1. Read the changelog
1.1. Download policyd-weight
Depending on the bugfixes (see changelog) download the appropriate release:
or if quot;devel" sounds more exciting:
Move policyd-weight to the proper location for your operating system (example shows *BSD
):
# mv policyd-weight /usr/local/libexec/postfix/policyd-weight
# chmod 0555 /usr/local/libexec/postfix/policyd-weight
Check the default settings
# /usr/local/libexec/postfix/policyd-weight defaults
If these settings seem appropriate you don't need a configuration file at all. In case you like to change some settings, create a file (i.e. /usr/local/etc/policyd-weight.conf) and add only the variables that differ from the defaults. For example if you want only DNSBL checks and a different port use:
# —————————————————————-
# minimal configuration for policyd-weight
# —————————————————————-
$dnsbl_checks_only = 1;
$TCP_PORT = 12336;
There is another option, which is not recommended:
# /usr/local/libexec/postfix/policyd-weight defaults > /usr/local/etc/policyd-weight.conf
# chmod 0644 /usr/local/etc/policyd-weight.conf
This will write the default configuration to a file. However, this is not good practice, because it will make maintaining the configuration file difficult and changed defaults will not picked up automatically.
2.1 Add a system account for policyd-weight
Use the appropriate commands for your operating system to add a new user and a new group named polw. This unprivileged user does not need a valid shell.
2.2 Create an init script
Either create an rc-init script or manage otherwise that policyd-weight gets started at boot-time. The command to start policyd-weight in daemon mode is:
# /path/to/policyd-weight start
You need to be root to do that.
3. Edit Postfix main.cf
This example shows a minimal setup. Do NOT copy & paste, instead adjust your main.cf to meet the minimal requirements. Please keep old authentication restrictions (such as SASL) and so forth:
02: smtpd_delay_reject = yes # suggested
03:
04: smtpd_helo_restrictions =
05: permit_mynetworks, # suggested
06: reject_invalid_hostname # suggested
07:
08: smtpd_client_restrictions = permit_mynetworks # suggested
09:
10: smtpd_sender_restrictions = permit_mynetworks # suggested
11:
12: smtpd_recipient_restrictions =
13: permit_mynetworks, # required
14: … other authed permits …
15: … (permit_sasl_authenticated) …
16: reject_unauth_destination, # required
17: reject_unauth_pipelining, # suggested
18: … whitelists (role accounts, clients) …
19: reject_non_fqdn_recipient, # suggested
20: check_policy_service inet:127.0.0.1:12525 # required
Lines 6: makes sure to only allow valid DNS Names (in terms of [RFC 2821] Sect. 2.3.5, [RFC 1123] Sect. 5.2.5 and [RFC 1035] Sect. 2.3.1) in the HELO command. reject_invalid_hostname (or reject_invalid_helo_hostname as of Postfix 2.3.x) makes sure that no bogus characters are used. It's a safety and RFC setting.
Line 20: calls the policy daemon on host 127.0.0.1 (localhost) at port 12525.
For whitelisting hosts read the FAQ.
To prevent that a proper MTA can use your own domain as sender please read and unterstand Ralf Hildebrandts receipe
If you don't understand some settings or don't know their meaning please read Postfix SMTP relay and access control first, respectively the postconf.5 manpage.
4. Score tuning and other configurations
To tune scores or turn on/off some features such as X-headers, read and edit /usr/local/etc/policyd-weight.conf
The configuration file is Perl syntax. If you make Perl syntax errors there, policyd-weight won't work.
It is not required to restart or reload postfix. Changes made to the configuration are picked up by each new policyd-weight instance. To have changes take effect immediately you can a) kill each policyd-weight instance, or b) restart Postfix if running in master.cf mode.