Hello,

Tired of my domain being spoofed by spammers, zombies and so on, I worked a bit to try to reduce this problem. IMHO the proper answer is, among others, SPF. To read more, you can visit Meng Wong's site http://spf.pobox.com In this site you can find a wizard that helps you to create a TXT record you should put in your domain's DNS server. An SPF record is a plain DNS TXT record, with an easy special format.

So, I created an SPF record for my site in my DNS server (after changing this server because my registrar didn't allow setting TXT records in its DNS server). Once that is done, any mail server which receives a mail FROM anyone@my_domain can check whether this mail is actually from my domain or it is lying.

And now we arrive at the subject of the mail. The mail server (MTA) has to implement the SPF controls to take any advantage of this. The SPF developer (Meng Weng Wong) has made a Perl module to make this functionality easy. Wietse Venema, the creator of postfix, recommends implementing this functionality by means of policy access daemons, rather than patching the postfix code itself. Meng also wrote the policy daemon for postfix.

I packaged the needed perl modules and the policy daemon in several rpms. The SPF policy daemon is working great in my server without problems and stopping many spoofed mails :-). The postfix plugin package is named 'postfix-policyd-SPF'. It needs at least the package 'perl-Mail-SPF-Query', which I also built. Some other perl modules may be needed; I built the ones that are not in the SuSE distribution or are outdated. I did it for SuSE 8.2, 9.0 and 9.2. I don't have any 9.1 development system available, sorry.

Once installed, to make the SPF policy work, you only need to include three lines in the postfix configuration files and reload, as explained below in the file README_SPF.SUSE I wrote for the package. You can download them from: ftp://ftp.gwdg.de/pub/linux/misc/suser-gbv/rpms apt users can get it from the suser-gbv component.
Remember I build the packages with the aim of helping, I'm not from SuSE, no guarantees :-).

And this is the readme file

-----
This documentation assumes you have read Postfix's README_FILES/SMTPD_POLICY_README file

To run this from postfix, add the following line in file '/etc/postfix/master.cf':

    policy unix - n n - - spawn user=nobody argv=/usr/bin/perl /usr/lib/postfix/smtpd-policy-spf.pl

and you also have to add the 'check_policy_service unix:private/policy' restriction in file '/etc/postfix/main.cf'. Typically you should add it to the 'smtpd_recipient_restrictions' list as in the following lines

    smtpd_recipient_restrictions =
        ...
        reject_unknown_sender_domain
        reject_unauth_destination
        check_policy_service unix:private/policy
        ...

NOTE: specify check_policy_service AFTER reject_unauth_destination or else your system can become an open relay.

Once you've modified the files, you can reload the new configuration with

    rcpostfix reload

if you already had your postfix running.
-----

Guillermo.
--
Guillermo Ballester Valor (gbv)
Ogijares, Granada SPAIN
http://www.oxixares.com/~gbv/
Linux user #117181. See http://counter.li.org/
Public GPG KEY http://www.oxixares.com/~gbv/pubgpg.html
As of today I released a new SPF policy daemon, with the only changes in the docs. It is convenient to note some things so that other policies are compatible with this one when running simultaneously. It is recommended to change the name of the socket file from 'policy' to 'policy-spf'. So the master.cf and main.cf files have to include lines as follows.

To run this from postfix, add the line to /etc/postfix/master.cf. Old:

    policy unix - n n - - spawn user=nobody argv=/usr/bin/perl /usr/lib/postfix/smtpd-policy-spf.pl

New:

    policy-spf unix - n n - - spawn user=nobody argv=/usr/bin/perl /usr/lib/postfix/smtpd-policy-spf.pl

In /etc/postfix/main.cf. Old:

    smtpd_recipient_restrictions = ... reject_unknown_sender_domain reject_unauth_destination check_policy_service unix:private/policy ...

New:

    smtpd_recipient_restrictions = ... reject_unknown_sender_domain reject_unauth_destination check_policy_service unix:private/policy-spf ...

NOTE that the only change is the name of the socket. Anyway, if you have already installed the policy server, you don't need to change it. You can also install and run the new greylist policy package plugin in addition to this one.

Guillermo
--
Guillermo Ballester Valor gbv@oxixares.com
Ogijares, Granada SPAIN
Linux user #117181. See http://counter.li.org/
Public GPG KEY http://www.oxixares.com/~gbv/pubgpg.html
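An added example, not from the posts above nor from the postfix-policyd-SPF package: a small Python sketch of what a policy daemon does behind the check_policy_service socket. It parses the attribute=value request Postfix sends, evaluates the sender domain's SPF record against client_address, and returns the action= line; the DNS lookup is replaced by a constructed record, and only the ip4/ip6/all mechanisms are handled (no include/a/mx/exists or macros), so it is an illustration of the protocol, not a full SPF implementation.

```python
import ipaddress
# Constructed sample data for this example (not a real DNS record or request).
SPF_RECORDS = {"example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"}
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=192.0.2.10\nsender=alice@example.org\n"
                  "recipient=bob@example.net\n\n")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_policy_request(raw: str) -> dict:
    """Parse one Postfix policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break  # the empty line terminates the request
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against client_ip."""
    if not record.lower().startswith("v=spf1"):
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record: do not guess
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no explicit "all" term

def policy_action(request: dict) -> str:
    """Turn a parsed policy request into the action= line Postfix expects."""
    domain = request.get("sender", "").rpartition("@")[2].lower()
    record = SPF_RECORDS.get(domain)
    if not domain or record is None:
        return "action=DUNNO"  # null sender or no SPF record: let other checks decide
    client = request["client_address"]
    result = evaluate_spf(record, client)
    if result == "fail":
        return f"action=REJECT SPF fail: {client} may not send mail for {domain}"
    return f"action=PREPEND Received-SPF: {result} (client {client})"
```

A real daemon would read requests from the socket in a loop, look the TXT record up in DNS, and write each action line followed by an empty line back to Postfix.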