From ecbb0d71084001e303b0ac48e0cf20f6a090c40d Mon Sep 17 00:00:00 2001
From: Michael Kroes
Date: Wed, 16 Mar 2016 18:52:00 +0100
Subject: [PATCH] Apply SPF policy checks to incoming email

---
 setup/mail-postfix.sh | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index a3b87a98..b3555509 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -41,6 +41,8 @@ source /etc/mailinabox.conf # load global vars
 # always will.
 # * `ca-certificates`: A trust store used to squelch postfix warnings about
 # untrusted opportunistically-encrypted connections.
+# * `postfix-policyd-spf-python`: A SPF policy checker for postfix, checks DNS
+# spf records from the sender to check if they are allowed to send email for the domain.
 #
 # postgrey is going to come in via the Mail-in-a-Box PPA, which publishes
 # a modified version of postgrey that lets senders whitelisted by dnswl.org
@@ -50,7 +52,7 @@ source /etc/mailinabox.conf # load global vars
 # > anti-spam solutions) must register with dnswl.org and purchase a subscription.
 
 echo "Installing Postfix (SMTP server)..."
-apt_install postfix postfix-pcre postgrey ca-certificates
+apt_install postfix postfix-pcre postgrey ca-certificates postfix-policyd-spf-python
 
 # ### Basic Settings
 
@@ -184,7 +186,8 @@ tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:[127.0.0.1]:10025
 # * `permit_mynetworks`: Mail that originates locally can skip further checks.
 # * `reject_rbl_client`: Reject connections from IP addresses blacklisted in zen.spamhaus.org
 # * `reject_unlisted_recipient`: Although Postfix will reject mail to unknown recipients, it's nicer to reject such mail ahead of greylisting rather than after.
-# * `check_policy_service`: Apply greylisting using postgrey.
+# * `check_policy_service inet:127.0.0.1:10023`: Apply greylisting using postgrey.
+# * `check_policy_service unix:private/policy-spf`: Apply SPF record verification using policy-spf.
 #
 # Notes: #NODOC
 # permit_dnswl_client can pass through mail from whitelisted IP addresses, which would be good to put before greylisting #NODOC
@@ -193,7 +196,7 @@ tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:[127.0.0.1]:10025
 # "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC
 tools/editconf.py /etc/postfix/main.cf \
 	smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \
-	smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,"reject_rbl_client zen.spamhaus.org",reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023"
+	smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,"reject_rbl_client zen.spamhaus.org",reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023","check_policy_service unix:private/policy-spf"
 
 # Postfix connects to Postgrey on the 127.0.0.1 interface specifically. Ensure that
 # Postgrey listens on the same interface (and not IPv6, for instance).
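Review bot: The new `"check_policy_service unix:private/policy-spf"` entry in smtpd_recipient_restrictions is placed after the postgrey entry, so a client that fails SPF is first answered with postgrey's 450 retry code and is only rejected by SPF when it comes back, which delays the reject and makes postgrey track state for mail that will never be accepted. Swapping the two entries so the list ends `...,reject_unlisted_recipient,"check_policy_service unix:private/policy-spf","check_policy_service inet:127.0.0.1:10023"` rejects forged senders on first contact; the comment list in the earlier hunk should then follow the same order. Since the check sits after `permit_sasl_authenticated` and `permit_mynetworks`, authenticated and local senders are not SPF-checked, which is the intended behaviour and worth stating in the comment. Whether an SPF failure results in a reject or only a header is decided by the policy daemon's own configuration, which this commit does not touch, so the "Apply SPF record verification" comment should say that the reject behaviour is the daemon's default.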
@@ -210,6 +213,19 @@ tools/editconf.py /etc/default/postgrey \
 tools/editconf.py /etc/postfix/main.cf \
 	message_size_limit=134217728
 
+# Configure the SPF policy checking for incoming email
+#
+# Policy SPF will check the if the sender has configured an SPF record on the domain.
+# This record contains the address of the smtp server(s) that is allowd to send email
+# on behalf of this domain. If that doesn't match with the server sending us email,
+# the message will be rejected
+tools/editconf.py /etc/postfix/main.cf \
+	policy-spf_time_limit=3600s \
+
+tools/editconf.py /etc/postfix/master.cf \
+	"policy-spf unix - n n - - spawn
+	user=nobody argv=/usr/bin/policyd-spf"
+
 # Allow the two SMTP ports in the firewall.
 
 ufw_allow smtp
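Review bot: The line `policy-spf_time_limit=3600s \` ends with a continuation backslash although it is the last argument of that editconf.py call; the command only terminates because the following line is empty, and if that blank line is ever removed the whole master.cf call becomes extra arguments to the main.cf edit. Drop the trailing backslash so the line reads `policy-spf_time_limit=3600s`. The master.cf entry is passed to editconf.py as `"policy-spf unix - n n - - spawn ..."` without the `NAME=VALUE` form every other editconf.py call in this file uses, and master.cf is not a key=value file, so verify that editconf.py actually writes this service entry; if it does not, the `unix:private/policy-spf` socket referenced from smtpd_recipient_restrictions will not exist and Postfix will defer mail rather than check SPF. The comment also has typos, "check the if" and "allowd", and its claim that the message "will be rejected" depends on the policy daemon's own configuration, so it should be phrased as "is rejected on a hard SPF failure by the daemon's default policy".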