smtpd/smtpfwdd examples.

5 files changed, 259 insertions, 0 deletions

diff --git a/share/smtpd/Makefile b/share/smtpd/Makefile
new file mode 100644
index 00000000000..9464f4c036b
--- /dev/null
+++ b/share/smtpd/Makefile
@@ -0,0 +1,13 @@
+#
+#	$Id: Makefile,v 1.1 1998/02/07 21:05:50 beck Exp $
+#
+FILES=	example.* 
+NOOBJ=	noobj
+
+all clean cleandir depend lint tags:
+
+install:
+	install -d ${DESTDIR}${BINDIR}/smtpd
+	install -c -m 0444 ${FILES} ${DESTDIR}${BINDIR}/smtpd
+
+.include <bsd.prog.mk>
diff --git a/share/smtpd/README b/share/smtpd/README
new file mode 100644
index 00000000000..fc357d5b925
--- /dev/null
+++ b/share/smtpd/README
@@ -0,0 +1,74 @@
+
+		OpenBSD smtpd/smtpfwdd README
+
+WHAT IS IT?:
+
+	smtpd and smtpfwdd are an implementation of a store and forward
+smtp proxy. Smtpd is a daemon witch runs in a chrooted environment and
+talks smtp in order to recieve mail. It spools received mail to it's 
+chroot. Smtpfwdd is a daemon which periodically scans the smtpd chroot
+directory and invokes sendmail to deliver the mail, either locally or
+by forwarding it to its eventual destination. 
+
+INSTALLATION:
+
+	To use the smtpd and smtpfwdd distributed with OpenBSD you will
+need to perform a couple of steps. 
+
+1) edit /etc/rc.conf
+   change smtpfwdd_flags from NO to "". 
+   change sendmail_flags to "-q30m".
+
+sendmail_flags="-q30m"       # for 'normal' use: sendmail_flags="-bd -q30m"
+smtpfwdd_flags=""       # for 'normal' use: smtpfwdd_flags="", no -bd above.
+
+
+2) edit /etc/inetd.conf
+   uncomment the line :	
+
+smtp		stream	tcp	nowait	root	/usr/libexec/smtpd	smtpd
+
+3) make the chroot needed by smtpd to run in:
+  
+   mkdir /var/spool/smtpd
+   chmod 700 /var/spool/smtpd
+   chown uucp.daemon /var/spool/smtpd
+   mkdir /var/spool/smtpd/etc
+   chmod 755 /var/spool/smtpd/etc
+   cp /etc/resolv.conf /var/spool/smtpd/etc/resolv.conf
+   chmod 644 /var/spool/smtpd/etc/resolv.conf
+   cp /etc/localtime /var/spool/smtpd/etc/localtime
+   chmod 644 /var/spool/smtpd/etc/localtime
+   touch /var/spool/smtpd/etc/smtpd_check_rules
+   chmod 644 /var/spool/smtpd/etc/smtpd_check_rules
+
+4) edit /var/spool/smtpd/etc/smtpd_check_rules appropriately for your
+   domain. A good starting point is the example.norelay in this directory, 
+   although you will need to edit this file to use it.
+   
+5) Now reboot, and you should be set up running smtpd. 
+
+NOTES:
+
+	If you intend to run smtpd on a dual homed bastion host type
+firewall system as a store and forward smtp proxy, you will need to
+play some minor DNS games. This is necessary to ensure that while
+externally your mail is MXed to your firewall host, internally, your
+mail is MX'ed to your real internal mailhost. Briefly, this is done as
+follows:
+
+	1) Your internal DNS knows about everything in your domain,
+(including extrenally visible hosts) and MX'es mail to the internal
+mailhost. It uses your external DNS as a forwarder. (Note this means
+that the external DNS must be accessible by the internal DNS
+
+	2) Your external DNS knows about only your externally visible
+hosts, and MX's mail to your firewall bastion host.
+
+	3) Your firewall bastion host uses the internal DNS in it's
+etc resolv.conf.
+
+	You should refer to either the O'reilly "DNS and BIND" book by
+Paul Ablitz and Cricket Liu, or "Building Internet Firewalls" by Brent
+Chapman and Elizabeth Zwickery for details on this type of split DNS
+setup.
diff --git a/share/smtpd/example.antispam b/share/smtpd/example.antispam
new file mode 100644
index 00000000000..607d0cd0335
--- /dev/null
+++ b/share/smtpd/example.antispam
@@ -0,0 +1,90 @@
+# example antispam file. Modify to suit your needs.
