From 5dadc4ee7391a813bb99eb2ca0c42c8220d62ad3 Mon Sep 17 00:00:00 2001
From: Deon George <deon@leenooks.net>
Date: Sun, 4 Jun 2023 23:00:01 +1000
Subject: [PATCH] Added spamhaus configuration and other postfix tuning

---
 .gitlab-docker-manifest.yml  |   2 +-
 defaults/60-spamhaus.cf      |  10 +
 defaults/dnsbl-reply-map     |   7 +
 defaults/header_checks       | 554 +++++++++++++++++++++++++++++++++++
 defaults/helo_access         |   0
 defaults/recipient_canonical |   0
 defaults/sender_access       |   0
 defaults/sender_canonical    |   0
 include/01-custom.cf         |  26 ++
 include/20-sasl.cf           |   2 +-
 include/50-milters.cf        |   2 +-
 init                         |  19 ++
 12 files changed, 619 insertions(+), 3 deletions(-)
 create mode 100644 defaults/60-spamhaus.cf
 create mode 100644 defaults/dnsbl-reply-map
 create mode 100644 defaults/header_checks
 create mode 100644 defaults/helo_access
 create mode 100644 defaults/recipient_canonical
 create mode 100644 defaults/sender_access
 create mode 100644 defaults/sender_canonical

diff --git a/.gitlab-docker-manifest.yml b/.gitlab-docker-manifest.yml
index 8b38379..1eddfc3 100644
--- a/.gitlab-docker-manifest.yml
+++ b/.gitlab-docker-manifest.yml
@@ -1,7 +1,7 @@
 x86_64:build-manifest:
   stage: build-manifest
   script:
-  - docker manifest create ${CI_REGISTRY_IMAGE}:${VERSION} ${CI_REGISTRY_IMAGE}:${VERSION}-x86_64 #${CI_REGISTRY_IMAGE}:${VERSION}-arm64 ${CI_REGISTRY_IMAGE}:${VERSION}armv7l
+  - docker manifest create ${CI_REGISTRY_IMAGE}:${VERSION} ${CI_REGISTRY_IMAGE}:${VERSION}-x86_64 #${CI_REGISTRY_IMAGE}:${VERSION}-arm64 ${CI_REGISTRY_IMAGE}:${VERSION}-armv7l
   - docker manifest push --purge ${CI_REGISTRY_IMAGE}:${VERSION}
   tags:
   - docker
diff --git a/defaults/60-spamhaus.cf b/defaults/60-spamhaus.cf
new file mode 100644
index 0000000..897ac87
--- /dev/null
+++ b/defaults/60-spamhaus.cf
@@ -0,0 +1,10 @@
+#smtpd_recipient_restrictions =
+#  reject_rhsbl_sender         @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
+#  reject_rhsbl_helo           @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
+#  reject_rhsbl_reverse_client @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
+#  reject_rhsbl_sender         @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
+#  reject_rhsbl_helo           @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
+#  reject_rhsbl_reverse_client @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
+#  reject_rbl_client           @SPAMHAUS_DQS_KEY@.zen.dq.spamhaus.net=127.0.0.[2..255]
+
+rbl_reply_maps = lmdb:/etc/postfix/custom/dnsbl-reply-map
diff --git a/defaults/dnsbl-reply-map b/defaults/dnsbl-reply-map
new file mode 100644
index 0000000..46a77f8
--- /dev/null
+++ b/defaults/dnsbl-reply-map
@@ -0,0 +1,7 @@
+@SPAMHAUS_DQS_KEY@.sbl.dq.spamhaus.net=127.0.0.[2..255]      $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using sbl.spamhaus.org${rbl_reason?; $rbl_reason}
+@SPAMHAUS_DQS_KEY@.xbl.dq.spamhaus.net=127.0.0.[2..255]      $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using xbl.spamhaus.org${rbl_reason?; $rbl_reason}
+@SPAMHAUS_DQS_KEY@.pbl.dq.spamhaus.net=127.0.0.[2..255]      $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using pbl.spamhaus.org${rbl_reason?; $rbl_reason}
+@SPAMHAUS_DQS_KEY@.sbl-xbl.dq.spamhaus.net=127.0.0.[2..255]  $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using sbl-xbl.spamhaus.org${rbl_reason?; $rbl_reason}
+@SPAMHAUS_DQS_KEY@.zen.dq.spamhaus.net=127.0.0.[2..255]      $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using zen.spamhaus.org${rbl_reason?; $rbl_reason}
+@SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99]       $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using dbl.spamhaus.org${rbl_reason?; $rbl_reason}
+@SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24]      $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using zrd.spamhaus.org${rbl_reason?; $rbl_reason}
