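/**
 * Rebuilds the Postfix smtpd_recipient_restrictions list and writes it with postconf().
 *
 * The current value is read back from the running configuration, every entry this
 * function manages is stripped from it, and the managed entries are appended again
 * in a fixed order. Entries that this function does not manage survive at the front
 * of the list, so they are evaluated before anything added here.
 *
 * Side effects: runs the postconf binary named by $GLOBALS["postconf"], calls
 * postconf() several times, rebuilds the check_recipient_access_ou table, prints
 * progress lines to stdout and reports progress via smtpd_client_restrictions_progress().
 *
 * @return void
 */
function smtpd_recipient_restrictions()
{
    // The shared usersMenus instance is still cached globally, as before, although
    // this function does not read it.
    if (!isset($GLOBALS["CLASS_USERS_MENUS"])) {
        $GLOBALS["CLASS_USERS_MENUS"] = new usersMenus();
    }
    if (!isset($GLOBALS["CLASS_SOCKET"])) {
        $GLOBALS["CLASS_SOCKET"] = new sockets();
    }
    $sock = $GLOBALS["CLASS_SOCKET"];

    include_once dirname(__FILE__) . "/ressources/class.postfix.check_recipient_access.inc";

    $EnableCluebringer = $sock->GET_INFO("EnableCluebringer");
    $EnablePolicydWeight = intval($sock->GET_INFO('EnablePolicydWeight'));
    if (!empty($GLOBALS["DEBUG"])) {
        echo "EnableCluebringer={$EnableCluebringer}\n";
    }
    $TrustMyNetwork = $sock->GET_INFO("TrustMyNetwork");
    $ValvuladEnabled = intval($sock->GET_INFO("ValvuladEnabled"));
    $POLICYD_WEIGHT_PORT = 12525;
    $main = new maincf_multi("master");
    if (!is_numeric($TrustMyNetwork)) {
        $TrustMyNetwork = 1;
    }

    // $GLOBALS["postconf"] is interpolated into a shell command without quoting, so it
    // must only ever hold a fixed, trusted binary path.
    $currentLines = array();
    exec("{$GLOBALS["postconf"]} -h smtpd_recipient_restrictions", $currentLines);
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 51);

    // Index the existing entries by their trimmed text; RHSBL entries are dropped here
    // because they are regenerated from maincf_multi::main_rhsbl() further down.
    $existing = array();
    foreach (explode(",", implode(" ", $currentLines)) as $entry) {
        $entry = trim($entry);
        if ($entry === '' || preg_match("#_rhsbl_#", $entry)) {
            continue;
        }
        $existing[$entry] = $entry;
    }

    // Everything this function re-adds (or has deliberately retired) is removed first,
    // so that its position in the final list is decided below, not by the old config.
    $managedEntries = array(
        "permit_dnswl_client list.dnswl.org",
        "check_client_access hash:/etc/postfix/amavis_internal",
        "check_recipient_access hash:/etc/postfix/relay_domains_restricted",
        "permit",
        "check_sender_access hash:/etc/postfix/disallow_my_domain",
        "check_sender_access hash:/etc/postfix/unrestricted_senders",
        "check_recipient_access hash:/etc/postfix/amavis_bypass_rcpt",
        "reject_unauth_destination",
        "permit_mynetworks",
        "check_client_access pcre:/etc/postfix/fqrdns.pcre",
        "check_policy_service inet:127.0.0.1:54423",
        "check_policy_service inet:127.0.0.1:13331",
        "check_policy_service inet:127.0.0.1:7777",
        "check_policy_service inet:127.0.0.1:3579",
        "check_client_access hash:/etc/postfix/wbl_connections",
        "check_recipient_access hash:/etc/postfix/wbl_connections",
        "check_client_access cidr:/etc/postfix/check_client_access.cidr",
        "check_client_access hash:/etc/postfix/check_client_access",
        "check_policy_service inet:127.0.0.1:{$POLICYD_WEIGHT_PORT}",
    );
    foreach ($managedEntries as $managed) {
        unset($existing[$managed]);
    }
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 52);

    // Surviving entries go first. A hash: table that does not exist on disk is dropped
    // instead of being written back. Only hash: references are verified here.
    $smtpd_recipient_restrictions = array();
    foreach ($existing as $entry) {
        if (preg_match('#hash:(.+)$#', $entry, $re) && !is_file(trim($re[1]))) {
            echo "Starting......: " . date("H:i:s") . " smtpd_recipient_restrictions: bungled \"{$entry}\"\n";
            continue;
        }
        $smtpd_recipient_restrictions[] = $entry;
    }
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 53);

    postconf("smtpd_restriction_classes", "artica_restrict_relay_domains");
    postconf("artica_restrict_relay_domains", "reject_unverified_recipient");

    $MynetworksInISPMode = $sock->GET_INFO("MynetworksInISPMode");
    if (!is_numeric($MynetworksInISPMode)) {
        $MynetworksInISPMode = 0;
    }
    if ($TrustMyNetwork == 0 && $MynetworksInISPMode == 1) {
        $TrustMyNetwork = 1;
    }
    if ($TrustMyNetwork != 1) {
        echo "Starting......: " . date("H:i:s") . " **** TrustMyNetwork is disabled, outgoing messages should be not allowed... **** \n";
    }
    // NOTE(review): permit_mynetworks is appended whatever TrustMyNetwork says. The
    // original appended it conditionally and then once more unconditionally, so the
    // setting only controls the warning above. Behaviour is kept as it was; confirm
    // whether TrustMyNetwork=0 is meant to withhold permit_mynetworks before relying
    // on it as a relay control.
    $smtpd_recipient_restrictions[] = "permit_mynetworks";
    $smtpd_recipient_restrictions[] = "permit_sasl_authenticated";

    echo "Starting......: " . date("H:i:s") . " Postfix class check_recipient_access_ou()...\n";
    smtpd_client_restrictions_progress("{organizations}", 54);
    $check_recipient_access_ou = new check_recipient_access_ou();
    $check_recipient_access_ou->build();

    $smtpd_recipient_restrictions[] = "check_recipient_access hash:/etc/postfix/check_recipient_access_ou";
    $smtpd_recipient_restrictions[] = "check_client_access cidr:/etc/postfix/check_client_access.cidr";
    $smtpd_recipient_restrictions[] = "check_client_access hash:/etc/postfix/check_client_access";
    $smtpd_recipient_restrictions[] = "check_recipient_access hash:/etc/postfix/relay_domains_restricted";
    $smtpd_recipient_restrictions[] = "check_recipient_access hash:/etc/postfix/amavis_bypass_rcpt";
    // NOTE(review): Postfix stops evaluating a restriction list at the first decisive
    // result, and permit_auth_destination permits every recipient this server is
    // responsible for. The policy-service, RHSBL and forged-sender entries appended
    // after it therefore look as if they are only reached for recipients that are not
    // authorised destinations. Confirm that this ordering is intended.
    $smtpd_recipient_restrictions[] = "permit_auth_destination";

    if ($ValvuladEnabled == 1) {
        $smtpd_recipient_restrictions[] = "check_policy_service inet:127.0.0.1:3579";
    }
    if ($EnablePolicydWeight == 1) {
        $smtpd_recipient_restrictions[] = "check_client_access hash:/etc/postfix/wbl_connections";
        $smtpd_recipient_restrictions[] = "check_recipient_access hash:/etc/postfix/wbl_connections";
        $smtpd_recipient_restrictions[] = "check_policy_service inet:127.0.0.1:{$POLICYD_WEIGHT_PORT}";
    }
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 54);
    $smtpd_recipient_restrictions[] = "permit_dnswl_client list.dnswl.org";

    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 55);
    amavis_bypass_byrecipients();
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 56);
    restrict_relay_domains();
    postconf("auth_relay", null);
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 57);

    // Re-read the shared socket object after the helper calls, as the original did.
    if (!isset($GLOBALS["CLASS_SOCKET"])) {
        $GLOBALS["CLASS_SOCKET"] = new sockets();
    }
    $sock = $GLOBALS["CLASS_SOCKET"];

    $reject_forged_mails = $sock->GET_INFO("reject_forged_mails");
    if ($reject_forged_mails == 1) {
        // The sender table is only referenced when the helper reports success.
        if (smtpd_recipient_restrictions_reject_forged_mails()) {
            echo "Starting......: " . date("H:i:s") . " Reject Forged mails enabled\n";
            $smtpd_recipient_restrictions[] = "check_sender_access hash:/etc/postfix/disallow_my_domain";
        }
    } else {
        echo "Starting......: " . date("H:i:s") . " Reject Forged mails disabled\n";
    }
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 58);

    // One client and one sender RHSBL rule per configured domain (domains are the keys).
    $main_rhsbl = $main->main_rhsbl();
    if (is_array($main_rhsbl)) {
        foreach ($main_rhsbl as $domain => $ID) {
            if (trim($domain) == null) {
                continue;
            }
            $smtpd_recipient_restrictions[] = "reject_rhsbl_client {$domain}";
            $smtpd_recipient_restrictions[] = "reject_rhsbl_sender {$domain}";
        }
    }
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 59);

    // The relay guard and the final permit always close the list.
    $smtpd_recipient_restrictions[] = "reject_unauth_destination";
    $smtpd_recipient_restrictions[] = "permit";

    $blockUsersThroughInternet = isset($GLOBALS["EnableBlockUsersTroughInternet"])
        && $GLOBALS["EnableBlockUsersTroughInternet"] == 1;
    if ($blockUsersThroughInternet) {
        echo "Starting......: " . date("H:i:s") . " Restricted users are enabled\n";
        if (RestrictedForInternet()) {
            postconf("auth_relay", "check_recipient_access hash:/etc/postfix/local_domains, reject");
            // Placed at the very front so it is evaluated before every other entry.
            array_unshift($smtpd_recipient_restrictions, "check_sender_access hash:/etc/postfix/unrestricted_senders");
            __ADD_smtpd_restriction_classes("auth_relay");
        } else {
            __REMOVE_smtpd_restriction_classes("auth_relay");
        }
    } else {
        __REMOVE_smtpd_restriction_classes("auth_relay");
    }

    // Drop duplicates while keeping the first occurrence of each entry in place.
    $deduplicated = array();
    foreach ($smtpd_recipient_restrictions as $entry) {
        $entry = trim($entry);
        $deduplicated[$entry] = $entry;
    }
    $smtpd_recipient_restrictions = array();
    foreach ($deduplicated as $entry) {
        echo "Starting......: " . date("H:i:s") . " smtpd_recipient_restrictions Final: " . $entry . "\n";
        $smtpd_recipient_restrictions[] = $entry;
    }

    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 59);
    $newval = implode(",", $smtpd_recipient_restrictions);
    if (!empty($GLOBALS["DEBUG"])) {
        echo "smtpd_recipient_restrictions = {$newval}\n";
    }
    postconf("smtpd_recipient_restrictions", $newval);
    smtpd_client_restrictions_progress("{smtpd_recipient_restrictions}", 60);
}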
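/**
 * Rebuilds the Postfix smtpd_client_restrictions list and writes it with postconf().
 *
 * The current value is read back from the running configuration, the entries this
 * function manages are stripped, entries supplied by maincf_multi::check_client_access()
 * are merged in, and the rules enabled through the Artica settings are appended.
 * The result is prefixed with permit_mynetworks, permit_sasl_authenticated and
 * reject_unauth_pipelining whenever at least one rule remains.
 *
 * Side effects: runs the postconf binary named by $GLOBALS["postconf"], creates
 * default setting files when they are missing, refreshes /etc/postfix/fqrdns.pcre,
 * prints progress lines to stdout and reports progress via
 * smtpd_client_restrictions_progress().
 *
 * @return bool Always true.
 */
function smtpd_client_restrictions()
{
    if (!isset($GLOBALS["CLASS_SOCKET"])) {
        $GLOBALS["CLASS_SOCKET"] = new sockets();
    }
    $sock = $GLOBALS["CLASS_SOCKET"];

    // $GLOBALS["postconf"] is interpolated into a shell command without quoting, so it
    // must only ever hold a fixed, trusted binary path.
    $datas = array();
    exec("{$GLOBALS["postconf"]} -h smtpd_client_restrictions", $datas);
    $tbl = explode(",", implode(" ", $datas));
    // The output lines are joined for display; interpolating the array itself only
    // ever printed the word "Array".
    echo "Old values = " . implode(" ", $datas) . "\n";

    $EnablePostfixAntispamPack = $sock->GET_INFO("EnablePostfixAntispamPack");
    $EnableAmavisInMasterCF = $sock->GET_INFO('EnableAmavisInMasterCF');
    $EnableAmavisDaemon = $sock->GET_INFO('EnableAmavisDaemon');
    $amavis_internal = null;
    smtpd_client_restrictions_progress("{cleaning_data}", 10);

    // Index the existing entries by their trimmed text. A literal "Array" entry is
    // discarded as well.
    $newHash = array();
    foreach ($tbl as $entry) {
        $entry = trim($entry);
        if ($entry == null || $entry == "Array") {
            continue;
        }
        $newHash[$entry] = $entry;
    }

    // Entries that are re-added below when their setting is enabled, or that are no
    // longer wanted in this list, are stripped from the old value first.
    $hashToDelete = array(
        "check_client_access hash:/etc/postfix/check_client_access",
        "check_client_access \"hash:/etc/postfix/postfix_allowed_connections\"",
        "check_client_access hash:/etc/postfix/postfix_allowed_connections",
        "check_client_access pcre:/etc/postfix/fqrdns.pcre",
        "check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre",
        "reject_unknown_reverse_client_hostname",
        "reject_unknown_client_hostname",
        "reject_non_fqdn_hostname",
        "reject_unknown_sender_domain",
        "reject_non_fqdn_sender",
        "reject_unauth_pipelining",
        "reject_invalid_hostname",
        "reject_rbl_client zen.spamhaus.org",
        "reject_rbl_client sbl.spamhaus.org",
        "reject_rbl_client cbl.abuseat.org",
        "reject_rbl_client=zen.spamhaus.org",
        "reject_rbl_client=sbl.spamhaus.org",
        "permit_sasl_authenticated",
        "check_client_access hash:/etc/postfix/amavis_internal",
    );
    foreach ($hashToDelete as $stale) {
        unset($newHash[$stale]);
    }
    if (!empty($GLOBALS["VERBOSE"])) {
        echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: origin:" . implode(",", $newHash) . "\n";
    }

    // Merge the entries supplied by maincf_multi. The value is split on every comma,
    // including a leading one, which the old "> 0" test let through unsplit.
    $main = new maincf_multi("master", "master");
    $check_client_access = $main->check_client_access();
    if (is_string($check_client_access) && strpos($check_client_access, ",") !== false) {
        foreach (explode(",", $check_client_access) as $entry) {
            $entry = trim($entry);
            if ($entry == null) {
                continue;
            }
            $newHash[$entry] = $entry;
        }
        $check_client_access = null;
    }
    if ($check_client_access != null) {
        $newHash[$check_client_access] = $check_client_access;
    }

    $smtpd_client_restrictions = array();
    foreach ($newHash as $entry) {
        echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: Checks \"{$entry}\"\n";
        if (preg_match('#(hash|cidr):(.+)$#', $entry, $re)) {
            // A rule that points at a table missing from disk is not written back.
            if (!is_file(trim($re[2]))) {
                echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: bungled \"{$entry}\"\n";
                continue;
            }
            $smtpd_client_restrictions[] = $entry;
            continue;
        }
        if (preg_match('#reject_rbl_client=(.+?)$#', $entry, $re)) {
            // NOTE(review): the malformed "reject_rbl_client=<zone>" form is dropped.
            // The original built a corrected string but stored it in an unused variable,
            // so no corrected rule was ever added; that outcome is kept here.
            echo "Starting......: " . date("H:i:s") . " reject_rbl_client: bungled \"{$entry}\" fix it\n";
            continue;
        }
        $smtpd_client_restrictions[] = $entry;
    }

    // These two settings default to enabled on first run; the write is best-effort.
    if (!is_file("/etc/artica-postfix/settings/Daemons/reject_unknown_client_hostname")) {
        @file_put_contents("/etc/artica-postfix/settings/Daemons/reject_unknown_client_hostname", 1);
    }
    if (!is_file("/etc/artica-postfix/settings/Daemons/reject_unknown_reverse_client_hostname")) {
        @file_put_contents("/etc/artica-postfix/settings/Daemons/reject_unknown_reverse_client_hostname", 1);
    }
    $reject_unknown_client_hostname = $sock->GET_INFO('reject_unknown_client_hostname');
    $reject_unknown_reverse_client_hostname = $sock->GET_INFO('reject_unknown_reverse_client_hostname');
    $reject_invalid_hostname = $sock->GET_INFO('reject_invalid_hostname');
    if ($reject_unknown_client_hostname == 1) {
        $smtpd_client_restrictions[] = "reject_unknown_client_hostname";
    }
    if ($reject_unknown_reverse_client_hostname == 1) {
        $smtpd_client_restrictions[] = "reject_unknown_reverse_client_hostname";
    }
    if ($reject_invalid_hostname == 1) {
        $smtpd_client_restrictions[] = "reject_invalid_hostname";
    }
    echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: reject_invalid_hostname...............: {$reject_invalid_hostname}\n";
    echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: reject_unknown_reverse_client_hostname: {$reject_unknown_reverse_client_hostname}\n";
    echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: reject_unknown_client_hostname........: {$reject_unknown_client_hostname}\n";
    smtpd_client_restrictions_progress("{construct_settings}", 15);

    // The DNSBL set is only counted for the log line below; this function generates
    // no reject_rbl_client rule from it.
    $main_dnsbl = $main->main_dnsbl();
    if (!is_array($main_dnsbl)) {
        $main_dnsbl = array();
    }
    if ($EnablePostfixAntispamPack == 1) {
        echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions:Anti-spam Pack is enabled\n";
        if (!is_file("/etc/postfix/postfix_allowed_connections")) {
            @file_put_contents("/etc/postfix/postfix_allowed_connections", "#");
        }
        $smtpd_client_restrictions[] = "check_client_access \"hash:/etc/postfix/postfix_allowed_connections\"";
        $smtpd_client_restrictions[] = "reject_non_fqdn_hostname";
        $smtpd_client_restrictions[] = "reject_invalid_hostname";
        $main_dnsbl["zen.spamhaus.org"] = true;
        $main_dnsbl["sbl.spamhaus.org"] = true;
        $main_dnsbl["cbl.abuseat.org"] = true;
    }

    if (!is_file("/etc/artica-postfix/settings/Daemons/EnableGenericrDNSClients")) {
        @file_put_contents("/etc/artica-postfix/settings/Daemons/EnableGenericrDNSClients", 1);
    }
    $EnableGenericrDNSClients = $sock->GET_INFO("EnableGenericrDNSClients");
    if ($EnableGenericrDNSClients == 1) {
        // The pcre: table type is only usable when usersMenus reports PCRE support.
        $users = new usersMenus();
        if (!$users->POSTFIX_PCRE_COMPLIANCE) {
            $EnableGenericrDNSClients = 0;
        }
    }
    if ($EnableGenericrDNSClients == 1) {
        $fqrdnsTable = "/etc/postfix/fqrdns.pcre";
        // copy() replaces the former "/bin/cp" shell call, so a failure can be detected.
        if (!@copy("/usr/share/artica-postfix/bin/install/postfix/fqrdns.pcre", $fqrdnsTable)) {
            echo "Starting......: " . date("H:i:s") . " Unable to refresh {$fqrdnsTable}\n";
        }
        // The rule is only emitted when the table exists, in line with the table checks above.
        if (is_file($fqrdnsTable)) {
            echo "Starting......: " . date("H:i:s") . " Reject Public ISP reverse DNS patterns enabled\n";
            $smtpd_client_restrictions[] = "check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre";
        } else {
            echo "Starting......: " . date("H:i:s") . " {$fqrdnsTable} is missing, reverse DNS patterns rule skipped\n";
        }
    } else {
        echo "Starting......: " . date("H:i:s") . " Reject Public ISP reverse DNS patterns disabled\n";
    }

    echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions:" . count($main_dnsbl) . " DNSBL Services\n";
    smtpd_client_restrictions_progress("{construct_settings}", 20);
    echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: " . count($smtpd_client_restrictions) . " rule(s)\n";

    // The amavis bypass table is only referenced when amavis_internal() reports entries.
    if ($EnableAmavisInMasterCF == 1 && $EnableAmavisDaemon == 1) {
        $count = amavis_internal();
        if ($count > 0) {
            echo "Starting......: " . date("H:i:s") . " {$count} addresses bypassing amavisd new\n";
            $amavis_internal = "check_client_access hash:/etc/postfix/amavis_internal,";
        }
    }
    smtpd_client_restrictions_progress("{construct_settings}", 25);

    // Drop duplicates, keeping the first occurrence of each entry in place.
    $array_cleaned = array();
    foreach ($smtpd_client_restrictions as $entry) {
        $entry = trim($entry);
        if ($entry == null) {
            continue;
        }
        echo "Starting......: " . date("H:i:s") . " Clean \"{$entry}\"\n";
        $array_cleaned[$entry] = $entry;
    }
    // Both permits are written once, at the head of the final value, further down.
    unset($array_cleaned["permit_mynetworks"], $array_cleaned["permit_sasl_authenticated"]);

    $smtpd_client_restrictions = array();
    smtpd_client_restrictions_progress("{construct_settings}", 25);
    foreach ($array_cleaned as $entry) {
        echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions : {$entry}\n";
        $smtpd_client_restrictions[] = $entry;
    }

    $newval = null;
    echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: arrayof (" . count($smtpd_client_restrictions) . ")\n";
    // A single remaining rule is applied too. The former "> 1" test silently discarded
    // it and left the parameter without the rule the administrator had enabled.
    if (count($smtpd_client_restrictions) > 0) {
        $newval = implode(",", $smtpd_client_restrictions);
        $newval = "{$amavis_internal}permit_mynetworks,permit_sasl_authenticated,reject_unauth_pipelining,{$newval}";
    } elseif ($amavis_internal != null) {
        echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: adding amavis internal\n";
        $newval = "check_client_access hash:/etc/postfix/amavis_internal";
    }

    smtpd_client_restrictions_progress("{construct_settings}", 30);
    echo "Starting......: " . date("H:i:s") . " smtpd_client_restrictions: {$newval}\n";
    smtpd_client_restrictions_progress("{apply_settings}", 80);
    postconf("smtpd_client_restrictions", $newval);
    return true;
}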