New in upgrade tutorial: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction.

2015-12-12 10:16:20 +08:00 · 2015-12-12 10:16:20 +08:00 · 052fbfaeda
parent c6dbd75cae
commit 052fbfaeda
2 changed files with 93 additions and 10 deletions
--- a/en_US/upgrade/0-upgrade.iredmail.0.9.2-0.9.3.md
+++ b/en_US/upgrade/0-upgrade.iredmail.0.9.2-0.9.3.md
@ -8,10 +8,11 @@ __This is still a DRAFT document, do NOT apply it.__

 > We offer remote upgrade service, check [the price](../support.html) and [contact us](../contact.html).

+* 2015-12-12: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction
 * 2015-12-03: Web server: Enable HSTS (HTTP Strict Transport Security) support
 * 2015-12-01: SOGo: Fix improper settings in Apache/Nginx config file
-* 2015-11-17: [OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction
-* 2015-11-17: [OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log
+* 2015-11-17: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction
+* 2015-11-17: [OPTIONAL] Fail2ban: Update regular expression to catch postscreen log
 * 2015-11-03: SOGo: enable isolated per-domain global address book.
 * 2015-10-08: OpenLDAP: Fix improper ACL control.
 * 2015-09-28: SOGo: cron jobs which run every minute must be grouped in one job.
@ -567,7 +568,7 @@ dovecot unix    -       n       n       -       -      pipe
    flags=DRh ...
 ```

-### [OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log
+### [OPTIONAL] Fail2ban: Update regular expression to catch postscreen log

 We added one new regular expression to catch postscreen log to help reduce
 spam, please follow steps below to add it.
@ -584,7 +585,7 @@ Restarting Fail2ban service is required.

 * Save your change and restart Postfix service.

-### [OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction
+### [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction

 iRedMail ships a Postfix HELO rule file, `/etc/postfix/helo_access.pcre`, it
 contains some HELO identities which were treated as spammers by analizing
@ -598,6 +599,47 @@ or `/usr/local/etc/postfix/helo_access.pcre` (FreeBSD), and remove it.
 /(bezeqint\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
 ```

+### [OPTIONAL] Postfix: add some more restriction methods
+
+> Note: this is an optional operation, not required but recommended.
+
+If you need flexible rules to restrict senders, this change will be helpful.
+for example, reject spammer whom sends emails with different domain names.
+
+Please open Postfix config file `main.cf`, add below 2 settings:
+
+* On Linux and OpenBSD, it's `/etc/postfix/main.cf`.
+* On FreeBSD, it's `/usr/local/etc/postfix/main.cf`. WARNING: in below settings,
+  all new files must be placed under `/usr/local/etc/postfix/`.
+
+```
+header_checks = pcre:/etc/postfix/header_checks
+body_checks = pcre:/etc/postfix/body_checks.pcre
+```
+
+* In `main.cf`, find parameter `smtpd_sender_restrictions =`, add a new setting
+  `check_sender_access pcre:/etc/postfix/sender_access.pcre` right before
+  `permit_mynetworks` like below:
+
+```
+smtpd_sender_restrictions =
+    ...
+    check_sender_access pcre:/etc/postfix/sender_access.pcre
+    permit_mynetworks
+    ...
+```
+
+* Create required files:
+
+```
+# touch /etc/postfix/{header_checks,body_checks.pcre,sender_access.pcre}
+```
+
+* Reloading or restarting Postfix service is required.
+
+Note: each time you changed the pcre file, you should reload (not restart)
+Postfix service so that Postfix can read the changes.
+
 ## OpenLDAP backend special