diff --git a/defaults/header_checks b/defaults/header_checks
new file mode 100644
index 0000000..b0038b9
--- /dev/null
+++ b/defaults/header_checks
@@ -0,0 +1,554 @@
+# HEADER_CHECKS(5)                                              HEADER_CHECKS(5)
+# 
+# NAME
+#        header_checks - Postfix built-in content inspection
+# 
+# SYNOPSIS
+#        header_checks = pcre:/etc/postfix/header_checks
+#        mime_header_checks = pcre:/etc/postfix/mime_header_checks
+#        nested_header_checks = pcre:/etc/postfix/nested_header_checks
+#        body_checks = pcre:/etc/postfix/body_checks
+# 
+#        milter_header_checks = pcre:/etc/postfix/milter_header_checks
+# 
+#        smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
+#        smtp_mime_header_checks = pcre:/etc/postfix/smtp_mime_header_checks
+#        smtp_nested_header_checks = pcre:/etc/postfix/smtp_nested_header_checks
+#        smtp_body_checks = pcre:/etc/postfix/smtp_body_checks
+# 
+#        postmap -q "string" pcre:/etc/postfix/filename
+#        postmap -q - pcre:/etc/postfix/filename <inputfile
+# 
+# DESCRIPTION
+#        This  document  describes access control on the content of
+#        message headers and message body lines; it is  implemented
+#        by  the  Postfix  cleanup(8) server before mail is queued.
+#        See access(5) for access control  on  remote  SMTP  client
+#        information.
+# 
+#        Each  message  header  or  message  body  line is compared
+#        against a list of patterns.  When a  match  is  found  the
+#        corresponding action is executed, and the matching process
+#        is repeated for the next message header  or  message  body
+#        line.
+# 
+#        Note: message headers are examined one logical header at a
+#        time, even when a message  header  spans  multiple  lines.
+#        Body lines are always examined one line at a time.
+# 
+#        For  examples, see the EXAMPLES section at the end of this
+#        manual page.
+# 
+#        Postfix header or body_checks are designed to stop a flood
+#        of  mail from worms or viruses; they do not decode attach-
+#        ments, and they do not unzip archives. See  the  documents
+#        referenced  below  in the README FILES section if you need
+#        more sophisticated content analysis.
+# 
+# FILTERS WHILE RECEIVING MAIL
+#        Postfix implements the  following  four  built-in  content
+#        inspection classes while receiving mail:
+# 
+#        header_checks (default: empty)
+#               These   are  applied  to  initial  message  headers
+#               (except for the headers  that  are  processed  with
+#               mime_header_checks).
+# 
+#        mime_header_checks (default: $header_checks)
+#               These  are  applied to MIME related message headers
+#               only.
+# 
+#               This feature is available in Postfix 2.0 and later.
+# 
+#        nested_header_checks (default: $header_checks)
+#               These  are  applied  to message headers of attached
+#               email messages (except for  the  headers  that  are
+#               processed with mime_header_checks).
+# 
+#               This feature is available in Postfix 2.0 and later.
+# 
+#        body_checks
+#               These are applied to all other  content,  including
+#               multi-part message boundaries.
+# 
+#               With Postfix versions before 2.0, all content after
+#               the initial message headers is treated as body con-
+#               tent.
+# 
+# FILTERS AFTER RECEIVING MAIL
+#        Postfix  supports a subset of the built-in content inspec-
+#        tion classes after the message is received:
+# 
+#        milter_header_checks (default: empty)
+#               These are applied to headers that  are  added  with
+#               Milter applications.
