Postfix IPv6 + SPF (sender policy framework)

Even though spammers may not have thought of forging my email yet, I'm publishing an SPF TXT record in DNS.

# dig txt ipv6.kutukupret.com +short
"v=spf1 ip6:2001:470:19:13c::2 -all"

I don't even know who's going to validate my SPF record anyway :D But for the sake of my curiosity, I'm continuing to develop SPF on my IPv6 Postfix SMTP. First I need to publish the SPF TXT record:

ipv6.kutukupret.com.    86400   IN      TXT     "v=spf1 ip6:2001:470:19:13c::2 -all"

For the scanner, I'm using postfix-policyd-spf-perl, which can be downloaded at http://www.openspf.org/Software

The following Perl version and packages are required for running postfix-policyd-spf-perl:

- Perl 5.6
- NetAddr-IP 4
- Mail-SPF (not Mail-SPF-Query)
- perl-Net-DNS >= 0.65
- perl-Net-IP >= 1.25

Test the postfix-policyd-spf-perl script; just make sure it works with an IPv6 address.

# ./postfix-policyd-spf-perl
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=mx.ipv6.kutukupret.com
queue_id=
instance=71b0.45e2f5f1.d4da1.0
sender=henet@ipv6.kutukupret.com
recipient=hari.h@ipv6.kutukupret.com
client_address=2001:470:19:13c::2
client_name=another.domain.tld

action=PREPEND Received-SPF: pass (ipv6.kutukupret.com: 2001:470:19:13c::2 is authorized to use 'henet@ipv6.kutukupret.com' in 'mfrom' identity (mechanism 'ip6:2001:470:19:13C::2' matched)) receiver=unknown; identity=mailfrom; envelope-from="henet@ipv6.kutukupret.com"; helo=mx.ipv6.kutukupret.com; client-ip="2001:470:19:13c::2"

As we can see, if I send from my IP/client_address, which is published in DNS, it passes. Do it again with a different IP/client_address:

# ./postfix-policyd-spf-perl
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=mx.ipv6.kutukupret.com
queue_id=
instance=71b0.45e2f5f1.d4da1.0
sender=henet@ipv6.kutukupret.com
recipient=hari.h@ipv6.kutukupret.com
client_address=2001:4860:c004::68
client_name=another.domain.tld

action=550 Please see http://www.openspf.org/Why?s=mfrom;id=henet%40ipv6.kutukupret.com;ip=2001%3A4860%3Ac004%3A%3A68;r=unknown

Rejected! 2001:4860:c004::68 is not me.
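The two test runs above, reduced to the address comparison, as an added example (not code from postfix-policyd-spf-perl or from the original post). It parses the policy request attributes and evaluates only the ip4/ip6/all terms of the published record, with no DNS lookups; the function names are hypothetical and the sample request is constructed from the sessions above.

```python
import ipaddress

# Record published on the page; the request is constructed from its test sessions.
SPF_RECORD = "v=spf1 ip6:2001:470:19:13c::2 -all"
REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
           "sender=henet@ipv6.kutukupret.com\nclient_address={}\n\n")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_policy_request(text):
    """Read name=value attributes up to the blank line that ends a request."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def evaluate_ip_terms(record, client_address):
    """Evaluate ip4/ip6/all terms left to right; return (result, matched term)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None
    client = ipaddress.ip_address(client_address)
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier], term
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError("term needs DNS, not handled here: " + term)
        # Compare parsed addresses, so case and zero-compression do not matter.
        network = ipaddress.ip_network(arg, strict=False)
        if client.version == network.version and client in network:
            return QUALIFIERS[qualifier], term
    return "neutral", None  # no term matched and no "all" present

def spf_for_request(request_text, record=SPF_RECORD):
    """Result for the client_address attribute of one policy request."""
    attrs = parse_policy_request(request_text)
    return evaluate_ip_terms(record, attrs["client_address"])

if __name__ == "__main__":
    for ip in ("2001:470:19:13c::2", "2001:0470:0019:013C::0002", "2001:4860:c004::68"):
        print(ip, spf_for_request(REQUEST.format(ip)))
```

The second address is the authorized host written with leading zeros and an uppercase digit, which still passes because the comparison is done on parsed addresses rather than on strings.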
Installing

1. Copy postfix-policyd-spf-perl to /usr/local/bin/policyd-spf-perl
2. Add the following to /etc/postfix/master.cf:

        policy  unix  -       n       n       -       0       spawn
            user=nobody argv=/usr/local/bin/policyd-spf-perl

3. Configure the Postfix policy service in /etc/postfix/main.cf:

        smtpd_recipient_restrictions =
            ...
            reject_unauth_destination
            check_policy_service unix:private/policy
            ...

NOTES: Specify check_policy_service AFTER reject_unauth_destination or else your system can become an open relay. The user ‘nobody’ is used in this example. This is appropriate if you do not have any other services running as nobody. If you do, create a dedicated user for this service and use it instead.

4. Add "policy_time_limit = 3600" to main.cf
5. Restart Postfix.

Example SPF log:

Aug  8 15:31:19 fire sqlgrey: perf: spent 0s cleaning: from_awl (0) domain_awl (0) connect (0)
Aug  8 15:31:19 fire sqlgrey: grey: domain awl match: updating 4f8(2001:4f8:3:7:2e0:81ff:fe52:9ab6), netbsd.org
Aug  8 15:31:20 fire postfix/policy-spf[25069]: : SPF none (No applicable sender policy available): Envelope-from: bounces-netbsd-users-owner-hari.h=ipv6.kutukupret.com@NetBSD.org
Aug  8 15:31:20 fire postfix/policy-spf[25069]: handler sender_policy_framework: is decisive.
Aug  8 15:31:20 fire postfix/policy-spf[25069]: : Policy action=PREPEND Received-SPF: none (netbsd.org: No applicable sender policy available) receiver=unknown; identity=mailfrom; envelope-from="bounces-netbsd-users-owner-hari.h=ipv6.kutukupret.com@NetBSD.org"; helo=mail.netbsd.org; client-ip="2001:4f8:3:7:2e0:81ff:fe52:9ab6"

netbsd.org is not publishing an SPF record.


One Response to “Postfix IPv6 + SPF (sender policy framework)”

  1. This helped me to accomplish my project with ease :P