+#
+# This file goes in /var/spool/smtpd/etc/smtpd_check_rules
+# once you have modified it appropriately for your site.
+#
+# This example does two things: 1, it prevents unauthorized relaying, 
+# 2), it blocks incoming SPAM from the major SPAM domains. To keep
+# an eye on the current worst offenders, check out http://spam.abuse.net/
+#
+# If you really dislike SPAM, you can try compiling with NOTO_DELAY
+# set to some (relatively small) value, and changing the "noto" rules
+# in this file to "noto_delay" rules. 
+# 
+# This file assumes that our domains are "mydomain.com" and "otherdomain.com".
+# assumes our dns servers are "dns1.mydomain.com", etc. etc. 
+# you will need to edit this file for your own use. 
+
+# First, allow us to relay outgoing mail from our hosts.
+allow:*mydomain.com *otherdomain.com:ALL:ALL
+
+# don't allow people to use %hack to relay off of me.
+noto:ALL:ALL:*%*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.
+noto:ALL:ALL:*!*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.
+noto:ALL:ALL:*@*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.
+
+# First, the exceptions.
+# "I'll have your spam dear, I love it!"
+#
+# The people below have requested that all mail be let through to them
+# with no filtering for SPAM, and we accomodate them here.
+#
+allow:ALL:ALL:ALL@hormel.mydomain.com spamboy@otherdomain.com
+
+
+# Block any connections from host in the MAPS rbl at rbl.maps.vix.com
+# Beware that this can throw the baby out with the bathwater.
+# this one line will mimic the usual sendmail behaviour when using the MAPS RBL
+noto:RBL.rbl.maps.vix.com:ALL:ALL:550 Mail refused from host %I in MAPS RBL, see http%C//maps.vix.com/rbl/
+
+# Block any connections from a host or connecting address who uses a
+# nameserver for which the address is in the MAPS rbl at rbl.maps.vix.com.
+# Note that this can *really* throw the baby out with the bathwater, 
+# be sure you understand the implications before using the two below.
+#noto:NS=RBL.rbl.maps.vix.com:ALL:ALL:550 Mail refused due to nameserver for %H(%I) in MAPS RBL, see http%C//maps.vix.com/rbl/
+#noto:ALL:NS=RBL.rbl.maps.vix.com:ALL:550 Mail refused due to nameserver for %F in MAPS RBL, see http%C//maps.vix.com/rbl/
+
+
+# block anyone who uses a major SPAM provider as a nameserver or MX. either
+# on a connection from one of their hosts, a connection from a host they act
+# as a nameserver for, or a connection with a FROM: address that uses 
+# a nameserver or MX from a them. As an example, we use the old cyberpromo
+# netblocks below. You should not use a rule such as below unless you are
+# sure the netblock *currently* belongs to a spamhaus.   
+#cyberpromo.com
+#noto:205.199.212.0/24 205.199.2.0/24 207.124.161.0/24 204.137.221.0/24:ALL:ALL
+#noto:ALL:NS=205.199.212.0/24 NS=205.199.2.0/24 NS=207.124.161.0/24 NS=204.137.221.0/24:ALL
+#noto:NS=205.199.212.0/24 NS=205.199.2.0/24 NS=207.124.161.0/24 NS=204.137.221.0/24:ALL:ALL
+
+
+
+# dump things with a bogus rhs to a FROM: addresses. usually spammers
+# This drops any message where the FROM: address is given as 
+# anything@bogus, where "bogus" is
+# 1) not resolvable as a hostname.
+# 2) not resolvable as an NS or MX record
+# In other words, this basically tosses anything that gives a FROM address
+# in the smtp dialogue that you would probably have no hope of replying
+# to via smtp. 
+
+# You can may wish to use a 450 (which invites the sender to retry)
+# rather than a 550 that won't in order not to lose real mail that has
+# no resolution due to temporary DNS problems. However be warned that
+# if you do lots of SPAM may get retried a lot. I've had varying
+# success with using 450 depending on how busy the site is.
+noto:ALL:NS=UNKNOWN:ALL:550 Your FROM address (%F) doesn't seem to resolve to a host, domain, or MX record. Please mail to %T from a valid e-mail address.
+
+# dump bozos with all digit addresses. almost always spammers.
+noto:ALL:/^[0-9]+@.*$/:ALL
+
+##############################################
+# otherwise, allow untrusted connections with mail to anywhere we MX
+# this should do it nicely:
+allow:ALL:ALL:NS=dns*.mydomain.com
+# An alternative is to allow by domain, below. 