+# 
+#               This feature is available in Postfix 2.7 and later.
+# 
+# FILTERS WHILE DELIVERING MAIL
+#        Postfix supports all four content inspection classes while
+#        delivering mail via SMTP.
+# 
+#        smtp_header_checks (default: empty)
+# 
+#        smtp_mime_header_checks (default: empty)
+# 
+#        smtp_nested_header_checks (default: empty)
+# 
+#        smtp_body_checks (default: empty)
+#               These  features  are  available  in Postfix 2.5 and
+#               later.
+# 
+# COMPATIBILITY
+#        With Postfix version 2.2 and earlier specify "postmap -fq"
+#        to query a table that contains case sensitive patterns. By
+#        default, regexp: and pcre: patterns are case  insensitive.
+# 
+# TABLE FORMAT
+#        This  document  assumes  that header and body_checks rules
+#        are specified in the form of  Postfix  regular  expression
+#        lookup  tables.  Usually  the best performance is obtained
+#        with pcre (Perl Compatible Regular Expression) tables. The
+#        regexp  (POSIX  regular  expressions)  tables  are usually
+#        slower, but more widely available.  Use the command "post-
+#        conf  -m" to find out what lookup table types your Postfix
+#        system supports.
+# 
+#        The general format of Postfix regular expression tables is
+#        given  below.   For  a  discussion  of specific pattern or
+#        flags  syntax,  see  pcre_table(5)   or   regexp_table(5),
+#        respectively.
+# 
+#        /pattern/flags action
+#               When  /pattern/  matches  the input string, execute
+#               the corresponding action. See below for a  list  of
+#               possible actions.
+# 
+#        !/pattern/flags action
+#               When  /pattern/  does  not  match the input string,
+#               execute the corresponding action.
+# 
+#        if /pattern/flags
+# 
+#        endif  If the input string matches /pattern/,  then  match
+#               that  input  string against the patterns between if
+#               and endif.  The if..endif can nest.
+# 
+#               Note: do not prepend whitespace to patterns  inside
+#               if..endif.
+# 
+#        if !/pattern/flags
+# 
+#        endif  If  the input string does not match /pattern/, then
+#               match  that  input  string  against  the   patterns
+#               between if and endif. The if..endif can nest.
+# 
+#        blank lines and comments
+#               Empty  lines and whitespace-only lines are ignored,
+#               as are lines whose first  non-whitespace  character
+#               is a `#'.
+# 
+#        multi-line text
+#               A  pattern/action  line  starts with non-whitespace
+#               text. A line that starts with whitespace  continues
+#               a logical line.
+# 
+# TABLE SEARCH ORDER
+#        For  each  line of message input, the patterns are applied
+#        in the order as specified in the table. When a pattern  is
+#        found  that  matches  the  input  line,  the corresponding
+#        action is  executed  and  then  the  next  input  line  is
+#        inspected.
+# 
+# TEXT SUBSTITUTION
+#        Substitution  of  substrings  from  the matched expression
+#        into the action string is possible using the  conventional
+#        Perl  syntax  ($1,  $2,  etc.).   The macros in the result
+#        string may need to be written as  ${n}  or  $(n)  if  they
+#        aren't followed by whitespace.
+# 
+#        Note:  since negated patterns (those preceded by !) return
+#        a result when the expression does not match, substitutions
+#        are not available for negated patterns.
+# 
+# ACTIONS
+#        Action names are case insensitive. They are shown in upper
+#        case for consistency with other Postfix documentation.
+# 
+#        BCC user@domain
+#               Add the specified address as a BCC  recipient,  and
+#               inspect  the next input line. The address must have
+#               a local part and domain part.  The  number  of  BCC
+#               addresses  that can be added is limited only by the
+#               amount of available storage space.
+# 
+#               Note 1: the BCC address is added as if it was spec-
+#               ified  with  NOTIFY=NONE.  The  sender  will not be
+#               notified when the BCC address is undeliverable,  as
+#               long  as  all  down-stream  software implements RFC
+#               3461.
