Depending on the bugfixes (see changelog) download the appropriate release:
# wget http://www.policyd-weight.org/policyd-weight
or if "devel" sounds more exciting:
# wget http://www.policyd-weight.org/policyd-weight-devel
Move policyd-weight to the proper location for your operating system (example shows *BSD):
# mv policyd-weight /usr/local/bin/policyd-weight
# chmod 0555 /usr/local/bin/policyd-weight
Check the default settings:
# /usr/local/bin/policyd-weight defaults
If these settings seem appropriate, you don't need a configuration
file at all. If you want to change some settings, create a file (e.g. /usr/local/etc/policyd-weight.conf)
and add only the variables that differ
from the defaults. For example, if you want only DNSBL checks and a different
port, use:
# ----------------------------------------------------------------
# minimal configuration for policyd-weight
# ----------------------------------------------------------------
$dnsbl_checks_only = 1;
$TCP_PORT = 12336;
There is another option, which is not recommended:
# /usr/local/bin/policyd-weight defaults > /usr/local/etc/policyd-weight.conf
# chmod 0644 /usr/local/etc/policyd-weight.conf
This will write the default configuration to a file. However, this is not good practice, because it makes the configuration file difficult to maintain and changed defaults will not be picked up automatically.
The following modules are required:
The preferred way to install those modules is via your OS' package manager (apt*, pkg*, etc).
A less recommended method is:
# perl -MCPAN -e shell
cpan> install <Module>
Use the appropriate commands for your operating system to add a new user and a
new group named polw. This unprivileged user does not need a valid
shell.
Either create an rc-init script or otherwise arrange for policyd-weight to be started at boot time. The command to start policyd-weight in daemon mode is:
# /path/to/policyd-weight start
You need to be root to do that.
This example shows a minimal setup. Do NOT copy & paste; instead, adjust your main.cf to meet the minimal requirements. Please keep existing authentication restrictions (such as SASL) and so forth:
01: smtpd_helo_required = yes                      # required
02: smtpd_delay_reject = yes                       # suggested
03:
04: smtpd_recipient_restrictions =
05:     permit_mynetworks,                         # required
06:     ... other authed permits ...
07:     ... (permit_sasl_authenticated) ...
08:     reject_unauth_destination,                 # required
09:     ... whitelists (role accounts, clients) ...
10:     reject_non_fqdn_recipient,                 # suggested
11:     reject_invalid_helo_hostname,              # suggested
12:     check_policy_service inet:127.0.0.1:12525  # required
Line 11 makes sure that only valid DNS names (in terms
of [RFC 2821] Sect. 2.3.5, [RFC
1123] Sect. 5.2.5 and [RFC 1035] Sect.
2.3.1) are allowed in the HELO command. reject_invalid_hostname (or
reject_invalid_helo_hostname as of Postfix 2.3.x) makes sure that no bogus characters
are used. It is a safety and RFC-conformance setting.
Line 12 calls the policy daemon on host 127.0.0.1 (localhost) at port 12525.
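Before Postfix depends on the check_policy_service entry, it helps to confirm that the daemon actually answers on 127.0.0.1:12525. The following is an added example, not part of policyd-weight or of this guide: it sends one request in Postfix's policy delegation format (name=value lines ended by an empty line) and prints the returned action. The sample hostnames and addresses are constructed, and the attribute names are assumed to be the standard ones Postfix sends.

```python
"""Added example: probe a Postfix policy daemon (not policyd-weight's own code)."""
import socket

# Constructed sample request; names and addresses are documentation values.
SAMPLE_REQUEST = {
    "request": "smtpd_access_policy",
    "protocol_state": "RCPT",
    "protocol_name": "SMTP",
    "helo_name": "mail.example.org",
    "client_address": "192.0.2.25",
    "client_name": "mail.example.org",
    "sender": "alice@example.org",
    "recipient": "postmaster@example.net",
}


def build_request(attrs):
    """Serialize attributes as name=value lines ended by one empty line."""
    for name, value in attrs.items():
        if "=" in name or "\n" in name or "\n" in str(value):
            raise ValueError(f"illegal character in attribute {name!r}")
    body = "".join(f"{name}={value}\n" for name, value in attrs.items())
    return (body + "\n").encode("ascii")


def parse_response(raw):
    """Return the text after action= in the daemon's reply."""
    for line in raw.decode("ascii", "replace").splitlines():
        if line.startswith("action="):
            return line[len("action="):].strip()
    raise ValueError("policy reply carried no action= line")


def query_policy(attrs, host="127.0.0.1", port=12525, timeout=30.0):
    """Send one request and read until the blank line that ends the reply."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(build_request(attrs))
        raw = b""
        while b"\n\n" not in raw:
            chunk = conn.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_response(raw)


if __name__ == "__main__":
    print("policy daemon answered:", query_policy(SAMPLE_REQUEST))
```

A connection error here means the daemon is not listening on the address configured in main.cf; a reply without an action= line raises ValueError.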
For whitelisting hosts read the FAQ.
To prevent a proper MTA from using your own domain as sender, please read and understand
Ralf Hildebrandt's recipe.
If you don't understand some settings or don't know their meaning, please
read Postfix SMTP relay
and access control first, or the postconf(5) manpage.
To tune scores or turn on/off some features such as X-headers, read and edit
/usr/local/etc/policyd-weight.conf
The configuration file uses Perl syntax. If you make Perl syntax errors there, policyd-weight
won't work.
It is not required to restart or reload Postfix. Changes made to the configuration
are picked up by each new policyd-weight instance. To have
changes take effect immediately you can a) kill each policyd-weight instance,
or b) restart Postfix if running in master.cf mode.
On some systems it may be necessary to increase the system value for SOMAXCONN; 1024 is a good value (in most cases you will see the default of 128, which is too low for a busy server):