+allow:ALL:ALL:*mydomain.com *otherdomain.com
+
+##############################################
+# don't relay mail to other places from other connections, so
+# we don't get used as a spam relay
+noto:ALL:ALL:ALL:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.
diff --git a/share/smtpd/example.features b/share/smtpd/example.features
new file mode 100644
index 00000000000..a378c2973ea
--- /dev/null
+++ b/share/smtpd/example.features
@@ -0,0 +1,48 @@
+#
+# example smtpd rules file.
+# Also note, this isn't real. It's chosen for illustrative purposes.
+# not for practicality. 
+#
+# Rule syntax [allow|deny]:SourceList:FromList:ToList:[XXX message]
+#
+
+# allow the users on the freenet host to send mail from their username
+# (obtained by ident query to the box) and no other, except for
+# "root" and "uucp", which MTA's on the machine may run as.
+allow:root@freenet.my.domain uucp@freenet.my.domain:ALL:ALL
+allow:ALL@freenet.my.domain:USER@freenet.my.domain:ALL
+deny:freenet.my.domain:ALL:ALL
+
+# I'm in front of some other people's mail. Allow their mailhost
+# to send mail out coming from themselves, but not from other addresses. 
+allow:mailhost.other1.org:ALL@other1.org ALL@mailhost.other1.org:ALL
+deny:mailhost.other1.org:ALL:ALL
+allow:mailhost.other2.org:ALL@other2.org ALL@mailhost.other2.org:ALL
+deny:mailhost.other2.org:ALL:ALL
+# Allow everything else inbound to them
+allow:ALL:ALL:ALL@other2.org ALL@mailhost.other2.org 
+allow:ALL:ALL:ALL@other1.org ALL@mailhost.other1.org 
+
+
+# we had a problem with internal people subscribing to lists on 
+# xxx.com. As such we got a directive from on high that
+# we really don't need our people to send any mail to that site.
+deny:*.my.domain:ALL:ALL@xxx.com ALL@*.xxx.com 
+
+# don't allow my users to subscribe to majordomo mailinglists except from
+# certain machines, and then, only as themselves according to ident. 
+# except for "luser" who got caught trying to subscribe me to a bunch of
+# mailing lists about therapy for control freaks.
+allow:ALL@loginhost.my.domain ALL@otherhost.my.domain EXCEPT luser@*.my.domain:USER@my.domain:majordomo@ALL
+deny:*.my.domain:ALL:majordomo@ALL
+
+# allow sources in my domain to mail out with from addresses looking like they 
+# are from my domain's two allowed forms of email address. 
+allow:*.my.domain 192.168.20.* 192.168.30.*:ALL@my_domain ALL@mailhost.my.domain:ALL
+
+# relay incoming mail to my domain.
+allow:ALL:ALL:*my.domain
+
+# don't relay anything else out (bogus FROM:, external spammer using us as a
+# relay, etc).
+deny:ALL:ALL:ALL
diff --git a/share/smtpd/example.norelay b/share/smtpd/example.norelay
new file mode 100644
index 00000000000..e2a976e33d6
--- /dev/null
+++ b/share/smtpd/example.norelay
@@ -0,0 +1,34 @@
+# A simple anti-relay only example. Make sure you don't get used as a third
+# party relay to spam other unfortunate people and grind your server
+# to a halt dealing with the complaints. 
+
+# this file goes into /var/spool/smtpd/etc/smtpd_check_rules once you 
+# have made the appropriate modifications to it.
+
+# assumes we are "my.domain". - edit for your own use.
+
+# Don't allow people to %hack relay off of me.
+noto:ALL:ALL:*%*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.
+noto:ALL:ALL:*!*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.
+noto:ALL:ALL:*@*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.
+
+# we can allow outbound mail from our own hosts by allowing
+# outbound from hosts that have dns.my.domain as one of
+# their nameservers. this might be useful if we sit in front of a 
+# lot of domains. but will be slower than below.
+#allow:NS=dns.my.domain:ALL:ALL
+# alternatively, if we don't want to bother with a name lookup,
+# we can simply allow all hosts ending in my.domain to relay through me.
+allow:*my.domain:ALL:ALL
+
+# Again, for inbound mail we can match on the nameserver
+# accepting mail for any address where the RHS uses us as a nameserver.
+#allow:ALL:ALL:NS=dns.my.domain
+# alternatively, allow anything ending in my.domain.
+allow:ALL:ALL:*my.domain
+
+#
+# punt anything else, we won't relay for people we don't know.
+#
+noto:ALL:ALL:ALL:551 Sorry %H(%I), I don't allow unauthorized relaying. Please
+use another SMTP host to mail from %F to %T