The Sender Policy Framework (SPF) lets a receiving mail server check that the server an email originates from is allowed to send mail for the sender's domain.
In the past it was quite easy to spoof an email sender domain (for example email@example.com). Since this was a huge problem for companies and for internet communication as a whole, SPF was introduced. SPF ensures that only the servers listed for a domain are qualified and allowed to send email for that domain. This makes it much harder for an attacker to spoof your company's email address to send "faked" information to other people.
Implementing SPF is quite easy and does not cost a single cent. It consists of a DNS lookup (done by your system to verify that a sending server is approved by the sender's domain) and a DNS record on your domain, which tells other people which server(s) you trust to send email for you.
Sounds easy? It is!
This HOW-TO gives you step by step instructions on how to enable SPF for your email system and your domains.
Part 1: enable SPF checking on your Postfix system so it no longer accepts spam from forged domains
Part 2: secure your domain(s) so an attacker can no longer abuse them for spoofed emails
Further reading on SPF can be found here: www.openspf.org/Introduction
Part #1 – SPF – verify incoming email on your mailserver (postfix)
To ensure your mailserver does not get hit by emails from forged domains, SPF checking is what you want to enable.
This does NOT protect your domains from being spoofed by a foreign server; this part only stops your server from accepting spam from forged domains.
Install the SPF checker for Postfix:
apt-get install postfix-policyd-spf-python
Edit your /etc/postfix/master.cf and add the policy service:
policyd-spf unix - n n - 0 spawn user=policyd-spf argv=/usr/bin/policyd-spf
Edit your /etc/postfix/main.cf and add the time limit and the policy check to your recipient restrictions:
policyd-spf_time_limit = 3600

smtpd_recipient_restrictions =
    ...
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf,
    ...
Make sure you put the check_policy_service unix:private/policyd-spf entry after reject_unauth_destination, so you do not become an open relay to the world.
Finally, do not forget to reload / restart Postfix.
If you find the following in the headers of received emails, your SPF check is working properly:
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=18.104.22.168; helo=mail-qt0-f181.google.com; firstname.lastname@example.org; email@example.com
Step 6 (optional)
Instead of rejecting senders with a failing SPF check (the default behaviour), you can let policyd-spf just tag them for SpamAssassin.
Edit /etc/postfix-policyd-spf-python/policyd-spf.conf and set:
HELO_reject = False
Mail_From_reject = False
This accepts emails with a failing SPF check, but SpamAssassin will mark them as spam afterwards.
(all steps have been tested on Debian 8 jessie)
Part #2 – Protect your own domain(s) with SPF records
Protecting your domain(s) with SPF
Create a TXT record for your domain. The simplest way to achieve that would be as follows:
v=spf1 mx -all
This line as a TXT record means that all servers listed as MX records for your domain are allowed to send mail (mx) and all other servers are rejected (-all).
Another example could be the following:
v=spf1 mx a:mail.miyw.de -all
This line allows all MX hosts as well as the additional host (a:mail.miyw.de) to send email; once again all other servers are rejected (-all).
The whole SPF record syntax is explained here: www.openspf.org/SPF_Record_Syntax
One more cool thing is this little site, an SPF record generator.
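To make the left-to-right evaluation of such a record concrete, here is a small SPF evaluator added for this post (it is not the author's code and not the policyd-spf implementation). It resolves names against a constructed in-memory DNS table, so the IPs behind miyw.de and the whole example.test domain are made up; redirect= modifiers, CIDR suffixes on a/mx and the 10-lookup limit are left out.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline. The miyw.de record
# mirrors the post's second example; every IP and example.test are invented.
DNS = {
    "miyw.de":      {"MX": ["mx1.miyw.de"], "TXT": ["v=spf1 mx a:mail.miyw.de -all"]},
    "mx1.miyw.de":  {"A": ["192.0.2.10"]},
    "mail.miyw.de": {"A": ["192.0.2.20"]},
    "example.test": {"TXT": ["v=spf1 ip4:203.0.113.0/24 include:miyw.de ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def host_ips(domain, via_mx):
    """IPs of `domain` itself (mechanism a) or of its MX hosts (mechanism mx)."""
    names = lookup(domain, "MX") if via_mx else [domain]
    return [ip for name in names for ip in lookup(name, "A")]


def check_spf(domain, client_ip):
    """Return (result, reason) for a client_ip sending MAIL FROM <...@domain>.

    Mechanisms are tested left to right; the first one that matches decides,
    and its qualifier (+ - ~ ?) becomes the result. A record ending in -all
    therefore rejects every host not named before it.
    """
    records = [t for t in lookup(domain, "TXT") if t.split(" ")[0] == "v=spf1"]
    if not records:
        return ("none", "no v=spf1 record")
    if len(records) > 1:
        return ("permerror", "multiple v=spf1 records")
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                      # no prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism == "ip4":
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism in ("a", "mx"):       # "a"/"mx" alone refer to the domain itself
            matched = str(ip) in host_ips(argument or domain, mechanism == "mx")
        elif mechanism == "include":         # include only matches on a "pass"
            matched = check_spf(argument, client_ip)[0] == "pass"
        else:
            return ("permerror", f"unsupported term {term}")
        if matched:
            return (QUALIFIERS[qualifier], f"matched {qualifier}{term}")
    return ("neutral", "no mechanism matched")
```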
TEST, double test and yes, triple test your settings!
Send emails from the domain you just protected with SPF to a whole bunch of mail servers.
As a test we sent an email from our domain (firstname.lastname@example.org) to a Gmail account and got the following line in our header:
spf=pass (google.com: domain of email@example.com designates 22.214.171.124 as permitted sender) firstname.lastname@example.org
Any questions? Go ahead and write us!
A good read ahead: https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/