SPF, Postgrey, Greylist di Postfix

Implementasi SPF filter.
Anton Rahmadi @23 Januari 2009
versi 1.2 GPL

Bagian II -- Sender Policy Framework
Open.ch, OpenSPF.org, IETF proposed standard
(catatan Postfix harus versi > 2.3.x)

1a. Instalasi program-program PERL yang dibutuhkan greylist (Perl > 5.8.9)
perl -MCPAN -e'CPAN::Shell->install("DB_File")'
perl -MCPAN -e'CPAN::Shell->install("Sys::Syslog")'
perl -MCPAN -e'CPAN::Shell->install("Fcntl")'


1b. Instalasi program-program PERL yang dibutuhkan policyd
perl -MCPAN -e'CPAN::Shell->install("Mail::SPF")'


1c. Instalasi program-program PERL yang dibutukan Postgrey (Berkeley DB (Library) >= 4.1)
perl -MCPAN -e'CPAN::Shell->install("Net::Server")'
perl -MCPAN -e'CPAN::Shell->install("IO:Multiplex")'
perl -MCPAN -e'CPAN::Shell->install("BerkeleyDB")'
perl -MCPAN -e'CPAN::Shell->install("Sys::Hostname")'
perl -MCPAN -e'CPAN::Shell->install("POD:Usage")'
perl -MCPAN -e'CPAN::Shell->install("Getopt::Long")'
perl -MCPAN -e'CPAN::Shell->install("Net::Server::Multiplex")'
perl -MCPAN -e'CPAN::Shell->install("POSIX")'


2a.1. Instalasi greylist (last update: 22Jan2009)
cd /usr/local/src/postfix-2.4.${sub.minor.version}
cp examples/smtpd-policy/greylist.pl /etc/postfix/greylist.pl
chmod 755 /etc/postfix/greylist.pl


2a.2. Setup database greylist.db
mkdir /var/mta
touch /var/mta/greylist.db
chown -R nobody.nogroup /var/mta


2b. Instalasi policyd 2.007 (last update: 21Jan2009)
cd /usr/local/src
wget -c http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz
tar -xzvf postfix-policyd-spf-perl-2.007.tar.gz
cd postfix-policyd-spf-perl-2.007
cp postfix-policyd-spf-perl /usr/local/lib/policyd-spf-perl
chmod 755 /usr/local/lib/policyd-spf-perl


2c. Instalasi postgrey 1.32 (last update: 23Jan2009)
cd /usr/local/src
wget -c http://postgrey.schweikert.ch/pub/postgrey-1.32.tar.gz
tar -xzvf postgrey-1.32.tar.gz
cd postgrey-1.32
cp postgrey /etc/postfix/
cp policy-test /etc/postfix/
cp postgrey_whitelist_recipients /etc/postfix/
cp postgrey_whitelist_clients /etc/postfix/
chmod 755 /etc/postfix/postgrey


3. backup master.cf dan main.cf
cd /etc/postfix
cp master.cf master.cf.nonspf
cp main.cf main.cf.nonspf


4. tambahkan policyd di master.cf

cd /etc/postfix
vi master.cf

---------------------tambahan isi master.cf----------------------
# begin ---- policyd implementation, ARahmadi @20Jan2009

#postgrey
postgrey unix - n n - - spawn
user=nobody argv=/usr/bin/perl /etc/postfix/postgrey

#internal spfpolicy
greylist unix - n n - - spawn
user=nobody argv=/usr/bin/perl /etc/postfix/greylist.pl
#policyd
127.0.0.1:9998 inet - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/local/lib/policyd-spf-perl
# end ---- policyd implementation
[Esc][Shift-ZZ]
---------------------tambahan isi master.cf----------------------


5. Reload postfix
postfix reload


6. Melihat keaktifan domain key
netstat -plan | grep tcpd
tcp 0 0 127.0.0.1:9998 0.0.0.0:* LISTEN 30205/master


7a. ubah konfigurasi di main.cf
cd /etc/postfix
vi main.cf

---------------------perubahan isi main.cf----------------------
127.0.0.1:9998_time_limit = 3600
postgrey_time_limit =3600
greylist_time_limit =3600
restriction_classes = greylist
greylist = check_policy_service unix:private/policy

smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unverified_recipient,
reject_unverified_sender,
reject_invalid_hostname,
reject_multi_recipient_bounce,
reject_unauth_destination,
#---postgrey
check_policy_service unix:private/postgrey,
#---internal spfpolicy
check_policy_service unix:private/greylist,
#---policyd/spf
check_policy_service inet:127.0.0.1:9998,
permit
[Esc][Shift-ZZ]
---------------------perubahan isi main.cf----------------------


7b. Menambahkan policy di sender_access
cd /etc/postfix
vi sender_access

------------------perubahan isi sender_access-------------------
yahoo.com greylist
ymail.com greylist
rocketmail.com greylist
aol.com greylist
hotmail.com greylist
bigfoot.com greylist
gmail.com greylist
[Esc][Shift-ZZ]
------------------perubahan isi sender_access-------------------
postmap /etc/postfix/sender_access


8. Reload postfix
postfix reload


9. Coba mengirim email dan amati lognya


10. Apabila gagal, edit kembali main.cf, berikan tanda # didepan check_policy_service inet:127.0.0.1:9998 dst
cd /etc/postfix
vi main.cf

---------------------perubahan isi main.cf----------------------
smtpd_recipient_restrictions =
...
reject_unauth_destination,
#---postgrey
check_policy_service unix:private/postgrey,
#---internal spfpolicy
#check_policy_service unix:private/greylist,
#---policyd/spf
#check_policy_service inet:127.0.0.1:9998,
...
[Esc][Shift-ZZ]
---------------------perubahan isi main.cf----------------------


11. Reload postfix
postfix reload


12. Ulangi langkah-langkah di atas, sampe kesalahannya ditemukan.


13. Edit entri di DNS server / Hosting
namadomain.ac.id. TXT "v=spf1 a mx ptr ~all"
subdomain.namadomain.ac.id. TXT "v=spf1 a mx ptr ~all"

Comments

Post a Comment

Popular posts from this blog

Xeon LGA 771 di mobo LGA 775

Image
Bermula dari jebolnya komputer pribadi yang digunakan untuk layanan e-learning dan repositori abstrak skripsi bagi institusi tempat kami mengabdi, petualangan menyambung nyawa komputer tua dimulai. Spike  listrik adalah biang utama rusaknya perangkat ini. Ya, sebaiknya perangkat elektronik perlu pelindung dari lonjakan listrik sekedipan mata yang mematikan. Komponen yang menjadi almarhum akibat spike  kali ini adalah VGA card dan tombol reset (kok bisa, ya?).  VGA card Radeon X1300 128 MB Komputer ini sudah cukup tua usianya, sekitar 9 tahun. Motherboard-nya Intel DG31PR dengan prosesor Intel Core 2 Duo E7500 , memori DDR 2 3 GB dan harddisk SATA 500 GB 7200 RPM.  Sistem operasi yang digunakan adalah Slackware Linux  versi 13.37. Kinerja komputer ini sebagai server e-learning untuk kategori dosen jelata macam kami sudah cukup memuaskan. Sekitar 80 orang pengguna dapat dilayani secara simultan, walau bottleneck -nya tentu saja di hard-disk dan wifi seputar ruang lab. 
Read more

Writing and reading float using Arduino EEPROM

This post is just for a personal reminder after reading discussions from elsewhere about storing and reading float values to/from EEPROM with Arduino. Scenario Writing negative float to EEPROM can be tricky, since EEPROM only recognises up to 8-bit values (see Tronixstuff  explanation ), therefore it requires an additional algorithm to make it able to store negative and float.  the scheme is to use four bits of the ATmega328's EEPROM to store numerical parts of a float value. The function involved is union . //union  value typedef union{   float flt;   byte array[4]; } FloatConverter; The code You may grab the code here
Read more

LM35 Incubator with LCD 16x2 on Arduino

Image
Past articles: NTC thermistor incubator (part 1): connecting triple thermistor NTC thermistor incubator (part 2): multi-buttons input for single Analog pin   Introducing CodeBender Today I found a great code sharing website called codebender  that allows me to use Arduino in any computer since it has online IDE with crossplatform browser plugin to upload to Arduino system. Remember, Arduino is an Open Source Hardware project, I encourage people to share as much as we learn from others too. Sharing knowledge is awesome! Since everything is online and pretty straight forward, I will try to explain my project as simple as possible. The Aim My aim is still to produce an incubator, but today the specification will be: Internal LM35 temperature sensor that will be placed inside the incubator External LM35 temperature sensor that will monitor ambient/room temperature Peltier element that will be connected through a relay module Displaying internal (current temp, CT), e
Read more