Howto setup Postfix and policyd-weight

1. Read the changelog
1.1. Download policyd-weight

Depending on the bugfixes (see changelog) download the appropriate release:

# wget http://www.policyd-weight.org/policyd-weight

or if "devel" sounds more exciting:

# wget http://www.policyd-weight.org/policyd-weight-devel

Move policyd-weight to the proper location for your operating system (example shows *BSD):

# mv policyd-weight /usr/local/bin/policyd-weight
# chmod 0555 /usr/local/bin/policyd-weight

Check the default settings

# /usr/local/bin/policyd-weight defaults

If these settings seem appropriate, you don't need a configuration file at all. If you want to change some settings, create a file (e.g. /usr/local/etc/policyd-weight.conf) and add only the variables that differ from the defaults. For example, if you want only DNSBL checks and a different port, use:

# ----------------------------------------------------------------
#  minimal configuration for policyd-weight
# ----------------------------------------------------------------
$dnsbl_checks_only = 1;
$TCP_PORT          = 12336;

There is another option, which is not recommended:

# /usr/local/bin/policyd-weight defaults > /usr/local/etc/policyd-weight.conf
# chmod 0644 /usr/local/etc/policyd-weight.conf

This will write the default configuration to a file. However, this is not good practice, because it makes the configuration file difficult to maintain, and changed defaults will not be picked up automatically.

1.2 Install required modules

The following modules are required:

The preferred way to install those modules is via your OS's package manager (apt*, pkg*, etc.).

A less recommended method is:

# perl -MCPAN -e shell
cpan> install <Module>

2.1 Add a system account for policyd-weight

Use the appropriate commands for your operating system to add a new user and a new group named polw. This unprivileged user does not need a valid shell.

2.2 Create an init script

Either create an rc init script or otherwise make sure that policyd-weight is started at boot time. The command to start policyd-weight in daemon mode is:

# /path/to/policyd-weight start

You need to be root to do that.

3. Edit Postfix main.cf

This example shows a minimal setup. Do NOT copy & paste, instead adjust your main.cf to meet the minimal requirements. Please keep old authentication restrictions (such as SASL) and so forth:

01:  smtpd_helo_required = yes                          # required
02:  smtpd_delay_reject = yes                           # suggested
03:
04:  smtpd_recipient_restrictions =
05:      permit_mynetworks,                             # required
06:      ... other authed permits ...
07:      ... (permit_sasl_authenticated) ...
08:      reject_unauth_destination,                     # required
09:      ... whitelists (role accounts, clients) ...
10:      reject_non_fqdn_recipient,                     # suggested
11:      reject_invalid_helo_hostname,                  # suggested
12:      check_policy_service inet:127.0.0.1:12525      # required

Line 11: makes sure that only valid DNS names (in terms of [RFC 2821] Sect. 2.3.5, [RFC 1123] Sect. 5.2.5 and [RFC 1035] Sect. 2.3.1) are allowed in the HELO command. reject_invalid_hostname (or reject_invalid_helo_hostname as of Postfix 2.3.x) makes sure that no bogus characters are used. It's a safety and RFC setting.

Line 12: calls the policy daemon on host 127.0.0.1 (localhost) at port 12525.
For whitelisting hosts, read the FAQ.

To prevent a proper MTA from using your own domain as sender, please read and understand Ralf Hildebrandt's recipe.

If you don't understand some settings or don't know their meaning, please read Postfix SMTP relay and access control first, or the postconf.5 manpage.
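
A quick way to confirm that an existing main.cf meets the minimal requirements listed above. This is an added example, not part of policyd-weight or of the original howto; the function names and the sample main.cf text are constructed for illustration. Pass expected_port to match $TCP_PORT if you changed it in policyd-weight.conf.

```python
import re

# Items the howto marks "# required", in the order its main.cf example lists them.
REQUIRED_ORDER = ["permit_mynetworks", "reject_unauth_destination", "check_policy_service"]

# Constructed sample input (no trailing comments: main.cf does not support them).
SAMPLE_MAIN_CF = """\
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_invalid_helo_hostname,
    check_policy_service inet:127.0.0.1:12525
"""

def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines (leading whitespace)."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def check_policyd_weight_setup(text, expected_port=12525):
    """Return a list of problems; empty means the howto's minimal setup is met."""
    params, problems = parse_main_cf(text), []
    if params.get("smtpd_helo_required", "no").lower() != "yes":
        problems.append("smtpd_helo_required is not yes")
    # Restrictions are separated by commas and/or whitespace.
    tokens = [t for t in re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", "")) if t]
    missing = [r for r in REQUIRED_ORDER if r not in tokens]
    problems += [f"{r} is missing" for r in missing]
    found = [tokens.index(r) for r in REQUIRED_ORDER if r in tokens]
    if found != sorted(found):
        problems.append("required restrictions are out of order")
    if "check_policy_service" in tokens:
        target = (tokens[tokens.index("check_policy_service") + 1:] or [""])[0]
        if not re.fullmatch(rf"inet:[^:]+:{expected_port}", target):
            problems.append(f"policy target {target!r} does not use port {expected_port}")
    return problems
```

Run it against the effective configuration by passing the contents of your main.cf to check_policyd_weight_setup(); an empty list means the required items are present and in the order shown in the example.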

4. Score tuning and other configurations

To tune scores or turn features such as X-headers on or off, read and edit /usr/local/etc/policyd-weight.conf.
The configuration file uses Perl syntax. If you make Perl syntax errors there, policyd-weight won't work.
It is not required to restart or reload Postfix. Changes made to the configuration are picked up by each new policyd-weight instance. To have changes take effect immediately you can a) kill each policyd-weight instance, or b) restart Postfix if running in master.cf mode.

On some systems it may be necessary to increase the system value for SOMAXCONN; 1024 is a good value (in most cases you will see the default of 128, which is too low for a busy server):