Author Topic: SPF check  (Read 5299 times)

Marcus

  • Forum Moderator
  • Zen Samurai
  • *****
  • Posts: 395
  • Karma: +12/-0
    • View Profile
    • Professional IT Service
SPF check
« on: October 04, 2011, 03:52:52 pm »
Hello,

Tested on Zentyal 2.0

In order to improve mail filtering and help discarding spam right when received, we need to add a SPF check.

How to add this filter:

Zentyal 2.2 note
If the files aren't existing yet in the /etc/zentyal/mail folder:
Code: (2.2) [Select]
sudo mkdir /etc/zentyal/mail && sudo cp /usr/share/zentyal/stubs/mail/main.cf.mas /etc/zentyal/stubs/mail/main.cf.mas
Zentyal 2.0 note
If the files aren't existing yet in the /etc/ebox/mail folder:
Code: (2.0) [Select]
sudo mkdir /etc/ebox/mail && sudo cp /usr/share/ebox/stubs/mail/main.cf.mas /etc/ebox/stubs/mail/main.cf.mas
1) Log to your server using a terminal

2) Add the SPF check (in Python)
Code: (all) [Select]
sudo apt-get install postfix-policyd-spf-python
3) Modify the rules to the Postfix main configuration file and replace the default SMTP restriction:
Code: (2.2) [Select]
sudo nano /etc/zentyal/stubs/mail/main.cf.mas
Code: (2.0) [Select]
sudo nano /etc/ebox/stubs/mail/main.cf.mas
Rules to add to the "smtpd_recipient_restrictions":
Code: (all) [Select]
, check_policy_service unix:private/policy-spf
And, right under it:
Code: (all) [Select]
# SPF
spf-policyd_time_limit = 3600s

e.g. once both rules added to the configuration:
Code: (all) [Select]
# Mail filter
smtpd_recipient_restrictions = <% $smtpRecipientRestrictions %>, check_policy_service unix:private/policy-spf

# SPF
spf-policyd_time_limit = 3600s

~~~~~~~~~~~~~~~~~~~~~~~~~~~
Side note;
While beeing there, you may add to this a RBL by adding this line following the smtpd_recipient_restrictions modification previously done:
Code: (all) [Select]
, reject_rbl_client zen.spamhaus.org
So that it looks like:
Code: [Select]
smtpd_recipient_restrictions = <% $smtpRecipientRestrictions %>, check_policy_service unix:private/policy-spf, reject_rbl_client zen.spamhaus.org~~~~~~~~~~~~~~~~~~~~~~~~~~~

4) Modify the SPF rule to the Postfix's master configuration file:
Code: (2.2) [Select]
sudo nano /etc/zentyal/stubs/mail/master.cf.mas
Code: (2.0) [Select]
sudo nano /etc/ebox/stubs/mail/master.cf.mas
Code: (all) [Select]
# SPF Policy
policy-spf  unix  -       n       n       -       -       spawn
     user=nobody argv=/usr/bin/policyd-spf


5) Restart Zentyal mail service using this command line (or through the GUI by clicking "Restart" at the right of "Mail" on the dashboard)
Code: [Select]
sudo /etc/init.d/ebox mail restart
**You may verify your work by typing this command:
Code: (all) [Select]
tail -f /var/log/mail.log
The SPF should show up in it.  You may also make sure that you didn't messed up anything by sending yourself an email from GMail.  Once again, it should show up in the logs.

e.g. (with bogus emails)
Oct  4 08:37:30 mtl policyd-spf[29529]: None; identity=helo; client-ip=209.85.160.175; helo=mail-gy0-f175.google.com; envelope-from=marcus@gmail.com; receiver=email@exemple.com
Oct  4 08:37:30 mtl policyd-spf[29529]: Pass; identity=mailfrom; client-ip=209.85.160.175; helo=mail-gy0-f175.google.com; envelope-from=marcus@gmail.com; receiver=email@exemple.com


Something else that will be visible is the SPF check in your email headers.

e.g.
email received from GMail
Received-spf: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.85.160.175; helo=mail-gy0-f175.google.com;

Best,

Marcus
« Last Edit: March 09, 2012, 09:25:32 pm by Marcus »