howtos:dshield_postfix_map_script

Differences

This shows you the differences between two versions of the page.

howtos:dshield_postfix_map_script [29/07/2006 01:43] domingo
howtos:dshield_postfix_map_script [02/12/2018 21:34] (current) – external edit 127.0.0.1
Line 1: Line 1:
 +====== Postfix map script for Dshield IP list ======
  
 +This is a little script I made for the fun of it. I don't know if it is usefull - it depends on who is behind the attaching IP ranges in the Dshield list. I intended it to be used as a RBL/Blackhole list so when someone from the list tries to deliver mail to you they will be denied access. I assume that the IP ranges are bad guys either trying to spam you or attack you.
 +
 +You can read more about what Dshield is all about here http://www.dshield.org
 +
 +Normally I use the Dshield IP list in my firewall rulebase, I think it was more intended for that but hopefully it just might also be usefull with Postfix. Give it a shot.
 +
 +===== Postfix configuration =====
 +
 +To make the script work you have to add the following to your main.cf file:
 +
 +<code>
 +smtpd_client_restrictions =
 +        check_client_access hash:/etc/postfix/whitelisted_ips
 +        check_client_access hash:/etc/postfix/dshield_block_networks      <- put it in here
 +        reject_rbl_client relays.ordb.org
 +        reject_rbl_client sbl.spamhaus.org
 +        reject_rbl_client xbl.spamhaus.org
 +        ...
 +        ...
 +        ...
 +        ...
 +</code>
 +
 +===== The script =====
 +Call it what you like and have it run as a cronjob once a day, that should be sufficient as the list is only updated every 2-3 days.
 +
 +Check the paths in the script and align them to your environment. I'm using a smtp code 450 so if someone unintentionally is on the list they might be able to deliver mail later on after an update of the list. Also remember to make the script executable.
 +
 +<file>
 +#!/bin/bash
 +#Made by Thomas D Dahlmann (domingo@domingo.dk) 28/7-2006
 +#Tiny script that downloads the latest dshield textfile and converts it to a Postfix mapfile.
 +#The idea is that this mapfile is used in the smtpd_client_restriction as a check_client_access line.
 +#Run it as a cron job once a day.
 +
 +DOWNLOAD_DIRECTORY="/etc/postfix"
 +DSHIELD_URL="http://feeds.dshield.org/block.txt"
 +OUT_FILE="dshield_list"
 +OUT_FILE_FULL_PATH=$DOWNLOAD_DIRECTORY/$OUT_FILE
 +POSTFIX_MAP_FILE="dshield_block_networks"
 +POSTFIX_MAP_FILE_FULL_PATH=$DOWNLOAD_DIRECTORY/$POSTFIX_MAP_FILE
 +DSHIELD_DOWNLOAD_FILENAME="dshield_block.txt"
 +DSHIELD_FILENAME_FULL_PATH=$DOWNLOAD_DIRECTORY/$DSHIELD_DOWNLOAD_FILENAME
 +
 +wget -O $DSHIELD_FILENAME_FULL_PATH $DSHIELD_URL >/dev/null 2>&1
 +
 +cat $DSHIELD_FILENAME_FULL_PATH |egrep -v "#|Start"|egrep [1234567890]|awk '{print $1}'|sed 's/$/\/24/' > $OUT_FILE_FULL_PATH
 +
 +cp /dev/null $POSTFIX_MAP_FILE_FULL_PATH
 +
 +for i in $( cat $OUT_FILE_FULL_PATH ); do
 +        echo "$i        450 Try again Hacker-wanna-be-Jack" >> $POSTFIX_MAP_FILE_FULL_PATH
 +done
 +
 +postmap $POSTFIX_MAP_FILE_FULL_PATH
 +</file>
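Review bot: the keys produced by `sed 's/$/\/24/'` will never match when the file is consulted as `hash:/etc/postfix/dshield_block_networks` in `smtpd_client_restrictions`, because a Postfix hash access table matches a full address or a truncated dotted prefix (a constructed example: `192.0.2`), not `network/mask` notation; CIDR patterns need the `cidr:` table type. Either emit the three-octet prefix as the key and keep `hash:` plus `postmap`, or reference the file as `cidr:` in main.cf and drop the `postmap` step. Separately, the `wget` exit status is discarded and the map is truncated with `cp /dev/null` before it is rebuilt, so a failed or empty download silently replaces the block list with an empty one; build the new map in a temporary file and move it into place only when the download succeeded and yielded entries. The feed is also fetched over plain `http://`, so its content is not protected in transit before it is written into an access map that decides who may deliver mail.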
howtos/dshield_postfix_map_script.txt · Last modified: 02/12/2018 21:34 by 127.0.0.1