.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.TH HAPOLICY 1 "2023-01-23" "perl v5.36.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
hapolicy \- policy delegation high availability script
.SH "SYNOPSIS"
\&\fBhapolicy\fR [\s-1OPTIONS\s0] \-\-service=SERVICE1 [\-\-service=SERVICE2 ...]
.PP
.nf
\& Services:
\&   \-s, \-\-service <name>=<ip>:<port>[:<prio>:<weight>:<timeout>]
\&
\& Options:
\&   \-d, \-\-default <action>   returns <action> if no service was available (default: \(aqdunno\(aq)
\&   \-l, \-\-logging            log requests
\&   \-v, \-\-verbose            increase logging verbosity
\&   \-L, \-\-stdout             log to stdout, for debugging, do NOT use with postfix
.fi
.SH "DESCRIPTION"
.SS "\s-1INTRODUCTION\s0"
\&\fBhapolicy\fR enables high availability, weighted load balancing and a fallback
action for Postfix policy delegation services. Invoked via Postfix spawn, it acts
as a wrapper that queries other policy servers over TCP connections. The order of
the service queries can be influenced by assigning a specific priority and weight
to each service. A service is considered \(aqfailing\(aq if the connection is refused
or the specified service timeout is reached. If all of the configured policy
services are failing, \fBhapolicy\fR returns a default action (e.g. dunno) to Postfix.
.PP
As of version 1.00, \fBhapolicy\fR has fewer than 200 lines of Perl code and uses only
standard Perl modules. It requires neither disk access nor configuration files
and runs under an unprivileged user account. This should allow fast and reliable
operation.
.SS "\s-1CONFIGURATION\s0"
A service has the following attributes:
.PP
.nf
\&    "servicename" => {
\&        ip      => \(aq127.0.0.1\(aq,   # ip address
\&        port    => \(aq10040\(aq,       # tcp port
\&        prio    => \(aq10\(aq,          # optional, lower wins
\&        weight  => \(aq1\(aq,           # optional, for items with same prio (weighted round\-robin), higher is better
\&        timeout => \(aq30\(aq,          # optional, query timeout in seconds
\&    },
.fi
.PP
You may define multiple services at the command line.
This means that
.PP
.nf
\&    hapolicy \-s "grey1=10.0.0.1:10031:10" \-s "grey2=10.0.0.2:10031:20"
.fi
.PP
will always try service \fIgrey1\fR at ip 10.0.0.1 port 10031 first. If that service
is not available or does not answer within the default of 30 seconds, the next
service \fIgrey2\fR at ip 10.0.0.2 port 10031 will be queried.
.PP
If you want to load balance connections you may define
.PP
.nf
\&    hapolicy \-s "polw1=10.0.0.1:12525:10:2" \-s "polw2=10.0.0.2:12525:10:1"
.fi
.PP
which queries service \fIpolw1\fR at ip 10.0.0.1 twice as often as service \fIpolw2\fR
at ip 10.0.0.2. Note that this setup also ensures high availability for both
services. If \fIpolw1\fR is not available or does not answer within the default of
30 seconds, \fIpolw2\fR will be queried, and vice versa. There is no reason to define
a service twice.
.SS "\s-1INTEGRATION\s0"
Enter the following at the bottom of your Postfix master.cf (usually located
at /etc/postfix):
.PP
.nf
\&    # service description, note the leading blanks at the second line
\&    127.0.0.1:10060 inet n n n \- 0 spawn
\&      user=nobody argv=/usr/local/bin/hapolicy \-l \-s GREY1=10.0.0.1:10031:10 \-s GREY2=10.0.0.2:10031:10
.fi
.PP
Save the file and open the Postfix main.cf. Modify it as follows:
.PP
.nf
\&    127.0.0.1:10060_time_limit = 3600
\&
\&    smtpd_recipient_restrictions =
\&        permit_mynetworks,
\&        ... other authed permits ...
\&        reject_unauth_destination,
\&        ... other restrictions ...
\&        # hapolicy query (main.cf comments must be on their own line)
\&        check_policy_service inet:127.0.0.1:10060
.fi
.PP
Now issue \(aqpostfix reload\(aq at the command line. Of course you can have more
enhanced setups using Postfix restriction classes. Please see "\s-1LINKS\s0" for
further options.
.SH "LINKS"
[1] Postfix \s-1SMTP\s0 Access Policy Delegation
.PP
[2] Postfix Per\-Client/User/etc. Access Control
.SH "LICENSE"
hapolicy is free software and released under the \s-1BSD\s0 license, which basically
means that you can do what you want as long as you keep the copyright notice:
.PP
Copyright (c) 2008, Jan Peter Kessler
All rights reserved.
.PP
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
.PP
.nf
\&    * Redistributions of source code must retain the above copyright
\&      notice, this list of conditions and the following disclaimer.
\&    * Redistributions in binary form must reproduce the above copyright
\&      notice, this list of conditions and the following disclaimer in
\&      the documentation and/or other materials provided with the
\&      distribution.
\&    * Neither the name of the authors nor the names of his contributors
\&      may be used to endorse or promote products derived from this
\&      software without specific prior written permission.
.fi
.PP
\&\s-1THIS SOFTWARE IS PROVIDED BY ME\s0 ``\s-1AS IS\s0'' \s-1AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES\s0 (\s-1INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES\s0; \s-1LOSS OF USE, DATA, OR PROFITS\s0; \s-1OR BUSINESS INTERRUPTION\s0) \s-1HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\s0 (\s-1INCLUDING NEGLIGENCE OR OTHERWISE\s0)
\&\s-1ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\s0
.SH "AUTHOR"
Jan\ Peter\ Kessler. Let me know if you have any suggestions.
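.SH "EXAMPLE"
The query order and fallback described under CONFIGURATION, modelled in Python as an added example (it is not hapolicy's own Perl code): lower prio is queried first, equal prio is ordered by weight, and the default action is returned when every service fails.
Assumptions: the function names are hypothetical, prio 10 and weight 1 are assumed defaults, and a weighted random draw stands in for the script's weighted round\-robin.

```python
import random
import socket

# Constructed sample request in Postfix policy delegation format; a blank line ends it.
SAMPLE_REQUEST = b"request=smtpd_access_policy\nprotocol_state=RCPT\nrecipient=b@example.net\n\n"

def parse_service(spec):
    """Parse name=ip:port[:prio:weight:timeout] (IPv4 only in this sketch)."""
    name, _, rest = spec.partition("=")
    f = rest.split(":")
    if not name or not 2 <= len(f) <= 5:
        raise ValueError(f"bad service spec: {spec!r}")
    opt = f[2:] + [""] * (5 - len(f))
    svc = {"name": name, "ip": f[0], "port": int(f[1]),
           "prio": int(opt[0] or 10),      # assumed default
           "weight": int(opt[1] or 1),     # assumed default
           "timeout": int(opt[2] or 30)}   # 30 s default is stated on the page
    if svc["weight"] < 1:
        raise ValueError("weight must be >= 1")
    return svc

def query_order(services, rng=random):
    """Lower prio first; equal prio is ordered by weighted draw without replacement."""
    order = []
    for prio in sorted({s["prio"] for s in services}):
        pool = [s for s in services if s["prio"] == prio]
        while pool:
            pick = rng.choices(pool, weights=[s["weight"] for s in pool])[0]
            pool.remove(pick)
            order.append(pick)
    return order

def ask_tcp(svc, request):
    """Return the service's action, or None if it is failing (refused or timed out)."""
    try:
        with socket.create_connection((svc["ip"], svc["port"]), svc["timeout"]) as conn:
            conn.sendall(request)
            line = conn.makefile("rb").readline().decode("ascii", "replace").strip()
    except OSError:
        return None
    return line[len("action="):] if line.startswith("action=") else None

def decide(services, request, default="dunno", ask=ask_tcp, rng=random):
    """Query services in order; return (action, answering service name or None)."""
    for svc in query_order(services, rng):
        action = ask(svc, request)
        if action is not None:
            return action, svc["name"]
    return default, None  # every service failed: the fallback is what Postfix sees
```

When decide() falls through to the default, Postfix receives an ordinary policy reply and cannot tell an outage from a real answer; with dunno it simply continues with its next restriction.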