New in upgrade tutorial: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction.
This commit is contained in:
parent
c6dbd75cae
commit
052fbfaeda
|
@ -8,10 +8,11 @@ __This is still a DRAFT document, do NOT apply it.__
|
|||
|
||||
> We offer remote upgrade service, check [the price](../support.html) and [contact us](../contact.html).
|
||||
|
||||
* 2015-12-12: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction
|
||||
* 2015-12-03: Web server: Enable HSTS (HTTP Strict Transport Security) support
|
||||
* 2015-12-01: SOGo: Fix improper settings in Apache/Nginx config file
|
||||
* 2015-11-17: [OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction
|
||||
* 2015-11-17: [OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log
|
||||
* 2015-11-17: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction
|
||||
* 2015-11-17: [OPTIONAL] Fail2ban: Update regular expression to catch postscreen log
|
||||
* 2015-11-03: SOGo: enable isolated per-domain global address book.
|
||||
* 2015-10-08: OpenLDAP: Fix improper ACL control.
|
||||
* 2015-09-28: SOGo: cron jobs which run every minute must be grouped in one job.
|
||||
|
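Review bot: The new 2015-12-12 changelog entry at the top of the list carries the same title as the renamed 2015-11-17 entry, "[OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction", so the list now shows that item twice under different dates. The section this commit adds further down is "[OPTIONAL] Postfix: add some more restriction methods"; the 2015-12-12 entry should probably use that title so readers can find what changed on that date.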
@ -567,7 +568,7 @@ dovecot unix - n n - - pipe
|
|||
flags=DRh ...
|
||||
```
|
||||
|
||||
### [OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log
|
||||
### [OPTIONAL] Fail2ban: Update regular expression to catch postscreen log
|
||||
|
||||
We added one new regular expression to catch postscreen log to help reduce
|
||||
spam, please follow steps below to add it.
|
||||
|
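Review bot: Renaming the heading "[OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log" changes the anchor generated from it. The HTML part of this commit shows the id moving from `optional-update-one-fail2ban-filter-regular-expression-to-catch-postscreen-log` to `optional-fail2ban-update-regular-expression-to-catch-postscreen-log`, so links to the old anchor stop resolving. If the old anchor has been handed out in forum or support replies, consider keeping it alive with an explicit anchor next to the new heading.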
@ -584,7 +585,7 @@ Restarting Fail2ban service is required.
|
|||
|
||||
* Save your change and restart Postfix service.
|
||||
|
||||
### [OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction
|
||||
### [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction
|
||||
|
||||
iRedMail ships a Postfix HELO rule file, `/etc/postfix/helo_access.pcre`, it
|
||||
contains some HELO identities which were treated as spammers by analizing
|
||||
|
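Review bot: In the context lines under the renamed HELO heading, "analizing" should be "analyzing", and the sentence joins two clauses with a comma ("`/etc/postfix/helo_access.pcre`, it contains ..."). Since this hunk already touches the section, fix both here, for example by starting a new sentence at "It contains".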
@ -598,6 +599,47 @@ or `/usr/local/etc/postfix/helo_access.pcre` (FreeBSD), and remove it.
|
|||
/(bezeqint\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
|
||||
```
|
||||
|
||||
### [OPTIONAL] Postfix: add some more restriction methods
|
||||
|
||||
> Note: this is an optional operation, not required but recommended.
|
||||
|
||||
If you need flexible rules to restrict senders, this change will be helpful.
|
||||
for example, reject spammer whom sends emails with different domain names.
|
||||
|
||||
Please open Postfix config file `main.cf`, add below 2 settings:
|
||||
|
||||
* On Linux and OpenBSD, it's `/etc/postfix/main.cf`.
|
||||
* On FreeBSD, it's `/usr/local/etc/postfix/main.cf`. WARNING: in below settings,
|
||||
all new files must be placed under `/usr/local/etc/postfix/`.
|
||||
|
||||
```
|
||||
header_checks = pcre:/etc/postfix/header_checks
|
||||
body_checks = pcre:/etc/postfix/body_checks.pcre
|
||||
```
|
||||
|
||||
* In `main.cf`, find parameter `smtpd_sender_restrictions =`, add a new setting
|
||||
`check_sender_access pcre:/etc/postfix/sender_access.pcre` right before
|
||||
`permit_mynetworks` like below:
|
||||
|
||||
```
|
||||
smtpd_sender_restrictions =
|
||||
...
|
||||
check_sender_access pcre:/etc/postfix/sender_access.pcre
|
||||
permit_mynetworks
|
||||
...
|
||||
```
|
||||
|
||||
* Create required files:
|
||||
|
||||
```
|
||||
# touch /etc/postfix/{header_checks,body_checks.pcre,sender_access.pcre}
|
||||
```
|
||||
|
||||
* Reloading or restarting Postfix service is required.
|
||||
|
||||
Note: each time you changed the pcre file, you should reload (not restart)
|
||||
Postfix service so that Postfix can read the changes.
|
||||
|
||||
## OpenLDAP backend special
|
||||
|
||||
### Fixed: improper ACL control
|
||||
|
|
|
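Review bot: The two `main.cf` settings, the `check_sender_access` line and the `touch` command in the new section all hardcode `/etc/postfix/`, while the FreeBSD bullet only warns that new files must be placed under `/usr/local/etc/postfix/`; an admin on FreeBSD who copies the blocks verbatim ends up with `main.cf` pointing outside the directory the warning names. Show the FreeBSD variant of the blocks, or state next to each block which prefix to substitute. Two smaller points: `header_checks` is the only one of the three new files without the `.pcre` suffix (compare `body_checks.pcre` and `sender_access.pcre`), and the text should say that `check_sender_access` placed before `permit_mynetworks` is evaluated for clients in `mynetworks` as well, so a REJECT pattern in `sender_access.pcre` also applies to local senders. The closing lines also disagree with each other: the bullet says "Reloading or restarting Postfix service is required", the note says to reload "(not restart)".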
@ -32,8 +32,9 @@
|
|||
<li><a href="#rhelcentos-7-remove-daemonze-line-in-etcuwsgiini">[RHEL/CentOS 7] Remove daemonze = line in /etc/uwsgi.ini</a></li>
|
||||
<li><a href="#rhelcentos-7-fix-incorrect-default-firewall-zone-name">[RHEL/CentOS 7] Fix incorrect default firewall zone name</a></li>
|
||||
<li><a href="#optional-fixed-not-preserve-the-case-of-extension-while-delivering-message-to-mailbox">[OPTIONAL] Fixed: Not preserve the case of ${extension} while delivering message to mailbox</a></li>
|
||||
<li><a href="#optional-update-one-fail2ban-filter-regular-expression-to-catch-postscreen-log">[OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log</a></li>
|
||||
<li><a href="#optional-remove-one-non-spam-helo-identity-in-postfix-helo-restriction">[OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction</a></li>
|
||||
<li><a href="#optional-fail2ban-update-regular-expression-to-catch-postscreen-log">[OPTIONAL] Fail2ban: Update regular expression to catch postscreen log</a></li>
|
||||
<li><a href="#optional-postfix-remove-one-non-spam-helo-identity-in-helo-restriction">[OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction</a></li>
|
||||
<li><a href="#optional-postfix-add-some-more-restriction-methods">[OPTIONAL] Postfix: add some more restriction methods</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
|
||||
|
@ -64,10 +65,11 @@
|
|||
<p>We offer remote upgrade service, check <a href="../support.html">the price</a> and <a href="../contact.html">contact us</a>.</p>
|
||||
</blockquote>
|
||||
<ul>
|
||||
<li>2015-12-12: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction</li>
|
||||
<li>2015-12-03: Web server: Enable HSTS (HTTP Strict Transport Security) support</li>
|
||||
<li>2015-12-01: SOGo: Fix improper settings in Apache/Nginx config file</li>
|
||||
<li>2015-11-17: [OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction</li>
|
||||
<li>2015-11-17: [OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log</li>
|
||||
<li>2015-11-17: [OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction</li>
|
||||
<li>2015-11-17: [OPTIONAL] Fail2ban: Update regular expression to catch postscreen log</li>
|
||||
<li>2015-11-03: SOGo: enable isolated per-domain global address book.</li>
|
||||
<li>2015-10-08: OpenLDAP: Fix improper ACL control.</li>
|
||||
<li>2015-09-28: SOGo: cron jobs which run every minute must be grouped in one job.</li>
|
||||
|
@ -553,7 +555,7 @@ dovecot unix - n n - - pipe
|
|||
<pre><code> flags=DRh ...
|
||||
</code></pre>
|
||||
|
||||
<h3 id="optional-update-one-fail2ban-filter-regular-expression-to-catch-postscreen-log">[OPTIONAL] Update one Fail2ban filter regular expression to catch postscreen log</h3>
|
||||
<h3 id="optional-fail2ban-update-regular-expression-to-catch-postscreen-log">[OPTIONAL] Fail2ban: Update regular expression to catch postscreen log</h3>
|
||||
<p>We added one new regular expression to catch postscreen log to help reduce
|
||||
spam, please follow steps below to add it.</p>
|
||||
<p>Open file <code>/etc/fail2ban/filter.d/postfix.iredmail.conf</code> or
|
||||
|
@ -566,7 +568,7 @@ below line under <code>[Definition]</code> section:</p>
|
|||
<ul>
|
||||
<li>Save your change and restart Postfix service.</li>
|
||||
</ul>
|
||||
<h3 id="optional-remove-one-non-spam-helo-identity-in-postfix-helo-restriction">[OPTIONAL] Remove one non-spam HELO identity in Postfix helo restriction</h3>
|
||||
<h3 id="optional-postfix-remove-one-non-spam-helo-identity-in-helo-restriction">[OPTIONAL] Postfix: Remove one non-spam HELO identity in helo restriction</h3>
|
||||
<p>iRedMail ships a Postfix HELO rule file, <code>/etc/postfix/helo_access.pcre</code>, it
|
||||
contains some HELO identities which were treated as spammers by analizing
|
||||
Postfix log files, and one of them, <code>bezeqint.net</code> is not spammer and we should
|
||||
|
@ -576,6 +578,45 @@ or <code>/usr/local/etc/postfix/helo_access.pcre</code> (FreeBSD), and remove it
|
|||
<pre><code>/(bezeqint\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1})
|
||||
</code></pre>
|
||||
|
||||
<h3 id="optional-postfix-add-some-more-restriction-methods">[OPTIONAL] Postfix: add some more restriction methods</h3>
|
||||
<blockquote>
|
||||
<p>Note: this is an optional operation, not required but recommended.</p>
|
||||
</blockquote>
|
||||
<p>If you need flexible rules to restrict senders, this change will be helpful.
|
||||
for example, reject spammer whom sends emails with different domain names.</p>
|
||||
<p>Please open Postfix config file <code>main.cf</code>, add below 2 settings:</p>
|
||||
<ul>
|
||||
<li>On Linux and OpenBSD, it's <code>/etc/postfix/main.cf</code>.</li>
|
||||
<li>On FreeBSD, it's <code>/usr/local/etc/postfix/main.cf</code>. WARNING: in below settings,
|
||||
all new files must be placed under <code>/usr/local/etc/postfix/</code>.</li>
|
||||
</ul>
|
||||
<pre><code>header_checks = pcre:/etc/postfix/header_checks
|
||||
body_checks = pcre:/etc/postfix/body_checks.pcre
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>In <code>main.cf</code>, find parameter <code>smtpd_sender_restrictions =</code>, add a new setting
|
||||
<code>check_sender_access pcre:/etc/postfix/sender_access.pcre</code> right before
|
||||
<code>permit_mynetworks</code> like below:</li>
|
||||
</ul>
|
||||
<pre><code>smtpd_sender_restrictions =
|
||||
...
|
||||
check_sender_access pcre:/etc/postfix/sender_access.pcre
|
||||
permit_mynetworks
|
||||
...
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>Create required files:</li>
|
||||
</ul>
|
||||
<pre><code># touch /etc/postfix/{header_checks,body_checks.pcre,sender_access.pcre}
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>Reloading or restarting Postfix service is required.</li>
|
||||
</ul>
|
||||
<p>Note: each time you changed the pcre file, you should reload (not restart)
|
||||
Postfix service so that Postfix can read the changes.</p>
|
||||
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
|
||||
<h3 id="fixed-improper-acl-control">Fixed: improper ACL control</h3>
|
||||
<p>With default OpenLDAP ACL control set by iRedMail, every mail user has
|
||||
|
|
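Review bot: In the generated HTML for the new section, each step lands in its own one-item `<ul>` and the code block that belongs to it sits outside the list: `<li>Create required files:</li>` closes its `<ul>` before the `<pre>` holding the `touch` command, and the same happens for the `smtpd_sender_restrictions` step. The platform bullets also sit between "add below 2 settings:" and the settings themselves. Indenting the fenced blocks under their list items in the Markdown source, and moving the path bullets ahead of the "add below 2 settings" sentence, would render the procedure as one list with each code block attached to its step.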