Exemplo n.º 1
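/**
 * Rebuild the Postfix "smtpd_recipient_restrictions" parameter and apply it.
 *
 * The function reads the value currently configured in Postfix, drops the
 * rules this generator owns (they are re-added below in a fixed order),
 * drops every "*_rhsbl_*" rule and every "hash:" rule whose map file is
 * missing, then appends the generated rules, removes duplicates and writes
 * the result back through postconf().
 *
 * Changes compared with the previous revision:
 *  - each() (removed in PHP 8) is replaced by foreach;
 *  - "permit_mynetworks" is only emitted when TrustMyNetwork is enabled
 *    (or forced by MynetworksInISPMode). It used to be appended a second
 *    time unconditionally, which made the TrustMyNetwork switch a no-op
 *    and left hosts in mynetworks able to relay without authentication;
 *  - settings that were read but never used are no longer read.
 *
 * @return void
 */
function smtpd_recipient_restrictions()
{
    // Shared helper objects are cached in $GLOBALS; create them on first use.
    if (!isset($GLOBALS["CLASS_USERS_MENUS"])) {
        $GLOBALS["CLASS_USERS_MENUS"] = new usersMenus();
    }
    if (!isset($GLOBALS["CLASS_SOCKET"])) {
        $GLOBALS["CLASS_SOCKET"] = new sockets();
    }
    $sock = $GLOBALS["CLASS_SOCKET"];

    include_once dirname(__FILE__) . "/ressources/class.postfix.check_recipient_access.inc";

    $EnableCluebringer = $sock->GET_INFO("EnableCluebringer");
    $EnablePolicydWeight = intval($sock->GET_INFO('EnablePolicydWeight'));
    if (!empty($GLOBALS["DEBUG"])) {
        echo "EnableCluebringer={$EnableCluebringer}\n";
    }
    $TrustMyNetwork = $sock->GET_INFO("TrustMyNetwork");
    $ValvuladEnabled = intval($sock->GET_INFO("ValvuladEnabled"));
    $POLICYD_WEIGHT_PORT = 12525;
    $main = new maincf_multi("master");
    if (!is_numeric($TrustMyNetwork)) {
        // Unset or malformed setting: trusting mynetworks is the default.
        $TrustMyNetwork = 1;
    }

    // NOTE(review): the postconf binary path comes from a global set outside
    // this function and is interpolated into the shell command unescaped; it
    // must never be derived from request data.
    $datas = array();
    exec("{$GLOBALS["postconf"]} -h smtpd_recipient_restrictions", $datas);
    $currentRules = explode(",", implode(" ", $datas));
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 51);

    // Index the live rules by their trimmed text so duplicates collapse.
    $newHash = array();
    foreach ($currentRules as $rawRule) {
        $rule = trim($rawRule);
        if ($rule === '') {
            continue;
        }
        if (preg_match("#_rhsbl_#", $rule)) {
            // RHSBL rules are regenerated from maincf_multi::main_rhsbl() below.
            continue;
        }
        $newHash[$rule] = $rule;
    }

    // Rules owned by this generator: removed here, re-added further down.
    $generatedRules = array(
        "permit_dnswl_client list.dnswl.org",
        "check_client_access hash:/etc/postfix/amavis_internal",
        "check_recipient_access hash:/etc/postfix/relay_domains_restricted",
        "permit",
        "check_sender_access hash:/etc/postfix/disallow_my_domain",
        "check_sender_access hash:/etc/postfix/unrestricted_senders",
        "check_recipient_access hash:/etc/postfix/amavis_bypass_rcpt",
        "reject_unauth_destination",
        "permit_mynetworks",
        "check_client_access pcre:/etc/postfix/fqrdns.pcre",
        "check_policy_service inet:127.0.0.1:54423",
        "check_policy_service inet:127.0.0.1:13331",
        "check_policy_service inet:127.0.0.1:7777",
        "check_policy_service inet:127.0.0.1:3579",
        "check_client_access hash:/etc/postfix/wbl_connections",
        "check_recipient_access hash:/etc/postfix/wbl_connections",
        "check_client_access cidr:/etc/postfix/check_client_access.cidr",
        "check_client_access hash:/etc/postfix/check_client_access",
        "check_policy_service inet:127.0.0.1:{$POLICYD_WEIGHT_PORT}",
    );
    foreach ($generatedRules as $generatedRule) {
        unset($newHash[$generatedRule]);
    }
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 52);

    // Whatever is left was present in the live configuration and is kept.
    // These rules end up ahead of every generated rule, including
    // permit_mynetworks, because they are appended first.
    $smtpd_recipient_restrictions = array();
    foreach ($newHash as $rule) {
        if (preg_match("#hash:(.+)\$#", $rule, $re)) {
            $path = trim($re[1]);
            if (!is_file($path)) {
                // A rule pointing at a missing map file is dropped.
                echo "Starting......: " . date("H:i:s") . " smtpd_recipient_restrictions: bungled \"{$rule}\"\n";
                continue;
            }
        }
        $smtpd_recipient_restrictions[] = $rule;
    }
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 53);

    postconf("smtpd_restriction_classes", "artica_restrict_relay_domains");
    postconf("artica_restrict_relay_domains", "reject_unverified_recipient");

    $MynetworksInISPMode = $sock->GET_INFO("MynetworksInISPMode");
    if (!is_numeric($MynetworksInISPMode)) {
        $MynetworksInISPMode = 0;
    }
    if ($TrustMyNetwork == 0 && $MynetworksInISPMode == 1) {
        // ISP mode overrides a disabled TrustMyNetwork.
        $TrustMyNetwork = 1;
    }
    if ($TrustMyNetwork == 1) {
        $smtpd_recipient_restrictions[] = "permit_mynetworks";
    } else {
        // With the switch off, clients in mynetworks get no implicit permit
        // here and have to match a later rule such as permit_sasl_authenticated.
        echo "Starting......: " . date("H:i:s") . " **** TrustMyNetwork is disabled, outgoing messages should be not allowed... **** \n";
    }
    $smtpd_recipient_restrictions[] = "permit_sasl_authenticated";

    echo "Starting......: " . date("H:i:s") . " Postfix class check_recipient_access_ou()...\n";
    smtpd_client_restrictions_progress("{organizations}", 54);
    $check_recipient_access_ou = new check_recipient_access_ou();
    $check_recipient_access_ou->build();
    $smtpd_recipient_restrictions[] = "check_recipient_access hash:/etc/postfix/check_recipient_access_ou";
    $smtpd_recipient_restrictions[] = "check_client_access cidr:/etc/postfix/check_client_access.cidr";
    $smtpd_recipient_restrictions[] = "check_client_access hash:/etc/postfix/check_client_access";
    $smtpd_recipient_restrictions[] = "check_recipient_access hash:/etc/postfix/relay_domains_restricted";
    $smtpd_recipient_restrictions[] = "check_recipient_access hash:/etc/postfix/amavis_bypass_rcpt";

    // NOTE(review): Postfix evaluates this list in order and stops at the
    // first rule that returns a decision. permit_auth_destination accepts
    // mail for destinations this server is responsible for, so the policy
    // services, DNSWL, forged-sender and RHSBL rules appended after it are
    // not consulted for those recipients. Confirm this ordering is intended.
    $smtpd_recipient_restrictions[] = "permit_auth_destination";
    if ($ValvuladEnabled == 1) {
        $smtpd_recipient_restrictions[] = "check_policy_service inet:127.0.0.1:3579";
    }
    if ($EnablePolicydWeight == 1) {
        $smtpd_recipient_restrictions[] = "check_client_access hash:/etc/postfix/wbl_connections";
        $smtpd_recipient_restrictions[] = "check_recipient_access hash:/etc/postfix/wbl_connections";
        $smtpd_recipient_restrictions[] = "check_policy_service inet:127.0.0.1:{$POLICYD_WEIGHT_PORT}";
    }
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 54);
    $smtpd_recipient_restrictions[] = "permit_dnswl_client list.dnswl.org";
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 55);
    amavis_bypass_byrecipients();
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 56);
    restrict_relay_domains();
    postconf("auth_relay", null);
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 57);

    $reject_forged_mails = $sock->GET_INFO("reject_forged_mails");
    if ($reject_forged_mails == 1) {
        // The rule is only added when the helper reports success.
        if (smtpd_recipient_restrictions_reject_forged_mails()) {
            echo "Starting......: " . date("H:i:s") . " Reject Forged mails enabled\n";
            $smtpd_recipient_restrictions[] = "check_sender_access hash:/etc/postfix/disallow_my_domain";
        }
    } else {
        echo "Starting......: " . date("H:i:s") . " Reject Forged mails disabled\n";
    }
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 58);

    // One client rule and one sender rule per configured RHSBL domain.
    $main_rhsbl = $main->main_rhsbl();
    if (is_array($main_rhsbl)) {
        foreach ($main_rhsbl as $domain => $ID) {
            if (trim($domain) === '') {
                continue;
            }
            $smtpd_recipient_restrictions[] = "reject_rhsbl_client {$domain}";
            $smtpd_recipient_restrictions[] = "reject_rhsbl_sender {$domain}";
        }
    }
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 59);

    // Anti-relay guard, then the terminating permit.
    $smtpd_recipient_restrictions[] = "reject_unauth_destination";
    $smtpd_recipient_restrictions[] = "permit";

    if ($GLOBALS["EnableBlockUsersTroughInternet"] == 1) {
        echo "Starting......: " . date("H:i:s") . " Restricted users are enabled\n";
        if (RestrictedForInternet()) {
            postconf("auth_relay", "check_recipient_access hash:/etc/postfix/local_domains, reject");
            // Must be evaluated first, hence array_unshift().
            array_unshift($smtpd_recipient_restrictions, "check_sender_access hash:/etc/postfix/unrestricted_senders");
            __ADD_smtpd_restriction_classes("auth_relay");
        } else {
            __REMOVE_smtpd_restriction_classes("auth_relay");
        }
    } else {
        __REMOVE_smtpd_restriction_classes("auth_relay");
    }
    // The iRedAPD policy service (inet:127.0.0.1:7777) is intentionally not wired in.

    // Remove duplicates; the first occurrence decides the position.
    $deduplicated = array();
    foreach ($smtpd_recipient_restrictions as $rule) {
        $rule = trim($rule);
        $deduplicated[$rule] = $rule;
    }
    $smtpd_recipient_restrictions = array();
    foreach ($deduplicated as $rule) {
        echo "Starting......: " . date("H:i:s") . " smtpd_recipient_restrictions Final: " . $rule . "\n";
        $smtpd_recipient_restrictions[] = $rule;
    }
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 59);

    $newval = implode(",", $smtpd_recipient_restrictions);
    if (!empty($GLOBALS["DEBUG"])) {
        echo "smtpd_recipient_restrictions = {$newval}\n";
    }
    postconf("smtpd_recipient_restrictions", $newval);
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 60);
}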
Exemplo n.º 2
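/**
 * Rebuild the Postfix "smtpd_client_restrictions" parameter and apply it.
 *
 * The function reads the value currently configured in Postfix, drops the
 * rules this generator owns, merges the rules returned by
 * maincf_multi::check_client_access(), drops rules whose hash:/cidr: map
 * file is missing, appends the rules enabled in the settings, removes
 * duplicates and writes the result back through postconf().
 *
 * Changes compared with the previous revision:
 *  - each() (removed in PHP 8) is replaced by foreach;
 *  - the "Old values" line prints the rules instead of the word "Array";
 *  - a single remaining rule is no longer discarded (the final test was
 *    "count > 1", which silently dropped the only enabled reject rule);
 *  - the de-duplication buffer is initialised before use and the
 *    unreachable "Not an array" branch is gone.
 *
 * @return bool Always true.
 */
function smtpd_client_restrictions()
{
    if (!isset($GLOBALS["CLASS_SOCKET"])) {
        $GLOBALS["CLASS_SOCKET"] = new sockets();
    }
    $sock = $GLOBALS["CLASS_SOCKET"];

    // NOTE(review): the postconf binary path comes from a global set outside
    // this function and is interpolated into the shell command unescaped; it
    // must never be derived from request data.
    $datas = array();
    exec("{$GLOBALS["postconf"]} -h smtpd_client_restrictions", $datas);
    $currentRules = explode(",", implode(" ", $datas));
    echo "Old values = " . implode(" ", $datas) . "\n";

    $EnablePostfixAntispamPack = $sock->GET_INFO("EnablePostfixAntispamPack");
    $EnableAmavisInMasterCF = $sock->GET_INFO('EnableAmavisInMasterCF');
    $EnableAmavisDaemon = $sock->GET_INFO('EnableAmavisDaemon');
    $amavis_internal = null;
    smtpd_client_restrictions_progress("{cleaning_data}", 10);

    // Index the live rules by their trimmed text so duplicates collapse.
    $newHash = array();
    foreach ($currentRules as $rawRule) {
        $rule = trim($rawRule);
        if ($rule === '') {
            continue;
        }
        if ($rule === "Array") {
            // Residue of an array having been written out as a string.
            continue;
        }
        $newHash[$rule] = $rule;
    }

    // Rules owned by this generator (including the malformed
    // "reject_rbl_client=host" spelling); re-added below when enabled.
    $hashToDelete = array(
        "check_client_access hash:/etc/postfix/check_client_access",
        "check_client_access \"hash:/etc/postfix/postfix_allowed_connections\"",
        "check_client_access hash:/etc/postfix/postfix_allowed_connections",
        "check_client_access pcre:/etc/postfix/fqrdns.pcre",
        "check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre",
        "reject_unknown_reverse_client_hostname",
        "reject_unknown_client_hostname",
        "reject_non_fqdn_hostname",
        "reject_unknown_sender_domain",
        "reject_non_fqdn_sender",
        "reject_unauth_pipelining",
        "reject_invalid_hostname",
        "reject_rbl_client zen.spamhaus.org",
        "reject_rbl_client sbl.spamhaus.org",
        "reject_rbl_client cbl.abuseat.org",
        "reject_rbl_client=zen.spamhaus.org",
        "reject_rbl_client=sbl.spamhaus.org",
        "permit_sasl_authenticated",
        "check_client_access hash:/etc/postfix/amavis_internal",
    );
    foreach ($hashToDelete as $ownedRule) {
        unset($newHash[$ownedRule]);
    }
    if (!empty($GLOBALS["VERBOSE"])) {
        echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: origin:" . implode(",", $newHash) . "\n";
    }

    // Merge the access rules from the "master" instance; the helper may
    // return one rule or a comma-separated list.
    $main = new maincf_multi("master", "master");
    $check_client_access = $main->check_client_access();
    if (strpos($check_client_access, ",") > 0) {
        $accessRules = explode(",", $check_client_access);
        $check_client_access = null;
        foreach ($accessRules as $accessRule) {
            $accessRule = trim($accessRule);
            if ($accessRule === '') {
                continue;
            }
            $newHash[$accessRule] = $accessRule;
        }
    }
    if ($check_client_access != null) {
        $newHash[$check_client_access] = $check_client_access;
    }

    $smtpd_client_restrictions = array();
    foreach ($newHash as $rule) {
        echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: Checks \"{$rule}\"\n";
        if (preg_match("#(hash|cidr):(.+)\$#", $rule, $re)) {
            $path = trim($re[2]);
            if (!is_file($path)) {
                // A rule pointing at a missing map file is dropped.
                echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: bungled \"{$rule}\"\n";
                continue;
            }
            $smtpd_client_restrictions[] = $rule;
            continue;
        }
        if (preg_match("#reject_rbl_client=(.+?)\$#", $rule, $re)) {
            // NOTE(review): the malformed rule is dropped, not rewritten; the
            // previous code built "reject_rbl_client <host>" into an unused
            // variable. No RBL rule is emitted by this function - confirm
            // DNSBL filtering is configured elsewhere.
            echo "Starting......: " . date("H:i:s") . " reject_rbl_client: bungled \"{$rule}\" fix it\n";
            continue;
        }
        $smtpd_client_restrictions[] = $rule;
    }

    // Both hostname checks default to enabled when their setting file is absent.
    if (!is_file("/etc/artica-postfix/settings/Daemons/reject_unknown_client_hostname")) {
        @file_put_contents("/etc/artica-postfix/settings/Daemons/reject_unknown_client_hostname", 1);
    }
    if (!is_file("/etc/artica-postfix/settings/Daemons/reject_unknown_reverse_client_hostname")) {
        @file_put_contents("/etc/artica-postfix/settings/Daemons/reject_unknown_reverse_client_hostname", 1);
    }
    $reject_unknown_client_hostname = $sock->GET_INFO('reject_unknown_client_hostname');
    $reject_unknown_reverse_client_hostname = $sock->GET_INFO('reject_unknown_reverse_client_hostname');
    $reject_invalid_hostname = $sock->GET_INFO('reject_invalid_hostname');
    if ($reject_unknown_client_hostname == 1) {
        $smtpd_client_restrictions[] = "reject_unknown_client_hostname";
    }
    if ($reject_unknown_reverse_client_hostname == 1) {
        $smtpd_client_restrictions[] = "reject_unknown_reverse_client_hostname";
    }
    if ($reject_invalid_hostname == 1) {
        $smtpd_client_restrictions[] = "reject_invalid_hostname";
    }
    echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: reject_invalid_hostname...............: {$reject_invalid_hostname}\n";
    echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: reject_unknown_reverse_client_hostname: {$reject_unknown_reverse_client_hostname}\n";
    echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: reject_unknown_client_hostname........: {$reject_unknown_client_hostname}\n";
    smtpd_client_restrictions_progress("{construct_settings}", 15);

    // The DNSBL list is only counted for the log line further down.
    $main_dnsbl = $main->main_dnsbl();
    if ($EnablePostfixAntispamPack == 1) {
        echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions:Anti-spam Pack is enabled\n";
        if (!is_file("/etc/postfix/postfix_allowed_connections")) {
            // Seed the map with a comment line so the file exists.
            @file_put_contents("/etc/postfix/postfix_allowed_connections", "#");
        }
        $smtpd_client_restrictions[] = "check_client_access \"hash:/etc/postfix/postfix_allowed_connections\"";
        $smtpd_client_restrictions[] = "reject_non_fqdn_hostname";
        $smtpd_client_restrictions[] = "reject_invalid_hostname";
        $main_dnsbl["zen.spamhaus.org"] = true;
        $main_dnsbl["sbl.spamhaus.org"] = true;
        $main_dnsbl["cbl.abuseat.org"] = true;
    }

    if (!is_file("/etc/artica-postfix/settings/Daemons/EnableGenericrDNSClients")) {
        @file_put_contents("/etc/artica-postfix/settings/Daemons/EnableGenericrDNSClients", 1);
    }
    $EnableGenericrDNSClients = $sock->GET_INFO("EnableGenericrDNSClients");
    if ($EnableGenericrDNSClients == 1) {
        // The pcre: table needs a Postfix build that reports PCRE compliance.
        $users = new usersMenus();
        if (!$users->POSTFIX_PCRE_COMPLIANCE) {
            $EnableGenericrDNSClients = 0;
        }
    }
    if ($EnableGenericrDNSClients == 1) {
        echo "Starting......: " . date("H:i:s") . " Reject Public ISP reverse DNS patterns enabled\n";
        $smtpd_client_restrictions[] = "check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre";
        // Fixed source and destination paths: nothing variable reaches the shell.
        shell_exec("/bin/cp /usr/share/artica-postfix/bin/install/postfix/fqrdns.pcre /etc/postfix/fqrdns.pcre");
    } else {
        echo "Starting......: " . date("H:i:s") . " Reject Public ISP reverse DNS patterns disabled\n";
    }
    echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions:" . count($main_dnsbl) . " DNSBL Services\n";
    smtpd_client_restrictions_progress("{construct_settings}", 20);
    echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: " . count($smtpd_client_restrictions) . " rule(s)\n";

    // Prefix for clients that bypass amavisd-new; used only when the amavis
    // integration is on and at least one address is listed.
    if ($EnableAmavisInMasterCF == 1 && $EnableAmavisDaemon == 1) {
        $count = amavis_internal();
        if ($count > 0) {
            echo "Starting......: " . date("H:i:s") . " {$count} addresses bypassing amavisd new\n";
            $amavis_internal = "check_client_access hash:/etc/postfix/amavis_internal,";
        }
    }
    smtpd_client_restrictions_progress("{construct_settings}", 25);

    // Remove duplicates; the first occurrence decides the position.
    $array_cleaned = array();
    foreach ($smtpd_client_restrictions as $rule) {
        $rule = trim($rule);
        if ($rule === '') {
            continue;
        }
        echo "Starting......: " . date("H:i:s") . " Clean \"{$rule}\"\n";
        $array_cleaned[$rule] = $rule;
    }
    // Both permits are re-added at the head of the final value below.
    unset($array_cleaned["permit_mynetworks"]);
    unset($array_cleaned["permit_sasl_authenticated"]);
    $smtpd_client_restrictions = array();
    smtpd_client_restrictions_progress("{construct_settings}", 25);
    foreach ($array_cleaned as $rule) {
        echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions : {$rule}\n";
        $smtpd_client_restrictions[] = $rule;
    }

    $newval = null;
    echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: arrayof (" . count($smtpd_client_restrictions) . ")\n";
    if (count($smtpd_client_restrictions) > 0) {
        // Order matters: the amavis bypass map, then trusted networks and
        // authenticated clients, then the reject rules.
        $newval = implode(",", $smtpd_client_restrictions);
        $newval = "{$amavis_internal}permit_mynetworks,permit_sasl_authenticated,reject_unauth_pipelining,{$newval}";
    } else {
        // No rule at all: the parameter is left empty unless the amavis
        // bypass map has to be consulted.
        if ($amavis_internal != null) {
            echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: adding amavis internal\n";
            $newval = "check_client_access hash:/etc/postfix/amavis_internal";
        }
    }
    smtpd_client_restrictions_progress("{construct_settings}", 30);
    echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: {$newval}\n";
    smtpd_client_restrictions_progress("{apply_settings}", 80);
    postconf("smtpd_client_restrictions", $newval);
    return true;
}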