OPS535 Postfix SPF
Objective
- Configure Postfix to check for SPF record and reject spam mails
References
Please read the information provided by the following three links to get a better understanding of basic concept of the Sender Policy Framework (SPF)
Pre-requisite
- Root name server
- Primary DNS server
- Caching-only DNS server
- Postfix installed and configure for your domain
Required Packages for checking SPF in Postfix
- pypolicyd-spf (from the epel repository, if epel is not enable on your CentOS 7.0 system, you need to run "yum install epel-release" to install it.)
- pypolicyd-spf depends on python-pydns, python-pyspf, and python-ipaddr packages. All three python modules be installed if you use yum to install pypolicyd-spf.
Tasks
- update your primary DNS server with SPF record
- configure your postfix server to check sender address
Primary DNS updates - email sender
Assumption: You own the bigfoot.com domain
You should have the following zone entry in the file /etc/named.conf on your primary DNS server:
zone "bigfoot.com" IN { type master; file "zone-bigfoot.com"; };
You should have the zone file for your bigfoot.com zone in /var/named directory:
[root@pri named]# cat zone-bigfoot.com $TTL 300 @ IN SOA pri.cp.net. root.cp.net. ( 20151111 ; serial 1h ; refresh 15m ; retry 3d ; expire 10m) ; minimum IN NS pri.cp.net. mail IN A 192.168.99.1 bigfoot.com. IN MX 10 mail.bigfoot.com. bigfoot.com. IN TXT "v=spf1 mx -all"
MTA configuration updates - email receiver
/etc/postfix/master.cf
[root@mail ~]# diff /etc/postfix/master.cf /etc/postfix/master.cf.org 128,131d127 < # < # Add pypolicyd-spf to test for SPF record < policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/policyd-spf <
/etc/postfix/main.cf
[root@mail ~]# diff /etc/postfix/main.cf /etc/postfix/main.cf.org 113c113 < inet_interfaces = all --- > #inet_interfaces = all 116c116 < #inet_interfaces = localhost --- > inet_interfaces = localhost 680,686d679 < < disable_vrfy_command = yes < < smtpd_recipient_restrictions = < reject_unauth_destination < check_policy_service unix:private/policyd-spf < policyd-spf_time_limit = 3600
Restart the postfix service after making changes to master.cf and main.cf.
Examples
Before sender added the SPF record to their DNS domain:
[root@localhost ~]# telnet 192.168.99.25 25 Trying 192.168.99.25... Connected to 192.168.99.25. Escape character is '^]'. 220 mail.cp.net ESMTP Postfix HELO bigfoot.com 250 mail.cp.net MAIL FROM: raymond@bigfoot.com 250 2.1.0 Ok RCPT TO: root 250 2.1.5 Ok data 354 End data with <CR><LF>.<CR><LF> HEllo, spf okay? . 250 2.0.0 Ok: queued as DE38A10D8AEC quit 221 2.0.0 Bye Connection closed by foreign host.
After sender added the SPF record to their DNS domain and email from non-authorized host:
[root@localhost ~]# telnet 192.168.99.25 25 Trying 192.168.99.25... Connected to 192.168.99.25. Escape character is '^]'. 220 mail.cp.net ESMTP Postfix helo bigfoot.com. 250 mail.cp.net mail from: ray@bigfoot.com 250 2.1.0 Ok rcpt to: root 550 5.7.1 <root>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=ray@bigfoot.com;ip=192.168.99.1;r=root quit 221 2.0.0 Bye Connection closed by foreign host.
Email from authorized host:
[root@localhost ~]# telnet 192.168.99.25 25 Trying 192.168.99.25... Connected to 192.168.99.25. Escape character is '^]'. 220 mail.cp.net ESMTP Postfix helo bigfoot.com. 250 mail.cp.net mail from: ray@bigfoot.com 250 2.1.0 Ok rcpt to: root 250 2.1.5 Ok data 354 End data with <CR><LF>.<CR><LF> Hello, how your spf filter will pass this email. bye. . 250 2.0.0 Ok: queued as 1CEE61055143 quit 221 2.0.0 Bye Connection closed by foreign host.
messages in root's mail box
[root@mail ~]# cat /var/mail/root From raymond@bigfoot.com Tue Nov 24 12:56:07 2015 Return-Path: <raymond@bigfoot.com> X-Original-To: root Delivered-To: root@mail.cp.net Received-SPF: None (no SPF record) identity=mailfrom; client-ip=192.168.99.1; helo=bigfoot.com; envelope-from=raymond@bigfoot.com; receiver=root Received: from bigfoot.com (unknown [192.168.99.1]) by mail.cp.net (Postfix) with SMTP id DE38A10D8AEC for <root>; Tue, 24 Nov 2015 12:55:52 -0700 (MST) HEllo, spf okay? From ray@bigfoot.com Tue Nov 24 16:07:33 2015 Return-Path: <ray@bigfoot.com> X-Original-To: root Delivered-To: root@mail.cp.net Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.168.99.1; helo=bigfoot.com.; envelope-from=ray@bigfoot.com; receiver=root Received: from bigfoot.com. (mail.bigfoot.com [192.168.99.1]) by mail.cp.net (Postfix) with SMTP id 1CEE61055143 for <root>; Tue, 24 Nov 2015 16:07:06 -0700 (MST) Hello, how your spf filter will pass this email. bye.
