Apr 072014

Following on from postfix blocking spam before it enters the server i setup a whitelist and SPF filtering.

The whitelist will allow me to manually allow any mail servers to bypass the spf filtering and RBL(Real-time Blacklists) lists.

What does SPF filtering do? Suppose a spammer forges a Hotmail.com address and tries to spam you. They connect from somewhere other than Hotmail. When his message is sent, you see MAIL FROM: , but you don’t have to take his word for it. You can ask Hotmail if the IP address comes from their network.
(In this example) Hotmail publishes an SPF record. That record tells you how to find out if the sending machine is allowed to send mail from Hotmail. If Hotmail says they recognize the sending machine, it passes, and you can assume the sender is who they say they are. If the message fails SPF tests, it’s a forgery. That’s how you can tell it’s probably a spammer.

Now time to start setting everything, for the spf filtering we need to install a few packages so start with (i use the epel rep http://fedoraproject.org/wiki/EPEL)

yum --enable epel install python-dns python-pydns

we also need “pyspf”. check for any updates from here
Then install it, you need to be the root user (change the version numbers if theirs an update)
wget http://sourceforge.net/projects/pymilter/files/pyspf/pyspf-2.0.8/pyspf-2.0.8.tar.gz/download
tar xvfz pyspf-2.0.8.tar.gz
cd pyspf-2.0.8/
python setup.py build
python setup.py install

Finally we need “pypolicyd-spf”. check for any updates from here
Then install it, you need to be the root user (change the version numbers if theirs an update)

wget https://launchpad.net/pypolicyd-spf/1.2/1.2/+download/pypolicyd-spf-1.2.tar.gz
tar xvfz pypolicyd-spf-1.2.tar.gz
cd pypolicyd-spf-1.2/
python setup.py build
python setup.py install

Now everything is install I need to tell postfix to use it. Since i use Webmin i just navigate to “servers”, “Posfix Mail server” then click “Edit Config Files” or manually edit “/etc/postfix/main.cf”

now find “smtpd_recipient_restrictions = “, and add “check_client_access hash:/etc/postfix/rbl_override_whitelist, check_policy_service unix:private/policyd-spf,” after “reject_unauth_destination,”
It is important that you add it AFTER reject_unauth_destination or else your system can become an open relay!
It should look like this.

smtpd_recipient_restrictions = permit_mynetworks, permit_inet_interfaces, permit_sasl_authenticated, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_unauth_destination, check_client_access hash:/etc/postfix/rbl_override_whitelist, check_policy_service unix:private/policyd-spf, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit 

Now I need to edit “/etc/postfix/master.cf”. Since i use Webmin i just navigate to “servers”, “Posfix Mail server” then click “Edit Config Files” and select “master.cf” from the drop box at the top.

Now i add at the end

policyd-spf  unix  -       n       n       -       0       spawn
                   user=nobody argv=/usr/bin/policyd-spf

The leading spaces before user=nobody are important so Postfix knows this line belongs to the previous one.

The last thing i need to do is create the whitelist file, so login as root

cd /etc/postfix
vi /etc/postfix/rbl_override_whitelist

Then add all ip addresses or hostname that you want whitelisted (one per line only)
here what it should look like OK
mail.example.net OK

After you create/modify the file you need to run
postmap /etc/postfix/rbl_override_whitelist

Finally restart postfix
/etc/init.d/postfix restart 

Now send a test message from an external email account to test, if the email doesn’t arrive check the logs for any errors (something you should do regularly anyway).

Hopefully everything is working fine and you should start seeing a drop in forged emails, don’t forget to create a spf record for your domain so other servers can check your emails. There is a easy to use wizard to help create the record for you.
This is what a record looks like

v=spf1 mx a ip4: ip6:2a01:4f8:192:70c4::/64 include:spf.mandrillapp.com -all  

It basically lists all the ip address that are allowed to send email for my domain and says reject everything else.
If you wanna check if a particulate site has an spf record or you want to check if its working correctly there is a SPF Record Testing Tools.