Adding SPF filtering to Postfix

These past few days I've inexplicably received a pile of spam, and a few of the messages were sent to me from my own domain.

After going through the various logs, I ruled out an intrusion or a stolen password. (To be fair, I consider my VPS pretty secure: no unnecessary ports open, SSH on key authentication plus a non-default port... Of course, I'd still ask everyone to go easy on me...)

So I suspected someone was spoofing my SMTP server, and quickly added SPF filtering to Postfix.

The process:

First I went to https://launchpad.net/postfix-policyd-spf-perl and saw that the latest version is 2.010

Then download it

wget https://launchpad.net/postfix-policyd-spf-perl/trunk/release2.010/+download/postfix-policyd-spf-perl-2.010.tar.gz

Then extract it

tar xzvf postfix-policyd-spf-perl-2.010.tar.gz

Then copy it into Postfix's libexec directory

cp postfix-policyd-spf-perl-2.010/postfix-policyd-spf-perl /usr/libexec/postfix/policyd-spf-perl

Next, configure Postfix's master.cf by adding

# service name must match the unix:private/policy-spf used in main.cf (the maillog below shows it as postfix/policy-spf)
policy-spf unix - n n - 0 spawn
    user=nobody argv=/usr/bin/perl /usr/libexec/postfix/policyd-spf-perl

Finally, append the following to smtpd_recipient_restrictions = in Postfix's main.cf

,check_policy_service unix:private/policy-spf

Then restart Postfix once

systemctl restart postfix

Then I used swaks to send a forged message to my own domain, looked at the maillog, and found

Mar 25 10:31:16 mail postfix/spawn[29477]: warning: command /usr/bin/perl exit status 2
Mar 25 10:31:16 mail postfix/smtpd[29471]: warning: premature end-of-input on private/policy-spf while reading input attribute name
Mar 25 10:31:17 mail postfix/spawn[29477]: warning: command /usr/bin/perl exit status 2
Mar 25 10:31:17 mail postfix/smtpd[29471]: warning: premature end-of-input on private/policy-spf while reading input attribute name
Mar 25 10:31:17 mail postfix/smtpd[29471]: warning: problem talking to server private/policy-spf: Connection reset by peer

What the hell!!!

So I cd'd to /usr/libexec/postfix/

Checked the permissions on /usr/libexec/postfix/policyd-spf-perl: nothing wrong, it has x... Then I ran ./policyd-spf-perl and it errored out!

Can't locate Sys/Syslog.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ./policyd-spf-perl line 31. BEGIN failed--compilation aborted at ./policyd-spf-perl line 31.

Ah... then I suddenly remembered that I don't use Perl... so something must be missing, so

yum install perl-core

Then, once more

systemctl restart postfix

After that, it works!

I sent a message from my institute's dsp.ac.cn mailbox, and the result was

Mar 25 10:39:40 mail postfix/policy-spf[29517]: Policy action=PREPEND Received-SPF: none (dsp.ac.cn: No applicable sender policy available) receiver=mail; identity=mailfrom; envelope-from="[email protected]"; helo=cstnet.cn; client-ip=159.226.251.xxx

Received-SPF: none, seriously?! A Chinese Academy of Sciences institute mailbox without an SPF record, what the hell...

Then I went back to sending myself forged mail with swaks, and the result was

Mar 25 10:41:16 mail postfix/policy-spf[29517]: Policy action=PREPEND Received-SPF: softfail (xxx.com: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=mail; identity=mailfrom; envelope-from="[email protected]"; helo=vbox.localdomain; client-ip=111.204.175.xxx

That's more like it~ Received-SPF: softfail~

By default, when the SPF check doesn't pass, the message isn't rejected; it just gets a Received-SPF: softfail (or similar) header prepended. So as not to lose mail from people whose mail systems are configured in strange ways, my plan is to accept none and reject softfail, so

add to /etc/postfix/header_checks

/Received-SPF: softfail/ REJECT

then add to main.cf

header_checks = pcre:/etc/postfix/header_checks

Then restart Postfix again, test, and everything works
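To make the moving parts above concrete, here is an added Python example (not code from the post or from postfix-policyd-spf-perl) that does what the policy service does: it parses the attribute=value request that smtpd sends over the unix:private/policy-spf socket, evaluates a small SPF record for the envelope-sender domain, and answers with either action=PREPEND Received-SPF: ... or a 550. It shows the three results seen in the maillog above (none for a domain without a record, softfail from a '~all' record, fail from '-all') and the reject-on-softfail decision the header_checks rule implements, made inside the policy service instead. All domains, IPs and the SPF records in DNS_TXT are constructed; it only handles ip4/ip6/all mechanisms, with no DNS lookups and no include/a/mx support.

```python
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups (assumption: a real policy daemon
# resolves these over DNS; nothing here touches the network).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ~all",   # soft-fail policy, like the '~all' in the post
    "strict.example": "v=spf1 ip4:198.51.100.7 -all",  # hard-fail policy
    # "nospf.example" has no record on purpose: result 'none', like dsp.ac.cn above
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip):
    """Minimal SPF check: ip4/ip6/all mechanisms with qualifiers.

    Returns (result, explanation); result is none, pass, fail, softfail,
    neutral or permerror. Terms this toy cannot resolve (include, a, mx,
    redirect, ...) are reported as permerror rather than looked up.
    """
    record = DNS_TXT.get(domain.lower())
    tokens = record.split() if record else []
    if not tokens or tokens[0].lower() != "v=spf1":
        return "none", "No applicable sender policy available"
    ip = ipaddress.ip_address(client_ip)
    for term in tokens[1:]:
        m = re.fullmatch(r"([+~?-]?)(all|ip4:(\S+)|ip6:(\S+))", term, re.I)
        if not m:
            return "permerror", f"unsupported term '{term}'"
        result = QUALIFIERS[m.group(1) or "+"]
        if m.group(2).lower() == "all":
            return result, f"mechanism '{term}' matched"
        net = ipaddress.ip_network(m.group(3) or m.group(4), strict=False)
        if ip.version == net.version and ip in net:
            return result, f"mechanism '{term}' matched"
    return "neutral", "no mechanism matched"


def parse_policy_request(raw):
    """Parse one Postfix policy-delegation request: 'name=value' lines
    terminated by an empty line (the framing spawn(8) pipes to the script)."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[name] = value
    return attrs


def policy_response(attrs, receiver="mail", reject_on=("fail",)):
    """Build the reply for one request.

    Postfix expects 'action=...' followed by an empty line; if the script
    dies before writing that (as the Perl script did without Sys::Syslog),
    smtpd logs the 'premature end-of-input' warning seen in the post.
    reject_on chooses which SPF results become a 550 instead of a PREPEND.
    """
    sender = attrs.get("sender", "")
    helo = attrs.get("helo_name", "")
    client_ip = attrs["client_address"]
    # mailfrom identity: the domain after '@'; for a null sender (<>) SPF falls back to the HELO name
    domain = sender.rpartition("@")[2] or helo
    result, why = evaluate_spf(domain, client_ip)
    header = (f"Received-SPF: {result} ({domain}: {why}) receiver={receiver}; "
              f"identity=mailfrom; envelope-from=\"{sender}\"; helo={helo}; client-ip={client_ip}")
    if result in reject_on:
        # 5.7.23 is the enhanced status code for an SPF validation failure (RFC 7372)
        return f"action=550 5.7.23 {domain}: {why}\n\n"
    return f"action=PREPEND {header}\n\n"


def handle_request(raw, **kw):
    return policy_response(parse_policy_request(raw), **kw)


# Constructed request, framed the way smtpd hands it to check_policy_service
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "helo_name=vbox.localdomain\n"
    "sender=forged@example.com\n"
    "recipient=me@example.com\n"
    "\n"
)

if __name__ == "__main__":
    print(handle_request(SAMPLE_REQUEST), end="")                                  # PREPEND ... softfail
    print(handle_request(SAMPLE_REQUEST, reject_on=("fail", "softfail")), end="")  # 550 on softfail
```

Making the decision inside the policy service (the reject_on tuple) rather than with header_checks has one practical advantage: header_checks matches every header in the message, including a Received-SPF: softfail that an upstream relay or forwarder already added about its own hop, so that approach can reject mail on someone else's verdict rather than on the check run against the connecting client.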

To be fair, back in the day my own mail system had SPF+DKIM... when I reinstalled, I got lazy and didn't set up DKIM, but at least I still have SPF, OK... Why do so many people not put SPF in their DNS...
