Mailinglist Archive: opensuse (2912 mails)

SPF plugin for postfix
  • From: "Guillermo Ballester Valor" <gbv@xxxxxxxxxxxx>
  • Date: Fri, 25 Feb 2005 10:59:58 +0100 (CET)
  • Message-id: <40879.195.53.225.136.1109325598.squirrel@xxxxxxxxxxxxxxxx>
Hello,

Tired of my domain being spoofed by spammers, zombies and so on, I worked a
bit to try to reduce this problem.

IMHO the proper answer is, among others, SPF. To read more, you can visit
Meng Wong's site

http://spf.pobox.com

On this site you can find a wizard that helps you to create a TXT record
you should put in your domain's DNS server. An SPF record is a plain DNS TXT
record, with an easy special format.

So, I created an SPF record for my site in my DNS server (after changing
this server because my registrar didn't allow setting TXT records in its DNS
server). Once that is done, any mail server which receives a mail FROM
anyone@my_domain can check whether this mail is actually from my domain or
it is lying.

And now we arrive at the subject of the mail. The mail server (MTA) has to
implement the SPF controls to take any advantage of this. The SPF developer
(Meng Weng Wong) has made a Perl module to make this functionality
easy. Wietse Venema, the creator of postfix, recommends implementing this
functionality by means of policy access daemons, better than patching the
postfix code itself. Meng also wrote the policy daemon for postfix.

I packaged the needed perl modules and the policy daemon in several rpms.
The SPF policy daemon is working great in my server without problems and
stopping many spoofed mails :-).

The postfix plugin package is named 'postfix-policyd-SPF'. It needs at
least the package 'perl-Mail-SPF-Query', which I also built, to be
installed. Some other perl modules may be needed; I built the ones that are
not in the SuSE distribution or are outdated. I did it for SuSE 8.2, 9.0
and 9.2. I do not have any 9.1 development system available, sorry.

Once installed, to make the SPF policy work, you only need to include
three lines in the postfix configuration files and reload, as explained
below in the file README_SPF.SUSE I wrote for the package.

You can download them from:

ftp://ftp.gwdg.de/pub/linux/misc/suser-gbv/rpms

Apt users can get it from the suser-gbv component.

Remember I built the packages with the aim of helping, I'm not from SuSE, no
guarantees :-).

And this is the readme file

-----
This documentation assumes you have read Postfix's
README_FILES/SMTPD_POLICY_README file

To run this from postfix, add the lines:

policy unix - n n - - spawn
  user=nobody argv=/usr/bin/perl /usr/lib/postfix/smtpd-policy-spf.pl

in file '/etc/postfix/master.cf' (the second line must start with
whitespace, since it continues the first). You also have to add the
'check_policy_service unix:private/policy' restriction in file
'/etc/postfix/main.cf'. Typically you should add it to the
'smtpd_recipient_restrictions' list, as in the following lines:

smtpd_recipient_restrictions =
  ...
  reject_unknown_sender_domain
  reject_unauth_destination
  check_policy_service unix:private/policy
  ...

NOTE: specify check_policy_service AFTER reject_unauth_destination
or else your system can become an open relay.

Once you've modified the files, you can reload the new configuration
with

rcpostfix reload

if you already had your postfix running.
-----

Guillermo.

--
Guillermo Ballester Valor (gbv)
Ogijares, Granada  SPAIN
http://www.oxixares.com/~gbv/
Linux user #117181. See http://counter.li.org/
Public GPG KEY http://www.oxixares.com/~gbv/pubgpg.html
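
Added example (not part of the original message or of the postfix-policyd-SPF package): a Python check for the ordering rule in the README's NOTE, reporting any check_policy_service entry that is evaluated before reject_unauth_destination. The function names and both sample configurations are constructed for illustration, and only smtpd_recipient_restrictions is examined, so a configuration without reject_unauth_destination in that list is reported as misplaced.

```python
import re

def logical_lines(text):
    """Join main.cf continuation lines (leading whitespace) into logical lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored, even inside a value
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def restrictions(text, name="smtpd_recipient_restrictions"):
    """Return the tokens of the last definition of `name` ([] if it is unset)."""
    tokens = []
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == name:
            tokens = [t for t in re.split(r"[,\s]+", value) if t]
    return tokens

def misplaced_policy_checks(text):
    """List policy services evaluated before reject_unauth_destination."""
    toks = restrictions(text)
    guard_name = "reject_unauth_destination"
    guard = toks.index(guard_name) if guard_name in toks else len(toks)
    return [toks[i + 1] for i, t in enumerate(toks[:-1])
            if t == "check_policy_service" and i < guard]

# Constructed sample: the ordering recommended in the README.
GOOD = """\
smtpd_recipient_restrictions =
    reject_unknown_sender_domain
    reject_unauth_destination
    check_policy_service unix:private/policy
"""

# Constructed sample: policy service consulted before the relay check.
BAD = """\
smtpd_recipient_restrictions =
    check_policy_service unix:private/policy,
    # relay check comes too late
    reject_unauth_destination
"""

if __name__ == "__main__":
    for label, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, misplaced_policy_checks(conf))
```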