maillog (postfix)
[root@mail log]# ls -l maillog -rw-------. 1 root root 5896 Nov 24 16:16 maillog [root@mail log]# cat maillog Nov 24 12:55:20 mail postfix/postfix-script[2283]: starting the Postfix mail system Nov 24 12:55:20 mail postfix/master[2285]: daemon started -- version 2.10.1, configuration /etc/postfix Nov 24 12:55:26 mail postfix/smtpd[2289]: connect from unknown[192.168.99.1] Nov 24 12:55:57 mail policyd-spf[2293]: None; identity=helo; client-ip=192.168.99.1; helo=bigfoot.com; envelope-from=raymond@bigfoot.com; receiver=root Nov 24 12:55:57 mail policyd-spf[2293]: None; identity=mailfrom; client-ip=192.168.99.1; helo=bigfoot.com; envelope-from=raymond@bigfoot.com; receiver=root Nov 24 12:55:57 mail postfix/smtpd[2289]: DE38A10D8AEC: client=unknown[192.168.99.1] Nov 24 12:56:07 mail postfix/cleanup[2294]: DE38A10D8AEC: message-id=<> Nov 24 12:56:07 mail postfix/qmgr[2287]: DE38A10D8AEC: from=<raymond@bigfoot.com>, size=327, nrcpt=1 (queue active) Nov 24 12:56:07 mail postfix/local[2295]: DE38A10D8AEC: to=<root@mail.cp.net>, orig_to=<root>, relay=local, delay=16, delays=16/0.04/0/0.02, dsn=2.0.0, status=sent (delivered to mailbox) Nov 24 12:56:07 mail postfix/qmgr[2287]: DE38A10D8AEC: removed Nov 24 12:56:14 mail postfix/smtpd[2289]: disconnect from unknown[192.168.99.1] Nov 24 16:04:34 mail postfix/smtpd[2843]: connect from mail.bigfoot.com[192.168.99.1] Nov 24 16:04:58 mail policyd-spf[2847]: None; identity=helo; client-ip=192.168.99.1; helo=bigfoot.com.; envelope-from=ray@bigfoot.com; receiver=root Nov 24 16:04:58 mail policyd-spf[2847]: Fail; identity=mailfrom; client-ip=192.168.99.1; helo=bigfoot.com.; envelope-from=ray@bigfoot.com; receiver=root Nov 24 16:04:58 mail postfix/smtpd[2843]: NOQUEUE: reject: RCPT from mail.bigfoot.com[192.168.99.1]: 550 5.7.1 <root>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=ray@bigfoot.com;ip=192.168.99.1;r=root; from=<ray@bigfoot.com> to=<root> proto=SMTP helo=<bigfoot.com.> Nov 24 16:06:47 mail postfix/smtpd[2843]: disconnect from mail.bigfoot.com[192.168.99.1] Nov 24 16:06:48 mail postfix/smtpd[2843]: connect from mail.bigfoot.com[192.168.99.1] Nov 24 16:07:11 mail policyd-spf[2847]: None; identity=helo; client-ip=192.168.99.1; helo=bigfoot.com.; envelope-from=ray@bigfoot.com; receiver=root Nov 24 16:07:11 mail policyd-spf[2847]: Pass; identity=mailfrom; client-ip=192.168.99.1; helo=bigfoot.com.; envelope-from=ray@bigfoot.com; receiver=root Nov 24 16:07:11 mail postfix/smtpd[2843]: 1CEE61055143: client=mail.bigfoot.com[192.168.99.1] Nov 24 16:07:33 mail postfix/cleanup[2849]: 1CEE61055143: message-id=<> Nov 24 16:07:33 mail postfix/qmgr[2287]: 1CEE61055143: from=<ray@bigfoot.com>, size=379, nrcpt=1 (queue active) Nov 24 16:07:33 mail postfix/local[2850]: 1CEE61055143: to=<root@mail.cp.net>, orig_to=<root>, relay=local, delay=27, delays=27/0.03/0/0.02, dsn=2.0.0, status=sent (delivered to mailbox) Nov 24 16:07:33 mail postfix/qmgr[2287]: 1CEE61055143: removed Nov 24 16:07:36 mail postfix/smtpd[2843]: disconnect from mail.bigfoot.com[192.168.99.1] Nov 24 16:14:54 mail postfix/smtpd[2853]: connect from pri[192.168.99.53] Nov 24 16:15:21 mail policyd-spf[2857]: None; identity=helo; client-ip=192.168.99.53; helo=bigfoot.com.; envelope-from=tommy@bigfoot.com; receiver=root Nov 24 16:15:21 mail policyd-spf[2857]: Fail; identity=mailfrom; client-ip=192.168.99.53; helo=bigfoot.com.; envelope-from=tommy@bigfoot.com; receiver=root Nov 24 16:15:21 mail postfix/smtpd[2853]: NOQUEUE: reject: RCPT from pri[192.168.99.53]: 550 5.7.1 <root>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=tommy@bigfoot.com;ip=192.168.99.53;r=root; from=<tommy@bigfoot.com> to=<root> proto=SMTP helo=<bigfoot.com.> Nov 24 16:16:03 mail postfix/smtpd[2853]: NOQUEUE: reject: RCPT from pri[192.168.99.53]: 550 5.7.1 <spr500>: Recipient address rejected: Received-SPF: Fail (SPF fail - not authorized) identity=mailfrom; client-ip=192.168.99.53; helo=bigfoot.com.; envelope-from=tommy@bigfoot.com; receiver=root ; from=<tommy@bigfoot.com> to=<spr500> proto=SMTP helo=<bigfoot.com.> Nov 24 16:16:06 mail postfix/smtpd[2853]: disconnect from pri[192.168.99.53]