These past few days I have inexplicably received a pile of spam, and a few of the messages were sent to me with my own domain as the sender.
After going through the various logs I ruled out a break-in or a stolen password. (Honestly, I consider my VPS fairly secure: no unneeded ports open, SSH on key authentication plus a non-default port... still, please go easy on me, folks...)
So I suspected that someone was forging mail in my domain's name, i.e. impersonating my SMTP server, and quickly added SPF filtering to postfix.
The procedure:
First, I checked https://launchpad.net/postfix-policyd-spf-perl and saw that the latest release is 2.010.
Then download it:
wget https://launchpad.net/postfix-policyd-spf-perl/trunk/release2.010/+download/postfix-policyd-spf-perl-2.010.tar.gz
Then unpack it:
tar xzvf postfix-policyd-spf-perl-2.010.tar.gz
Then copy the script into postfix's daemon directory:
cp postfix-policyd-spf-perl-2.010/postfix-policyd-spf-perl /usr/libexec/postfix/policyd-spf-perl
Next, add a policy service to postfix's master.cf. The service name must be the one main.cf refers to as private/<name>; the log lines further down show it as policy-spf, so that is the name used here (the spawn service runs the script as nobody):
policy-spf  unix  -       n       n       -       0       spawn
  user=nobody argv=/usr/bin/perl /usr/libexec/postfix/policyd-spf-perl
Finally, in postfix's main.cf, append the policy service to smtpd_recipient_restrictions. Put it after reject_unauth_destination: Postfix's SMTPD_POLICY_README warns that a check_policy_service listed before reject_unauth_destination can turn the server into an open relay, and there is no point in running SPF lookups for mail that would be refused anyway:
,check_policy_service unix:private/policy-spf
Then restart postfix:
systemctl restart postfix
Then I used swaks to send a forged message to my own domain and looked at maillog, which showed:
Mar 25 10:31:16 mail postfix/spawn[29477]: warning: command /usr/bin/perl exit status 2
Mar 25 10:31:16 mail postfix/smtpd[29471]: warning: premature end-of-input on private/policy-spf while reading input attribute name
Mar 25 10:31:17 mail postfix/spawn[29477]: warning: command /usr/bin/perl exit status 2
Mar 25 10:31:17 mail postfix/smtpd[29471]: warning: premature end-of-input on private/policy-spf while reading input attribute name
Mar 25 10:31:17 mail postfix/smtpd[29471]: warning: problem talking to server private/policy-spf: Connection reset by peer
What on earth!!!
So I cd'd into /usr/libexec/postfix/ and checked the permissions on /usr/libexec/postfix/policyd-spf-perl: nothing wrong, it has the x bit... (A spawn'd policy script that exits before writing a reply is exactly what produces that "premature end-of-input" warning, so the quick check is to run it by hand.) Then I ran ./policyd-spf-perl, and it failed:
Can't locate Sys/Syslog.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ./policyd-spf-perl line 31. BEGIN failed--compilation aborted at ./policyd-spf-perl line 31.
Ah... then I remembered that I don't use Perl myself, so the script was obviously missing modules (Sys::Syslog, for a start). Then, once more:
systemctl restart postfix
and after that it worked!
I then sent a message from my institute's dsp.ac.cn mailbox, and the result was:
Mar 25 10:39:40 mail postfix/policy-spf[29517]: Policy action=PREPEND Received-SPF: none (dsp.ac.cn: No applicable sender policy available) receiver=mail; identity=mailfrom; envelope-from="[email protected]"; helo=cstnet.cn; client-ip=159.226.251.xxx
Received-SPF: none, seriously?! A Chinese Academy of Sciences institute's mail domain without an SPF record, what the hell...
Then I sent myself another forged message with swaks, and the result was:
Mar 25 10:41:16 mail postfix/policy-spf[29517]: Policy action=PREPEND Received-SPF: softfail (xxx.com: Sender is not authorized by default to use '[email protected]' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=mail; identity=mailfrom; envelope-from="[email protected]"; helo=vbox.localdomain; client-ip=111.204.175.xxx
That's more like it~ Received-SPF: softfail~
By default the policy daemon only outright rejects a hard SPF fail (a domain publishing -all); for a softfail it does not reject, it merely prepends a Received-SPF: softfail header (and likewise a none or neutral header), so that mail from people whose mail systems are oddly configured does not get lost. My domain publishes ~all, which is why the forged test message scored softfail rather than fail and was still accepted. I decided to accept none but reject softfail, so:
Add to /etc/postfix/header_checks. Note that header_checks sees every message that passes through cleanup, not just inbound SMTP, and a bare /Received-SPF: softfail/ would also match a Received-SPF header that some upstream server added to legitimately forwarded mail, so the pattern below is anchored and only matches the header my own daemon prepends (receiver=mail, the hostname in the logs above):
# reject only the Received-SPF header prepended by this host's own policy daemon
/^Received-SPF:\s+softfail\b.*\breceiver=mail\b/ REJECT SPF softfail
Then add to main.cf (the pcre: map type requires a Postfix built with PCRE support; check that postconf -m lists pcre, and fall back to regexp: if it does not):
header_checks = pcre:/etc/postfix/header_checks
Then restart postfix again and test; everything works.
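To make the policy-service exchange above concrete, here is an added example, my own code for this page and not postfix-policyd-spf-perl or anything from its authors: it parses the attribute=value request Postfix writes to the private/policy-spf socket, runs a deliberately cut-down SPF evaluation (only the ip4, ip6 and all mechanisms, with DNS replaced by a constructed in-memory table), and builds the same kind of action reply the Perl daemon logged: PREPEND a Received-SPF header for none/neutral/softfail/pass, a 550 rejection for a hard fail. The domain names (example.com, strict.example, nospf.example), the reserved documentation addresses, and every function name are assumptions for the example.

```python
"""Minimal Postfix SMTPD policy-delegation logic for SPF, runnable offline.

Added example for this page; not postfix-policyd-spf-perl's code. Real SPF
needs DNS and the include/a/mx/redirect mechanisms, which are left out here.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups: hypothetical domains and reserved
# documentation address ranges, not real records.
FAKE_TXT = {
    "example.com":    ["v=spf1 ip4:203.0.113.0/24 ~all"],  # softfail for other senders
    "strict.example": ["v=spf1 ip4:198.51.100.5 -all"],    # hard fail for other senders
    "nospf.example":  [],                                   # no policy published at all
}

# SPF qualifier prefix -> result name.
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's v=spf1 record, or None when none is published."""
    recs = [r for r in FAKE_TXT.get(domain, []) if r.lower().startswith("v=spf1")]
    return recs[0] if recs else None


def check_spf(client_ip, domain):
    """Return (result, explanation) for a client IP and a mailfrom domain."""
    record = lookup_spf(domain)
    if record is None:
        return "none", "No applicable sender policy available"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # An IPv6 client is never inside an IPv4 network (and vice versa).
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            continue  # unsupported mechanism: skipped in this toy evaluator
        if matched:
            return QUALIFIER[qual], "mechanism '%s%s' matched" % (qual, term)
    return "neutral", "no mechanism matched"  # RFC 7208 default result


def parse_policy_request(raw):
    """Parse the request Postfix writes to a check_policy_service socket:
    one name=value attribute per line, terminated by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break                              # empty line ends the request
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed attribute line: %r" % line)
        attrs[name] = value
    return attrs


def policy_response(raw, receiver="mail"):
    """Build the 'action=...' reply (terminated by an empty line) for one request.
    A daemon that dies before writing this is what makes Postfix log
    'premature end-of-input on private/policy-spf'."""
    attrs = parse_policy_request(raw)
    sender = attrs.get("sender", "")
    domain = sender.rpartition("@")[2].lower()
    if not domain:
        return "action=DUNNO\n\n"              # null sender: no mailfrom identity to check
    client_ip = attrs["client_address"]
    result, explanation = check_spf(client_ip, domain)
    if result == "fail":
        # Hard fail (-all) is refused at SMTP time; softfail (~all) only gets a
        # header, which is why a ~all domain is never rejected here.
        return "action=550 SPF fail: %s: %s\n\n" % (domain, explanation)
    header = ('Received-SPF: %s (%s: %s) receiver=%s; identity=mailfrom; '
              'envelope-from="%s"; helo=%s; client-ip=%s'
              % (result, domain, explanation, receiver, sender,
                 attrs.get("helo_name", ""), client_ip))
    return "action=PREPEND %s\n\n" % header


def make_request(client_ip, sender, helo):
    """Constructed request in the format Postfix uses (a subset of attributes)."""
    return ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
            "client_address=%s\nhelo_name=%s\nsender=%s\nrecipient=me@mail.example\n\n"
            % (client_ip, helo, sender))


if __name__ == "__main__":
    for ip, sender, helo in [("203.0.113.7", "user@example.com", "mx.example.com"),
                             ("192.0.2.1", "user@example.com", "vbox.localdomain"),
                             ("192.0.2.1", "bob@strict.example", "vbox.localdomain"),
                             ("192.0.2.1", "x@nospf.example", "vbox.localdomain")]:
        print(policy_response(make_request(ip, sender, helo)), end="")
```

Running it prints one reply per constructed request: pass for the address inside the published ip4 range, softfail for a forged sender from a ~all domain, a 550 for the -all domain, and none for the domain with no record, mirroring the three outcomes in the maillog lines above. The reply always ends with the empty line Postfix waits for.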
Honestly, my own mail system used to run SPF+DKIM... when I reinstalled I got lazy and never set DKIM up again, but at least I still have SPF. Why do so many people not put an SPF record in their DNS...