authorGuilhem Moulin <guilhem@fripost.org>2014-07-13 01:39:45 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:53:05 +0200
commit4fb4be4d279dd94cab33fc778cfa318b93d6926f (patch)
tree4f974016c4183c372010c7fa421cc1c9e5caa4c6 /roles/MX/templates/etc/postfix/main.cf.j2
parent40ecc9de640b40a0175238fcff9929adfe537493 (diff)
Replace Postgrey with postscreen.
See http://www.postfix.org/POSTSCREEN_README.html and http://rob0.nodns4.us/postscreen.html
It's unfortunate that smtpd(8) cannot be chrooted any longer, which means that we have to un-chroot cleanup(8) as well. Indeed, currently smtpd(8) uses $virtual_alias_maps for recipient validation; later cleanup(8) uses it again for rewriting. So these processes need to be both chrooted, or both not.
Diffstat (limited to 'roles/MX/templates/etc/postfix/main.cf.j2')
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j220
1 files changed, 17 insertions, 3 deletions
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 476178a..181066a 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -123,11 +123,25 @@ unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
+postscreen_blacklist_action = drop
+postscreen_dnsbl_threshold = 3
+postscreen_dnsbl_action = enforce
+postscreen_dnsbl_sites =
+ zen.spamhaus.org*3
+ swl.spamhaus.org*-4
+ b.barracudacentral.org*2
+ bl.spameatingmonkey.net*2
+ bl.spamcop.net
+ dnsbl.sorbs.net
+ list.dnswl.org=127.[0..255].[0..255].0*-2
+ list.dnswl.org=127.[0..255].[0..255].1*-3
+ list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
+
+postscreen_greet_action = enforce
+postscreen_whitelist_interfaces = !88.80.11.28 static:all
smtpd_client_restrictions =
permit_mynetworks
- reject_rbl_client zen.spamhaus.org
- reject_rbl_client bl.spamcop.net
smtpd_helo_required = yes
smtpd_helo_restrictions =
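Review bot: The `zen.spamhaus.org*3` entry and the third `list.dnswl.org` pattern in `postscreen_dnsbl_sites` score any matching reply, which includes the status codes these lists return to blocked or over-quota resolvers, not only real listings. As far as I know Spamhaus answers such resolvers in 127.255.255.0/24 and dnswl.org with 127.0.0.255; with `postscreen_dnsbl_action = enforce` the first would reject every client, while the second matches `[2..255]` and would give every client -4. Restricting the accepted replies avoids both: `zen.spamhaus.org=127.0.0.[2..11]*3` and `list.dnswl.org=127.0.[0..255].[2..3]*-4`. The unfiltered `permit_dnswl_client list.dnswl.org` in the second hunk has the same gap. Separately, the literal address in `postscreen_whitelist_interfaces` would be easier to maintain as a role variable, since this file is a template.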
@@ -144,7 +158,7 @@ smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
- check_policy_service unix:private/postgrey
+ permit_dnswl_client list.dnswl.org
smtpd_data_restrictions =
reject_unauth_pipelining
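Review bot: `permit_dnswl_client list.dnswl.org` looks like the last entry of `smtpd_recipient_restrictions` in this hunk (blank lines seem to be missing from the view, so this is inferred), and a permit at the end of a list changes no outcome, because a recipient that reaches the end without a reject is accepted anyway. As written it costs a DNS lookup per recipient, and it turns into a bypass for every client listed at any trust level as soon as a reject is appended below it. Either drop the line or state the intent with a comment line above it, e.g. `# whitelisted clients skip any checks added below this line`.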