SPAM: SPF DomainKeys with Postfix


Implement SPF and DomainKeys with Postfix against SPAM

SPF, DOMAINKEYS, SPAM and POSTFIX


Hal

Table of Contents

1) INTRO
2) PROTECT OUT MAILs
3) TEST and Put in Production
4) REFERENCE

1) INTRO

There are several ways to fight spam mail.
This document shows you how to implement SPF and DomainKeys.
SPF involves changes only to DNS records, whereas
DomainKeys also needs some MTA customization.
In this document I show how you can implement both with Postfix.

1.1 Briefly

1.1.1 What is SPF - Sender Policy Framework?

It is a system to protect the envelope sender address; you do this by creating a special DNS record that tells whether the mail server XXX.XXX.XXX.XXX that sends an email is authorized to send email for the domain on which you have configured that record.

Later the receiving mail server checks that DNS record to see whether the envelope sender address is authorized to be sent from that server.

* This solution involves work mainly at the RECEIVING MAIL SERVER and in the DNS RECORDS

1.1.2 What is DomainKeys?

It is a mechanism for verifying both the domain of each email sender and the integrity of the messages sent. As with SPF, you have to create a special DNS record, which contains a public key built for this purpose; then you must configure your MTA to take messages and sign them with the private key, adding a special header that can be verified by the receiving mail server.

* This solution involves work at the SENDER MAIL SERVER, the RECEIVING MAIL SERVER and in the DNS RECORDS

1.1.3 FIRST OF ALL, FIND A DYNAMIC DNS PROVIDER THAT LETS YOU EDIT TXT RECORDS

For example, register a dynamic address on freedns.afraid.org

2) PROTECT OUT MAILs

2.1 SPF WAY


Go here and follow the wizard: http://spf.pobox.com/wizard.html

  • Insert the record previously registered on freedns.afraid.org
  • Follow the instructions, answering yes for (a) and adding any additional hosts enabled to send email
  • For (mx), add the domain registered on freedns.afraid.org
  • Answer Yes to the last question so nobody else can use this SPF record


    Now go to freedns.afraid.org and add a TXT record with what is shown on the SPF wizard page:
    "v=spf1 a a:bigamd mx:mydomain.mooo.com ~all"
    (the mx mechanism takes a colon, mx:domain; the mx= form is not valid SPF syntax)

    For testing purposes a SOFTFAIL (~all) is useful, just to see whether everything is properly configured.

    2.1.1 Qualifiers

    Each mechanism can be combined with one of four qualifiers:

      * + for a PASS result, this can be omitted, +mx is the same as mx.
      * ? for a NEUTRAL result interpreted like NONE (no policy).
      * ~ for SOFTFAIL, a debugging aid between NEUTRAL and FAIL.
      * - for FAIL, the mail should be rejected (see below).
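To see how a receiving server applies the qualifiers above to the record from section 2.1, here is an added example (not part of the original page) of a minimal SPF evaluator. It uses a constructed in-memory DNS table instead of real lookups; the hostnames and addresses in it are assumptions for the example.

```python
import ipaddress

# Constructed stand-in for DNS lookups (example data, not from the page).
FAKE_DNS = {
    "A": {
        "mydomain.mooo.com": ["203.0.113.10"],
        "bigamd": ["203.0.113.11"],
        "mail.mydomain.mooo.com": ["203.0.113.12"],
    },
    "MX": {"mydomain.mooo.com": ["mail.mydomain.mooo.com"]},
}

# SPF qualifiers from section 2.1.1; a missing qualifier means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip, sender_domain, dns=FAKE_DNS):
    """Evaluate an SPF v1 record for a connecting client IP (receiver side).

    Supports the mechanisms used on this page (a, a:host, mx, mx:host, all)
    plus ip4:cidr.  Mechanisms are tried left to right; the first one that
    matches yields its qualifier's result, as a real SPF checker does."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":  # any A record of the host (default: sender domain)
            hosts = [arg or sender_domain]
            matched = any(ipaddress.ip_address(a) == ip for h in hosts for a in dns["A"].get(h, []))
        elif name == "mx":  # any A record of any MX host of the domain
            hosts = dns["MX"].get(arg or sender_domain, [])
            matched = any(ipaddress.ip_address(a) == ip for h in hosts for a in dns["A"].get(h, []))
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # unknown mechanism: the record is unusable
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term: like having no policy
```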

    2.1.2 Test Record

    I've set up records, how do I test?
    There are two types of SPF testers available. There are those that you send email to, which are good for testing how email actually behaves from the computer you are sitting at. There are also form-based ones that let you fill in the appropriate information and simulate an SPF check from anyone, anywhere.
    Email-based SPF testers

      You can also send mail to [e-mail address not shown on the page] and see what happens. If you send mail from an unlisted server it will be rejected. Please don't make up bogus addresses if that would cause random third parties to get mysterious bounce messages.
      Port25.com also provides a tool to test whether SPF is working. Send an email to [e-mail address not shown on the page] and you will receive a reply containing the results of the SPF check.
      The ESPC also provides an SPF verification tool - THE BEST ONE FOR ME

    If some test fails, it is possible that your ISP doesn't deliver it properly to the recipients; for this, look at Postfix's transport configuration BELOW.
    Form-based SPF testers

    2.2 DOMAINKEYS WAY

    2.2.1 RUN IN FILTER

    USEFUL to check incoming mail
    Edit the file /usr/bin/dkfilter.in, changing the include on the first line to /usr/lib.
    If you have the Mail::DomainKeys CPAN module installed you must run dkfilter without prepending perl.
    Run it with:
    $PATH/dkfilter.in 127.0.0.1:10025 127.0.0.1:10026


    Modify /etc/postfix/master.cf (the -o lines must start with whitespace, since master.cf treats an indented line as a continuation of the service entry above it):
    # Before-filter SMTP server. Receive mail from the network and
    # pass it to the content filter on localhost port 10025.
    #
    smtp inet n - n - - smtpd
      -o smtpd_proxy_filter=127.0.0.1:10025
      -o smtpd_client_connection_count_limit=10
    #
    # After-filter SMTP server. Receive mail from the content filter on
    # localhost port 10026.
    #
    127.0.0.1:10026 inet n - n - - smtpd
      -o smtpd_authorized_xforward_hosts=127.0.0.0/8
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o smtpd_data_restrictions=
      -o mynetworks=127.0.0.0/8
      -o receive_override_options=no_unknown_recipient_checks

    Execute postfix reload for Postfix to respond to changes in /etc/postfix/master.cf.

    2.2.2 RUN OUT FILTER

    USEFUL to sign outgoing mail
    Setting up the outbound filter:
    cd /usr/lib/Mail/DomainKeys/
    openssl genrsa -out dkfilter_private.key 1024
    openssl rsa -in dkfilter_private.key -pubout -out dkfilter_public.key

    At this point insert in your DNS, if you can, a TXT entry like this (p= holds the base64 body of dkfilter_public.key on a single line, without the BEGIN/END lines):
    selector1._domainkey IN TXT "k=rsa; p=MHwwDQYJK ... OprwIDAQAB; t=y"

    Edit the file /usr/bin/dkfilter.out, changing the include on the first line to /usr/lib, then run it with:

    $PATH/dkfilter.out --keyfile=/usr/lib/Mail/DomainKeys/dkfilter_private.key --selector=selector1 --domain=mooo.com --method=nofws 127.0.0.1:10027 127.0.0.1:10028

    Edit POSTFIX master.cf:
    # modify the default submission service to specify a content filter
    # and restrict it to local clients and SASL authenticated clients only
    #
    submission inet n - n - - smtpd
      -o smtpd_etrn_restrictions=reject
      -o smtpd_sasl_auth_enable=yes
      -o content_filter=dksign:[127.0.0.1]:10027
      -o receive_override_options=no_address_mappings
      -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

    # specify the location of the DomainKeys signing filter
    #
    dksign unix - - n - 10 smtp
      -o smtp_send_xforward_command=yes
      -o smtp_discard_ehlo_keywords=8bitmime

    #
    # service for accepting messages FROM the DomainKeys signing filter
    #
    127.0.0.1:10028 inet n - n - 10 smtpd
      -o content_filter=
      -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
      -o smtpd_helo_restrictions=
      -o smtpd_client_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o mynetworks=127.0.0.0/8
      -o smtpd_authorized_xforward_hosts=127.0.0.0/8

    ## If you submit email directly from your server with sendmail or mailx or other you need to add this line too:
    pickup fifo n - n 60 1 pickup
      -o content_filter=dksign:127.0.0.1:10027


    Execute postfix reload for Postfix to respond to changes in /etc/postfix/master.cf.
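The re-injection listeners in 2.2.1 and 2.2.2 (127.0.0.1:10026 and 127.0.0.1:10028) rely on their -o overrides so that only the local filter can hand mail back to Postfix. As an added example, not part of the original page, the following script parses a master.cf fragment (a constructed sample is embedded; the one missing override in it is deliberate) and reports loopback smtpd services that lack those overrides.

```python
# Constructed master.cf fragment modelled on the filter services above
# (example input, not copied from a live system).  The 10028 service is
# deliberately missing its mynetworks override so the check has a finding.
SAMPLE_MASTER_CF = """\
# After-filter SMTP server (dkfilter.in re-injects here)
127.0.0.1:10026 inet n - n - - smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
# service accepting messages FROM the DomainKeys signing filter
127.0.0.1:10028 inet n - n - 10 smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
smtp inet n - n - - smtpd
  -o smtpd_proxy_filter=127.0.0.1:10025
"""


def parse_master_cf(text):
    """Return {service: {"fields": [type, ...], "options": {name: value}}}.
    A master.cf line starting with whitespace continues the previous service
    entry; that is how the -o overrides are attached to a service."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            body = line.strip()
            if current is not None and body.startswith("-o"):
                name, _, value = body[2:].strip().partition("=")
                services[current]["options"][name] = value
            continue
        fields = line.split()
        current = fields[0]
        services[current] = {"fields": fields[1:], "options": {}}
    return services


def reinjection_problems(services):
    """Flag loopback inet services (the filter re-injection ports) that lack
    the overrides restricting them to the local filter."""
    problems = []
    for name, svc in services.items():
        if not (name.startswith("127.0.0.1:") and svc["fields"][0] == "inet"):
            continue
        opts = svc["options"]
        if opts.get("mynetworks") != "127.0.0.0/8":
            problems.append(f"{name}: mynetworks should be 127.0.0.0/8")
        if opts.get("smtpd_recipient_restrictions") != "permit_mynetworks,reject":
            problems.append(f"{name}: smtpd_recipient_restrictions should be permit_mynetworks,reject")
    return problems
```

Run it against your real file with `reinjection_problems(parse_master_cf(open("/etc/postfix/master.cf").read()))` after editing master.cf and before `postfix reload`.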

    2.3 POSTFIX CUSTOM CONFIG

    If you need to send mail through a different gateway, don't set relayhost in main.cf; instead use the /etc/postfix/transport map, specifying default routing information for the internal domain, and enable transport table lookups.

    Important: do not specify a relayhost in main.cf, or else mail for internal destinations will still be given to the relayhost.


      /etc/postfix/transport:
      my.domain :
      .my.domain :
      * smtp:gateway.my.domain

      /etc/postfix/main.cf:
      transport_maps = hash:/etc/postfix/transport

    Specify dbm instead of hash if your system uses dbm files instead of db. To find out what map types Postfix supports, use the command postconf -m.

    Execute the command postmap /etc/postfix/transport whenever you edit the transport table.

    Execute the command postfix reload to make the changes effective.

    If you have a dynamic IP it is possible that anti-spam blacklists mark your IP as a spammer, so it may be better to use your provider's SMTP server. The transport map lets us change the relay servers as needed.

    3) TEST and Put in Production

    3.1 Postfix Debug

    Now you can test whether everything is ok using one of the test sites. You may need to raise the Postfix debug level and specify some peers to monitor:
    debug_peer_level = 10
    debug_peer_list = 127.0.0.1 10.50.30.1
    Then reload the Postfix configuration.

    3.2 Create init.d scripts

    Use the scripts to configure automatic start/stops

    4) REFERENCE

    4.1 AUTHORS


    4.2 LINKS