+
+# Lookup in a rbl
+spamhaus_and_abuseat {
+ type = iplist;
+
+ # configuration
+ file = lock:10:/var/spool/postlicyd/rbl.spamhaus.org;
+ file = lock:1:/var/spool/postlicyd/cbl.abuseat.org;
+ soft_threshold = 1;
+ hard_threshold = 11;
+
+ # hooks
+ on_soft_match = greylist;
+ on_hard_match = postfix:REJECT optional text;
+ on_fail = postfix:OK;
+ on_error = postfix:DUNNO;
+}
+
+
+# - strlist: match strings from the query against a list of list.
+# Parameters:
+# - file: (no)?lock:(partial-)?(pre|suf)fix:weight:filename
+# declare a file to load. If lock is given, the list is locked into the
+# RAM. Prefix/Suffix is a parameter to tell the matcher which is the most
+# efficient storage order. The strings are internally stored into a trie that
+# allow high compression if a lot of prefix are shared by several strings. If
+# you choose "prefix", string are stored in the natural order in memory and
+# prefix compression is performed. If you choose "suffix", strings are stored
+# in reverse order in memory and suffix compression is performed. If you add "partial-"
+# to the match order, the entry will match if the file contains a prefix (resp. suffix)
+# of the string. The weight is a number giving the weight of this list in the string score.
+# e.g.:
+# * a file that contains ".polytechnique.org" in "partial-suffix" mode will match
+# all subdomains of "polytechnique.org".
+# * a file that contains "postmaster@" in "partial-prefix" mode will match all
+# postmaster emails.
+# * a file open without "partial-" modifier match exact strings.
+# - rbldns: (no)?lock:weight:filename
+# declare a rbldns zone file to load. This is exactly the same as file excepted that it wraps
+# parsing of hostname to split them into 2 categories:
+# * names beginning with '*' are sorted as 'domains' and are matched as suffix
+# * names starting with an alphanumirical character are sorted as 'hostnames' and are
+# process via exact matching.
+# - dns: weight:hostname
+# use a rhbl via DNS resolution with the given weight. If a DNS lookup error occurs
+# the hostname is considered as beeing "not found". This can only be used with "hostnames"
+# typed fields.
+# - soft_threshold: score (default: 1)
+# minimum score to match the soft_match return value
+# - hard_threshold: score (default: 1)
+# minimum score to match the hard_match return value
+# - fields: field_name(,field_name)*
+# list of field the match the string against.
+# currently only email OR hostname fields are supported. You MUST choose only
+# one of these types per strlist, and be carefull that the field you requested
+# are available in the protocol state you want to use this filter for.
+# * hostname fields: helo_name, client_name, reverse_client_name, sender_domain,
+# recipient_domain
+# * email fields: sender, recipient
+# No space is allowed in this parameter.
+# Return value:
+# The score of a query is the sum of the weight of the list it matched.
+# - If no rhbl was available (no file and all dns down), returns error.
+# - If the score is strictly greater >= than hard_threshold, returns hard_match
+# - If the score is strictly greater >= than soft_threshold, returns soft_match
+# - Else, returns fail
+# State:
+# - to match helo_name, you must be on HELO state or later
+# (stmpd_helo_restrictions)
+# - to match sender, you must be on MAIL state or later
+# (smtpd_sender_restrictions)
+# - to match recipient, you must on RCPT state (stmpd_recipient_restrictions)
+# - client_name and reverse_client_name are always available
+
+# Whitelist some clients
+client_whitelist {
+ type = strlist;
+
+ # configuration
+ file = lock:1:suffix:/var/spool/postlicyd/client_whitelist;
+ rbldns = lock:1:/va/spool/postlicyd/abuse.rfc-ignorant.org;
+ fields = client_name,sender_domain,helo_name;
+
+ # hooks
+ on_hard_match = postfix:OK;
+ on_fail = spamhaus_and_abuseat;
+}
+
+