 ### Fixed: improper ACL control
--- a/html/upgrade.iredmail.0.9.2-0.9.3.html
+++ b/html/upgrade.iredmail.0.9.2-0.9.3.html
@ -32,8 +32,9 @@
 <li><a href="#rhelcentos-7-remove-daemonze-line-in-etcuwsgiini">[RHEL/CentOS 7] Remove daemonze = line in /etc/uwsgi.ini</a></li>
 <li><a href="#rhelcentos-7-fix-incorrect-default-firewall-zone-name">[RHEL/CentOS 7] Fix incorrect default firewall zone name</a></li>
 <li><a href="#optional-fixed-not-preserve-the-case-of-extension-while-delivering-message-to-mailbox">[OPTIONAL] Fixed: Not preserve the case of ${extension} while delivering message to mailbox</a></li>
-<li><a href="#optional-update-one-fail2ban-filter-regular-expression-to-catch-postscreen-log">[OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log</a></li>
-<li><a href="#optional-remove-one-non-spam-helo-identity-in-postfix-helo-restriction">[OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction</a></li>
+<li><a href="#optional-fail2ban-update-regular-expression-to-catch-postscreen-log">[OPTIONAL] Fail2ban: Update regular expression to catch postscreen log</a></li>
+<li><a href="#optional-postfix-remove-one-non-spam-helo-identity-in-helo-restriction">[OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction</a></li>
+<li><a href="#optional-postfix-add-some-more-restriction-methods">[OPTIONAL] Postfix: add some more restriction methods</a></li>
 </ul>
 </li>
 <li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
@ -64,10 +65,11 @@
 <p>We offer remote upgrade service, check <a href="../support.html">the price</a> and <a href="../contact.html">contact us</a>.</p>
 </blockquote>
 <ul>
+<li>2015-12-12: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction</li>
 <li>2015-12-03: Web server: Enable HSTS (HTTP Strict Transport Security) support</li>
 <li>2015-12-01: SOGo: Fix improper settings in Apache/Nginx config file</li>
-<li>2015-11-17: [OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction</li>
-<li>2015-11-17: [OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log</li>
+<li>2015-11-17: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction</li>
+<li>2015-11-17: [OPTIONAL] Fail2ban: Update regular expression to catch postscreen log</li>
 <li>2015-11-03: SOGo: enable isolated per-domain global address book.</li>
 <li>2015-10-08: OpenLDAP: Fix improper ACL control.</li>
 <li>2015-09-28: SOGo: cron jobs which run every minute must be grouped in one job.</li>
@ -553,7 +555,7 @@ dovecot unix    -       n       n       -       -      pipe
 <pre><code>    flags=DRh ...
 </code></pre>

-<h3 id="optional-update-one-fail2ban-filter-regular-expression-to-catch-postscreen-log">[OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log</h3>
+<h3 id="optional-fail2ban-update-regular-expression-to-catch-postscreen-log">[OPTIONAL] Fail2ban: Update regular expression to catch postscreen log</h3>
 <p>We added one new regular expression to catch postscreen log to help reduce
 spam, please follow steps below to add it.</p>
 <p>Open file <code>/etc/fail2ban/filter.d/postfix.iredmail.conf</code> or
@ -566,7 +568,7 @@ below line under <code>[Definition]</code> section:</p>
 <ul>
 <li>Save your change and restart Postfix service.</li>
 </ul>
-<h3 id="optional-remove-one-non-spam-helo-identity-in-postfix-helo-restriction">[OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction</h3>
+<h3 id="optional-postfix-remove-one-non-spam-helo-identity-in-helo-restriction">[OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction</h3>
 <p>iRedMail ships a Postfix HELO rule file, <code>/etc/postfix/helo_access.pcre</code>, it
 contains some HELO identities which were treated as spammers by analizing
 Postfix log files, and one of them, <code>bezeqint.net</code> is not spammer and we should
@ -576,6 +578,45 @@ or <code>/usr/local/etc/postfix/helo_access.pcre</code> (FreeBSD), and remove it
 <pre><code>/(bezeqint\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
 </code></pre>

+<h3 id="optional-postfix-add-some-more-restriction-methods">[OPTIONAL] Postfix: add some more restriction methods</h3>
+<blockquote>
+<p>Note: this is an optional operation, not required but recommended.</p>
+</blockquote>
+<p>If you need flexible rules to restrict senders, this change will be helpful.
+for example, reject spammer whom sends emails with different domain names.</p>
+<p>Please open Postfix config file <code>main.cf</code>, add below 2 settings:</p>
+<ul>
+<li>On Linux and OpenBSD, it's <code>/etc/postfix/main.cf</code>.</li>
+<li>On FreeBSD, it's <code>/usr/local/etc/postfix/main.cf</code>. WARNING: in below settings,
+  all new files must be placed under <code>/usr/local/etc/postfix/</code>.</li>
+</ul>
+<pre><code>header_checks = pcre:/etc/postfix/header_checks
+body_checks = pcre:/etc/postfix/body_checks.pcre
+</code></pre>
+
+<ul>
+<li>In <code>main.cf</code>, find parameter <code>smtpd_sender_restrictions =</code>, add a new setting
+  <code>check_sender_access pcre:/etc/postfix/sender_access.pcre</code> right before
+  <code>permit_mynetworks</code> like below:</li>
+</ul>
+<pre><code>smtpd_sender_restrictions =
+    ...
+    check_sender_access pcre:/etc/postfix/sender_access.pcre
+    permit_mynetworks
+    ...
+</code></pre>
+
+<ul>
+<li>Create required files:</li>
+</ul>
+<pre><code># touch /etc/postfix/{header_checks,body_checks.pcre,sender_access.pcre}
+</code></pre>
+
+<ul>
+<li>Reloading or restarting Postfix service is required.</li>
+</ul>
+<p>Note: each time you changed the pcre file, you should reload (not restart)
+Postfix service so that Postfix can read the changes.</p>
 <h2 id="openldap-backend-special">OpenLDAP backend special</h2>
 <h3 id="fixed-improper-acl-control">Fixed: improper ACL control</h3>
 <p>With default OpenLDAP ACL control set by iRedMail, every mail user has