# Current defined filter types are:
# - iplist: match the client_address against one or more blacklist files from a rbl
# Parameters:
-# - file: (non)?lock:weight:filename
+# - file: (no)?lock:weight:filename
# declare a file to load. If lock is given, the klist is locked into the
# RAM. The weight is a number giving the weight of this blaclist file in the
# score of the IP
+# - rbldns: (no)?lock:weight:filename
+# this is an alias for file.
+# - dns: weight:hostname
+# use a rbl via DNS resolution with the given weight. If a DNS lookup error occurs
+# the IP is considered as beeing "not found".
# - soft_threshold: score (default: 1)
# minimum score to match the soft_match return value
# - hard_threshold: score (default: 1)
# Return value:
# The score of a query is the sum of the weight of the blacklist it matched.
# - If the IP can not be parsed, returns error
+# - If no rbl was available (no file and all dns down), returns error.
# - If the score is strictly greater >= than hard_threshold, returns hard_match
# - If the score is strictly greater >= than soft_threshold, returns soft_match
# - Else, returns fail
# - strlist: match strings from the query against a list of list.
# Parameters:
-# - file: (non)?lock:(pre|suf)fix:weight:filename
+# - file: (no)?lock:(partial-)?(pre|suf)fix:weight:filename
# declare a file to load. If lock is given, the list is locked into the
# RAM. Prefix/Suffix is a parameter to tell the matcher which is the most
# efficient storage order. The strings are internally stored into a trie that
# allow high compression if a lot of prefix are shared by several strings. If
# you choose "prefix", string are stored in the natural order in memory and
# prefix compression is performed. If you choose "suffix", strings are stored
-# in reverse order in memory and suffix compression is performed. The weight
-# is a number giving the weight of this list in the string score.
+# in reverse order in memory and suffix compression is performed. If you add "partial-"
+# to the match order, the entry will match if the file contains a prefix (resp. suffix)
+# of the string. The weight is a number giving the weight of this list in the string score.
+# e.g.:
+# * a file that contains ".polytechnique.org" in "partial-suffix" mode will match
+# all subdomains of "polytechnique.org".
+# * a file that contains "postmaster@" in "partial-prefix" mode will match all
+# postmaster emails.
+# * a file open without "partial-" modifier match exact strings.
+# - rbldns: (no)?lock:weight:filename
+# declare a rbldns zone file to load. This is exactly the same as file excepted that it wraps
+# parsing of hostname to split them into 2 categories:
+# * names beginning with '*' are sorted as 'domains' and are matched as suffix
+# * names starting with an alphanumirical character are sorted as 'hostnames' and are
+# process via exact matching.
+# - dns: weight:hostname
+# use a rhbl via DNS resolution with the given weight. If a DNS lookup error occurs
+# the hostname is considered as beeing "not found". This can only be used with "hostnames"
+# typed fields.
# - soft_threshold: score (default: 1)
# minimum score to match the soft_match return value
# - hard_threshold: score (default: 1)
# currently only email OR hostname fields are supported. You MUST choose only
# one of these types per strlist, and be carefull that the field you requested
# are available in the protocol state you want to use this filter for.
-# * hostname fields: helo_name, client_name, reverse_client_name
+# * hostname fields: helo_name, client_name, reverse_client_name, sender_domain,
+# recipient_domain
# * email fields: sender, recipient
+# No space is allowed in this parameter.
# Return value:
# The score of a query is the sum of the weight of the list it matched.
+# - If no rhbl was available (no file and all dns down), returns error.
# - If the score is strictly greater >= than hard_threshold, returns hard_match
# - If the score is strictly greater >= than soft_threshold, returns soft_match
# - Else, returns fail
type = strlist;
# configuration
- file = lock:1:/var/spool/postlicyd/client_whitelist;
- fields = client_name;
+ file = lock:1:suffix:/var/spool/postlicyd/client_whitelist;
+ rbldns = lock:1:/va/spool/postlicyd/abuse.rfc-ignorant.org;
+ fields = client_name,sender_domain,helo_name;
# hooks
on_hard_match = postfix:OK;
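Review bot: The path on the new `rbldns` line, `/va/spool/postlicyd/abuse.rfc-ignorant.org`, looks like a typo for `/var/spool/` as used on the `file` line just above; as written the zone file would not be found and, per the new return-value rule "if no rhbl was available ... returns error", the whole filter degrades to error rather than a match. The new `file` line `lock:1:suffix:...` also disagrees with the format this same change documents for strlist, `(no)?lock:(partial-)?(pre|suf)fix:weight:filename`, which places the storage order before the weight (`lock:suffix:1:...`); one of the two should be corrected so the example parses against the documented syntax. While touching these comment lines, "beeing" (twice), "excepted" and "alphanumirical" could be fixed to "being", "except" and "alphanumerical".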
# - client_awl: number (default: 5)
# number of successful greylisting before the client get whitelisted (0 means,
# no-auto-whitelist).
+# - max_age: number (default: 30 * 3600)
+# lifetime of a greylist/whitelist session: ie, if a client does ne reappear during
+# max_age seconds, the entries associated to this client are invalidated.
# Return value:
# - if the client is whitelisted, returns whitelist
# - if the client is greylisted, returns greylist
}
+# - match: direct matching against the query fields
+# Parameters:
+# - match_all: boolean
+# if true, the filter won't match until all conditions
+# are verified. If false, the filter match on the first
+# verified condition.
+# - condition: field_name OP (value)
+# * the field_name is one of the field name of the query
+# emitted by postfix. This list with description of each
+# field is available at:
+# http://www.postfix.org/SMTPD_POLICY_README.html
+# postlicyd also support fields sender_domain and recipient_domain
+# * OP is an operator. Available operators are:
+# == field_name is strictly equal to value
+# =i field_name is case insensitively equal to value
+# != field_name is not equal to value
+# !i field_name is not case insensitively equal to value
+# >= field_name contains value
+# >i field_name contains case insensitively value
+# <= field_name is contained by value
+# <i field_name is contained case insensitively by value
+# #= field_name is empty or not set
+# #i field_name is not empty
+# Return value:
+# - if the conditions are verified (according to match_all strategy), return match
+# - if the conditions are not verified, return fail
+
+# match one of the condition: "stress mode activated", "client_name contains debian.org" or
+# "recipient is empty"
+match {
+ type = match;
+
+ # configuration
+ match_all = false;
+ condition = stress == yes;
+ condition = client_name >= debian.org;
+ condition = recipient #=;
+
+ # hook
+ on_match = postfix:OK;
+ on_fail = greylist;
+}
+
+
# ENTRY POINTS
#
# Access policy daemon can be used at several protocol states. For each of this states,
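Review bot: The example condition `condition = client_name >= debian.org;` combined with `on_match = postfix:OK;` is broader than the comment "client_name contains debian.org" suggests, because the newly documented `>=` operator is a substring test, so any client name containing that string anywhere, not only hosts under that domain, skips greylisting. Since the same change documents `partial-suffix` mode for strlist with a leading-dot entry as the way to match "all subdomains", the example would be safer either using that, or carrying a comment such as `# ">=" is a substring match; use a strlist in partial-suffix mode for a domain-suffix check`. In the operator table, `#=`/`#i` reuse the `i` suffix that elsewhere means case-insensitive while here it means "not empty"; a one-line comment noting that exception would avoid misreading. Separately, in the new `max_age` description "does ne reappear" should read "does not reappear".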