Postfix

8 月 29 2013

[FreeBSD] 讓 Postfix 使用 Gmail 的 SMTP server 送信

數月前,我在 Amazon EC2 開了一個跑 FreeBSD 的 Micro Instance 來 maintain ports。
我認為這台虛擬機器隨時都可以重造,所以我在 Security Groups 的設定中只幫 Inbound 綁了幾個特定的 IP,讓我可以 ssh 登入就好。
於是我就讓這台虛擬機器跑 Postfix,透過 gmail 的 SMTP server 幫我送 PR 。

目前在網路上找到的說明,大多都會提到 SSL/TLS certificate 的設定,我倒是跳過了這段,而且就目前看來是運作良好。
步驟大致如下:

  1. 用以下指令作 Postfix 的編譯設定:
    # cd /usr/ports/mail/postfix && make config

    其中 TLS 選項一定要勾。

  2. 安裝(或重新安裝) postfix。
  3. 在 /usr/local/etc/postfix/main.cf 放進以下的設定:
    relayhost = smtp.gmail.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/gmail_passwd
smtp_sasl_security_options =
smtp_use_tls = yes
  4. 編輯 /usr/local/etc/postfix/gmail_passwd ,內容大致如下(記得填上自己的 gmail 帳號與密碼):
    smtp.gmail.com:587 帳號@gmail.com:密碼
  5. 用以下指令製作 hash map:
    # postmap /usr/local/etc/postfix/gmail_passwd
  6. 啟動(或重新啟動)Postfix:
    # /usr/local/etc/rc.d/postfix restart

PS1. 以上的設定只適合單人用機,因為所有外寄的郵件都會透過同一個 gmail 位址寄出。 :p
PS2. 記得刪掉 /usr/local/etc/postfix/gmail_passwd ,或是作 chmod 。

By , 0 • Tags: , ,

8 月 16 2008

用 Postfix 擋偽造來源位址的信件

現在許多廣告信件都是亂丟,配合來源位址的偽造,可能造成主機在發信上有所阻礙。
例如這種狀況:

廣告信偽造的寄件位址是 [email protected],寄給 [email protected]。如果 example-host.com 沒有 no-this-user 這個使用者,那信件會被退到 [email protected],久而久之,example-host.com 可能會被 yahoo.com.tw 擋掉。

之前的文章 只提過 exim 上面的擋法,最近是摸出了 Postfix 的設定方式。

  1. 讓系統進行檢查,main.cf 要有這些片段:
    smtpd_restriction_classes =
        fakemail_yahoo
        fakemail_gmail
        ...
#
fakemail_yahoo = check_client_access pcre:/usr/local/etc/postfix/fake/yahoo
fakemail_gmail = check_client_access pcre:/usr/local/etc/postfix/fake/gmail
#
smtpd_sender_restrictions =
        ...,
        check_sender_access hash:/usr/local/etc/postfix/fake/CHECK,
        ...
  2. 製作規則對應檔(/usr/local/etc/postfix/fake/CHECK),內容大致如下(中間的大空格用 tab 隔開):
    yahoo.com       fakemail_yahoo
yahoo.com.tw    fakemail_yahoo
gmail.com       fakemail_gmail
...
  3. 製作規則檔(以 /usr/local/etc/postfix/fake/yahoo 為例),內容如下(中間的大空格用 tab 隔開):
    /(^|\.)yahoo\.com$/     DUNNO
/./                     REJECT Fake address
  4. 用 postmap 產生規則對應檔的 hash map,接著讓 postfix 重新讀入設定檔。

對了,如果有 MX server 的話,都得一起上,不然沒用。
跑了一段時間後,效果還真的蠻顯著的。 :-P

By 1 • Tags: , ,

12 月 19 2007

不用 anti-spam.org.cn 的 RBL 了…

剛剛發現 anti-spam.org.cn 的 CBL 把 Xuite 的 smtp server 列進去了(IP 是 210.242.46.140)。

所以在 sendmailPostfixexim 的設定中把 anti-spam.org.cn 的 RBL 拿掉了。

另外,在 exim 中,把 前一篇 post 的 ACL 擴充成以下這樣:

check_hello:

