# reject @domain.local if request comes from outside 10.0.0.0/8 network id=RULE-01 ; sender_domain=domain.local ; client_address=!!(10.0.0.0/8) ; action=REJECT not allowed # reject if sender equals recipient id=RULE-02 ; sender==$$recipient ; action=REJECT not allowed # check some rbls and reject, if listed on >= 2 of them id=RULE-03 ; rbl=zen.spamhaus.org,bl.spamcop.net,ix.dnsbl.manitu.net ; rblcount>=2 ; action=REJECT not allowedNow save these rules to a file (e.g. /etc/postfwd.cf). Please note that these are just very basic examples. Please read the documentation for more information on postfwd's capabilities. To check your ruleset you should use the "-C" command line option. This displays postfwd's view of your ruleset, like:
# postfwd -f /etc/postfwd.cf -C Rule 0: id->"RULE-01"; action->"REJECT not allowed"; sender_domain->"=;domain.local"; client_address->"=;!!(10.0.0.0/8)" Rule 1: id->"RULE-02"; action->"REJECT not allowed"; sender->"==;$$recipient" Rule 2: id->"RULE-03"; action->"REJECT not allowed"; rblcount->"2"; rbl->"=;zen.spamhaus.org, =;bl.spamcop.net, =;ix.dnsbl.manitu.net"If you just want to see that anything works a single rule like "id=DEFAULT; action=dunno" is fine, too.
# groupadd postfwd # useradd -g postfwd -d /var/empty -s /bin/false -c "postfwd daemon user" postfwd # passwd -l postfwd
# postfwd --daemon -f /etc/postfwd.cf -u postfwd -g postfwd -p 10040Now watch your logs (default facility: mail) for lines like:
Jun 8 12:14:33 jupiter postfwd[20270]: postfwd 1.11 starting Jun 8 12:14:33 jupiter postfwd[20271]: Process Backgrounded Jun 8 12:14:33 jupiter postfwd[20271]: 2009/06/08-12:14:33 postfwd (type Net::Server::Multiplex) starting! pid(20271) Jun 8 12:14:33 jupiter postfwd[20271]: Binding to TCP port 10040 on host 127.0.0.1 Jun 8 12:14:33 jupiter postfwd[20271]: Setting gid to "1003 1003" Jun 8 12:14:33 jupiter postfwd[20271]: Setting uid to "1010" Jun 8 12:14:33 jupiter postfwd[20271]: postfwd 1.11 ready for inputTo control further daemon operations the commands `postfwd --kill` and `postfwd --reload` may be used. Please see `postfwd -h` and the documentation for more information.
smtpd_recipient_restrictions = ...To place the postfwd check here, modify this as follows:
# note the leading whitespaces from the 2nd line! smtpd_recipient_restrictions = permit_mynetworks, # recommended ..., # optional reject_unauth_destination, # recommended check_policy_service inet:127.0.0.1:10040, # **postfwd integration** ... # optionalPlease note that for some checks (like the 'size' attribute) postfwd has to be integrated at another level of the smtp transaction (smtpd_end_of_data_restrictions). More information on that can be found in the postfix documentation.
http://www.postfwd.org/ | 2007 - 2009 by Jan Peter Kessler | info (AT) postfwd (DOT) org |