+# 
+#               Note 2: this ignores duplicate addresses (with  the
+#               same delivery status notification options).
+# 
+#               This feature is available in Postfix 3.0 and later.
+# 
+#               This feature is not supported with smtp header/body
+#               checks.
+# 
+#        DISCARD optional text...
+#               Claim  successful delivery and silently discard the
+#               message.  Do not inspect the remainder of the input
+#               message.   Log the optional text if specified, oth-
+#               erwise log a generic message.
+# 
+#               Note:  this  action  disables  further  header   or
+#               body_checks  inspection  of the current message and
+#               affects all recipients.  To discard only one recip-
+#               ient without discarding the entire message, use the
+#               transport(5) table to direct mail to the discard(8)
+#               service.
+# 
+#               This feature is available in Postfix 2.0 and later.
+# 
+#               This feature is not supported with smtp header/body
+#               checks.
+# 
+#        DUNNO  Pretend  that the input line did not match any pat-
+#               tern, and inspect the next input line. This  action
+#               can be used to shorten the table search.
+# 
+#               For  backwards  compatibility reasons, Postfix also
+#               accepts OK but it is (and always has been)  treated
+#               as DUNNO.
+# 
+#               This feature is available in Postfix 2.1 and later.
+# 
+#        FILTER transport:destination
+#               Override the content_filter parameter setting,  and
+#               inspect  the next input line.  After the message is
+#               queued, send the entire message through the  speci-
+#               fied  external  content  filter. The transport name
+#               specifies the first field of a mail delivery  agent
+#               definition in master.cf; the syntax of the next-hop
+#               destination is described in the manual page of  the
+#               corresponding  delivery  agent.   More  information
+#               about external content filters is  in  the  Postfix
+#               FILTER_README file.
+# 
+#               Note  1: do not use $number regular expression sub-
+#               stitutions for transport or destination unless  you
+#               know that the information has a trusted origin.
+# 
+#               Note  2:  this  action  overrides  the main.cf con-
+#               tent_filter setting, and affects all recipients  of
+#               the  message.  In  the  case  that  multiple FILTER
+#               actions fire, only the last one is executed.
+# 
+#               Note 3: the purpose of the  FILTER  command  is  to
+#               override  message routing.  To override the recipi-
+#               ent's transport but not the  next-hop  destination,
+#               specify  an  empty  filter destination (Postfix 2.7
+#               and later), or specify a transport:destination that
+#               delivers   through  a  different  Postfix  instance
+#               (Postfix 2.6 and earlier). Other options are  using
+#               the  recipient-dependent transport_maps or the sen-
+#               der-dependent   sender_dependent_default_transport-
+#               _maps features.
+# 
+#               This feature is available in Postfix 2.0 and later.
+# 
+#               This feature is not supported with smtp header/body
+#               checks.
+# 
+#        HOLD optional text...
+#               Arrange  for  the  message to be placed on the hold
+#               queue, and inspect the next input line.   The  mes-
+#               sage  remains  on hold until someone either deletes
+#               it or releases it for delivery.  Log  the  optional
+#               text if specified, otherwise log a generic message.
+# 
+#               Mail that is placed on hold can  be  examined  with
+#               the  postcat(1)  command,  and  can be destroyed or
+#               released with the postsuper(1) command.
+# 
+#               Note: use "postsuper -r" to release mail  that  was
+#               kept  on  hold for a significant fraction of $maxi-
+#               mal_queue_lifetime  or  $bounce_queue_lifetime,  or
+#               longer.  Use "postsuper -H" only for mail that will
+#               not expire within a few delivery attempts.
+# 
+#               Note: this action affects  all  recipients  of  the
+#               message.
+# 
+#               This feature is available in Postfix 2.0 and later.
+# 
+#               This feature is not supported with smtp header/body
+#               checks.
+# 
+#        IGNORE Delete the current line from the input, and inspect
+#               the next input line. See STRIP for  an  alternative
+#               that logs the action.
+# 
+#        INFO optional text...
