In this tutorial i’ll show how to ensure and apply many feature for our mail gateway try to avoid most of the mail spam. I’ll explain all the options that we’ll setup to understand it and modify it to any scenario. For this tutorial I used a machine with Centos 6.0 with the postfix mail software and other virtual machine Debian Squeeze running bind9 for DNS request. We’ll configure SPF (sender profile framework) to check the DNS records txt for check which servers are allowed to send mails with the domains that we’ll received mails in our servers, also we’ll configure some RBL to check in real time server black list and avoid these servers.

Image

1.- Install postfix and setup to autostart service:

# yum install postfix
# chkconfig --levels 235 postfix on

2.- Edit some options for ensure our mail server and avoid a lot of spam:

# vi /etc/postfix/main.cf
myhostname = mail.mydomain.com #host name
myorigin = mydomain.com #Domain name for mail senders
mydestination = mydomain.com #Local domains
mynetworks = 127.0.0.1/32, 192.168.1.0/24 # Networks that are allowed to send
inet_interfaces = localhost, 192.168.1.200
relay_domains = hash:/etc/postfix/relay_domains #File with accepted domains
parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps #Not accept subdomains
smtpd_recipient_restrictions =
reject_unauth_destination #Deny domains that are not included in relay_domains
check_policy_service unix:private/policy #Check SPF policy
reject_unauth_pipelining
reject_unknown_sender_domain #Deny the request for the mail from address for non exist domain name
reject_unknown_recipient_domain #Deny the request for the rcpt to address for non exist domain name
reject_invalid_hostname #Deny the helo request for invalid FQDN host name
reject_non_fqdn_helo_hostname #Deny the helo request for non exist FQDN host name
reject_non_fqdn_sender #Deny the request for mail from address that don't follow a FQDN
reject_non_fqdn_recipient #Deny the request for rcpt to address that don't follow a FQDN
permit_mynetworks #Allow send mails from our network
smtpd_banner = $myhostname Microsoft ESMTP MAIL service ready
smtpd_helo_required = yes

3.- Edit the file relay_domains to add the domain names that are allowed for send mails to our server:

# vi /etc/postfix/relay_domains
mydomain.com OK

4.- Compile our relay_domains file:

# postmap /etc/postfix/relay_domains

5.- Configure SPF in our domain (192.168.1.57):

@ IN TXT "v=spf1 mx ip4:192.168.1.200/24 ~all"

6.- Configure spf in postfix:

# yum install perl-CPAN wget perl-NetAddr-IP perl-Module-Build perl-Test-Base perl-Net-DNS perl-Net-DNS-Nameserver
# perl -MCPAN -e shell
cpan[1]> install Net::DNS::Resolver::programmable
cpan[2]> install Error
cpan[3]> q
# perl -MCPAN -e "get('Mail::SPF')"
# cd /root/.cpan/sources/authors/id/J/JM/JMEHNLE/mail-spf
# tar -xzvf Mail-SPF-v2.8.0.tar.gz
# cd Mail-SPF-v2.8.0/
# perl Build.PL
# ./Build
# ./Build test
# ./Build install

7.- Download spf software and setup postfix:

# wget https://launchpad.net/postfix-policyd-spf-perl/trunk/2.009/+download/postfix-policyd-spf-perl-2.009.tar.gz
# tar -xzvf postfix-policyd-spf-perl-2.009.tar.gz
# cp postfix-policyd-spf-perl-2.009/postfix-policyd-spf-perl /usr/libexec/postfix/postfix-policyd-spf-perl
# vi /etc/postfix/master.cf
policy unix - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/libexec/postfix/policyd-spf-perl

8.- Configure database RBL (Realtime Blackhole List):

# vi /etc/postfix/main.cf
smtpd_recipient_restrictions=
...
reject_rbl_client zen.spamhaus.org
reject_rbl_client relays.ordb.org
reject_rbl_client blackholes.wirehub.net
reject_rbl_client list.dsbl.org
permit_mynetworks

8.- Add Iptables rule:

# vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

Image

9.- Restart services postfix and iptables:

# service iptables restart
# service postfix restart

Test our configuration postfix:

– forces to use ehlo to establish a connection with mail server:

Image

– Domains don’t listed in relay_domains file are not allowed to send mails with our server:

Image

– check SPF records and reject non valid mails from other servers:

Image

logs for spf:

Image

Configure an antispam gateway (part I)
Tagged on:                 

Leave a Reply

Follow

Get every new post delivered to your Inbox

Join other followers: