New in upgrade tutorial: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction.

Zhang Huangbin 2015-12-12 10:16:20 +08:00
parent c6dbd75cae
commit 052fbfaeda
2 changed files with 93 additions and 10 deletions


@ -8,10 +8,11 @@ __This is still a DRAFT document, do NOT apply it.__
> We offer remote upgrade service, check [the price](../support.html) and [contact us](../contact.html).
* 2015-12-12: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction
* 2015-12-03: Web server: Enable HSTS (HTTP Strict Transport Security) support
* 2015-12-01: SOGo: Fix improper settings in Apache/Nginx config file
* 2015-11-17: [OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction
* 2015-11-17: [OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log
* 2015-11-17: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction
* 2015-11-17: [OPTIONAL] Fail2ban: Update regular expression to catch postscreen log
* 2015-11-03: SOGo: enable isolated per-domain global address book.
* 2015-10-08: OpenLDAP: Fix improper ACL control.
* 2015-09-28: SOGo: cron jobs which run every minute must be grouped in one job.
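Review bot: The new 2015-12-12 changelog entry at the top of the list repeats the title of the 2015-11-17 HELO entry below it, but the section this change adds further down is "[OPTIONAL] Postfix: add some more restriction methods". Someone scanning the changelog for the `header_checks` / `body_checks` / `check_sender_access` change will not find it. The entry should read `* 2015-12-12: [OPTIONAL] Postfix: add some more restriction methods`.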
@ -567,7 +568,7 @@ dovecot unix - n n - - pipe
flags=DRh ...
```
### [OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log
### [OPTIONAL] Fail2ban: Update regular expression to catch postscreen log
We added one new regular expression to catch postscreen log to help reduce
spam, please follow steps below to add it.
@ -584,7 +585,7 @@ Restarting Fail2ban service is required.
* Save your change and restart Postfix service.
### [OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction
### [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction
iRedMail ships a Postfix HELO rule file, `/etc/postfix/helo_access.pcre`, it
contains some HELO identities which were treated as spammers by analizing
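Review bot: "analizing" in the paragraph under the renamed HELO heading should be "analyzing". Since this hunk already touches the section, fix the spelling here and split the comma splice after `/etc/postfix/helo_access.pcre` ("... rule file, `/etc/postfix/helo_access.pcre`. It contains ...").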
@ -598,6 +599,47 @@ or `/usr/local/etc/postfix/helo_access.pcre` (FreeBSD), and remove it.
/(bezeqint\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
```
### [OPTIONAL] Postfix: add some more restriction methods
> Note: this is an optional operation, not required but recommended.
If you need flexible rules to restrict senders, this change will be helpful.
for example, reject spammer whom sends emails with different domain names.
Please open Postfix config file `main.cf`, add below 2 settings:
* On Linux and OpenBSD, it's `/etc/postfix/main.cf`.
* On FreeBSD, it's `/usr/local/etc/postfix/main.cf`. WARNING: in below settings,
all new files must be placed under `/usr/local/etc/postfix/`.
```
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks.pcre
```
* In `main.cf`, find parameter `smtpd_sender_restrictions =`, add a new setting
`check_sender_access pcre:/etc/postfix/sender_access.pcre` right before
`permit_mynetworks` like below:
```
smtpd_sender_restrictions =
...
check_sender_access pcre:/etc/postfix/sender_access.pcre
permit_mynetworks
...
```
* Create required files:
```
# touch /etc/postfix/{header_checks,body_checks.pcre,sender_access.pcre}
```
* Reloading or restarting Postfix service is required.
Note: each time you changed the pcre file, you should reload (not restart)
Postfix service so that Postfix can read the changes.
## OpenLDAP backend special
### Fixed: improper ACL control
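Review bot: The `header_checks`, `body_checks` and `check_sender_access` examples and the `touch` command in the new section all hard-code `/etc/postfix/`, while the FreeBSD bullet only warns that new files must be placed under `/usr/local/etc/postfix/`. A FreeBSD admin who pastes these lines gets paths that contradict the warning, so show the FreeBSD variants next to the Linux/OpenBSD ones or use a placeholder directory in the snippets. In the same section, "add below 2 settings" is followed by three lookups, `header_checks` is the only table without the `.pcre` suffix, and nothing explains that putting `check_sender_access` before `permit_mynetworks` makes the rules apply to clients in `mynetworks` too. "Reloading or restarting Postfix service is required" and the closing note ("reload (not restart)") should also be merged into one consistent instruction.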


@ -32,8 +32,9 @@
<li><a href="#rhelcentos-7-remove-daemonze-line-in-etcuwsgiini">[RHEL/CentOS 7] Remove daemonze = line in /etc/uwsgi.ini</a></li>
<li><a href="#rhelcentos-7-fix-incorrect-default-firewall-zone-name">[RHEL/CentOS 7] Fix incorrect default firewall zone name</a></li>
<li><a href="#optional-fixed-not-preserve-the-case-of-extension-while-delivering-message-to-mailbox">[OPTIONAL] Fixed: Not preserve the case of ${extension} while delivering message to mailbox</a></li>
<li><a href="#optional-update-one-fail2ban-filter-regular-expression-to-catch-postscreen-log">[OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log</a></li>
<li><a href="#optional-remove-one-non-spam-helo-identity-in-postfix-helo-restriction">[OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction</a></li>
<li><a href="#optional-fail2ban-update-regular-expression-to-catch-postscreen-log">[OPTIONAL] Fail2ban: Update regular expression to catch postscreen log</a></li>
<li><a href="#optional-postfix-remove-one-non-spam-helo-identity-in-helo-restriction">[OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction</a></li>
<li><a href="#optional-postfix-add-some-more-restriction-methods">[OPTIONAL] Postfix: add some more restriction methods</a></li>
</ul>
</li>
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
@ -64,10 +65,11 @@
<p>We offer remote upgrade service, check <a href="../support.html">the price</a> and <a href="../contact.html">contact us</a>.</p>
</blockquote>
<ul>
<li>2015-12-12: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction</li>
<li>2015-12-03: Web server: Enable HSTS (HTTP Strict Transport Security) support</li>
<li>2015-12-01: SOGo: Fix improper settings in Apache/Nginx config file</li>
<li>2015-11-17: [OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction</li>
<li>2015-11-17: [OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log</li>
<li>2015-11-17: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction</li>
<li>2015-11-17: [OPTIONAL] Fail2ban: Update regular expression to catch postscreen log</li>
<li>2015-11-03: SOGo: enable isolated per-domain global address book.</li>
<li>2015-10-08: OpenLDAP: Fix improper ACL control.</li>
<li>2015-09-28: SOGo: cron jobs which run every minute must be grouped in one job.</li>
@ -553,7 +555,7 @@ dovecot unix - n n - - pipe
<pre><code> flags=DRh ...
</code></pre>
<h3 id="optional-update-one-fail2ban-filter-regular-expression-to-catch-postscreen-log">[OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log</h3>
<h3 id="optional-fail2ban-update-regular-expression-to-catch-postscreen-log">[OPTIONAL] Fail2ban: Update regular expression to catch postscreen log</h3>
<p>We added one new regular expression to catch postscreen log to help reduce
spam, please follow steps below to add it.</p>
<p>Open file <code>/etc/fail2ban/filter.d/postfix.iredmail.conf</code> or
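Review bot: Renaming the heading changes the generated `id` on the `<h3>` from `optional-update-one-fail2ban-filter-regular-expression-to-catch-postscreen-log` to `optional-fail2ban-update-regular-expression-to-catch-postscreen-log`, so any existing link to the old fragment stops resolving. The HELO heading in the next hunk has the same issue. The table of contents is updated in this commit, but external links and bookmarks are not. If these sections were already published, consider keeping the old ids as additional anchors.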
@ -566,7 +568,7 @@ below line under <code>[Definition]</code> section:</p>
<ul>
<li>Save your change and restart Postfix service.</li>
</ul>
<h3 id="optional-remove-one-non-spam-helo-identity-in-postfix-helo-restriction">[OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction</h3>
<h3 id="optional-postfix-remove-one-non-spam-helo-identity-in-helo-restriction">[OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction</h3>
<p>iRedMail ships a Postfix HELO rule file, <code>/etc/postfix/helo_access.pcre</code>, it
contains some HELO identities which were treated as spammers by analizing
Postfix log files, and one of them, <code>bezeqint.net</code> is not spammer and we should
@ -576,6 +578,45 @@ or <code>/usr/local/etc/postfix/helo_access.pcre</code> (FreeBSD), and remove it
<pre><code>/(bezeqint\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
</code></pre>
<h3 id="optional-postfix-add-some-more-restriction-methods">[OPTIONAL] Postfix: add some more restriction methods</h3>
<blockquote>
<p>Note: this is an optional operation, not required but recommended.</p>
</blockquote>
<p>If you need flexible rules to restrict senders, this change will be helpful.
for example, reject spammer whom sends emails with different domain names.</p>
<p>Please open Postfix config file <code>main.cf</code>, add below 2 settings:</p>
<ul>
<li>On Linux and OpenBSD, it's <code>/etc/postfix/main.cf</code>.</li>
<li>On FreeBSD, it's <code>/usr/local/etc/postfix/main.cf</code>. WARNING: in below settings,
all new files must be placed under <code>/usr/local/etc/postfix/</code>.</li>
</ul>
<pre><code>header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks.pcre
</code></pre>
<ul>
<li>In <code>main.cf</code>, find parameter <code>smtpd_sender_restrictions =</code>, add a new setting
<code>check_sender_access pcre:/etc/postfix/sender_access.pcre</code> right before
<code>permit_mynetworks</code> like below:</li>
</ul>
<pre><code>smtpd_sender_restrictions =
...
check_sender_access pcre:/etc/postfix/sender_access.pcre
permit_mynetworks
...
</code></pre>
<ul>
<li>Create required files:</li>
</ul>
<pre><code># touch /etc/postfix/{header_checks,body_checks.pcre,sender_access.pcre}
</code></pre>
<ul>
<li>Reloading or restarting Postfix service is required.</li>
</ul>
<p>Note: each time you changed the pcre file, you should reload (not restart)
Postfix service so that Postfix can read the changes.</p>
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
<h3 id="fixed-improper-acl-control">Fixed: improper ACL control</h3>
<p>With default OpenLDAP ACL control set by iRedMail, every mail user has