+#               Log an "info:" record with the optional text... (or
+#               log a generic text), and  inspect  the  next  input
+#               line.  This action is useful for routine logging or
+#               for debugging.
+# 
+#               This feature is available in Postfix 2.8 and later.
+# 
+#        PASS optional text...
+#               Log  a "pass:" record with the optional text... (or
+#               log a generic text), and turn off header, body, and
+#               Milter  inspection  for  the remainder of this mes-
+#               sage.
+# 
+#               Note: this feature relies on trust  in  information
+#               that is easy to forge.
+# 
+#               This feature is available in Postfix 3.2 and later.
+# 
+#               This feature is not supported with smtp header/body
+#               checks.
+# 
+#        PREPEND text...
+#               Prepend  one  line  with  the  specified  text, and
+#               inspect the next input line.
+# 
+#               Notes:
+# 
+#               o      The prepended text is output on  a  separate
+#                      line,  immediately  before  the  input  that
+#                      triggered the PREPEND action.
+# 
+#               o      The prepended text is not considered part of
+#                      the  input  stream:  it  is  not  subject to
+#                      header/body checks or address rewriting, and
+#                      it does not affect the way that Postfix adds
+#                      missing message headers.
+# 
+#               o      When prepending text before a message header
+#                      line,  the  prepended text must begin with a
+#                      valid message header label.
+# 
+#               o      This  action  cannot  be  used  to   prepend
+#                      multi-line text.
+# 
+#               This feature is available in Postfix 2.1 and later.
+# 
+#               This   feature   is   not   supported   with   mil-
+#               ter_header_checks.
+# 
+#        REDIRECT user@domain
+#               Write  a  message  redirection request to the queue
+#               file, and inspect the next input  line.  After  the
+#               message is queued, it will be sent to the specified
+#               address instead of the intended recipient(s).
+# 
+#               Note: this action overrides the FILTER action,  and
+#               affects  all recipients of the message. If multiple
+#               REDIRECT actions fire, only the last  one  is  exe-
+#               cuted.
+# 
+#               This feature is available in Postfix 2.1 and later.
+# 
+#               This feature is not supported with smtp header/body
+#               checks.
+# 
+#        REPLACE text...
+#               Replace  the  current line with the specified text,
+#               and inspect the next input line.
+# 
+#               This feature is available in Postfix 2.2 and later.
+#               The  description below applies to Postfix 2.2.2 and
+#               later.
+# 
+#               Notes:
+# 
+#               o      When replacing a message  header  line,  the
+#                      replacement  text  must  begin  with a valid
+#                      header label.
+# 
+#               o      The replaced text remains part of the  input
+#                      stream.  Unlike  the result from the PREPEND
+#                      action, a replaced  message  header  may  be
+#                      subject  to address rewriting and may affect
+#                      the way that Postfix  adds  missing  message
+#                      headers.
+# 
+#        REJECT optional text...
+#               Reject  the  entire  message.  Do  not  inspect the
+#               remainder  of  the  input  message.    Reply   with
+#               optional  text...  when the optional text is speci-
+#               fied, otherwise reply with a generic error message.
+# 
+#               Note:   this  action  disables  further  header  or
+#               body_checks inspection of the current  message  and
+#               affects all recipients.
+# 
+#               Postfix version 2.3 and later support enhanced sta-
+#               tus codes.  When no code is specified at the begin-
+#               ning of optional text..., Postfix inserts a default
+#               enhanced status code of "5.7.1".
+# 
+#               This feature is not supported with smtp header/body
+#               checks.
+# 
+#        STRIP optional text...
+#               Log a "strip:" record with the optional text... (or
+#               log a generic text), delete the input line from the
+#               input,  and inspect the next input line. See IGNORE
+#               for a silent alternative.
+# 
+#               This feature is available in Postfix 3.2 and later.
+# 
+#        WARN optional text...
+#               Log  a  "warning:" record with the optional text...
+#               (or log a generic text), and inspect the next input
+#               line.  This  action is useful for debugging and for
+#               testing a  pattern  before  applying  more  drastic
+#               actions.
