# escape any character \c = c (\n = n, \\ = \, ...). This format allow non-ascii
# strings and string concatenation " abcd " "ef" = " abcd ef".
# - ASCII-only strings can be written without double-quotes. They can be splitted
-# into several lines using shell-like escaping of EOL. A string begins on the
-# first non-blank character. This king of string can not contain semi-colons.
+# into several lines using shell-like escaping of EOL. A string begins and ends on
+# on a non-blank character. This king of string can not contain semi-colons.
# eg:
# The following format are equivalent:
# (1) this is a str\
#
# Filter:
# Current defined filter types are:
-# - rbl: match the client_address against one or more blacklist files from a rbl
+# - iplist: match the client_address against one or more blacklist files from a rbl
# Parameters:
# - file: (non)?lock:weight:filename
-# declare a file to load. If lock is given, the blacklist is locked into the
+# declare a file to load. If lock is given, the klist is locked into the
# RAM. The weight is a number giving the weight of this blaclist file in the
# score of the IP
-# - soft_threshold: score (default: 0)
+# - soft_threshold: score (default: 1)
# minimum score to match the soft_match return value
-# - hard_threshold: score (default: 0)
+# - hard_threshold: score (default: 1)
# minimum score to match the hard_match return value
# Return value:
# The score of a query is the sum of the weight of the blacklist it matched.
# - If the IP can not be parsed, returns error
-# - If the score is strictly greater than hard_threshold, returns hard_match
-# - If the score is strictly greater than soft_threshold, returns soft_match
+# - If the score is strictly greater >= than hard_threshold, returns hard_match
+# - If the score is strictly greater >= than soft_threshold, returns soft_match
# - Else, returns fail
#
+# - strlist: match strings from the query against a list of list.
+# Parameters:
+# - file: (non)?lock:(pre|suf)fix:weight:filename
+# declare a file to load. If lock is given, the list is locked into the
+# RAM. Prefix/Suffix is a parameter to tell the matcher which is the most
+# efficient storage order. The strings are internally stored into a trie that
+# allow high compression if a lot of prefix are shared by several strings. If
+# you choose "prefix", string are stored in the natural order in memory and
+# prefix compression is performed. If you choose "suffix", strings are stored
+# in reverse order in memory and suffix compression is performed. The weight
+# is a number giving the weight of this list in the string score.
+# - soft_threshold: score (default: 1)
+# minimum score to match the soft_match return value
+# - hard_threshold: score (default: 1)
+# minimum score to match the hard_match return value
+# - fields: field_name(,field_name)*
+# list of field the match the string against.
+# currently only email OR hostname fields are supported. You MUST choose only
+# one of these types per strlist, and be carefull that the field you requested
+# are available in the protocol state you want to use this filter for.
+# * hostname fields: helo_name, client_name, reverse_client_name
+# * email fields: sender, recipient
+# Return value:
+# The score of a query is the sum of the weight of the list it matched.
+# - If the score is strictly greater >= than hard_threshold, returns hard_match
+# - If the score is strictly greater >= than soft_threshold, returns soft_match
+# - Else, returns fail
+# State:
+# - to match helo_name, you must be on HELO state or later
+# (stmpd_helo_restrictions)
+# - to match sender, you must be on MAIL state or later
+# (smtpd_sender_restrictions)
+# - to match recipient, you must on RCPT state (stmpd_recipient_restrictions)
+# - client_name and reverse_client_name are always available
+#
# - greylist: greylister
# Paramters:
# - path: /my/path/ (required)
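Review bot: The new return-value wording for iplist and strlist, `strictly greater >= than hard_threshold`, contradicts itself, so a reader cannot tell whether a score equal to the threshold matches. The defaults move from 0 to 1 and the example thresholds move by one as well, so the comparison now appears to be inclusive. I would write `# - If the score is greater than or equal to hard_threshold, returns hard_match` (and the same for soft_threshold) in both places. It is also worth stating that with both defaults at 1 any match returns hard_match, assuming the checks run in the listed order, so soft_match only occurs when soft_threshold is set below hard_threshold.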
# }
+# Perform greylisting
greylist {
type = greylist;
on_whitelist = postfix:OK;
}
+
+# Lookup in a rbl
spamhaus_and_abuseat {
- type = rbl;
+ type = iplist;
# configuration
file = lock:10:/var/spool/postlicyd/rbl.spamhaus.org;
file = lock:1:/var/spool/postlicyd/cbl.abuseat.org;
- soft_threshold = 0;
- hard_threshold = 10;
+ soft_threshold = 1;
+ hard_threshold = 11;
# hooks
on_soft_match = greylist;
}
+# Whitelist some clients
+client_whitelist {
+ type = strlist;
+
+ # configuration
+ file = lock:1:/var/spool/postlicyd/client_whitelist;
+ fields = client_name;
+
+ # hooks
+ on_hard_match = postfix:OK;
+ on_fail = spamhaus_and_abuseat;
+}
+
+
# ENTRY POINTS
#
# Access policy daemon can be used at several protocol states. For each of this states,
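Review bot: The `file` value in `client_whitelist` has only three fields (`lock:1:/var/spool/postlicyd/client_whitelist`), but the strlist documentation added in this same commit requires `(non)?lock:(pre|suf)fix:weight:filename`. Depending on how the parser treats the missing field, the example may fail to load or may read `1` as the storage order. Hostnames share suffixes, so `file = lock:suffix:1:/var/spool/postlicyd/client_whitelist;` looks like the intended form. Because `on_hard_match = postfix:OK` skips both the RBL lookup and greylisting, I would also add a comment that the list is keyed on `client_name` deliberately. In Postfix, `helo_name` is whatever the client sends and `reverse_client_name` is the PTR result without forward confirmation, so neither is a safe basis for a whitelist.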
# - data_filter: called on the DATA command (smtpd_data_restrictions)
# - end_of_data_filter: called on the END-OF-DATA command
# (smtpd_end_of_data_restrictions)
-# - ertn_filter: called on the ETRN command (stmpd_etrn_restrictions)
+# - etrn_filter: called on the ETRN command (stmpd_etrn_restrictions)
# - verify_filter: called on the VRFY command (no postfix hook ?)
-recipient_filter = spamhaus_and_abuseat;
+recipient_filter = client_whitelist;
# vim:set syntax=conf:
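Review bot: The corrected `etrn_filter` line still spells the Postfix parameter as `stmpd_etrn_restrictions`; it should be `smtpd_etrn_restrictions`. The same transposition appears in the State section added for strlist (`stmpd_helo_restrictions`, `stmpd_recipient_restrictions`), while `smtpd_sender_restrictions` there is spelled correctly. An operator copying these names into main.cf would set a parameter Postfix does not recognise, so the policy daemon would presumably never be consulted at that stage.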