SPEC: policyd.spec, Policyd is an anti-spam plugin for Postfix
Mikolaj Kucharski
build at kompuart.pl
Sat, 22 Oct 2005, 15:12:20 CEST
Hi,
I have been testing policyd for about a week now. It is a really nice
piece of software, so I would like this package to appear in PLD. If you
look after a mail server running on Postfix, I encourage you to give
PolicyD a try. If anyone has any questions about Postfix or PolicyD,
I will try to help, so feel free to write.
Please comment on the spec; if anyone wants to make any significant
changes, please let me know off-list.
PS. Is there somewhere one can subscribe to follow changes in cvs to
individual specs?
--
best regards
q#
-------------- next part --------------
######################################################################
# POLICY DAEMON CONFIGURATION #
######################################################################
# DATABASE CONFIG #
######################################################################
#
# ip address or hostname to connect to:
#
# if you want to connect to a host/ip, enter it here.
# if you want to connect via a unix socket, set MYSQLHOST=""
#
MYSQLHOST="127.0.0.1"
#
# database name:
#
# name of database to connect to
#
MYSQLDBASE="policyd_database"
#
# database username:
#
# username to connect to database as
#
MYSQLUSER="policyd_username"
#
# database password:
#
# password for the database user. this file holds it in clear
# text, so keep it readable by root only (the package installs
# it as 0640 root:root).
#
MYSQLPASS="secret_password"
#
# failsafe/failover mode: default: on
#
# if the database or queries fail, continue accepting mail.
# note that this fails open: while mysql is unreachable no
# greylisting, throttling or blacklisting is applied at all.
#
# 1=on 0=off
FAILSAFE=1
#
# database keep alive: default: off
#
# if you receive very little mail, your connection to the
# mysql database will time out. enabling this option pings
# the database to ensure the database connection is alive.
# if it is not, it reconnects to the database. this option
# is not needed on mail servers that receive more than one
# mail every 60 to 120 seconds. disabling this increases
# performance a little.
#
# 1=on 0=off
DATABASE_KEEPALIVE=0
######################################################################
# DAEMON CONFIG #
######################################################################
#
# debugging information: default: 3
#
# only use debugging when there are problems
#
# 0 -> off (recommended)
# 1 -> standard debugging
# 2 -> 1+mysql queries+results
# 3 -> 1+2+network debugging
# 0=off
DEBUG=0
#
# daemon/background mode: default: on
#
# detach policyd from terminal
#
# 1=on 0=off
DAEMON=1
#
# bind to ip address:
#
# ip address which the policy daemon will listen on
#
BINDHOST=127.0.0.1
#
# port to bind to:
#
# port which the policy daemon will listen on
#
BINDPORT=10031
#
# path to pidfile:
#
# where policyd will write its current pid to
#
PIDFILE=/var/run/policyd.pid
#
# syslog facility
#
# what syslog facility to log to
#
SYSLOG_FACILITY="LOG_MAIL | LOG_INFO"
######################################################################
# SECURITY #
######################################################################
#
# chroot:
#
# directory to change to before binding
#
CHROOT=/usr/share/empty
#
# uid:
#
# userid for the policy daemon to run as
#
UID=121
#
# gid:
#
# groupid for the policy daemon to run as
#
GID=121
#####################################################################
# WHITELISTING (functional) #
#####################################################################
#
# whitelisting: default: on
#
# this enables whitelisting of ip/netblocks. this is needed
# if you want to allow any of the whitelisting features.
#
# 1=on 0=off
WHITELISTING=1
#
# whitelist null sender: default: off
#
# null senders are normally used for bounce messages. many
# viruses use null senders so it's wise to leave this disabled.
#
# 1=on 0=off
WHITELISTNULL=0
#
# whitelist sender address/domain
#
# this allows you to do whitelisting based on envelope sender
# address or envelope sender domain. a number of people have
# been asking for this. please AVOID using this as spammers
# forge senders and domains a lot.
#
# 1=on 0=off
WHITELISTSENDER=0
#
# whitelist client dns name
#
# this allows you whitelist clients that have proper resolving
# records. for example, i could whitelist 'bulk.scd.yahoo.com'.
# so any connections from n6a.bulk.scd.yahoo.com or
# n6b.bulk.scd.yahoo.com would be whitelisted. this type of
# whitelisting gives far greater power when it comes to
# whitelisting ISPs or big companies which you know do not
# house spammers. please note. this table must NOT have more
# than 10 000 -> 15 000 entries.
#
# 1=on 0=off
WHITELISTDNSNAME=0
#
# automatic whitelisting default: off
#
# this allows whitelisting of remote networks who have sent
# more than AUTO_WHITELIST_NUMBER of authenticated triplets.
#
# 1=on 0=off
AUTO_WHITE_LISTING=0
#
# auto whitelist number: default: 500
#
# how many successful triplets does it require before a
# network is automatically whitelisted
#
AUTO_WHITELIST_NUMBER=500
#
# whitelist netblock/24: default: 1
#
# when hosts get autowhitelisted, should the host be whitelisted
# or should the entire netblock (class C).
#
# 1=class 0=host
AUTO_WHITELIST_NETBLOCK=0
#
# whitelist expiry default: 7 days
#
# this allows you to specify for what period of time any
# host will be whitelisted for when auto whitelisted.
# a setting of 0 sets a permanent whitelist
#
AUTO_WHITELIST_EXPIRE=7d
#####################################################################
# BLACKLISTING (functional) #
#####################################################################
#
# blacklisting: default: off
#
# this enables blacklisting of ip/netblocks. this is needed
# if you want to allow any of the blacklisting features and
# the spamtrapping module.
#
# 1=on 0=off
BLACKLISTING=1
#
# blacklist temp rejection: default: 4xx
#
# this allows you to either temp reject (4xx) blacklisted
# hosts or if you're sure that blacklisted hosts are safe
# to reject, you can hard reject (5xx) blacklisted hosts.
#
# 1=4xx 0=5xx
BLACKLIST_TEMP_REJECT=0
#
# blacklist netblock/24: default: class
#
# when hosts get blacklisted, should the host be blacklisted
# or should the entire netblock (class C). this applies to
# both when a host gets blacklisted via the spamtrap module
# or via the blacklist helo module.
#
# 1=class 0=host
BLACKLIST_NETBLOCK=0
#
# blacklist rejection default: "Abuse. Go Away"
#
# what error message blacklisted hosts will receive.
#
BLACKLIST_REJECTION="Abuse. Go away."
#
# automatic blacklisting default: off
#
# this allows blacklisting of remote networks who have sent
# more than AUTO_BLACKLIST_NUMBER of unauthenticated triplets.
#
# 1=on 0=off
AUTO_BLACK_LISTING=0
#
# auto blacklist number: default: 500
#
# how many unauthenticated triplets does it require before a
# network is automatically blacklisted
#
AUTO_BLACKLIST_NUMBER=500
#
# blacklist expiry default: 7 days
#
# this allows you to specify for what period of time any
# host will be blacklisted for when auto blacklisted.
# a setting of 0 sets a permanent blacklist
#
AUTO_BLACKLIST_EXPIRE=7d
#####################################################################
# BLACKLISTING HELO (functional) #
#####################################################################
#
# blacklisting helo: default: off
#
# this blacklists connecting hosts that use your own HELO
# identity (the name or ip this server introduces itself with)
# to introduce themselves. a legitimate remote MTA has no reason
# to do that; the blacklist entry lasts BLACKLIST_HELO_AUTO_EXPIRE.
#
# 1=on 0=off
BLACKLIST_HELO=1
#
# blacklist helo auto expire: default: permanent
#
# this allows you to specify for what period of time any
# host will be blacklisted for when it has been caught
# using your HELO to identify itself. (a setting of 0
# sets a permanent blacklist)
#
BLACKLIST_HELO_AUTO_EXPIRE=7d
#####################################################################
# BLACKLIST SENDER (functional) #
#####################################################################
#
# blacklist sender: default: off
#
# this allows you to use policyd to block domains and/or
# email addresses.
# 1=on 0=off
BLACKLISTSENDER=1
#####################################################################
# HELO_CHECK (functional) #
#####################################################################
#
# helo unique checking default: off
#
# (legit) hosts that connect to your mail servers 99% of
# the time use static HELO information. spammers randomize
# their helo. enabling this will cut down the amount of
# spam entering your network.
# 1=on 0=off
HELO_CHECK=1
#
# helo max number count:
#
# this allows you to specify how many unique/different
# helo names a connecting host/ip is allowed to send.
# spammers randomize their helo information in big
# numbers. legit MTAs with floating ips also do this,
# but the number of them are fairly small.
#
#
HELO_MAX_COUNT=10
#
# helo blacklist auto expire:
#
# this allows you to specify for what period of time any
# host will be blacklisted for when it has been caught
# randomizing their helo information. (a setting of 0
# sets a permanent blacklist)
#
HELO_BLACKLIST_AUTO_EXPIRE=14d
#
# helo auto expire:
#
# this allows you to specify for what period of time any
# HELO identity will remain in the database for before it
# gets expired. (a setting of 0 ensures that all HELO
# information stays stored and is never expired).
#
HELO_AUTO_EXPIRE=7d
#####################################################################
# SPAMTRAP (functional) #
#####################################################################
#
# enable spamtrap default: off
#
# the idea of this module is to allow you to capture
# hosts that mail to your spamtraps without having to
# resort to parsing the mails to identify senders. you
# now have the ability to blacklist the host/netblock
# for a period of time (definable in SPAMTRAP_AUTO_EXPIRE).
#
# 1=on 0=off
SPAMTRAPPING=1
#
# spamtrap rejection: default: "Abuse. Go Away."
#
# what error message the connecting host will receive
# when a message is directly sent to your spamtraps
#
SPAMTRAP_REJECTION="Abuse. Go away."
#
# spamtrap auto expire: default: 7 days
#
# this allows you to specify for what period of time any
# host will be blacklisted for when it has been caught
# mailing to your spamtrap addresses. (a setting of 0
# sets a permanent blacklist)
#
SPAMTRAP_AUTO_EXPIRE=7d
#####################################################################
# GREYLISTING (functional) #
#####################################################################
#
# enable greylisting default: on
#
# whether greylisting should be enabled or disabled.
#
# 1=on 0=off
GREYLISTING=1
#
# greylist rejection: default: "Please try later"
#
# what error message the connecting host will receive
# when a new triplet has been created.
#
GREYLIST_REJECTION="Please try later."
#
# greylist x-header: default: off
#
# you now have the functionality of tagging all mail
# that has passed greylisting.
#
# 1=on 0=off
GREYLIST_X_HEADER=0
#
# train database: default: off
#
# this is very useful for people who want to build up a
# collection of triplets before greylisting actually starts
# deferring mail. training mode allows the collection of
# triplets to mature to a stage that, when greylisting is
# actually enabled, the impact caused is far less.
#
# 1=on 0=off
TRAINING_MODE=0
#
# training policy duration/timeout default: 0d
#
# when you have run TRAINING_MODE for all your domains and
# are running greylisting across the board, adding new
# domains and subjecting them to greylisting without a
# training period can bring unnecessary hassles. this feature
# allows you to specify for how long 'new domains' are to be
# trained for before being subjected to greylisting.
#
# a value of 0 disables this feature.
#
TRAINING_POLICY_TIMEOUT=5d
#
#
# triplet timeout: default: 5 minutes
#
# when a triplet is created from the first mail delivery
# attempt, what period of time should go by before we
# allow the 'final delivery'. a study shows that there
# is no difference between 1 minute and 1 hour for spam
# at this point in time. a sane limit would be 5 minutes.
#
TRIPLET_TIME=15m
#
# opt in and opt out: default: off
#
# some people are fairly irate when it comes to mail and
# refuse wanting to have any type of delay. this feature
# enables each and every person the ability to not subject
# themselves to greylisting. this feature is also VERY
# useful when you don't want to subject EVERY person to
# greylisting at once but instead allows you to enable
# it in batches/groups of users so you get a feel on the
# type of complaints or praise from your users.
#
# 1=on 0=off
OPTINOUT=0
#
# optinoutall: default: off
#
# this allows you to either opt everyone in, or opt every
# one out and only has any effect if OPTINOUT is enabled.
#
# 1=on 0=off
OPTINOUTALL=0
#
# triplet authenticated cleanup default: 30d
#
# if a triplet has been successfully updated (retried and
# delivered), this is what is considered an 'authenticated'
# triplet. this options allows some sanity so you do not
# keep these triplets forever. specify the amount of days
# that we keep authenticated triplets since it was last updated.
#
TRIPLET_AUTH_TIMEOUT=30d
#
# triplet unauthenticated cleanup default: 2d
#
# if a triplet has NOT been successfully updated (no retry
# attempt), this is what is considered as an 'unauthenticated'
# triplet. this option allows some sanity so you do not
# keep these triplets forever. specify the amount of days
# that we keep unauthenticated triplets since being inserted
# into the database
#
TRIPLET_UNAUTH_TIMEOUT=2d
#####################################################################
# SENDER THROTTLE (functional) #
#####################################################################
#
# throttle senders default: off
#
# sender throttling allows per-user limits of all
# mail that passes the policy daemon. any envelope
# sender that is not found in the database will
# fall back to the config defaults listed below.
#
# 1=on 0=off
SENDERTHROTTLE=0
#
# throttle SASL users default=on
#
# throttling based upon envelope sender addresses does
# not work very well as it can of course be easily forged.
# if your users are forced to authenticate via SASL, enable
# this option so that quotas stick like glue regardless of
# what they try.
#
# if this option is enabled, and a remote client connects
# WITHOUT sasl, it will then use the clients sending/FROM
# address.
# 1=on 0=off
SENDER_THROTTLE_SASL=1
#
# throttle IP addresses default=on
#
# throttling based upon the ip address of the sender
# will ensure that the host does not send more than
# their allowed quota. you may only enable
# SENDER_THROTTLE_SASL or SENDER_THROTTLE_HOST but
# *NOT* both.
# 1=on 0=off
SENDER_THROTTLE_HOST=0
#
# throttle rejection: default: "Quota Exceeded"
#
# what error message the connecting host will receive
# when they have exceeded any of their quotas.
#
SENDER_QUOTA_REJECTION="Quota Exceeded."
#
# throttle max message size reject message default: "Message size too big"
#
# what error message the connecting host will receive when a
# single message exceeds SENDERMSGSIZE.
#
SENDER_SIZE_REJECTION="Message size too big."
#
# maximum mail sent per time period default: 5000
#
# how many messages a user is allowed to send out
# before the time limit has expired.
#
SENDERMSGLIMIT=5000
#
# maximum mail quota/size per time period default: 250 meg
#
# how much mail (in bytes) will be accepted from a user
# before the time limit has expired. 250000000 is roughly 250 MB.
#
SENDERQUOTALIMIT=250000000
#
# sender time limit: default: 24 hours
#
# after how long does all quota last before counters
# are reset back to zero.
#
SENDERTIMELIMIT=24h
#
# sender message size: default: 10 meg
#
# this is the maximum sender mail size
#
SENDERMSGSIZE=10240000
#
# inactive sender database record cleanup default: 31 days
#
# this allows you to specify how long the throttling
# records of inactive senders are kept in the database.
# this allows to keep the database small. a setting
# of 0 keeps all entries.
#
SENDER_INACTIVE_EXPIRE=31d
#####################################################################
# RECIPIENT THROTTLE (functional) #
#####################################################################
#
# throttle recipients default: off
#
# recipient throttling allows per-user limits of all
# mail that passes the policy daemon. any envelope
# recipient that is not found in the database will
# fall back to the config defaults listed below.
#
# 1=on 0=off
RECIPIENTTHROTTLE=0
#
# maximum mail sent per time period default: 5000
#
# how many messages a user is allowed to send out
# before the time limit has expired.
#
RECIPIENTMSGLIMIT=5000
#
# recipient time limit: default: 24 hours
#
# after how long does all quota last before counters
# are reset back to zero.
#
RECIPIENTTIMELIMIT=24h
#
# throttle recipient rejection: default: "Quota Exceeded"
#
# what error message the connecting host will receive
# when they have exceeded any of their quotas.
#
RECIPIENT_QUOTA_REJECTION="Quota Exceeded."
#
# inactive recipients database record cleanup default: 31 days
#
# this allows you to specify how long the throttling
# records of inactive recipients are kept in the database.
# this allows to keep the database small. a setting
# of 0 keeps all entries.
#
RECIPIENT_INACTIVE_EXPIRE=31d
#######
# EOF #
#######
-------------- next part --------------
#!/bin/sh
# Hourly policyd database cleanup: expires old triplets, blacklist,
# whitelist and throttle records according to the *_EXPIRE settings.
# Defaults first, then let /etc/sysconfig/policyd override them.
POLICYD_CONF="/etc/policyd/policyd.conf"
[ -r /etc/sysconfig/policyd ] && . /etc/sysconfig/policyd

LOCK=/var/run/policyd.lck
[ -r "${POLICYD_CONF}" ] || exit 0

# Take the lock atomically (noclobber), so two runs can never both pass
# an "is it there?" test, and drop it on exit even if cleanup is killed,
# so a stale lock cannot silently disable cleanup from then on.
if ( set -C; : > "${LOCK}" ) 2>/dev/null; then
	trap 'rm -f "${LOCK}"' EXIT
	/usr/lib/policyd/cleanup -c "${POLICYD_CONF}"
fi
-------------- next part --------------
#!/bin/sh
#
# policyd	This shell script takes care of starting and stopping
#		policy daemon.
#
# chkconfig:	345 85 35
#
# description:	Policyd is an anti-spam plugin for Postfix.
#
# pidfile:	/var/run/policyd.pid
# config:	/etc/policyd/policyd.conf

# Source function library
. /etc/rc.d/init.d/functions

# Get network config
. /etc/sysconfig/network

# Defaults first, then let the service config override them
POLICYD_CONF="/etc/policyd/policyd.conf"
[ -r /etc/sysconfig/policyd ] && . /etc/sysconfig/policyd

# Check that networking is up.
if is_yes "${NETWORKING}"; then
	if [ ! -f /var/lock/subsys/network -a "$1" != stop -a "$1" != status ]; then
		msg_network_down PolicyD
		exit 1
	fi
else
	exit 0
fi

RETVAL=0
# See how we were called.
case "$1" in
  start)
	# Check if the service is already running?
	if [ ! -f /var/lock/subsys/policyd ]; then
		msg_starting PolicyD
		daemon $SERVICE_RUN_NICE_LEVEL /usr/lib/policyd/policyd -c "${POLICYD_CONF}"
		RETVAL=$?
		[ $RETVAL -eq 0 ] && touch /var/lock/subsys/policyd
	else
		msg_already_running PolicyD
	fi
	;;
  stop)
	# Stop daemon.
	if [ -f /var/lock/subsys/policyd ]; then
		msg_stopping PolicyD
		killproc policyd
		rm -f /var/lock/subsys/policyd
	else
		msg_not_running PolicyD
	fi
	;;
  restart|reload|force-reload)
	# reload is implemented as a full restart
	$0 stop
	$0 start
	exit $?
	;;
  status)
	status policyd
	exit $?
	;;
  cleanup)
	# Same lock as the hourly cron job: taken atomically (noclobber),
	# removed on exit even if cleanup dies.
	if [ ! -r "${POLICYD_CONF}" ]; then
		echo "PolicyD configuration file not found: ${POLICYD_CONF}" 1>&2
		RETVAL=1
	elif ( set -C; : > /var/run/policyd.lck ) 2>/dev/null; then
		trap 'rm -f /var/run/policyd.lck' EXIT
		/usr/lib/policyd/cleanup -c "${POLICYD_CONF}"
		RETVAL=$?
	else
		echo "PolicyD cleanup process already running." 1>&2
		RETVAL=1
	fi
	;;
  *)
	msg_usage "$0 {start|stop|restart|reload|force-reload|status|cleanup}"
	exit 3
esac

exit $RETVAL
-------------- next part --------------
# Path to policyd.conf
POLICYD_CONF="/etc/policyd/policyd.conf"
# Nice level the daemon is started with
SERVICE_RUN_NICE_LEVEL="+0"
-------------- next part --------------
# $Id$
#
# TODO: mysql info
# mysql> GRANT ALL ON policyd.* TO policyd@localhost IDENTIFIED BY 'secret_password';
# mysql> GRANT USAGE ON *.* TO policyd@localhost IDENTIFIED BY 'secret_password';
# (GRANT ALL is wider than needed: SELECT, INSERT, UPDATE and DELETE on
#  its own tables cover both the daemon and the cleanup program)
# $ zcat /usr/share/doc/policyd-%{version}/DATABASE.mysql.gz | mysql -p -u policyd
#
# TODO: postfix info
#smtpd_recipient_restrictions =
#	permit_mynetworks
#	permit_sasl_authenticated
#	reject_unauth_destination
#	reject_unlisted_recipient
#	check_policy_service inet:127.0.0.1:10031
#
# restrictions are evaluated in order and a matching permit_* ends the
# list, so with the order above SASL-authenticated clients never reach
# policyd and SENDER_THROTTLE_SASL=1 has no effect. to throttle them,
# list check_policy_service before permit_sasl_authenticated;
# reject_unauth_destination must stay in the list either way.
#
Summary: Policyd is an anti-spam plugin for Postfix
Name: policyd
Version: 1.67
Release: 0.0.18
License: GPL v2
Group: Networking
Source0: http://policyd.sourceforge.net/%{name}-v%{version}.tar.gz
# Source0-md5: 77c59852a7316d48a5f84bb6841fc23c
Source1: policyd-cron
Source2: policyd-sysconfig
Source3: policyd-conf
Source4: policyd-init
URL: http://policyd.sourceforge.net/
BuildRequires: mysql-devel
Requires: mysql-libs
Requires: zlib
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
%description
Policyd is an anti-spam plugin for Postfix that does greylisting,
sender-(envelope, SASL or host/ip)-based throttling (on messages
and/or volume per defined time unit), recipient rate limiting,
spamtrap monitoring/blacklisting, HELO auto blacklisting and HELO
randomization prevention.
%prep
%setup -q -n %{name}-v%{version}
%build
%{__make} build
%install
rm -rf $RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT{%{_libdir}/%{name},%{_sysconfdir}/{%{name},rc.d/init.d},/etc/sysconfig,/etc/cron.hourly}
install policyd cleanup $RPM_BUILD_ROOT%{_libdir}/%{name}
install policyd.conf $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/%{name}.conf-dist
install %{SOURCE1} $RPM_BUILD_ROOT/etc/cron.hourly/%{name}
install %{SOURCE2} $RPM_BUILD_ROOT/etc/sysconfig/%{name}
install %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/%{name}.conf
install %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/%{name}
%clean
rm -rf $RPM_BUILD_ROOT
%pre
%groupadd -g 121 -r policyd
%useradd -M -o -r -u 121 -d / -s /bin/false -g policyd -c "Postfix Policy Daemon" policyd
%post
/sbin/chkconfig --add policyd
if [ -f /var/lock/subsys/policyd ]; then
/etc/rc.d/init.d/policyd restart >&2 || :
else
echo "Run \"/etc/rc.d/init.d/policyd start\" to start policy daemon." >&2
fi
%preun
if [ "$1" = "0" ]; then
if [ -f /var/lock/subsys/policyd ]; then
/etc/rc.d/init.d/policyd stop >&2
fi
/sbin/chkconfig --del policyd
fi
%postun
if [ "$1" = "0" ]; then
%userremove policyd
%groupremove policyd
fi
%files
%defattr(644,root,root,755)
%attr(755,root,root) %{_libdir}/%{name}/*
%doc *.txt *.mysql doc/*.sql doc/*.txt
%dir %{_sysconfdir}/%{name}
%config(noreplace) %verify(not size mtime md5) /etc/sysconfig/%{name}
%config(noreplace) %verify(not size mtime md5) %attr(640,root,root) %{_sysconfdir}/%{name}/%{name}.conf
%config %verify(not size mtime md5) %{_sysconfdir}/%{name}/%{name}.conf-dist
%config %verify(not size mtime md5) %attr(755,root,root) /etc/cron.hourly/%{name}
%config %verify(not size mtime md5) %attr(755,root,root) %{_sysconfdir}/rc.d/init.d/%{name}
%define date %(echo `LC_ALL="C" date +"%a %b %d %Y"`)
%changelog
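The spec's Postfix TODO (check_policy_service inet:127.0.0.1:10031) and the GREYLISTING section of policyd.conf describe a request/reply protocol and a triplet rule without showing either on the wire. The following is an added example, not code from policyd or from this package: a minimal in-process stand-in for the greylisting part of the daemon, plus the client exchange Postfix performs, so the triplet/TRIPLET_TIME behaviour can be observed without a MySQL database. The client address, sender and recipients are constructed sample data; the clock is injectable so the walkthrough does not need to sleep.

```python
"""Postfix policy-delegation exchange against a greylisting policy server.

Added example, not policyd's own code. GreylistPolicy implements only the
greylist triplet rule (client_address, sender, recipient) with a TRIPLET_TIME
window; query_policy() sends the attribute=value request Postfix sends to
"check_policy_service inet:127.0.0.1:10031" and parses the action= reply.
All request attributes below are constructed sample data.
"""
import socket
import socketserver
import threading
import time


def encode_request(attrs):
    """Serialise a policy request: name=value lines, terminated by an empty line."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()).encode() + b"\n"


def parse_response(raw):
    """A reply has the same shape; return it as a dict (normally just 'action')."""
    result = {}
    for line in raw.decode().split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        result[key] = value
    return result


class GreylistPolicy:
    """Defer a (client, sender, recipient) triplet until TRIPLET_TIME has passed."""

    def __init__(self, triplet_time, clock=time.time):
        self.triplet_time = triplet_time
        self.clock = clock          # injectable so the walkthrough needs no sleeping
        self.first_seen = {}

    def decide(self, req):
        if req.get("request") != "smtpd_access_policy":
            return "dunno"          # not an SMTP access request: let Postfix continue
        triplet = (req.get("client_address"), req.get("sender"), req.get("recipient"))
        now = self.clock()
        seen = self.first_seen.setdefault(triplet, now)
        if now - seen < self.triplet_time:
            return "defer_if_permit Please try later."
        return "dunno"              # retried after the window: fall through to later restrictions


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        while True:                 # Postfix may reuse one connection for many requests
            attrs = {}
            while True:
                line = self.rfile.readline()
                if not line:        # peer closed the connection
                    return
                if line == b"\n":   # empty line ends one request
                    break
                key, _, value = line.rstrip(b"\n").decode().partition("=")
                attrs[key] = value
            self.wfile.write(f"action={self.server.policy.decide(attrs)}\n\n".encode())


def start_server(policy, host="127.0.0.1"):
    srv = socketserver.ThreadingTCPServer((host, 0), PolicyHandler)  # port 0: pick a free one
    srv.daemon_threads = True
    srv.policy = policy
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def query_policy(addr, attrs):
    """What Postfix does for check_policy_service: one request, read up to the blank line."""
    with socket.create_connection(addr) as s:
        s.sendall(encode_request(attrs))
        raw = b""
        while not raw.endswith(b"\n\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_response(raw)


def greylist_walkthrough(triplet_time=300):
    """Actions for: first attempt, early retry, retry after the window, unrelated triplet."""
    clock = [1_000_000.0]
    srv = start_server(GreylistPolicy(triplet_time, clock=lambda: clock[0]))
    req = {"request": "smtpd_access_policy", "protocol_state": "RCPT",
           "client_address": "192.0.2.10", "sender": "alice@example.org",
           "recipient": "bob@example.com"}
    try:
        first = query_policy(srv.server_address, req)["action"]
        clock[0] += 60                      # retry too early: still deferred
        early = query_policy(srv.server_address, req)["action"]
        clock[0] += triplet_time            # retry after TRIPLET_TIME: passes
        late = query_policy(srv.server_address, req)["action"]
        other = query_policy(srv.server_address, {**req, "recipient": "carol@example.com"})["action"]
    finally:
        srv.shutdown()
        srv.server_close()
    return first, early, late, other


if __name__ == "__main__":
    print(greylist_walkthrough())
```

The reply "defer_if_permit" rather than "defer" is what makes the later restrictions in the list still matter: Postfix only turns it into a 4xx if nothing after it would have rejected the recipient anyway, which is why reject_unauth_destination can sit after the policy check without turning relay attempts into a greylisting retry loop.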
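policyd.conf's own comments carry several caveats (SENDER_THROTTLE_SASL and SENDER_THROTTLE_HOST are mutually exclusive, sender whitelisting is forgeable, FAILSAFE accepts mail while MySQL is down), and the restriction order in the spec's TODO lists permit_sasl_authenticated before check_policy_service. This added example, not part of policyd or the PLD package, parses a policyd.conf and a smtpd_recipient_restrictions list and flags those conditions. SAMPLE_CONF and SAMPLE_RESTRICTIONS are constructed inputs, and the severity labels are this example's own.

```python
"""Checks on a policyd.conf and on the Postfix restriction list that calls it.

Added example, not part of policyd or the PLD package. parse_conf() reads the
KEY=VALUE / "quoted value" / # comment syntax of policyd.conf; the checks encode
caveats stated in the file's own comments plus the Postfix evaluation-order
rule. SAMPLE_CONF and SAMPLE_RESTRICTIONS are constructed inputs.
"""
import re

SAMPLE_CONF = """\
# constructed sample, deliberately full of bad choices
MYSQLHOST="127.0.0.1"
MYSQLPASS="secret_password"
FAILSAFE=1
DEBUG=3
BINDHOST=0.0.0.0
BINDPORT=10031
WHITELISTSENDER=1
SENDER_THROTTLE_SASL=1
SENDER_THROTTLE_HOST=1
TRIPLET_TIME=15m
AUTO_WHITELIST_EXPIRE=7d
"""

# smtpd_recipient_restrictions as the spec's TODO lists it, one item per entry
SAMPLE_RESTRICTIONS = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_unauth_destination",
    "reject_unlisted_recipient",
    "check_policy_service inet:127.0.0.1:10031",
]


def parse_conf(text):
    """Return {KEY: value}; surrounding single or double quotes are stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def duration_seconds(value):
    """Parse policyd durations such as 15m, 24h, 7d; a bare 0 means 'never expire'."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def lint_conf(conf):
    """Return (key, severity, message) findings in a fixed order."""
    out = []
    if conf.get("MYSQLPASS", "") in ("", "secret_password"):
        out.append(("MYSQLPASS", "high", "empty or placeholder database password"))
    if conf.get("BINDHOST", "127.0.0.1") not in ("127.0.0.1", "::1", "localhost"):
        out.append(("BINDHOST", "high", "policy protocol is unauthenticated; bind to loopback"))
    if conf.get("SENDER_THROTTLE_SASL") == "1" and conf.get("SENDER_THROTTLE_HOST") == "1":
        out.append(("SENDER_THROTTLE_*", "high", "SASL and host throttling are mutually exclusive"))
    if conf.get("WHITELISTSENDER") == "1":
        out.append(("WHITELISTSENDER", "medium", "envelope sender is trivially forged"))
    if conf.get("DEBUG", "0") != "0":
        out.append(("DEBUG", "low", "query/network debugging left on"))
    if conf.get("FAILSAFE", "1") == "1":
        out.append(("FAILSAFE", "info", "fails open: no checks while MySQL is down"))
    for key in ("TRIPLET_TIME", "AUTO_WHITELIST_EXPIRE", "AUTO_BLACKLIST_EXPIRE"):
        if key in conf:
            try:
                duration_seconds(conf[key])
            except ValueError as e:
                out.append((key, "high", str(e)))
    return out


def lint_restrictions(restrictions, conf):
    """Order matters: a permit_* listed before check_policy_service hides those clients."""
    out = []
    names = [r.split()[0] for r in restrictions]
    if "reject_unauth_destination" not in names:
        out.append(("reject_unauth_destination", "high", "missing: policyd does not stop open relaying"))
    if "check_policy_service" not in names:
        out.append(("check_policy_service", "high", "policyd is not consulted at all"))
        return out
    before = names[:names.index("check_policy_service")]
    if conf.get("SENDER_THROTTLE_SASL") == "1" and "permit_sasl_authenticated" in before:
        out.append(("permit_sasl_authenticated", "high",
                    "listed before check_policy_service, so SASL users are never throttled"))
    return out


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for finding in lint_conf(conf) + lint_restrictions(SAMPLE_RESTRICTIONS, conf):
        print("%-26s %-6s %s" % finding)
```

Run against the real files with parse_conf(open("/etc/policyd/policyd.conf").read()) and the output of `postconf -h smtpd_recipient_restrictions` split on commas and whitespace; the FAILSAFE finding is informational only, since failing open is often the intended trade-off for a greylisting front end.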
More information about the pld-devel-pl mailing list