+# 
+# BUGS
+#        Empty lines never match, because some map types mis-behave
+#        when given a zero-length search string.   This  limitation
+#        may  be  removed for regular expression tables in a future
+#        release.
+# 
+#        Many people overlook the main limitations  of  header  and
+#        body_checks rules.
+# 
+#        o      These  rules  operate on one logical message header
+#               or one body line at a time. A decision made for one
+#               line is not carried over to the next line.
+# 
+#        o      If  text  in the message body is encoded (RFC 2045)
+#               then the rules need to be specified for the encoded
+#               form.
+# 
+#        o      Likewise,  when  message  headers  are encoded (RFC
+#               2047) then the rules need to be specified  for  the
+#               encoded form.
+# 
+#        Message  headers added by the cleanup(8) daemon itself are
+#        excluded from inspection. Examples of such message headers
+#        are From:, To:, Message-ID:, Date:.
+# 
+#        Message  headers  deleted by the cleanup(8) daemon will be
+#        examined before they are deleted. Examples are: Bcc:, Con-
+#        tent-Length:, Return-Path:.
+# 
+# CONFIGURATION PARAMETERS
+#        body_checks
+#               Lookup tables with content filter rules for message
+#               body lines.  These filters see one physical line at
+#               a  time,  in  chunks  of at most $line_length_limit
+#               bytes.
+# 
+#        body_checks_size_limit
+#               The amount of  content  per  message  body  segment
+#               (attachment) that is subjected to $body_checks fil-
+#               tering.
+# 
+#        header_checks
+# 
+#        mime_header_checks (default: $header_checks)
+# 
+#        nested_header_checks (default: $header_checks)
+#               Lookup tables with content filter rules for message
+#               header  lines:  respectively,  these are applied to
+#               the initial message  headers  (not  including  MIME
+#               headers),  to the MIME headers anywhere in the mes-
+#               sage, and to the initial headers of  attached  mes-
+#               sages.
+# 
+#               Note:  these filters see one logical message header
+#               at a time, even when a message header spans  multi-
+#               ple  lines.  Message  headers  that are longer than
+#               $header_size_limit characters are truncated.
+# 
+#        disable_mime_input_processing
+#               While receiving mail, give no special treatment  to
+#               MIME  related  message  headers; all text after the
+#               initial message headers is considered to be part of
+#               the  message body. This means that header_checks is
+#               applied to all the  initial  message  headers,  and
+#               that body_checks is applied to the remainder of the
+#               message.
+# 
+#               Note: when used in this  manner,  body_checks  will
+#               process  a  multi-line message header one line at a
+#               time.
+# 
+# EXAMPLES
+#        Header pattern to block attachments  with  bad  file  name
+#        extensions.   For  convenience, the PCRE /x flag is speci-
+#        fied, so that there is no need  to  collapse  the  pattern
+#        into   a   single  line  of  text.   The  purpose  of  the
+#        [[:xdigit:]] sub-expressions is to recognize Windows CLSID
+#        strings.
+# 
+#        /etc/postfix/main.cf:
+#            header_checks = pcre:/etc/postfix/header_checks.pcre
+# 
+#        /etc/postfix/header_checks.pcre:
+#            /^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)(
+#              ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
+#              hlp|ht[at]|
+#              inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
+#              \{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
+#              ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
+#              vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
+#                REJECT Attachment name "$2" may not end with ".$4"
+# 
+#        Body pattern to stop a specific HTML browser vulnerability
+#        exploit.
+# 
+#        /etc/postfix/main.cf:
+#            body_checks = regexp:/etc/postfix/body_checks
+# 
+#        /etc/postfix/body_checks:
+#            /^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
+#                REJECT IFRAME vulnerability exploit
+# 
+# SEE ALSO
+#        cleanup(8), canonicalize and enqueue Postfix message
+#        pcre_table(5), format of PCRE lookup tables
+#        regexp_table(5), format of POSIX regular expression tables
+#        postconf(1), Postfix configuration utility
+#        postmap(1), Postfix lookup table management
+#        postsuper(1), Postfix janitor
+#        postcat(1), show Postfix queue file contents
+#        RFC 2045, base64 and quoted-printable encoding rules
+#        RFC 2047, message header encoding for non-ASCII text
+# 
+# README FILES
+#        Use "postconf readme_directory" or  "postconf  html_direc-
+#        tory" to locate this information.
