Apr 072014
 

Following on from postfix blocking spam before it enters the server i setup a whitelist and SPF filtering.

The whitelist will allow me to manually allow any mail servers to bypass the spf filtering and RBL(Real-time Blacklists) lists.

What does SPF filtering do? Suppose a spammer forges a Hotmail.com address and tries to spam you. They connect from somewhere other than Hotmail. When his message is sent, you see MAIL FROM: , but you don’t have to take his word for it. You can ask Hotmail if the IP address comes from their network.
(In this example) Hotmail publishes an SPF record. That record tells you how to find out if the sending machine is allowed to send mail from Hotmail. If Hotmail says they recognize the sending machine, it passes, and you can assume the sender is who they say they are. If the message fails SPF tests, it’s a forgery. That’s how you can tell it’s probably a spammer.

Now time to start setting everything, for the spf filtering we need to install a few packages so start with (i use the epel rep http://fedoraproject.org/wiki/EPEL)

yum --enable epel install python-dns python-pydns

we also need “pyspf”. check for any updates from here
Then install it, you need to be the root user (change the version numbers if theirs an update)
wget http://sourceforge.net/projects/pymilter/files/pyspf/pyspf-2.0.8/pyspf-2.0.8.tar.gz/download
tar xvfz pyspf-2.0.8.tar.gz
cd pyspf-2.0.8/
python setup.py build
python setup.py install

Finally we need “pypolicyd-spf”. check for any updates from here
Then install it, you need to be the root user (change the version numbers if theirs an update)

wget https://launchpad.net/pypolicyd-spf/1.2/1.2/+download/pypolicyd-spf-1.2.tar.gz
tar xvfz pypolicyd-spf-1.2.tar.gz
cd pypolicyd-spf-1.2/
python setup.py build
python setup.py install

Now everything is install I need to tell postfix to use it. Since i use Webmin i just navigate to “servers”, “Posfix Mail server” then click “Edit Config Files” or manually edit “/etc/postfix/main.cf”

now find “smtpd_recipient_restrictions = “, and add “check_client_access hash:/etc/postfix/rbl_override_whitelist, check_policy_service unix:private/policyd-spf,” after “reject_unauth_destination,”
It is important that you add it AFTER reject_unauth_destination or else your system can become an open relay!
It should look like this.

smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_unauth_destination, check_client_access hash:/etc/postfix/rbl_override_whitelist, check_policy_service unix:private/policyd-spf, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit 

Now I need to edit “/etc/postfix/master.cf”. Since i use Webmin i just navigate to “servers”, “Posfix Mail server” then click “Edit Config Files” and select “master.cf” from the drop box at the top.

Now i add at the end

policyd-spf  unix  -       n       n       -       0       spawn
                   user=nobody argv=/usr/bin/policyd-spf

The leading spaces before user=nobody are important so Postfix knows this line belongs to the previous one.

The last thing i need to do is create the whitelist file, so login as root

cd /etc/postfix
vi /etc/postfix/rbl_override_whitelist

Then add all ip addresses or hostname that you want whitelisted (one per line only)
here what it should look like
1.2.3.4 OK
mail.example.net OK

After you create/modify the file you need to run
postmap /etc/postfix/rbl_override_whitelist

Finally restart postfix
/etc/init.d/postfix restart 

Now send a test message from an external email account to test, if the email doesn’t arrive check the logs for any errors (something you should do regularly anyway).

Hopefully everything is working fine and you should start seeing a drop in forged emails, don’t forget to create a spf record for your domain so other servers can check your emails. There is a easy to use wizard to help create the record for you.
This is what a record looks like

v=spf1 mx a ip4:144.76.115.197/32 ip6:2a01:4f8:192:70c4::/64 include:spf.mandrillapp.com -all  

It basically lists all the ip address that are allowed to send email for my domain and says reject everything else.
If you wanna check if a particulate site has an spf record or you want to check if its working correctly there is a SPF Record Testing Tools.

Apr 072014
 

When i first setup the server Basic Server setup using virtualmin i used the basic setting for postfix but soon found that i could reduce the amount of spam and load on the server by rejecting it before accepting it, i will do this by forcing mail servers that wanna deliver mail to me to be configured correctly and by using a few RBL (Real-time Blacklists).

Since i use Webmin i just navigate to “servers”, “Posfix Mail server” then click “Edit Config Files” or manually edit “/etc/postfix/main.cf”

Below is part of my new config file – obviously change the IP’s to your IP’s and the domains to yours.

########################################################
inet_protocols = all
inet_interfaces = 127.0.0.1, 192.168.0.200, [2001:470:1f09:d2b::220], [::1]
smtp_bind_address = 192.168.0.200
smtp_bind_address6 = [2001:470:1f09:d2b::220]
myorigin = $mydomain
mynetworks = 127.0.0.0/8, 192.168.0.200, [2001:470:1f09:d2b::/64], [::1/128]
myhostname = mail.example.com
mydomain = example.com
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost

virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
mailbox_size_limit = 0
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
smtpd_sender_restrictions =permit_sasl_authenticated, permit_mynetworks,  reject_unknown_sender_domain, permit
smtpd_client_restrictions = permit_tls_all_clientcerts, reject_unauth_pipelining
2bounce_notice_recipient = webmaster@example.com
error_notice_recipient = webmaster@example.com
bounce_notice_recipient = webmaster@example.com
smtpd_sasl_local_domain = 
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
 
tls_random_source = dev:/dev/urandom
disable_vrfy_command = yes
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_address_reject_code = 550
myorigin = $mydomain
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
message_size_limit = 40960000
header_size_limit = 402400
maximal_queue_lifetime = 1d

smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem


some people might say this is quite restrictive as it will block any mail server that is mis-configured or using a dynamic ip, or been blocked for sending spam but i have found it blocks 95% of the spam i was receiving beforehand without using a spam filter (thus reducing the load on the server) and i haven’t seen any downsides as all legit mail is getting through fine.

I’ll try and explain what the main changes are. There are 3 main sections I changed “smtpd_helo_restrictions”, “smtpd_sender_restrictions” and “smtpd_recipient_restrictions”

smtpd_sender_restrictions =permit_sasl_authenticated, permit_mynetworks,  reject_unknown_sender_domain, permit
This allows my networks and users that have authenticated themselves to connect but blocks any servers that haven’t configured a valid hostname for there mail server (should always use a proper domain name i.e. myhostname = mail.example.com) and also stops people trying to relay mail through my server.

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
When mail servers communicate with each other they say hello and identify themselves, this setting allows my networks to connect but blocks any servers that haven’t configured a valid hostname for there mail server (should always use a proper domain name i.e. myhostname = mail.example.com)

smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_unauth_destination, reject_invalid_hostname, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit 
This setting does the same as the above commands except it rejects mail servers that have been listed on RBL (Real-time Blacklists) you can google for more RBL lists but these do just fine for me.
I use dnsbl.sorbs.net, zen.spamhaus.org and bl.spamcop.net

If you want a more detailed explanation of what each option does have a read of Postfix Configuration Parameters it lists every option going.

I have also setup SPF checking and a white-list just in-case a valid email server gets on the RBL list but will explain that in another blog.