Last updated: 2015-10-28
Introduction
cluebringer = Policyd v2
Program: perl
Modules:
- CheckHelo
- Amavis
- Access Control
- CheckSPF
- Greylisting
- Accounting
- Quotas
Requirements:
yum install mysql-server
yum install perl-Net-Server perl-Net-CIDR perl-Config-IniFiles perl-Cache-FastMmap perl-Mail-SPF
yum install httpd php php-pdo php-mysql
Install:
repoforge:
add the repo, then:
yum install cluebringer
official:
wget http://download.policyd.org/v2.0.14/cluebringer-2.0.14-1.noarch.rpm
rpm -K cluebringer-2.0.14-1.noarch.rpm   # check the package signature/digests before installing
rpm -Uvh cluebringer-2.0.14-1.noarch.rpm
Apache Setting:
/etc/httpd/conf.d/cluebringer.conf
Alias /cluebringer /usr/share/cluebringer/webui
<Directory /usr/share/cluebringer/webui>
# These three lines restrict the web UI to the local host. The UI has no
# login of its own, so do not simply remove them: if it must be reachable
# from elsewhere, put HTTP authentication (and TLS) in front of it instead.
# (Apache 2.2 syntax; on Apache 2.4 use "Require ip 127.0.0.1".)
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Directory>
DB Setting:
rpm -ql cluebringer | grep 'policyd.mysql.sql'
mysql -p
mysql> CREATE DATABASE cluebringer;
mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON cluebringer.* TO 'cluebringer'@'localhost' IDENTIFIED BY 'cb_password';
mysql> FLUSH PRIVILEGES;
mysql> USE cluebringer;
mysql> SOURCE /usr/share/doc/cluebringer-2.0.14/database/policyd.mysql.sql;
(Create the database before granting on it. The daemon and the web UI only need DML rights on cluebringer.*, nothing global; use the same password in webui.conf and cluebringer.conf below.)
Configure:
First create the user that cbpolicyd runs as:
groupadd cluebringer
useradd -m -d /home/cluebringer -s /sbin/nologin -g cluebringer cluebringer
/etc/policyd/
- cluebringer.conf
- webui.conf
webui.conf
<?php
$DB_DSN="mysql:host=localhost;dbname=cluebringer";
$DB_USER="cluebringer";
$DB_PASS="???????????";
?>
(This file holds the DB password: keep it readable only by root and the web server user, e.g. chown root:apache, chmod 640.)
cluebringer.conf
protocols=<<EOT
Postfix
Bizanga
EOT

modules=<<EOT
Core
AccessControl
CheckHelo
CheckSPF
Greylisting
Quotas
EOT

# Small mailserver:
min_servers=2
min_spare_servers=2
max_spare_servers=4
max_servers=10
max_requests=1000

# Warnings and errors
log_level = 1
log_file=/var/log/cbpolicyd.log
log_detail=modules,tracking,policies,protocols

# Listen on loopback only; cidr_allow is wide open, so tighten it if host is
# ever changed to a non-loopback address.
host=127.0.0.1
proto=tcp
port=10031
cidr_allow=0.0.0.0/0

[database]
DSN=DBI:mysql:database=cluebringer;host=localhost
Username=cluebringer
Password=
# The other value is "pass". tempfail defers mail while the database is
# unreachable; pass lets it through unchecked (fails open).
bypass_mode=tempfail
bypass_timeout=30

############ Modules Configure ###########
# HOLD, REJECT, DISCARD, FILTER, REDIRECT
[AccessControl]
enable=1
[Greylisting]
enable=1
[CheckHelo]
enable=0
[CheckSPF]
enable=1
[Quotas]
enable=1
Startup:
chkconfig cbpolicyd on
service cbpolicyd start
Postfix Configure:
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031

# Note the order here: the policy service comes before permit_mynetworks and
# permit_sasl_authenticated. Postfix stops at the first restriction that
# permits or rejects, so if the policy service came after them, mail from
# internal hosts and authenticated users would never reach cbpolicyd and
# could not be tracked or quota-limited.
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:10031,
    permit_mynetworks,
    permit_sasl_authenticated,
    ...
Testing:
netstat -ntlp | grep 10031
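Beyond checking that the port is open, you can talk the Postfix policy delegation protocol to the daemon yourself. The following is an added example, not part of the original notes and not cluebringer's own code: a Python client that sends a RCPT-stage policy request exactly as Postfix would (name=value lines ending in a blank line) and reads back the action= reply. It is exercised here against a constructed stand-in responder over a socketpair so it runs offline; the sample attributes, the KNOWN_CLIENTS set and the stand-in's DUNNO / DEFER_IF_PERMIT answers are assumptions for illustration, not cbpolicyd's behaviour. policy_query() does the same exchange against the real daemon on 127.0.0.1:10031.

```python
import socket
import threading

# Attributes Postfix sends for a check_policy_service lookup at the RCPT stage.
# Values are constructed sample data (documentation addresses), not a capture.
SAMPLE_REQUEST = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "protocol_name": "ESMTP",
    "client_address": "192.0.2.10",
    "client_name": "mail.partner.test",
    "helo_name": "mail.partner.test",
    "sender": "alice@partner.test",
    "recipient": "bob@example.org",
    "sasl_username": "",
}

def encode_request(attrs):
    """Serialise attributes in policy delegation format: name=value lines,
    terminated by an empty line."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()) + "\n"

def parse_attrs(blob):
    """Parse a name=value block (request or reply) back into a dict."""
    attrs = {}
    for line in blob.split("\n"):
        if line:
            name, _, value = line.partition("=")
            attrs[name] = value
    return attrs

def read_block(sock):
    """Read until the blank line that ends a request or reply."""
    buf = b""
    while not buf.endswith(b"\n\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")

def policy_exchange(sock, attrs):
    """Send one request on a connected socket and return the reply attributes."""
    sock.sendall(encode_request(attrs).encode())
    return parse_attrs(read_block(sock))

def policy_query(host, port, attrs, timeout=5.0):
    """The same exchange against a live daemon, e.g. ('127.0.0.1', 10031)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return policy_exchange(sock, attrs).get("action", "")

# --- stand-in responder (NOT cbpolicyd) so the client can be exercised offline ---
KNOWN_CLIENTS = {"192.0.2.10"}   # assumed: a client the stand-in has "seen before"

def fake_policyd(sock):
    """Answer one request on sock the way a greylisting policy might, then close."""
    req = parse_attrs(read_block(sock))
    if req.get("request") == "smtpd_access_policy" and req.get("client_address") not in KNOWN_CLIENTS:
        action = "DEFER_IF_PERMIT 4.7.1 Greylisting in effect, please come back later"
    else:
        action = "DUNNO"
    sock.sendall(f"action={action}\n\n".encode())
    sock.close()

def demo(attrs):
    """Run client and stand-in over a socketpair; returns the action string."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_policyd, args=(server,))
    t.start()
    reply = policy_exchange(client, attrs)
    t.join()
    client.close()
    return reply.get("action", "")

if __name__ == "__main__":
    print(demo(SAMPLE_REQUEST))
    print(demo(dict(SAMPLE_REQUEST, client_address="198.51.100.7")))
```

Against the real daemon, call policy_query("127.0.0.1", 10031, SAMPLE_REQUEST) and watch /var/log/cbpolicyd.log at the same time; the reply action is whatever your policies decide, not the constructed strings above.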
logrotate
chmod 640 /var/log/cbpolicyd.log
/etc/logrotate.d/cluebringer
/var/log/cbpolicyd.log {
    create 0640 cluebringer cluebringer
    weekly
    rotate 4
    copytruncate
    compress
    missingok
}
(0640 rather than 0660 so the mode matches the chmod above; nothing but cbpolicyd needs to write the log.)
cbpadmin
cbpadmin is responsible for deleting old entries from the database, so run it periodically (e.g. from cron):
- Quotas: 30 days
- session tracking: 24 hours
- Greylisting: GreylistAuthValidity, GreylistUnAuthValidity
Config file: link the real config to /etc/cluebringer.conf so that cbpadmin finds it there:
ln -s /etc/policyd/cluebringer.conf /etc/cluebringer.conf
Troubleshoot:
<1>
Can't locate cbp/logging.pm in @INC (@INC contains: /usr/local/lib/policyd-2.0 /usr/lib/policyd-2.0 /usr/local/lib/perl5 /usr/local/share/perl5 /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5 /usr/share/perl5 .) at /usr/sbin/cbpadmin line 30.
which cbpadmin
/usr/sbin/cbpadmin
line 25: use lib('/usr/local/lib/policyd-2.0','/usr/lib/policyd-2.0');
change to (on x86_64 the modules are installed under /usr/lib64):
use lib('/usr/local/lib/policyd-2.0','/usr/lib/policyd-2.0','/usr/lib64/policyd-2.0');
Output of a cbpadmin run:
Policyd Admin Tool (ClueBringer) v2.0.14-1 - Copyright (c) 2007-2009 AllWorldIT
=> AccessControl: enabled
=> CheckSPF: enabled
=> Greylisting: enabled
=> Quotas: enabled
Module: Core
-> running cleanup...
[CORE] Removed 0 records from session tracking table
Module: Access Control Plugin
Module: HELO/EHLO Check Plugin
-> running cleanup...
Module: SPF Check Plugin
Module: Greylisting Plugin
-> running cleanup...
Module: Quotas Plugin
-> running cleanup...
[QUOTAS] Removed 0
Usage:
After a default install:
Access Control > Greylisting
Access Control > Quotas
Access Control > SASL Login
Settings:
smtpd_recipient_restrictions =
check_policy_service inet:127.0.0.1:10031,
permit_mynetworks,
permit_sasl_authenticated,
.....................
Quotas:
tables: quota, quotas_limits, quotas_tracking
When Counter exceeds CounterLimit within Period, the Verdict action is taken
and the message in Data is returned.
table: quotas_tracking:
TrackKey format:
SASLUsername:????
Sender:????
SenderIP:/28
Recipient:????
Relationships between table ids:
`quotas_tracking`.QuotasLimitsID --> `quotas_limits`.id
`quotas_limits`.QuotasID --> `quotas`.ID
`quotas`.PolicyID --> `policies`.ID
webui
/usr/share/cluebringer/webui
index.php
"Features Supported"
header.php
<td id="menu">
greylisting-whitelist-add.php
policy-group-member-add.php
quotas-add.php
# search for "Disabled": entries added through these pages are inserted with Disabled=1, i.e. they start out disabled, e.g.
$stmt = $db->prepare("INSERT INTO policy_group_members (PolicyGroupID,Member,Comment,Disabled)
                      VALUES (?,?,?,1)");
Greylisting
Table: greylisting
Track: SenderIP:/28
UseGreylisting: 1
GreylistPeriod: 120
451, '4.7.1 <x@x>: Recipient address rejected: Greylisting in effect, please come back later'
Table: greylisting_tracking
TrackKey, Sender, Recipient, FirstSeen, LastUpdate, Tries (number of rejected attempts), Count (number of mails accepted)
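Added example, not from the original notes and not cbpolicyd's code: it shows how the Track setting above (and the quota TrackKey formats listed earlier) turn a connection into a tracking key, and the greylisting decision the greylisting_tracking columns describe: first contact gets the 451, retries within GreylistPeriod are counted in Tries and still deferred, a retry after the period is accepted and counted. Because the key is the /28, any host in the same /28 inherits the entry. The stored key string format, the Postfix action strings and the in-memory table are assumptions; cbpolicyd's real implementation may differ in detail.

```python
import ipaddress

# Constructed sample connection (documentation addresses), not a captured session
SAMPLE_MSG = {
    "client_address": "192.0.2.10",
    "sender": "alice@partner.test",
    "recipient": "bob@example.org",
    "sasl_username": "",
}

# Assumed Postfix-side action strings; the 451 text is the one quoted above
TEMPFAIL = "DEFER_IF_PERMIT 451 4.7.1 Greylisting in effect, please come back later"
ACCEPT = "DUNNO"

def track_key(spec, msg):
    """Turn a Track spec (SenderIP:/28, Sender:, Recipient:, SASLUsername:)
    into the key a tracking row is filed under. For SenderIP the client
    address is masked to the given prefix length, so every host in that
    network shares one key. The exact string cbpolicyd stores is an assumption."""
    field, _, arg = spec.partition(":")
    if field == "SenderIP":
        prefix = int(arg.lstrip("/")) if arg else 32
        net = ipaddress.ip_network(f"{msg['client_address']}/{prefix}", strict=False)
        return f"SenderIP:{net.network_address}/{prefix}"
    attr = {"Sender": "sender", "Recipient": "recipient",
            "SASLUsername": "sasl_username"}[field]
    return f"{field}:{msg[attr]}"

class Greylist:
    """In-memory stand-in for greylisting_tracking: one row per
    (TrackKey, Sender, Recipient) triplet with the columns listed above."""

    def __init__(self, period=120, track="SenderIP:/28"):
        self.period = period          # GreylistPeriod in seconds
        self.track = track
        self.rows = {}

    def check(self, msg, now):
        """Return the action for one delivery attempt at time `now` (epoch seconds)."""
        triplet = (track_key(self.track, msg), msg["sender"], msg["recipient"])
        row = self.rows.get(triplet)
        if row is None:
            # never seen: record it and ask the sender to come back later
            self.rows[triplet] = {"FirstSeen": now, "LastUpdate": now,
                                  "Tries": 1, "Count": 0}
            return TEMPFAIL
        row["LastUpdate"] = now
        if now - row["FirstSeen"] < self.period:
            row["Tries"] += 1         # retried too early: still greylisted
            return TEMPFAIL
        row["Count"] += 1             # retried after the period: accept
        return ACCEPT

if __name__ == "__main__":
    g = Greylist()
    for t in (0, 60, 130):
        print(t, g.check(SAMPLE_MSG, now=t))
    print(g.rows)
```

A legitimate MTA retries after a few minutes and passes on the second or third attempt; spam engines that never retry never reach Count > 0, which is the whole point of the delay.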
SPF Checks
table: checkspf
UseSPF: 1
RejectFailedSPF: 1
AddSPFHeader: 1
# Add SPF Header
If the mail is not rejected, add an SPF header.
e.g. the log entry:
Nov 6 16:20:44 ispconfig cbpolicyd[16668]: module=CheckSPF, action=add_header, host=x.x.x.x, helo=sender.helo, from=sender@sender_domain, to=test@recipient_domain, reason=no_spf_record
and the header added to the message:
Received-SPF: none (sender_domain: No applicable sender policy available) receiver=recipient_domain; identity=mailfrom; envelope-from="sender@sender_domain"; helo=mail.sender_domain; client-ip=x.x.x.x
log:
module=CheckSPF, action=pass host= ............ reason=spf_pass
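Added example, not from the original page: a parser for cbpolicyd log lines of the form shown above, with two checks an operator would run over them, a tally of CheckSPF outcomes by action/reason and the sender domains that were rejected for SPF failure together with the hosts that sent them (the list to look at when a domain is being spoofed). The sample lines are constructed; only add_header/no_spf_record and pass/spf_pass appear on the page, the reject/spf_fail lines and the non-module "Starting up" line are assumed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown above (documentation addresses).
SAMPLE_LOG = """\
Nov  6 16:20:44 mx cbpolicyd[16668]: module=CheckSPF, action=add_header, host=192.0.2.10, helo=mail.partner.test, from=alice@partner.test, to=bob@example.org, reason=no_spf_record
Nov  6 16:21:02 mx cbpolicyd[16668]: module=CheckSPF, action=pass, host=192.0.2.11, helo=mx.vendor.test, from=carol@vendor.test, to=bob@example.org, reason=spf_pass
Nov  6 16:21:30 mx cbpolicyd[16668]: module=CheckSPF, action=reject, host=198.51.100.7, helo=mail.partner.test, from=alice@partner.test, to=bob@example.org, reason=spf_fail
Nov  6 16:21:31 mx cbpolicyd[16668]: module=CheckSPF, action=reject, host=198.51.100.7, helo=mail.partner.test, from=alice@partner.test, to=dave@example.org, reason=spf_fail
Nov  6 16:22:00 mx cbpolicyd[16668]: Starting up, without HUP
"""

# syslog prefix, then the module's comma-separated key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<syslog_host>\S+) "
    r"cbpolicyd\[(?P<pid>\d+)\]: (?P<body>module=.*)$"
)

def parse_line(line):
    """One syslog line -> dict of its fields, or None if it is not a module result line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "syslog_host": m["syslog_host"], "pid": int(m["pid"])}
    for pair in m["body"].split(", "):
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]

def spf_summary(records):
    """Tally CheckSPF outcomes by (action, reason)."""
    return Counter((r["action"], r["reason"])
                   for r in records if r.get("module") == "CheckSPF")

def rejected_spf_senders(records):
    """Sender domains rejected for failing SPF, with the client hosts that used them."""
    out = {}
    for r in records:
        if r.get("module") == "CheckSPF" and r.get("action") == "reject":
            domain = r["from"].rpartition("@")[2]
            out.setdefault(domain, set()).add(r["host"])
    return out

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (action, reason), n in sorted(spf_summary(recs).items()):
        print(f"{action:12} {reason:16} {n}")
    print(rejected_spf_senders(recs))
```

Feed it the real log with parse_log(open("/var/log/cbpolicyd.log").read()); a sudden rise in reject/spf_fail for one of your own domains usually means someone is spoofing it.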
White List
[1]
Policies - Groups: add mxserver
Add Members to mxserver - x.x.x.x
INSERT INTO `policy_groups` (`ID`, `Name`, `Disabled`, `Comment`)
  VALUES (5, 'mxserver', 0, '');
INSERT INTO `policy_group_members` (`ID`, `PolicyGroupID`, `Member`, `Disabled`, `Comment`)
  VALUES (10, 5, 'x.x.x.x', 0, 'test');
[2]
Policies -> Main -> "Default Inbound" -> add Members
Source: %mxserver
Destination: any
INSERT INTO `policy_members` (`ID`, `PolicyID`, `Source`, `Destination`, `Comment`, `Disabled`)
  VALUES (8, 3, '%mxserver', 'any', 'mxserver', 0);
[3]
SPF Checks - Configure -> Add "Policy" ("Default Inbound")["Use SPF": No]
INSERT INTO `checkspf` (`ID`, `PolicyID`, `Name`, `UseSPF`, `RejectFailedSPF`, `AddSPFHeader`, `Comment`, `Disabled`)
  VALUES (3, 3, 'Whitelist', 2, 2, 2, '', 0);
Priorities
Lower numbers are processed first: 0 before 1, 10 before 20 (range 0-100).
Member
@domain This will match all email @domain.
user@domain This will match all email user@domain.
@ Matches the empty envelope sender <>.
a.b.c.d Matches a single sending server IP address.
a.b.c.d/e Matches a CIDR formatted range of sending server IP addresses.
whatever.example.com reverse dns of the IP where the client is connecting from.
%group Matches a group
Pre-configured default policies
Default System Policy
Priority: 0
Source: ANY
Destination: ANY
Default Outbound Policy
Priority: 10
Source: %internal_ips,%internal_domains
Destination: !%internal_domains
Default Inbound Policy
Priority: 10
Source: !%internal_ips,!%internal_domains
Destination: %internal_domains
groups
internal_ips
10.0.0.0/8
internal_domains
example.org
example.com
example.net
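Added example, not from the original notes and not cbpolicyd's code: a small model of the Member syntax above and of how the three default policies select a message, so you can check which policies a given client/sender/recipient would fall under before editing them. The combination rule for comma lists (any non-negated item may match, no "!" item may match) and the treatment of "any" are my reading of the conventions above and are assumptions; the groups mirror the defaults and the messages are constructed.

```python
import ipaddress

# Constructed groups mirroring the page's default groups
GROUPS = {
    "internal_ips": ["10.0.0.0/8"],
    "internal_domains": ["@example.org", "@example.com", "@example.net"],
}

# The three pre-configured policies; each member is a (Source, Destination) pair
POLICIES = [
    {"Name": "Default System Policy", "Priority": 0,
     "Members": [("any", "any")]},
    {"Name": "Default Outbound Policy", "Priority": 10,
     "Members": [("%internal_ips,%internal_domains", "!%internal_domains")]},
    {"Name": "Default Inbound Policy", "Priority": 10,
     "Members": [("!%internal_ips,!%internal_domains", "%internal_domains")]},
]

def _as_network(item):
    try:
        return ipaddress.ip_network(item, strict=False)
    except ValueError:
        return None

def match_item(item, addr, client):
    """Match one member spec. addr is the envelope address being tested
    (sender for Source, recipient for Destination); client is
    {'address', 'name'} on the Source side and None on the Destination
    side, where IP and reverse-DNS specs cannot apply."""
    if item.startswith("%"):                       # %group
        return any(match_item(m, addr, client) for m in GROUPS[item[1:]])
    if item == "@":                                # the null sender <>
        return addr == ""
    if item.startswith("@"):                       # @domain
        return addr.lower().endswith(item.lower())
    if "@" in item:                                # user@domain
        return addr.lower() == item.lower()
    net = _as_network(item)
    if net is not None:                            # a.b.c.d or a.b.c.d/e
        return client is not None and ipaddress.ip_address(client["address"]) in net
    # anything else is the reverse DNS name of the connecting client
    return client is not None and client["name"].lower() == item.lower()

def match_spec(spec, addr, client):
    """Comma-separated member list. Assumption: any non-negated item may
    match, while no '!'-negated item may; 'any' matches everything."""
    positives, negatives = [], []
    for raw in (s.strip() for s in spec.split(",")):
        (negatives if raw.startswith("!") else positives).append(raw.lstrip("!"))
    if any(match_item(n, addr, client) for n in negatives):
        return False
    return not positives or any(p.lower() == "any" or match_item(p, addr, client)
                                for p in positives)

def matching_policies(msg):
    """Names of the policies whose members match msg, in processing order
    (lower Priority first, as stated above)."""
    client = {"address": msg["client_address"], "name": msg.get("client_name", "")}
    hits = []
    for pol in sorted(POLICIES, key=lambda p: p["Priority"]):
        for src, dst in pol["Members"]:
            if match_spec(src, msg["sender"], client) and match_spec(dst, msg["recipient"], None):
                hits.append(pol["Name"])
                break
    return hits

# Constructed messages: external -> internal, internal -> external, internal -> internal
MSG_INBOUND = {"client_address": "192.0.2.10", "client_name": "mail.partner.test",
               "sender": "alice@partner.test", "recipient": "bob@example.org"}
MSG_OUTBOUND = {"client_address": "10.1.2.3", "client_name": "desk.example.org",
                "sender": "bob@example.org", "recipient": "alice@partner.test"}
MSG_INTERNAL = {"client_address": "10.1.2.3", "client_name": "desk.example.org",
                "sender": "bob@example.org", "recipient": "dave@example.com"}

if __name__ == "__main__":
    for name, msg in (("inbound", MSG_INBOUND), ("outbound", MSG_OUTBOUND), ("internal", MSG_INTERNAL)):
        print(name, matching_policies(msg))
```

The internal-to-internal case shows why the negations matter: it falls under neither Inbound nor Outbound and gets only the system policy, so anything you want to apply to internal mail has to be attached there or to a policy of its own.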