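Fighting spam: adding SPF filtering to Sendmail and Postfix
Lately there has been more and more spam that appears to be "sent from yourself to yourself". SPF (Sender Policy Framework) is one of the effective ways to counter it.
What is SPF?
Environment: CentOS 5 with RPMforge repos
On the DNS server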
vi /var/named/chroot/var/named/your.domain.zone.file
@ IN TXT "v=spf1 ip4:your_public_ip_of_mail_server -all"
# The string inside the double quotes above can also be generated with the SPF Setup Wizard
/etc/init.d/named restart
On the mail server: using SPF with Sendmail
yum install perl-Sendmail-Milter (from rpmforge repos)
wget http://www.openspf.org/blobs/sendmail-spf-milter-1.42.1.tar.gz (download page)
tar zxf sendmail-spf-milter-*.tar.gz
cd sendmail-spf-milter-*
cp sendmail-spf-milter /usr/local/sbin
cd /etc/mail
vi sendmail.mc
# Find: define(`confAUTH_OPTIONS', `A')dnl
# Add these three lines below it:
define(`confMILTER_LOG_LEVEL', `9')dnl
define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO`, {verify}')dnl
INPUT_MAIL_FILTER(`spf-milter', `S=local:/var/spf-milter/spf-milter.sock, F=T, T=C:4m;S:4m;R:8m;E:10m')dnl
m4 sendmail.mc > sendmail.cf
vi /etc/init.d/MailScanner
# Find: $SENDMAIL -bd -OPrivacyOptions=noetrn
# Add this on the line above it:
/usr/bin/perl /usr/local/sbin/sendmail-spf-milter mail
# Find: kill `head -1 /var/run/sm-client.pid` 2>/dev/null
# Add this on the line below it:
[ -r /var/spf-milter/spf-milter.pid ] && kill `head -1 /var/spf-milter/spf-milter.pid` 2>/dev/null
/etc/init.d/MailScanner restart
Rejecting mail marked SPF: softfail
vi /etc/procmailrc
:0
* ^Received-SPF: softfail
/dev/null
On the mail server: using SPF with Postfix
yum install perl-Mail-SPF (from rpmforge repos)
or
perl -MCPAN -e shell ( or cpan )
cpan> install Mail::SPF
wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz (Download Page)
tar zxf postfix-policyd-spf-perl-*.tar.gz
cd postfix-policyd-spf-perl-*
cp postfix-policyd-spf-perl /usr/libexec/postfix/policyd-spf-perl
vi /etc/postfix/master.cf
# Add the following (the second line must start with whitespace before "user")
spfpolicy unix - n n - - spawn
  user=nobody argv=/usr/bin/perl /usr/libexec/postfix/policyd-spf-perl
vi /etc/postfix/main.cf
# Add the following
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  check_policy_service unix:private/spfpolicy
/etc/init.d/postfix restart
Rejecting mail marked SPF: softfail
vi main.cf
mailbox_command = /usr/bin/procmail
vi /etc/procmailrc
:0
* ^Received-SPF: softfail
/dev/null
Testing
From an IP other than the ip4:xx.xx.xx.xx set in the DNS v=spf1 record, connect to the mail server with telnet to test
telnet your.mail.server 25
ehlo whatever.com
mail from: your_account@your.mail.server
550 5.7.1 your_account@your.mail.server... Please see http://www.openspf.org/why.html?sender=your_account@your.mail.server&ip=xx.xx.xx.xx&receiver=your.mail.server
P.S. If the DNS TXT record is set to "v=spf1 ... ~all", the mail server accepts the mail from: xxx@your.mail.server command, but the header of that e-mail is marked "softfail".
--- Addendum: more SPF milters can be found in the city-fan.org mail software repository (ref: http://www.libspf2.org/download.html -- Distribution packages). On Fedora 9 - x86_64, Sendmail with smf-spf performs well :)