Diffstat (limited to '')
-rw-r--r-- | examples/chroot-setup/AIX42 | 12 | ||||
-rw-r--r-- | examples/chroot-setup/BSDI2 | 4 | ||||
-rw-r--r-- | examples/chroot-setup/BSDI3 | 4 | ||||
-rw-r--r-- | examples/chroot-setup/FREEBSD3 | 4 | ||||
-rw-r--r-- | examples/chroot-setup/FreeBSD2 | 4 | ||||
-rw-r--r-- | examples/chroot-setup/HPUX10 | 23 | ||||
-rw-r--r-- | examples/chroot-setup/HPUX9 | 21 | ||||
-rw-r--r-- | examples/chroot-setup/IRIX5 | 39 | ||||
-rw-r--r-- | examples/chroot-setup/IRIX6 | 39 | ||||
-rw-r--r-- | examples/chroot-setup/LINUX2 | 91 | ||||
-rw-r--r-- | examples/chroot-setup/NETBSD1 | 4 | ||||
-rw-r--r-- | examples/chroot-setup/NEXTSTEP3 | 31 | ||||
-rw-r--r-- | examples/chroot-setup/OPENSTEP4 | 31 | ||||
-rw-r--r-- | examples/chroot-setup/OSF1 | 21 | ||||
-rw-r--r-- | examples/chroot-setup/Solaris10 | 112 | ||||
-rw-r--r-- | examples/chroot-setup/Solaris2 | 75 | ||||
-rw-r--r-- | examples/chroot-setup/Solaris8 | 106 | ||||
-rw-r--r-- | examples/qmail-local/qmail-local.txt | 16 | ||||
-rw-r--r-- | examples/smtpd-policy/README.SPF | 6 | ||||
-rwxr-xr-x | examples/smtpd-policy/greylist.pl | 283 |
20 files changed, 926 insertions, 0 deletions
diff --git a/examples/chroot-setup/AIX42 b/examples/chroot-setup/AIX42
new file mode 100644
index 0000000..41f15b5
--- /dev/null
+++ b/examples/chroot-setup/AIX42
@@ -0,0 +1,12 @@
+umask 022
+mkdir /var/spool/postfix/etc
+chmod 755 /var/spool/postfix/etc
+for i in /etc/environment /etc/netsvc.conf /etc/localtime
+do
+ test -e $i && cp $i /var/spool/postfix/etc
+done
+cp /etc/services /etc/resolv.conf /var/spool/postfix/etc
+mkdir /var/spool/postfix/dev
+chmod 755 /var/spool/postfix/dev
+mknod /var/spool/postfix/dev/null c 2 2
+chmod 666 /var/spool/postfix/dev/null
diff --git a/examples/chroot-setup/BSDI2 b/examples/chroot-setup/BSDI2
new file mode 100644
index 0000000..9d7f020
--- /dev/null
+++ b/examples/chroot-setup/BSDI2
@@ -0,0 +1,4 @@
+umask 022
+mkdir /var/spool/postfix/etc
+chmod 755 /var/spool/postfix/etc
+cp /etc/localtime /etc/services /etc/resolv.conf /var/spool/postfix/etc
diff --git a/examples/chroot-setup/BSDI3 b/examples/chroot-setup/BSDI3
new file mode 100644
index 0000000..9d7f020
--- /dev/null
+++ b/examples/chroot-setup/BSDI3
@@ -0,0 +1,4 @@
+umask 022
+mkdir /var/spool/postfix/etc
+chmod 755 /var/spool/postfix/etc
+cp /etc/localtime /etc/services /etc/resolv.conf /var/spool/postfix/etc
diff --git a/examples/chroot-setup/FREEBSD3 b/examples/chroot-setup/FREEBSD3
new file mode 100644
index 0000000..4afb0eb
--- /dev/null
+++ b/examples/chroot-setup/FREEBSD3
@@ -0,0 +1,4 @@
+umask 022
+mkdir /var/spool/postfix/etc
+chmod 755 /var/spool/postfix/etc
+cd /etc ; cp host.conf localtime services resolv.conf /var/spool/postfix/etc
diff --git a/examples/chroot-setup/FreeBSD2 b/examples/chroot-setup/FreeBSD2
new file mode 100644
index 0000000..4afb0eb
--- /dev/null
+++ b/examples/chroot-setup/FreeBSD2
@@ -0,0 +1,4 @@
+umask 022
+mkdir /var/spool/postfix/etc
+chmod 755 /var/spool/postfix/etc
+cd /etc ; cp host.conf localtime services resolv.conf /var/spool/postfix/etc
diff --git a/examples/chroot-setup/HPUX10 b/examples/chroot-setup/HPUX10
new file mode 100644
index 0000000..c886944
--- /dev/null
+++ b/examples/chroot-setup/HPUX10
@@ -0,0 +1,23 @@
+# Setup chroot jail for HP-UX (9 or 10). -- tiggr (Pieter Schoenmakers)
+
+if test -z "${POSTFIX_DIR}"; then
+ if test -d /usr/spool/postfix; then
+ POSTFIX_DIR=/usr/spool/postfix
+ elif test -d /var/spool/postfix; then
+ POSTFIX_DIR=/var/spool/postfix
+ else
+ echo Please indicate POSTFIX_DIR in the environment >&2
+ exit 2;
+ fi
+fi
+
+set -e
+
+umask 022
+
+cd ${POSTFIX_DIR}
+
+mkdir etc
+cp /etc/services etc
+mkdir -p usr/lib
+cp /usr/lib/tztab usr/lib
diff --git a/examples/chroot-setup/HPUX9 b/examples/chroot-setup/HPUX9
new file mode 100644
index 0000000..ca54c65
--- /dev/null
+++ b/examples/chroot-setup/HPUX9
@@ -0,0 +1,21 @@
+# Setup chroot jail for HP-UX (9 or 10). -- tiggr (Pieter Schoenmakers)
+
+if test -z "${POSTFIX_DIR}"; then
+ if test -d /usr/spool/postfix; then
+ POSTFIX_DIR=/usr/spool/postfix
+ elif test -d /var/spool/postfix; then
+ POSTFIX_DIR=/var/spool/postfix
+ else
+ echo Please indicate POSTFIX_DIR in the environment >&2
+ exit 2;
+ fi
+fi
+
+set -e
+
+umask 022
+
+cd ${POSTFIX_DIR}
+
+mkdir etc
+cp /etc/services etc
diff --git a/examples/chroot-setup/IRIX5 b/examples/chroot-setup/IRIX5
new file mode 100644
index 0000000..a8e3a40
--- /dev/null
+++ b/examples/chroot-setup/IRIX5
@@ -0,0 +1,39 @@
+From owner-postfix-testers@porcupine.org Wed Oct 7 17:19:31 1998
+Delivered-To: wietse@porcupine.org
+Delivered-To: postfix-testers@porcupine.org
+Received: from star.win.or.jp (star.win.or.jp [202.26.20.3])
+ by spike.porcupine.org (Postfix) with ESMTP
+ id 3123445D04; Wed, 7 Oct 1998 17:19:24 -0400 (EDT)
+Received: (from ayamura@localhost)
+ by star.win.or.jp (8.9.1+CL.3.10/8.9.1) id GAA26589;
+ Thu, 8 Oct 1998 06:19:23 +0900 (JST)
+ (envelope-from ayamura)
+From: Ayamura Kikuchi <ayamura@ayamura.org>
+To: postfix-testers@porcupine.org
+Subject: chroot-setup on IRIX
+X-PGP-Fingerprint: 9F 4F FD B6 47 0D 87 65 7B 67 7C A9 70 F3 8C 52
+MIME-Version: 1.0 (generated by SEMI 1.9.0 - "Isurugi")
+Content-Type: text/plain; charset=US-ASCII
+Date: 08 Oct 1998 06:19:22 +0900
+Message-ID: <86u31g3w9x.fsf@star.ayamura.org>
+Lines: 14
+User-Agent: Semi-gnus/6.8.19 SEMI/1.9.0 (Isurugi) FLIM/1.10.1 (Miyamaki) Emacs/20.3.90 (mips-sgi-irix6.2) MULE/4.0 (HANANOEN)
+Sender: owner-postfix-testers@porcupine.org
+Status: RO
+
+# Setup chroot jail for IRIX-5.x or 6.x -- Ayamura Kikuchi <ayamura@ayamura.org>
+
+set -e
+umask 022
+
+#Default POSTFIX_DIR = /var/postfix
+#Else set POSTFIX_DIR in environment
+POSTFIX_DIR=${POSTFIX_DIR-/var/postfix}
+
+/bin/mkdir -p ${POSTFIX_DIR}/etc
+/bin/chmod 755 ${POSTFIX_DIR}
+/bin/cp /etc/services /etc/resolv.conf ${POSTFIX_DIR}/etc
+
+-- Ayamura Kikuchi
+
+
diff --git a/examples/chroot-setup/IRIX6 b/examples/chroot-setup/IRIX6
new file mode 100644
index 0000000..a8e3a40
--- /dev/null
+++ b/examples/chroot-setup/IRIX6
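Review bot: The IRIX5 file is a complete mail message rather than a script: the `From`, `Received:`, `Subject:` and other header lines ahead of `# Setup chroot jail for IRIX-5.x or 6.x` are not shell, so running the file as-is makes sh try to execute each header line as a command, and the trailing `-- Ayamura Kikuchi` signature does the same after the copy has run. Keep only the part from the `# Setup chroot jail` comment through the `/bin/cp` line; that comment already carries the attribution. The IRIX6 hunk is the identical blob (`a8e3a40`) and needs the same trimming.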
@@ -0,0 +1,39 @@
+From owner-postfix-testers@porcupine.org Wed Oct 7 17:19:31 1998
+Delivered-To: wietse@porcupine.org
+Delivered-To: postfix-testers@porcupine.org
+Received: from star.win.or.jp (star.win.or.jp [202.26.20.3])
+ by spike.porcupine.org (Postfix) with ESMTP
+ id 3123445D04; Wed, 7 Oct 1998 17:19:24 -0400 (EDT)
+Received: (from ayamura@localhost)
+ by star.win.or.jp (8.9.1+CL.3.10/8.9.1) id GAA26589;
+ Thu, 8 Oct 1998 06:19:23 +0900 (JST)
+ (envelope-from ayamura)
+From: Ayamura Kikuchi <ayamura@ayamura.org>
+To: postfix-testers@porcupine.org
+Subject: chroot-setup on IRIX
+X-PGP-Fingerprint: 9F 4F FD B6 47 0D 87 65 7B 67 7C A9 70 F3 8C 52
+MIME-Version: 1.0 (generated by SEMI 1.9.0 - "Isurugi")
+Content-Type: text/plain; charset=US-ASCII
+Date: 08 Oct 1998 06:19:22 +0900
+Message-ID: <86u31g3w9x.fsf@star.ayamura.org>
+Lines: 14
+User-Agent: Semi-gnus/6.8.19 SEMI/1.9.0 (Isurugi) FLIM/1.10.1 (Miyamaki) Emacs/20.3.90 (mips-sgi-irix6.2) MULE/4.0 (HANANOEN)
+Sender: owner-postfix-testers@porcupine.org
+Status: RO
+
+# Setup chroot jail for IRIX-5.x or 6.x -- Ayamura Kikuchi <ayamura@ayamura.org>
+
+set -e
+umask 022
+
+#Default POSTFIX_DIR = /var/postfix
+#Else set POSTFIX_DIR in environment
+POSTFIX_DIR=${POSTFIX_DIR-/var/postfix}
+
+/bin/mkdir -p ${POSTFIX_DIR}/etc
+/bin/chmod 755 ${POSTFIX_DIR}
+/bin/cp /etc/services /etc/resolv.conf ${POSTFIX_DIR}/etc
+
+-- Ayamura Kikuchi
+
+
diff --git a/examples/chroot-setup/LINUX2 b/examples/chroot-setup/LINUX2
new file mode 100644
index 0000000..f9c6184
--- /dev/null
+++ b/examples/chroot-setup/LINUX2
@@ -0,0 +1,91 @@
+#! /bin/sh
+
+# LINUX2 - shell script to set up a Postfix chroot jail for Linux
+# Tested on SuSE Linux 5.3 (libc5) and 7.0 (glibc2.1)
+
+# Other testers reported as working:
+#
+# 2001-01-15 Debian sid (unstable)
+# Christian Kurz <shorty@getuid.de>
+
+# Copyright (c) 2000 - 2001 by Matthias Andree
+# Redistributable unter the MIT-style license that follows:
+# Abstract: "do whatever you want except hold somebody liable or change
+# the copyright information".
+
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+# 2000-09-29
+# v0.1: initial release
+
+# 2000-12-05
+# v0.2: copy libdb.* for libnss_db.so
+# remove /etc/localtime in case it's a broken symlink
+# restrict find to maxdepth 1 (faster)
+
+# Revision 1.4 2001/01/15 09:36:35 emma
+# add note it was successfully tested on Debian sid
+#
+# 20060101 /lib64 support by Keith Owens.
+#
+
+CP="cp -p"
+
+cond_copy() {
+ # find files as per pattern in $1
+ # if any, copy to directory $2
+ dir=`dirname "$1"`
+ pat=`basename "$1"`
+ lr=`find "$dir" -maxdepth 1 -name "$pat"`
+ if test ! -d "$2" ; then exit 1 ; fi
+ if test "x$lr" != "x" ; then $CP $1 "$2" ; fi
+}
+
+set -e
+umask 022
+
+POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}
+cd ${POSTFIX_DIR}
+
+mkdir -p etc lib usr/lib/zoneinfo
+test -d /lib64 && mkdir -p lib64
+
+# find localtime (SuSE 5.3 does not have /etc/localtime)
+lt=/etc/localtime
+if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi
+if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi
+if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi
+rm -f etc/localtime
+
+# copy localtime and some other system files into the chroot's etc
+$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc
+$CP -f /etc/host.conf /etc/hosts /etc/passwd etc
+ln -s -f /etc/localtime usr/lib/zoneinfo
+
+# copy required libraries into the chroot
+cond_copy '/lib/libnss_*.so*' lib
+cond_copy '/lib/libresolv.so*' lib
+cond_copy '/lib/libdb.so*' lib
+if test -d /lib64; then
+ cond_copy '/lib64/libnss_*.so*' lib64
+ cond_copy '/lib64/libresolv.so*' lib64
+ cond_copy '/lib64/libdb.so*' lib64
+fi
+
+postfix reload
diff --git a/examples/chroot-setup/NETBSD1 b/examples/chroot-setup/NETBSD1
new file mode 100644
index 0000000..53a2361
--- /dev/null
+++ b/examples/chroot-setup/NETBSD1
@@ -0,0 +1,4 @@
+umask 022
+mkdir /var/spool/postfix/etc
+chmod 755 /var/spool/postfix/etc
+cd /etc ; cp localtime services resolv.conf /var/spool/postfix/etc
diff --git a/examples/chroot-setup/NEXTSTEP3 b/examples/chroot-setup/NEXTSTEP3
new file mode 100644
index 0000000..a2f163e
--- /dev/null
+++ b/examples/chroot-setup/NEXTSTEP3
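Review bot: `cond_copy` exits the whole script with `exit 1` when `$2` is not a directory but prints nothing, so a failed run gives no indication of which jail target was missing; report before exiting: `if test ! -d "$2" ; then echo "cond_copy: $2 is not a directory" >&2 ; exit 1 ; fi`. The copy on the next line relies on `$1` being unquoted so the shell expands the same glob that `find` matched, which is correct but is the kind of thing a later reader "fixes" by quoting; a trailing comment such as `# $1 unquoted on purpose: it is a glob pattern` would protect it. The hunk ends with an unconditional `postfix reload`, which is a side effect a setup script's header comment should mention.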
@@ -0,0 +1,31 @@
+# Setup chroot jail for NeXT, NEXTSTEP3.
+# Some remarks to the NEXTSTEP3 jail apply:
+# syslog:
+# Logging with syslog(3) uses a sendto ("/dev/log"). For this to work in
+# the jail, ${POSTFIX_DIR}/dev/log must be a hard link to /dev/log. This
+# fails if /usr/spool/postfix is on another filesystem, and consequently,
+# running chrooted will not be possible, unless you like to run your mail
+# system without logging (not).
+#
+# For this trick to work, the following should be run at every reboot,
+# preferably from /etc/rc, after syslog has been started (and given time
+# to create /dev/log):
+# POSTFIX_DIR=/usr/spool/postfix
+# rm ${POSTFIX_DIR}/dev/log
+# ln /dev/log ${POSTFIX_DIR}/dev/log
+
+set -e
+
+umask 022
+
+POSTFIX_DIR=${POSTFIX_DIR-/usr/spool/postfix}
+
+cd ${POSTFIX_DIR}
+
+# If this fails, running chrooted will be useless.
+mkdir dev
+ln /dev/log dev
+
+mkdir etc etc/zoneinfo
+cp /etc/zoneinfo/localtime etc/zoneinfo
+cp /etc/resolv.conf etc
diff --git a/examples/chroot-setup/OPENSTEP4 b/examples/chroot-setup/OPENSTEP4
new file mode 100644
index 0000000..a2f163e
--- /dev/null
+++ b/examples/chroot-setup/OPENSTEP4
@@ -0,0 +1,31 @@
+# Setup chroot jail for NeXT, NEXTSTEP3.
+# Some remarks to the NEXTSTEP3 jail apply:
+# syslog:
+# Logging with syslog(3) uses a sendto ("/dev/log"). For this to work in
+# the jail, ${POSTFIX_DIR}/dev/log must be a hard link to /dev/log. This
+# fails if /usr/spool/postfix is on another filesystem, and consequently,
+# running chrooted will not be possible, unless you like to run your mail
+# system without logging (not).
+#
+# For this trick to work, the following should be run at every reboot,
+# preferably from /etc/rc, after syslog has been started (and given time
+# to create /dev/log):
+# POSTFIX_DIR=/usr/spool/postfix
+# rm ${POSTFIX_DIR}/dev/log
+# ln /dev/log ${POSTFIX_DIR}/dev/log
+
+set -e
+
+umask 022
+
+POSTFIX_DIR=${POSTFIX_DIR-/usr/spool/postfix}
+
+cd ${POSTFIX_DIR}
+
+# If this fails, running chrooted will be useless.
+mkdir dev
+ln /dev/log dev
+
+mkdir etc etc/zoneinfo
+cp /etc/zoneinfo/localtime etc/zoneinfo
+cp /etc/resolv.conf etc
diff --git a/examples/chroot-setup/OSF1 b/examples/chroot-setup/OSF1
new file mode 100644
index 0000000..dd6ae64
--- /dev/null
+++ b/examples/chroot-setup/OSF1
@@ -0,0 +1,21 @@
+*******************************************************************
+# setup chroot jail for OSF1
+# prabhat@wonder
+set -e
+umask 022
+
+#Default POSTFIX_DIR = /var/spool/postfix
+#Else set POSTFIX_DIR in environment
+
+POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}
+
+cd ${POSTFIX_DIR}
+mkdir etc
+cp /etc/svc.conf /etc/services /etc/resolv.conf etc
+#
+# The following line added to make the timestamps in syslog to be correct.
+# /PetBi@UNIT.LiU.SE
+#
+cp -r /etc/zoneinfo etc
+
+#*******************************************************************
diff --git a/examples/chroot-setup/Solaris10 b/examples/chroot-setup/Solaris10
new file mode 100644
index 0000000..8647d9a
--- /dev/null
+++ b/examples/chroot-setup/Solaris10
@@ -0,0 +1,112 @@
+#!/bin/sh
+# From original Solaris 8 version by Matthew X. Economou
+# Solaris 10 version updated by JD Bronson. Caution: this copies
+# too many files. There is no need to copy libc.so and other files
+# that are already linked in before a Postfix daemon chroots itself.
+
+COMMAND_DIRECTORY="/usr/sbin"
+DAEMON_DIRECTORY="/usr/libexec/postfix"
+QUEUE_DIRECTORY="/var/spool/postfix"
+
+## Copy any shared libraries, device entries, or configuration files
+## needed by Postfix into the jail.
+binlist="
+$DAEMON_DIRECTORY/virtual
+$DAEMON_DIRECTORY/trivial-rewrite
+$DAEMON_DIRECTORY/spawn
+$DAEMON_DIRECTORY/smtpd
+$DAEMON_DIRECTORY/smtp
+$DAEMON_DIRECTORY/showq
+$DAEMON_DIRECTORY/qmqpd
+$DAEMON_DIRECTORY/qmgr
+$DAEMON_DIRECTORY/proxymap
+$DAEMON_DIRECTORY/pipe
+$DAEMON_DIRECTORY/pickup
+$DAEMON_DIRECTORY/nqmgr
+$DAEMON_DIRECTORY/master
+$DAEMON_DIRECTORY/local
+$DAEMON_DIRECTORY/lmtp
+$DAEMON_DIRECTORY/flush
+$DAEMON_DIRECTORY/error
+$DAEMON_DIRECTORY/cleanup
+$DAEMON_DIRECTORY/bounce
+/usr/lib/sendmail
+$COMMAND_DIRECTORY/postsuper
+$COMMAND_DIRECTORY/postqueue
+$COMMAND_DIRECTORY/postmap
+$COMMAND_DIRECTORY/postlog
+$COMMAND_DIRECTORY/postlock
+$COMMAND_DIRECTORY/postkick
+$COMMAND_DIRECTORY/postfix
+$COMMAND_DIRECTORY/postdrop
+$COMMAND_DIRECTORY/postconf
+$COMMAND_DIRECTORY/postcat
+$COMMAND_DIRECTORY/postalias
+"
+ldd $binlist | awk '/[=]>/ { print $3 }' | sort -u | while read i
+do
+ mkdir -p $QUEUE_DIRECTORY`dirname $i`
+ ## Sun's version of tar sucks. We'll have to remove the leading
+ ## slashes from file names ourself, otherwise the copy doesn't
+ ## work.
+ (cd / && tar cphf - `echo $i | sed -e 's/^\///'`) | (cd $QUEUE_DIRECTORY && tar xpf -)
+done
+
+## More stuff for the jail, mostly discovered by inspection
+## (e.g. strings, lsof).
+more="
+/dev/zero
+/dev/null
+/dev/udp6
+/dev/tcp6
+/dev/udp
+/dev/tcp
+/dev/poll
+/dev/rawip
+/dev/ticlts
+/dev/ticotsord
+/dev/ticots
+/devices/pseudo/mm@0:zero
+/devices/pseudo/mm@0:null
+/devices/pseudo/udp6@0:udp6
+/devices/pseudo/tcp6@0:tcp6
+/devices/pseudo/udp@0:udp
+/devices/pseudo/tcp@0:tcp
+/devices/pseudo/poll@0:poll
+/devices/pseudo/icmp@0:icmp
+/devices/pseudo/tl@0:ticlts
+/devices/pseudo/tl@0:ticotsord
+/devices/pseudo/tl@0:ticots
+/etc/hosts
+/etc/nsswitch.conf
+/etc/netconfig
+/etc/passwd
+/etc/resolv.conf
+/etc/default/init
+/etc/default/nss
+/etc/inet/services
+/etc/inet/hosts
+/etc/services
+/lib/ld.so
+/lib/ld.so.1
+/usr/lib/nss_dns.so.1
+/usr/lib/sparcv9/straddr.so
+/usr/lib/straddr.so
+/usr/lib/straddr.so.2
+/lib/libintl.so
+/lib/libintl.so.1
+/lib/libw.so
+/lib/libw.so.1
+/lib/nss_nis.so.1
+/lib/nss_nisplus.so.1
+/lib/nss_dns.so.1
+/lib/nss_files.so.1
+/usr/share/lib/zoneinfo
+/var/ld/ld.config
+"
+for i in $more; do
+ mkdir -p $QUEUE_DIRECTORY`dirname $i`
+ (cd / && tar cpf - `echo $i | sed -e 's/^\///'`) | (cd $QUEUE_DIRECTORY && tar xpf -)
+done
+
+exit 0
diff --git a/examples/chroot-setup/Solaris2 b/examples/chroot-setup/Solaris2
new file mode 100644
index 0000000..024492c
--- /dev/null
+++ b/examples/chroot-setup/Solaris2
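Review bot: The `ldd $binlist | awk '/[=]>/ { print $3 }'` loop has no handling for an unresolved dependency: Solaris ldd typically reports one as `name =>  (file not found)`, which still matches `/[=]>/`, so `$3` becomes `(file`, the loop runs `mkdir -p` and a `tar` of a path that does not exist, the error is swallowed by the pipeline, and the script still reaches `exit 0` with an incomplete jail. Fail loudly before copying and only accept absolute paths, e.g. `ldd $binlist | grep 'not found' >&2 && exit 1` ahead of the loop and `awk '/[=]> \// { print $3 }'` in it. The same loop appears unchanged in the Solaris8 hunk and needs the same treatment. The file-copy loop over `$more` likewise discards every `tar` failure; a `set -e` at the top would at least stop on the `mkdir`.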
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+umask 022
+PATH=/usr/bin:/sbin:/usr/sbin
+
+# Create chroot'd area under Solaris 2.5.1 for postfix.
+#
+# Dug Song <dugsong@UMICH.EDU>
+
+if [ $# -ne 1 ]; then
+ echo "Usage: `basename $0` <directory>, e.g.: /var/spool/postfix" ; exit 1
+fi
+
+CHROOT=$1
+
+# If CHROOT does not exist but parent does, create CHROOT
+if [ ! -d ${CHROOT} ]; then
+ # lack of -p below is intentional
+ mkdir ${CHROOT}
+fi
+if [ ! -d ${CHROOT} -o "${CHROOT}" = "/" -o "${CHROOT}" = "/usr" ]; then
+ echo "$0: bad chroot directory ${CHROOT}"
+ exit 2
+fi
+for dir in etc/default etc/inet dev usr/lib usr/share/lib/zoneinfo ; do
+ if [ ! -d ${CHROOT}/${dir} ]; then mkdir -p ${CHROOT}/${dir} ; fi
+done
+#chmod -R 755 ${CHROOT}
+
+# AFS support.
+if [ "`echo $CHROOT | cut -c1-4`" = "/afs" ]; then
+ echo '\tCreating memory resident /dev...'
+ mount -F tmpfs -o size=10 swap ${CHROOT}/dev
+fi
+
+# Setup /etc files.
+cp /etc/nsswitch.conf ${CHROOT}/etc
+cp /etc/netconfig /etc/resolv.conf ${CHROOT}/etc
+cp /etc/default/init ${CHROOT}/etc/default
+cp /etc/inet/services ${CHROOT}/etc/inet/services
+ln -s /etc/inet/services ${CHROOT}/etc/services
+find ${CHROOT}/etc -type f -exec chmod 444 {} \;
+
+# Most of the following are needed for basic operation, except
+# for libnsl.so, nss_nis.so, libsocket.so, and straddr.so which are
+# needed to resolve NIS names.
+cp /usr/lib/ld.so /usr/lib/ld.so.1 ${CHROOT}/usr/lib
+for lib in libc libdl libintl libmp libnsl libsocket libw \
+ nss_nis nss_nisplus nss_dns nss_files; do
+ cp /usr/lib/${lib}.so.1 ${CHROOT}/usr/lib
+ rm -f ${CHROOT}/usr/lib/${lib}.so
+ ln -s ./${lib}.so.1 ${CHROOT}/usr/lib/${lib}.so
+done
+cp /usr/lib/straddr.so.2 ${CHROOT}/usr/lib
+rm -f ${CHROOT}/usr/lib/straddr.so
+ln -s ./straddr.so.2 ${CHROOT}/usr/lib/straddr.so
+chmod 555 ${CHROOT}/usr/lib/*
+
+# Copy timezone database.
+(cd ${CHROOT}/usr/share/lib/zoneinfo
+ (cd /usr/share/lib/zoneinfo; find . -print | cpio -o) | cpio -imdu
+ find . -print | xargs chmod 555
+)
+
+# Make device nodes. We need ticotsord, ticlts and udp to resolve NIS names.
+for device in zero tcp udp ticotsord ticlts; do
+ line=`ls -lL /dev/${device} | sed -e 's/,//'`
+ major=`echo $line | awk '{print $5}'`
+ minor=`echo $line | awk '{print $6}'`
+ rm -f ${CHROOT}/dev/${device}
+ mknod ${CHROOT}/dev/${device} c ${major} ${minor}
+done
+chmod 666 ${CHROOT}/dev/*
+
+exit 0
diff --git a/examples/chroot-setup/Solaris8 b/examples/chroot-setup/Solaris8
new file mode 100644
index 0000000..973e731
--- /dev/null
+++ b/examples/chroot-setup/Solaris8
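Review bot: The guard `if [ ! -d ${CHROOT} -o "${CHROOT}" = "/" -o "${CHROOT}" = "/usr" ]` compares the raw argument as a string, so spellings such as `//`, `/usr/` or `/./usr` pass it, and the later `rm -f ${CHROOT}/usr/lib/${lib}.so`, `chmod 555 ${CHROOT}/usr/lib/*` and `chmod 666 ${CHROOT}/dev/*` would then run against the live system directories. Canonicalize before comparing: right after the `mkdir ${CHROOT}` block, assign the output of `cd "${CHROOT}" && pwd` (in backquotes, this script's sh has no `$(...)`) back to `CHROOT` and `exit 2` if that fails, so the literal comparisons see a normalized path. Quoting `${CHROOT}` inside the two `[ ! -d ... ]` tests is also worth doing, since an empty or space-containing argument currently changes the shape of the test rather than failing it.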
@@ -0,0 +1,106 @@
+#!/bin/sh
+
+# Solaris 8 version by Matthew X. Economou. Caution: this copies
+# too many files. There is no need to copy libc.so and other files
+# that are already linked in before a Postfix daemon chroots itself.
+
+COMMAND_DIRECTORY="/usr/sbin"
+DAEMON_DIRECTORY="/usr/libexec/postfix"
+QUEUE_DIRECTORY="/var/spool/postfix"
+
+## Copy any shared libraries, device entries, or configuration files
+## needed by Postfix into the jail.
+binlist="
+$DAEMON_DIRECTORY/virtual
+$DAEMON_DIRECTORY/trivial-rewrite
+$DAEMON_DIRECTORY/spawn
+$DAEMON_DIRECTORY/smtpd
+$DAEMON_DIRECTORY/smtp
+$DAEMON_DIRECTORY/showq
+$DAEMON_DIRECTORY/qmqpd
+$DAEMON_DIRECTORY/qmgr
+$DAEMON_DIRECTORY/proxymap
+$DAEMON_DIRECTORY/pipe
+$DAEMON_DIRECTORY/pickup
+$DAEMON_DIRECTORY/nqmgr
+$DAEMON_DIRECTORY/master
+$DAEMON_DIRECTORY/local
+$DAEMON_DIRECTORY/lmtp
+$DAEMON_DIRECTORY/flush
+$DAEMON_DIRECTORY/error
+$DAEMON_DIRECTORY/cleanup
+$DAEMON_DIRECTORY/bounce
+/usr/lib/sendmail
+$COMMAND_DIRECTORY/postsuper
+$COMMAND_DIRECTORY/postqueue
+$COMMAND_DIRECTORY/postmap
+$COMMAND_DIRECTORY/postlog
+$COMMAND_DIRECTORY/postlock
+$COMMAND_DIRECTORY/postkick
+$COMMAND_DIRECTORY/postfix
+$COMMAND_DIRECTORY/postdrop
+$COMMAND_DIRECTORY/postconf
+$COMMAND_DIRECTORY/postcat
+$COMMAND_DIRECTORY/postalias
+"
+ldd $binlist | awk '/[=]>/ { print $3 }' | sort -u | while read i
+do
+ mkdir -p $QUEUE_DIRECTORY`dirname $i`
+ ## Sun's version of tar sucks. We'll have to remove the leading
+ ## slashes from file names ourself, otherwise the copy doesn't
+ ## work.
+ (cd / && tar cphf - `echo $i | sed -e 's/^\///'`) | (cd $QUEUE_DIRECTORY && tar xpf -)
+done
+
+## More stuff for the jail, mostly discovered by inspection
+## (e.g. strings, lsof).
+more="
+/dev/zero
+/dev/null
+/dev/udp6
+/dev/tcp6
+/dev/udp
+/dev/tcp
+/dev/poll
+/dev/rawip
+/dev/ticlts
+/dev/ticotsord
+/dev/ticots
+/devices/pseudo/mm@0:zero
+/devices/pseudo/mm@0:null
+/devices/pseudo/udp6@0:udp6
+/devices/pseudo/tcp6@0:tcp6
+/devices/pseudo/udp@0:udp
+/devices/pseudo/tcp@0:tcp
+/devices/pseudo/poll@0:poll
+/devices/pseudo/icmp@0:icmp
+/devices/pseudo/tl@0:ticlts
+/devices/pseudo/tl@0:ticotsord
+/devices/pseudo/tl@0:ticots
+/etc/nsswitch.conf
+/etc/netconfig
+/etc/default/init
+/etc/inet/services
+/etc/resolv.conf
+/etc/services
+/usr/lib/ld.so
+/usr/lib/ld.so.1
+/usr/lib/sparcv9/straddr.so
+/usr/lib/straddr.so
+/usr/lib/libintl.so
+/usr/lib/libintl.so.1
+/usr/lib/libw.so
+/usr/lib/libw.so.1
+/usr/lib/nss_nis.so.1
+/usr/lib/nss_nisplus.so.1
+/usr/lib/nss_dns.so.1
+/usr/lib/nss_files.so.1
+/usr/share/lib/zoneinfo
+/var/ld/ld.config
+"
+for i in $more; do
+ mkdir -p $QUEUE_DIRECTORY`dirname $i`
+ (cd / && tar cpf - `echo $i | sed -e 's/^\///'`) | (cd $QUEUE_DIRECTORY && tar xpf -)
+done
+
+exit 0
diff --git a/examples/qmail-local/qmail-local.txt b/examples/qmail-local/qmail-local.txt
new file mode 100644
index 0000000..bf62319
--- /dev/null
+++ b/examples/qmail-local/qmail-local.txt
@@ -0,0 +1,16 @@
+From: Ron Bickers <rbickers@logicetc.com>
+
+For the archives (or for comment):
+
+I now have mailbox_command = /usr/local/libexec/postqmail-local and
+postqmail-local looks like this (minus some mailer wrapping):
+
+ #!/bin/sh
+ export PATH=$PATH:/usr/local/bin:/var/qmail/bin
+ tail +2 | seekablepipe qmail-local -- \
+ "$USER" "$HOME" "$LOCAL" "${EXTENSION:+-}" "$EXTENSION"
+ "$DOMAIN""$SENDER" ./Maildir/
+ e=$?
+ (($e == 111)) && exit 75
+ (($e == 100)) && exit 77
+ exit $e
diff --git a/examples/smtpd-policy/README.SPF b/examples/smtpd-policy/README.SPF
new file mode 100644
index 0000000..2590a1d
--- /dev/null
+++ b/examples/smtpd-policy/README.SPF
@@ -0,0 +1,6 @@
+See http://www.openspf.org/Software for the current version of the
+SPF policy daemon for Postfix.
+
+SPF support is also available via MILTER plugins, such as sid-milter
+at http://sourceforge.net/projects/sid-milter/ which implements both
+SenderID and SPF.
diff --git a/examples/smtpd-policy/greylist.pl b/examples/smtpd-policy/greylist.pl
new file mode 100755
index 0000000..dbaa5cb
--- /dev/null
+++ b/examples/smtpd-policy/greylist.pl
@@ -0,0 +1,283 @@
+#!/usr/bin/perl
+
+use DB_File;
+use Fcntl;
+use Sys::Syslog qw(:DEFAULT setlogsock);
+
+#
+# Usage: greylist.pl [-v]
+#
+# Demo delegated Postfix SMTPD policy server. This server implements
+# greylisting. State is kept in a Berkeley DB database. Logging is
+# sent to syslogd.
+#
+# How it works: each time a Postfix SMTP server process is started
+# it connects to the policy service socket, and Postfix runs one
+# instance of this PERL script. By default, a Postfix SMTP server
+# process terminates after 100 seconds of idle time, or after serving
+# 100 clients. Thus, the cost of starting this PERL script is smoothed
+# out over time.
+#
+# To run this from /etc/postfix/master.cf:
+#
+# policy unix - n n - - spawn
+# user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
+#
+# To use this from Postfix SMTPD, use in /etc/postfix/main.cf:
+#
+# smtpd_recipient_restrictions =
+# ...
+# reject_unauth_destination
+# check_policy_service unix:private/policy
+# ...
+#
+# NOTE: specify check_policy_service AFTER reject_unauth_destination
+# or else your system can become an open relay.
+#
+# To test this script by hand, execute:
+#
+# % perl greylist.pl
+#
+# Each query is a bunch of attributes. Order does not matter, and
+# the demo script uses only a few of all the attributes shown below:
+#
+# request=smtpd_access_policy
+# protocol_state=RCPT
+# protocol_name=SMTP
+# helo_name=some.domain.tld
+# queue_id=8045F2AB23
+# sender=foo@bar.tld
+# recipient=bar@foo.tld
+# client_address=1.2.3.4
+# client_name=another.domain.tld
+# instance=123.456.7
+# sasl_method=plain
+# sasl_username=you
+# sasl_sender=
+# size=12345
+# [empty line]
+#
+# The policy server script will answer in the same style, with an
+# attribute list followed by a empty line:
+#
+# action=dunno
+# [empty line]
+#
+
+#
+# greylist status database and greylist time interval. DO NOT create the
+# greylist status database in a world-writable directory such as /tmp
+# or /var/tmp. DO NOT create the greylist database in a file system
+# that can run out of space.
+#
+# In case of database corruption, this script saves the database as
+# $database_name.time(), so that the mail system does not get stuck.
+#
+$database_name="/var/mta/greylist.db";
+$greylist_delay=60;
+
+#
+# Auto-whitelist threshold. Specify 0 to disable, or the number of
+# successful "come backs" after which a client is no longer subject
+# to greylisting.
+#
+$auto_whitelist_threshold = 10;
+
+#
+# Syslogging options for verbose mode and for fatal errors.
+# NOTE: comment out the $syslog_socktype line if syslogging does not
+# work on your system.
+#
+$syslog_socktype = 'unix'; # inet, unix, stream, console
+$syslog_facility="mail";
+$syslog_options="pid";
+$syslog_priority="info";
+
+#
+# Demo SMTPD access policy routine. The result is an action just like
+# it would be specified on the right-hand side of a Postfix access
+# table. Request attributes are available via the %attr hash.
+#
+sub smtpd_access_policy {
+ my($key, $time_stamp, $now, $count);
+
+ # Open the database on the fly.
+ open_database() unless $database_obj;
+
+ # Search the auto-whitelist.
+ if ($auto_whitelist_threshold > 0) {
+ $count = read_database($attr{"client_address"});
+ if ($count > $auto_whitelist_threshold) {
+ return "dunno";
+ }
+ }
+
+ # Lookup the time stamp for this client/sender/recipient.
+ $key =
+ lc $attr{"client_address"}."/".$attr{"sender"}."/".$attr{"recipient"};
+ $time_stamp = read_database($key);
+ $now = time();
+
+ # If this is a new request add this client/sender/recipient to the database.
+ if ($time_stamp == 0) {
+ $time_stamp = $now;
+ update_database($key, $time_stamp);
+ }
+
+ # The result can be any action that is allowed in a Postfix access(5) map.
+ #
+ # To label mail, return ``PREPEND'' headername: headertext
+ #
+ # In case of success, return ``DUNNO'' instead of ``OK'' so that the
+ # check_policy_service restriction can be followed by other restrictions.
+ #
+ # In case of failure, specify ``DEFER_IF_PERMIT optional text...''
+ # so that mail can still be blocked by other access restrictions.
+ #
+ syslog $syslog_priority, "request age %d", $now - $time_stamp if $verbose;
+ if ($now - $time_stamp > $greylist_delay) {
+ # Update the auto-whitelist.
+ if ($auto_whitelist_threshold > 0) {
+ update_database($attr{"client_address"}, $count + 1);
+ }
+ return "dunno";
+ } else {
+ return "defer_if_permit Service is unavailable";
+ }
+}
+
+#
+# You should not have to make changes below this point.
+#
+sub LOCK_SH { 1 }; # Shared lock (used for reading).
+sub LOCK_EX { 2 }; # Exclusive lock (used for writing).
+sub LOCK_NB { 4 }; # Don't block (for testing).
+sub LOCK_UN { 8 }; # Release lock.
+
+#
+# Log an error and abort.
+#
+sub fatal_exit {
+ my($first) = shift(@_);
+ syslog "err", "fatal: $first", @_;
+ exit 1;
+}
+
+#
+# Open hash database.
+#
+sub open_database {
+ my($database_fd);
+
+ # Use tied database to make complex manipulations easier to express.
+ $database_obj = tie(%db_hash, 'DB_File', $database_name,
+ O_CREAT|O_RDWR, 0644, $DB_BTREE) ||
+ fatal_exit "Cannot open database %s: $!", $database_name;
+ $database_fd = $database_obj->fd;
+ open DATABASE_HANDLE, "+<&=$database_fd" ||
+ fatal_exit "Cannot fdopen database %s: $!", $database_name;
+ syslog $syslog_priority, "open %s", $database_name if $verbose;
+}
+
+#
+# Read database. Use a shared lock to avoid reading the database
+# while it is being changed. XXX There should be a way to synchronize
+# our cache from the on-file database before looking up the key.
+#
+sub read_database {
+ my($key) = @_;
+ my($value);
+
+ flock DATABASE_HANDLE, LOCK_SH ||
+ fatal_exit "Can't get shared lock on %s: $!", $database_name;
+ # XXX Synchronize our cache from the on-disk copy before lookup.
+ $value = $db_hash{$key};
+ syslog $syslog_priority, "lookup %s: %s", $key, $value if $verbose;
+ flock DATABASE_HANDLE, LOCK_UN ||
+ fatal_exit "Can't unlock %s: $!", $database_name;
+ return $value;
+}
+
+#
+# Update database. Use an exclusive lock to avoid collisions with
+# other updaters, and to avoid surprises in database readers. XXX
+# There should be a way to synchronize our cache from the on-file
+# database before updating the database.
+#
+sub update_database {
+ my($key, $value) = @_;
+
+ syslog $syslog_priority, "store %s: %s", $key, $value if $verbose;
+ flock DATABASE_HANDLE, LOCK_EX ||
+ fatal_exit "Can't exclusively lock %s: $!", $database_name;
+ # XXX Synchronize our cache from the on-disk copy before update.
+ $db_hash{$key} = $value;
+ $database_obj->sync() &&
+ fatal_exit "Can't update %s: $!", $database_name;
+ flock DATABASE_HANDLE, LOCK_UN ||
+ fatal_exit "Can't unlock %s: $!", $database_name;
+}
+
+#
+# Signal 11 means that we have some kind of database corruption (yes
+# Berkeley DB should handle this better). Move the corrupted database
+# out of the way, and start with a new database.
+#
+sub sigsegv_handler {
+ my $backup = $database_name . "." . time();
+
+ rename $database_name, $backup ||
+ fatal_exit "Can't save %s as %s: $!", $database_name, $backup;
+ fatal_exit "Caught signal 11; the corrupted database is saved as $backup";
+}
+
+$SIG{'SEGV'} = 'sigsegv_handler';
+
+#
+# This process runs as a daemon, so it can't log to a terminal. Use
+# syslog so that people can actually see our messages.
+#
+setlogsock $syslog_socktype;
+openlog $0, $syslog_options, $syslog_facility;
+
+#
+# We don't need getopt() for now.
+#
+while ($option = shift(@ARGV)) {
+ if ($option eq "-v") {
+ $verbose = 1;
+ } else {
+ syslog $syslog_priority, "Invalid option: %s. Usage: %s [-v]",
+ $option, $0;
+ exit 1;
+ }
+}
+
+#
+# Unbuffer standard output.
+#
+select((select(STDOUT), $| = 1)[0]);
+
+#
+# Receive a bunch of attributes, evaluate the policy, send the result.
+#
+while (<STDIN>) {
+ if (/([^=]+)=(.*)\n/) {
+ $attr{substr($1, 0, 512)} = substr($2, 0, 512);
+ } elsif ($_ eq "\n") {
+ if ($verbose) {
+ for (keys %attr) {
+ syslog $syslog_priority, "Attribute: %s=%s", $_, $attr{$_};
+ }
+ }
+ fatal_exit "unrecognized request type: '%s'", $attr{request}
+ unless $attr{"request"} eq "smtpd_access_policy";
+ $action = smtpd_access_policy();
+ syslog $syslog_priority, "Action: %s", $action if $verbose;
+ print STDOUT "action=$action\n\n";
+ %attr = ();
+ } else {
+ chop;
+ syslog $syslog_priority, "warning: ignoring garbage: %.100s", $_;
+ }
+} |
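Review bot: The `||` after the lock, fdopen and rename calls never tests the call it is meant to guard, because `||` binds tighter than the list operator's comma: `open DATABASE_HANDLE, "+<&=$database_fd" || fatal_exit ...` tests the string, `rename $database_name, $backup || fatal_exit ...` tests `$backup`, and the four `flock DATABASE_HANDLE, LOCK_xx || fatal_exit ...` calls test the constant sub's return value, so a failed lock falls straight through to the unlocked read or write of `%db_hash` while the code looks protected. Use the low-precedence form at each of those six sites, e.g. `flock DATABASE_HANDLE, LOCK_SH or fatal_exit "Can't get shared lock on %s: $!", $database_name;`; the `tie(...) || fatal_exit` and `$database_obj->sync() && fatal_exit` lines are fine because their arguments are parenthesized. The script also runs without `use strict; use warnings;`, which is worth adding given that all of its state (`%attr`, `$verbose`, `$option`, `$database_obj`) lives in bare package globals.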