postfix.inc + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_acl.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_recipients.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_antispam.xml + /usr/local/pkg/ + 0755 + + + + http://www.pfsense.org/packages/config/postfix/postfix_sync.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_view_config.php + /usr/local/www/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_recipients.php + /usr/local/www/ + 0755 + + + + General + /pkg_edit.php?xml=postfix.xml&id=0 + + + ACLs / Filter Maps + /pkg_edit.php?xml=postfix_acl.xml&id=0 + + + Valid recipients + /pkg_edit.php?xml=postfix_recipients.xml&id=0 + + + + Antispam + /pkg_edit.php?xml=postfix_antispam.xml&id=0 + + + XMLRPC Sync + /pkg_edit.php?xml=postfix_sync.xml&id=0 + + + View config files + /postfix_view_config.php + + + + + Get Valid recipients from Active Directory + listtopic + + + Enable LDAP fetch + enable_ldap + checkbox + Extract valid email addresses from Active Directory. + + + Frequency + freq + Wait time between each fetch HINT 30m(30 minutes), 1h(one hour), 1d(one day) + input + 15 + + + HINTS
Hostname:
dc1.mysite.com

Domain:
dc=mysite,dc=com

Username:
cn=antispam,cn=Users
]]>
+ none + rowhelper + + + Hostname + dc + input + 20 + + + Domain + cn + input + 22 + + + Username + username + input + 20 + + + Password + password + password + 10 + + +
+ + Get Valid recipients from local file + listtopic + + + Location + location + input + 80 + + + Custom Valid recipients + listtopic + + + Custom list + custom_recipients + HINT user@mycompany.com OK]]> + textarea + 60 + 15 + base64 + +
+ + postfix_php_install_command(); + + + postfix_php_deinstall_command(); + + + postfix_validate_input($_POST, &$input_errors); + + + sync_package_postfix(); + +
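Review bot: The package metadata in this hunk still carries the template placeholders `Describe your package here`, `Describe your package requirements here` and `Currently there are no FAQ items provided.` in the description, requirements and faq fields; postfix_sync.xml in the next hunk has the same three. On the Active Directory rowhelper, the Username hint gives `cn=antispam,cn=Users` but nothing tells the operator that this is a bind account that only needs read access, nor that the password is kept in the firewall configuration like every other package field; I'd give the Password field a description such as `Bind password for the account above; use a read-only directory account, as this value is stored in the firewall configuration.`. The `location` field for the local-file source likewise states neither that the path is read on the firewall itself nor the expected file format — presumably the same `address OK` layout the Custom list hint shows, which postfix.inc would have to confirm since this hunk does not show how the file is consumed.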
diff --git a/config/postfix/postfix_sync.xml b/config/postfix/postfix_sync.xml
new file mode 100644
index 00000000..f859e795
--- /dev/null
+++ b/config/postfix/postfix_sync.xml
@@ -0,0 +1,167 @@
+
+
+
+
+
+
+
+ Describe your package here
+ Describe your package requirements here
+ Currently there are no FAQ items provided.
+ postfix_sync
+ 1.0
+ Services: Postfix relay and antispam
+ /usr/local/pkg/postfix.inc
+
+ Postfix Antispam and mail Relay
+ Configure Postfix Forwarder
+
Services
+ pkg_edit.php?xml=postfix.xml&id=0 +
+ + postfix + postfix.sh + master + + + http://www.pfsense.org/packages/config/postfix/postfix.inc + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_acl.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_recipients.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_antispam.xml + /usr/local/pkg/ + 0755 + + + + http://www.pfsense.org/packages/config/postfix/postfix_sync.xml + /usr/local/pkg/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_view_config.php + /usr/local/www/ + 0755 + + + http://www.pfsense.org/packages/config/postfix/postfix_recipients.php + /usr/local/www/ + 0755 + + + + General + /pkg_edit.php?xml=postfix.xml&id=0 + + + ACLs / Filter Maps + /pkg_edit.php?xml=postfix_acl.xml&id=0 + + + Valid recipients + /pkg_edit.php?xml=postfix_recipients.xml&id=0 + + + Antispam + /pkg_edit.php?xml=postfix_antispam.xml&id=0 + + + XMLRPC Sync + /pkg_edit.php?xml=postfix_sync.xml&id=0 + + + + View config files + /postfix_view_config.php + + + + + Postfix XMLRPC Sync + listtopic + + + Automatically sync Postfix configuration changes + synconchanges + pfSense will automatically sync changes to the hosts defined below. + checkbox + + + Remote Server + none + rowhelper + + + IP Address + ipaddress + IP Address of remote server + input + 20 + + + Password + password + Password for remote server. + password + 20 + + + + + + postfix_php_install_command(); + + + postfix_php_deinstall_command(); + + + postfix_validate_input($_POST, &$input_errors); + + + sync_package_postfix(); + +
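Review bot: The Remote Server rowhelper documents `ipaddress` only as `IP Address of remote server` and `password` as `Password for remote server.`, which leaves the operator guessing which account the password belongs to and which service on the remote host the XMLRPC call reaches; there is no username field, so presumably a fixed account is assumed — confirm in postfix.inc, which this hunk does not show. I'd change the two descriptions to `IP address of the remote pfSense host that will receive this package's configuration over XMLRPC` and `Password of the account used for XMLRPC sync on the remote host; this value is stored in the local configuration.`. If the whole package configuration is what gets sent, as the synconchanges text implies, that field should also say the synced data includes the LDAP bind credentials entered on the Valid recipients page.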
diff --git a/config/postfix/postfix_syslog.php b/config/postfix/postfix_syslog.php
new file mode 100644
index 00000000..5901c775
--- /dev/null
+++ b/config/postfix/postfix_syslog.php
@@ -0,0 +1,5 @@
+
diff --git a/config/postfix/postfix_view_config.php b/config/postfix/postfix_view_config.php
new file mode 100644
index 00000000..ac6ad36b
--- /dev/null
+++ b/config/postfix/postfix_view_config.php
@@ -0,0 +1,111 @@
+
+ based on varnish_view_config.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require("guiconfig.inc");
+
+$pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
+if(strstr($pfSversion, "1.2"))
+ $one_two = true;
+
+$pgtitle = "Postfix: View Configuration";
+include("head.inc");
+
+?>
+
+
+
+
+

+ + + + +
+ +
+ + + + + +
+ +
+
+ + + + + + + +
+   +   +   +   +   +   +   +   +
+ +
+
+
+
+
+ + + -- cgit v1.2.3
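Review bot: The version check `if(strstr($pfSversion, "1.2"))` is a substring test, so any version string containing `1.2` anywhere (a future `2.1.2`, for instance) would also set `$one_two`; an anchored test such as `if (strpos($pfSversion, "1.2") === 0)` or `if (preg_match('/^1\.2/', $pfSversion))` matches only the 1.2 branch. `$one_two` is assigned but never read in the part of the file visible here, so it may be dead unless head.inc or the HTML body uses it. Most of this file's HTML body is not visible in the hunk as rendered here, so the config-display part of the page could not be reviewed.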