+#        DATABASE_README, Postfix lookup table overview
+#        CONTENT_INSPECTION_README, Postfix content inspection overview
+#        BUILTIN_FILTER_README, Postfix built-in content inspection
+#        BACKSCATTER_README, blocking returned forged mail
+# 
+# LICENSE
+#        The  Secure  Mailer  license must be distributed with this
+#        software.
+# 
+# AUTHOR(S)
+#        Wietse Venema
+#        IBM T.J. Watson Research
+#        P.O. Box 704
+#        Yorktown Heights, NY 10598, USA
+# 
+#        Wietse Venema
+#        Google, Inc.
+#        111 8th Avenue
+#        New York, NY 10011, USA
+# 
+#                                                               HEADER_CHECKS(5)
+/^Received:\ from\ localhost\ \(localhost\ \[127.0.0.1\]\)/ IGNORE
+/^Received:\ from\ efa-1-1.dege.au\ \(localhost\ \[127.0.0.1/ IGNORE
+/^Received:\ from\ efa-1-1.dege.au\ \(localhost\ \[::1/ IGNORE
+/^Received:\ from\ ov-3-1.graytech.net.au\ \(localhost\ \[127.0.0.1/ IGNORE
+/^Received:\ from\ ov-3-1.graytech.net.au\ \(localhost\ \[::1/ IGNORE
diff --git a/defaults/helo_access b/defaults/helo_access
new file mode 100644
index 0000000..e69de29
diff --git a/defaults/recipient_canonical b/defaults/recipient_canonical
new file mode 100644
index 0000000..e69de29
diff --git a/defaults/sender_access b/defaults/sender_access
new file mode 100644
index 0000000..e69de29
diff --git a/defaults/sender_canonical b/defaults/sender_canonical
new file mode 100644
index 0000000..e69de29
diff --git a/include/01-custom.cf b/include/01-custom.cf
index 1808169..d24ed51 100644
--- a/include/01-custom.cf
+++ b/include/01-custom.cf
@@ -2,3 +2,29 @@ message_size_limit = 25600000
 queue_minfree = 51200000
 smtpd_helo_required = yes
 recipient_delimiter = +
+disable_vrfy_command = yes
+header_checks = regexp:/etc/postfix/custom/header_checks
+#inet_protocols = ipv4, ipv6
+local_recipient_maps =
+mailbox_size_limit = 133169152
+qmqpd_authorized_clients = 127.0.0.1 [::1]
+recipient_canonical_maps = lmdb:/etc/postfix/custom/recipient_canonical
+sender_canonical_maps = lmdb:/etc/postfix/custom/sender_canonical
+smtp_tls_session_cache_database = lmdb:/var/lib/postfix/smtp_tls_session_cache
+smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_rbl_client 7dizji4jgexx4lzr4bp5urjmgq.sbl.dq.spamhaus.net
+smtpd_data_restrictions = reject_unauth_pipelining
+smtpd_helo_restrictions = check_helo_access lmdb:/etc/postfix/custom/helo_access, reject_invalid_hostname
+smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access lmdb:/etc/postfix/custom/recipient_access,
+#reject_rhsbl_sender         @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
+#reject_rhsbl_helo           @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
+#reject_rhsbl_reverse_client @SPAMHAUS_DQS_KEY@.dbl.dq.spamhaus.net=127.0.1.[2..99],
+#reject_rhsbl_sender         @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
+#reject_rhsbl_helo           @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
+#reject_rhsbl_reverse_client @SPAMHAUS_DQS_KEY@.zrd.dq.spamhaus.net=127.0.2.[2..24],
+#reject_rbl_client           @SPAMHAUS_DQS_KEY@.zen.dq.spamhaus.net=127.0.0.[2..255],
+  reject_unverified_recipient
+rbl_reply_maps = lmdb:/etc/postfix/custom/dnsbl-reply-map
+smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access lmdb:/etc/postfix/custom/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain
+smtpd_use_tls = yes
+unverified_recipient_reject_code = 450
+unverified_recipient_reject_reason = No user at this address
diff --git a/include/20-sasl.cf b/include/20-sasl.cf
index bc70e15..5d24d05 100644
--- a/include/20-sasl.cf
+++ b/include/20-sasl.cf
@@ -1,4 +1,4 @@
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = lmdb:/etc/postfix/custom/sasl_passwd
