From: Florent Bruneau Date: Tue, 16 Sep 2008 15:16:02 +0000 (+0200) Subject: Configuration example (and documentation). X-Git-Url: http://git.madism.org/?p=apps%2Fpfixtools.git;a=commitdiff_plain;h=0641f1d7426b95424efd3ee823feea97b1ff7751 Configuration example (and documentation). Signed-off-by: Florent Bruneau --- diff --git a/example/postlicyd.conf b/example/postlicyd.conf new file mode 100644 index 0000000..fa99670 --- /dev/null +++ b/example/postlicyd.conf @@ -0,0 +1,155 @@ +# POSTLICYD configuration +# +# Postlicyd configuration contains: +# - a set of filter definition +# - the entry point in the filters for each smtp states +# +# The configuration format use 2 types of data: +# Token: [[:alpha:]]([[:alnum:]_]*) +# String: string format is a bit more complex. It can be one of the two following +# format: +# - C-like strings "[^\n\r]*". In this kind of string, the \ character is used to +# escape any character \c = c (\n = n, \\ = \, ...). This format allow non-ascii +# strings and string concatenation " abcd " "ef" = " abcd ef". +# - ASCII-only strings can be written without double-quotes. They can be splitted +# into several lines using shell-like escaping of EOL. A string begins on the +# first non-blank character. This king of string can not contain semi-colons. +# eg: +# The following format are equivalent: +# (1) this is a str\ +# (1) ing +# +# (2) "this is a string" +# +# (3) "this " "is a " +# (3) "string" +# +# Most of the configuration use a format: +# Token = String ; +# +# When not in a string, spaces and line breaks are ignored. You can use comments +# everywhere out of a string. It starts with a '#' character and ends at the end of the +# line. Comments are strictly equivalents to white spaces. + +# FILTER DEFINITION +# +# A definition of a filter contains: +# - the name of the filter. This name MUST be uniq (non-uniq names can lead to undefined +# behaviour) +# - a type +# - a list of type-specific parameters +# - a list of hooks (on_hookname) +# +# Hooks: +# A filter can returns different values. Each return value is given a name. The +# configuration associates an action to run to a return value name. +# +# The action can be either a postfix access(5) value or a filter name. Postfix access +# parameters must be prefixed by 'postfix:'. +# +# eg: +# on_match = postfix:REJECT Blacklisted; +# +# Filter: +# Current defined filter types are: +# - rbl: match the client_address against one or more blacklist files from a rbl +# Parameters: +# - file: (non)?lock:weight:filename +# declare a file to load. If lock is given, the blacklist is locked into the +# RAM. The weight is a number giving the weight of this blaclist file in the +# score of the IP +# - soft_threshold: score (default: 0) +# minimum score to match the soft_match return value +# - hard_threshold: score (default: 0) +# minimum score to match the hard_match return value +# Return value: +# The score of a query is the sum of the weight of the blacklist it matched. +# - If the IP can not be parsed, returns error +# - If the score is strictly greater than hard_threshold, returns hard_match +# - If the score is strictly greater than soft_threshold, returns soft_match +# - Else, returns fail +# +# - greylist: greylister +# Paramters: +# - path: /my/path/ (required) +# path where to store the greylist database +# - prefix: name (default: "") +# prefix to the name of the greylist database +# - lookup_by_host: boolean (default: false) +# perform lookup per host instead of domain. +# - delay: number (default: 300) +# number of seconds the client must wait before retrial. +# - retry_window: (default: 2 * 24 * 3600) +# number of seconds we wait for a retry. +# - client_awl: number (default: 5) +# number of successful greylisting before the client get whitelisted (0 means, +# no-auto-whitelist). +# Return value: +# - if the client is whitelisted, returns whitelist +# - if the client is greylisted, returns greylist +# - if a error occured (not currently possible), returns error +# +# Format: +# A filter look likes that: +# +# filter_name { +# type = type_name; +# param1 = parameter value 1; +# ... +# on_action1 = action; +# } + + +greylist { + type = greylist; + + # configuration + path = /var/spool/postlicyd/; + prefix = greylist_; + + # hooks + on_greylist = postfix:DEFER_IF_PERMIT optional text; + on_whitelist = postfix:OK; +} + +spamhaus_and_abuseat { + type = rbl; + + # configuration + file = lock:10:/var/spool/postlicyd/rbl.spamhaus.org; + file = lock:1:/var/spool/postlicyd/cbl.abuseat.org; + soft_threshold = 0; + hard_threshold = 10; + + # hooks + on_soft_match = greylist; + on_hard_match = postfix:REJECT optional text; + on_fail = postfix:OK; + on_error = postfix:DUNNO; +} + + +# ENTRY POINTS +# +# Access policy daemon can be used at several protocol states. For each of this states, +# you can define a different entry point in the filtering tree. This entry points have +# the following format: +# +# state = filter_name; +# +# The filter_name MUST be one of the filter you previously defined. +# +# The available states are: +# - client_filter: called on CONNECT state (smtpd_client_restrictions) +# - helo_filter (or ehlo_filter): called on HELO/EHLO command (smtpd_helo_restrictions) +# - sender_filter: called on the MAIL FROM command (stmpd_sender_restrictions) +# - recipient_filter: called on the RCPT TO command (smtpd_recipient_restrictions) +# - data_filter: called on the DATA command (smtpd_data_restrictions) +# - end_of_data_filter: called on the END-OF-DATA command +# (smtpd_end_of_data_restrictions) +# - ertn_filter: called on the ETRN command (stmpd_etrn_restrictions) +# - verify_filter: called on the VRFY command (no postfix hook ?) + +recipient_filter = spamhaus_and_abuseat; + +# vim:set syntax=conf: