SPF, Postgrey, Greylist di Postfix

Implementasi SPF filter.
Anton Rahmadi @23 Januari 2009
versi 1.2 GPL

Bagian II -- Sender Policy Framework

Open.ch, OpenSPF.org, IETF proposed standard
(catatan Postfix harus versi > 2.3.x)

1a. Instalasi program-program PERL yang dibutuhkan greylist (Perl > 5.8.9)
perl -MCPAN -e'CPAN::Shell->install("DB_File")'
perl -MCPAN -e'CPAN::Shell->install("Sys::Syslog")'
perl -MCPAN -e'CPAN::Shell->install("Fcntl")'


1b. Instalasi program-program PERL yang dibutuhkan policyd
perl -MCPAN -e'CPAN::Shell->install("Mail::SPF")'


1c. Instalasi program-program PERL yang dibutukan Postgrey (Berkeley DB (Library) >= 4.1)
perl -MCPAN -e'CPAN::Shell->install("Net::Server")'
perl -MCPAN -e'CPAN::Shell->install("IO:Multiplex")'
perl -MCPAN -e'CPAN::Shell->install("BerkeleyDB")'
perl -MCPAN -e'CPAN::Shell->install("Sys::Hostname")'
perl -MCPAN -e'CPAN::Shell->install("POD:Usage")'
perl -MCPAN -e'CPAN::Shell->install("Getopt::Long")'
perl -MCPAN -e'CPAN::Shell->install("Net::Server::Multiplex")'
perl -MCPAN -e'CPAN::Shell->install("POSIX")'


2a.1. Instalasi greylist (last update: 22Jan2009)
cd /usr/local/src/postfix-2.4.${sub.minor.version}
cp examples/smtpd-policy/greylist.pl /etc/postfix/greylist.pl
chmod 755 /etc/postfix/greylist.pl


2a.2. Setup database greylist.db
mkdir /var/mta
touch /var/mta/greylist.db
chown -R nobody.nogroup /var/mta


2b. Instalasi policyd 2.007 (last update: 21Jan2009)
cd /usr/local/src
wget -c http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz
tar -xzvf postfix-policyd-spf-perl-2.007.tar.gz
cd postfix-policyd-spf-perl-2.007
cp postfix-policyd-spf-perl /usr/local/lib/policyd-spf-perl
chmod 755 /usr/local/lib/policyd-spf-perl


2c. Instalasi postgrey 1.32 (last update: 23Jan2009)
cd /usr/local/src
wget -c http://postgrey.schweikert.ch/pub/postgrey-1.32.tar.gz
tar -xzvf postgrey-1.32.tar.gz
cd postgrey-1.32
cp postgrey /etc/postfix/
cp policy-test /etc/postfix/
cp postgrey_whitelist_recipients /etc/postfix/
cp postgrey_whitelist_clients /etc/postfix/
chmod 755 /etc/postfix/postgrey


3. backup master.cf dan main.cf
cd /etc/postfix
cp master.cf master.cf.nonspf
cp main.cf main.cf.nonspf


4. tambahkan policyd di master.cf

cd /etc/postfix
vi master.cf

---------------------tambahan isi master.cf----------------------
# begin ---- policyd implementation, ARahmadi @20Jan2009

#postgrey
postgrey unix - n n - - spawn
user=nobody argv=/usr/bin/perl /etc/postfix/postgrey

#internal spfpolicy
greylist unix - n n - - spawn
user=nobody argv=/usr/bin/perl /etc/postfix/greylist.pl
#policyd
127.0.0.1:9998 inet - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/local/lib/policyd-spf-perl
# end ---- policyd implementation
[Esc][Shift-ZZ]
---------------------tambahan isi master.cf----------------------


5. Reload postfix
postfix reload


6. Melihat keaktifan domain key
netstat -plan | grep tcpd
tcp 0 0 127.0.0.1:9998 0.0.0.0:* LISTEN 30205/master


7a. ubah konfigurasi di main.cf
cd /etc/postfix
vi main.cf

---------------------perubahan isi main.cf----------------------
127.0.0.1:9998_time_limit = 3600
postgrey_time_limit =3600
greylist_time_limit =3600
restriction_classes = greylist
greylist = check_policy_service unix:private/policy

smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unverified_recipient,
reject_unverified_sender,
reject_invalid_hostname,
reject_multi_recipient_bounce,
reject_unauth_destination,
#---postgrey
check_policy_service unix:private/postgrey,
#---internal spfpolicy
check_policy_service unix:private/greylist,
#---policyd/spf
check_policy_service inet:127.0.0.1:9998,
permit
[Esc][Shift-ZZ]
---------------------perubahan isi main.cf----------------------


7b. Menambahkan policy di sender_access
cd /etc/postfix
vi sender_access

------------------perubahan isi sender_access-------------------
yahoo.com greylist
ymail.com greylist
rocketmail.com greylist
aol.com greylist
hotmail.com greylist
bigfoot.com greylist
gmail.com greylist
[Esc][Shift-ZZ]
------------------perubahan isi sender_access-------------------
postmap /etc/postfix/sender_access


8. Reload postfix
postfix reload


9. Coba mengirim email dan amati lognya


10. Apabila gagal, edit kembali main.cf, berikan tanda # didepan check_policy_service inet:127.0.0.1:9998 dst
cd /etc/postfix
vi main.cf

---------------------perubahan isi main.cf----------------------
smtpd_recipient_restrictions =
...
reject_unauth_destination,
#---postgrey
check_policy_service unix:private/postgrey,
#---internal spfpolicy
#check_policy_service unix:private/greylist,
#---policyd/spf
#check_policy_service inet:127.0.0.1:9998,
...
[Esc][Shift-ZZ]
---------------------perubahan isi main.cf----------------------


11. Reload postfix
postfix reload


12. Ulangi langkah-langkah di atas, sampe kesalahannya ditemukan.


13. Edit entri di DNS server / Hosting
namadomain.ac.id. TXT "v=spf1 a mx ptr ~all"
subdomain.namadomain.ac.id. TXT "v=spf1 a mx ptr ~all"

Comments

Popular posts from this blog

Merakit Destilator Bioetanol Sederhana (1)

DHT11 incubator with I2C LCD (part 1)

LM35 Incubator with LCD 16x2 on Arduino