-smtp_sasl_security_options =
+smtp_sasl_security_options = noplaintext, noanonymous
 smtpd_sasl_auth_enable = yes
diff --git a/include/50-milters.cf b/include/50-milters.cf
index 5fcdc96..39312f1 100644
--- a/include/50-milters.cf
+++ b/include/50-milters.cf
@@ -1,6 +1,6 @@
 # Milter configuration - opendkim
 # If the OpenDKIM milter isn't available, accept the message anyway.
-milter_default_action = accept
+milter_default_action = tempfail
 # What milter communication protocol should be used to pass messages
 # to and from OpenDKIM?
 milter_protocol = 6
diff --git a/init b/init
index ed2dcbc..d777c5e 100755
--- a/init
+++ b/init
@@ -28,6 +28,18 @@ if [ -z "$@" ]; then
 	/usr/sbin/saslauthd -m /run/saslauthd -ca shadow
 	/usr/sbin/opendkim -u opendkim -P /run/opendkim/opendkim.pid
 
+	if [ -n "${SPAMHAUS_DQS_KEY}" ]; then
+		sed -i -e "s/@SPAMHAUS_DQS_KEY@/${SPAMHAUS_DQS_KEY}/g" ${DEFAULTS}/dnsbl-reply-map ${INCLUDE_DIR}/01-custom.cf
+		sed -i -e "s/^#reject/  reject/" ${INCLUDE_DIR}/01-custom.cf
+
+		if [ ! -f ${CUSTOM}/dnsbl-reply-map ]; then
+			cp ${DEFAULTS}/dnsbl-reply-map ${CUSTOM}/
+			postmap -o lmdb:${CUSTOM}/dnsbl-reply-map
+		fi
+
+		cp ${DEFAULTS}/60-spamhaus.cf ${INCLUDE_DIR}/
+	fi
+
 	# Setup our postfix environment
 	if [ -d ${INCLUDE_DIR} ]; then
 		if  ls -1 ${INCLUDE_DIR}/*.cf >/dev/null 2>&1; then
@@ -83,6 +95,13 @@ if [ -z "$@" ]; then
 		fi
 	fi
 
+	[ ! -f ${CUSTOM}/header_checks ] && cp ${DEFAULTS}/header_checks ${CUSTOM}/ && postmap -o lmdb:${CUSTOM}/header_checks
+	[ ! -f ${CUSTOM}/helo_access ] && cp ${DEFAULTS}/helo_access ${CUSTOM}/ && postmap -o lmdb:${CUSTOM}/helo_access
+	[ ! -f ${CUSTOM}/recipient_access ] && cp ${DEFAULTS}/recipient_access ${CUSTOM}/ && postmap -o lmdb:${CUSTOM}/recipient_access
+	[ ! -f ${CUSTOM}/recipient_canonical ] && cp ${DEFAULTS}/recipient_canonical ${CUSTOM}/ && postmap -o lmdb:${CUSTOM}/recipient_canonical
+	[ ! -f ${CUSTOM}/sender_access ] && cp ${DEFAULTS}/sender_access ${CUSTOM}/ && postmap -o lmdb:${CUSTOM}/sender_access
+	[ ! -f ${CUSTOM}/sender_canonical ] && cp ${DEFAULTS}/sender_canonical ${CUSTOM}/ && postmap -o lmdb:${CUSTOM}/sender_canonical
+
 	newaliases
 	postfix start