RBL & RHBL with Postfix

Discussion in 'General' started by olimortimer, Apr 25, 2014.

  1. olimortimer

    olimortimer Member

    What's the best way of implementing RBL (Realtime Blacklists) and RHBL (Same but different), Greylistings and Helo Checks with Postfix and ISPConfig?

    The guides talk about editing the '/etc/postfix/main.cf' file, but I believe this gets reset when updating ISPConfig, and I don't want to have to remember to apply the settings again. Is there any way of applying the RBL, RHBL checks etc to ISPConfig, so it remembers it during updates?

    http://www.howtoforge.com/virtual_postfix_antispam
    http://www.howtoforge.com/how-to-whitelist-hosts-ip-addresses-in-postfix
     
  2. Croydon

    Croydon ISPConfig Developer

    Copy the matching file from your distribution, e.g. debian_postfix.conf.master from install/tpl/ (ISPConfig release tar.gz)
    to
    /usr/local/ispconfig/server/conf-custom/install/

    Then edit this file according to your needs.
    On update, ISPConfig will use the files in conf-custom instead of the ones provided with the install package.
     
  3. olimortimer

    olimortimer Member

    So I tried to apply these changes to my /etc/postfix/main.cf file;

    http://www.howtoforge.com/block_spam_at_mta_level_postfix

    So my file looked like this;

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = /usr/share/doc/postfix
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = vps1.MYHOSTNAME
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = vps1.MYHOSTNAME, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_tls_security_level = may
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $$
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = maildrop
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    owner_request_special = no
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    content_filter = amavis:[127.0.0.1]:10024
    inet_protocols = all
    smtp_tls_security_level = may
    
    # RBL and RHBL Blacklists
    smtpd_helo_required = yes
    disable_vrfy_command = yes
    strict_rfc821_envelopes = yes
    invalid_hostname_reject_code = 554
    multi_recipient_bounce_reject_code = 554
    non_fqdn_reject_code = 554
    relay_domains_reject_code = 554
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    unknown_sender_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    
    smtpd_recipient_restrictions =
                check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
                reject_invalid_hostname,
                reject_unknown_recipient_domain,
                reject_unauth_pipelining,
                permit_mynetworks,
                permit_sasl_authenticated,
                reject_unauth_destination,
                reject_rbl_client multi.uribl.com,
                reject_rbl_client dsn.rfc-ignorant.org,
                reject_rbl_client dul.dnsbl.sorbs.net,
                reject_rbl_client list.dsbl.org,
                reject_rbl_client sbl-xbl.spamhaus.org,
                reject_rbl_client bl.spamcop.net,
                reject_rbl_client dnsbl.sorbs.net,
                reject_rbl_client cbl.abuseat.org,
                reject_rbl_client ix.dnsbl.manitu.net,
                reject_rbl_client combined.rbl.msrbl.net,
                reject_rbl_client rabl.nuclearelephant.com,
                permit

    Note that the changes are after the '# RBL and RHBL Blacklists' comment, and still include the 'check_recipient_access' part. However, this caused the following error in the logs when postfix was restarted;

    Code:
    postfix/smtpd[15181]: fatal: bad string length 0 < 1: {config_dir}/mysql-virtual_recipient.cf_dbname = 

    So it looks like it's reading in the dbname from the .cf file, but then failing due to a space?
     
    Last edited: Apr 26, 2014
  4. Croydon

    Croydon ISPConfig Developer

    You cannot use the file from install/tpl directly. It is just a template with placeholders that get replaced during install/update.
     
  5. olimortimer

    olimortimer Member

    I didn't use the file directly, I thought I would just apply the changes to my main.cf file first, to make sure they worked ok, so the '/etc/postfix/main.cf' above is my live main.cf with the RBL clients added.
     
  6. Croydon

    Croydon ISPConfig Developer

    The error message says there is a {config_dir} and afaik this is a template variable.
    Check your main.cf for anything in curly brackets that might not belong there and then restart postfix.
    Maybe the error is in the mysql conf of postfix (also check the .cf files for placeholders).

    Did you check mysql-virtual_recipient.cf if there is anything strange in there?
     
    Last edited: Apr 26, 2014
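
Added example, not part of the thread and not ISPConfig code: a shell check for the situation described in the post above, where a template placeholder such as {config_dir} is left in the live Postfix files. It assumes placeholders have the form {name} with no leading "$", so Postfix's own ${data_directory} expansions are ignored; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report unreplaced template placeholders in Postfix config files.
# Assumption: a placeholder looks like {config_dir}, i.e. {name} NOT preceded
# by "$". Postfix's own ${name} expansions are legitimate and are skipped.

# find_placeholders FILE...
# Prints "file:line:text" for every non-comment line that holds a {name} token.
# Exit status: 0 if at least one placeholder was found, 1 if the files are clean.
find_placeholders() {
    grep -HnE '(^|[^$])\{[A-Za-z_][A-Za-z0-9_]*\}' "$@" 2>/dev/null |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# write_sample DIR
# Writes constructed sample files (not the poster's real configuration).
write_sample() {
    cat > "$1/main.cf" <<'EOF'
# template note: {config_dir} is replaced by the installer
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_recipient_restrictions =
    check_recipient_access mysql:{config_dir}/mysql-virtual_recipient.cf,
    reject_rbl_client bl.spamcop.net,
    permit
EOF
    cat > "$1/mysql-virtual_recipient.cf" <<'EOF'
user = exampleuser
dbname = exampledb
hosts = 127.0.0.1
EOF
}

# Demo run against the constructed files in a throwaway directory.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
if find_placeholders "$demo_dir"/*.cf; then
    echo "placeholders found: replace them before restarting postfix"
else
    echo "no placeholders found"
fi
rm -rf "$demo_dir"
```

On a real server the same function can be pointed at /etc/postfix/main.cf and /etc/postfix/*.cf before restarting Postfix; files under conf-custom/install are templates and are expected to contain placeholders.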
  7. olimortimer

    olimortimer Member

    Thanks Croydon, maybe I messed up somewhere. Reapplied it all and it seems to be fine now. Sorry for being a pain.
     