deny message = HELO/EHLO with wrong IP address.
hosts = !+relay_hosts
log_message = HELO/EHLO my.ip
condition = ${if eq {$sender_helo_name}{###.###.###.###} {yes}{no}}
deny message = HELO/EHLO with wrong IP address.
hosts = !+relay_hosts
log_message = HELO/EHLO localhost
condition = ${if match {$sender_helo_name}{localhost} {yes}{no}}
deny message = HELO/EHLO with wrong IP address.
log_message = HELO/EHLO none
condition = ${if match {$sender_helo_name}{none} {yes}{no}}
deny message = HELO/EHLO with wrong IP address.
log_message = HELO/EHLO no dot
condition = ${if match{$sender_helo_name}{\\.}{no}{yes}}
accept

check_mail:

deny message = $sender_host_address is listed in $dnslist_domain
hosts = !+relay_hosts
!authenticated = *
dnslists = bl.spamcop.net : \
sbl.spamhaus.org : \
list.dsbl.org
deny message = Invalid mail-from envelope header
hosts = !+relay_hosts
!authenticated = *
log_message = Invalid mail-from envelope header
condition = ${if match {$sender_address} {\\.} {no}{yes}}
deny message = Fake mail address.
hosts = !+relay_hosts
!authenticated = *
log_message = Fake Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
deny message = Fake mail address.
hosts = !+relay_hosts
!authenticated = *
log_message = Fake Yahoo
senders = *@yahoo.com.tw
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
deny message = Fake mail address.
hosts = !+relay_hosts
!authenticated = *
log_message = Fake hotmail
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}
deny message = Fake mail address.
hosts = !+relay_hosts
!authenticated = *
log_message = Fake MSN
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}
deny message = Fake mail address.
hosts = !+relay_hosts
!authenticated = *
log_message = Fake AOL
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Nmx.aol.com$\N}{no}{yes}}
deny message = Fake mail address.
hosts = !+relay_hosts
!authenticated = *
log_message = Fake Gmail
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\Ngoogle.com$\N}{no}{yes}}
deny message = Fake mail address.
hosts = !+relay_hosts
!authenticated = *
log_message = Fake Hinet
senders = *@hinet.net
condition = ${if match {$sender_host_name}{\Nhinet.net$\N}{no}{yes}}
deny message = Fake mail address.
hosts = !+relay_hosts
!authenticated = *
log_message = Fake Hinet
senders = *@msa.hinet.net
condition = ${if match {$sender_host_name}{\Nhinet.net$\N}{no}{yes}}
deny message = Fake mail address.
hosts = !+relay_hosts
!authenticated = *
log_message = Fake Hinet
senders = *@umail.hinet.net
condition = ${if match {$sender_host_name}{\Nhinet.net$\N}{no}{yes}}
deny message = Fake mail address.
hosts = !+relay_hosts
!authenticated = *
log_message = Fake Hinet
senders = *@cm1.hinet.net
condition = ${if match {$sender_host_name}{\Nhinet.net$\N}{no}{yes}}
deny message = Fake mail address.
hosts = !+relay_hosts
!authenticated = *
log_message = Fake Xuite
senders = *@xuite.net
condition = ${if match {$sender_host_name}{\Nxuite.net$\N}{no}{yes}}
accept

check_data:

deny message = Message SHOULD have Message-ID.
hosts = !+relay_hosts
!authenticated = *
log_message = No Message-ID
condition = ${if !def:h_Message-ID: {1}}
deny message = Message SHOULD have Date.
hosts = !+relay_hosts
!authenticated = *
log_message = No Date
condition = ${if !def:h_Date: {1}}
accept

話說… 前一篇 post 的 ACL 加上去之後, reject log 的檔案大小爆跳成原本的三倍多。 XD

By 0 • Tags: , , , ,

12 月 12 2007

anti-spam.org.cn 的 RBL

上一篇文章 中,可以看到我習慣用的 DNSBL 列表:

reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client cblless.anti-spam.org.cn,

sendmail 中,我是用這些設定:

FEATURE(`dnsbl”, `bl.spamcop.net”, `”550 Spam blocked, see: http://spamcop.net/bl.shtml?”$&{client_addr}”)dnl
FEATURE(`dnsbl”, `sbl.spamhaus.org”, `”550 Spam blocked, see: http://www.spamhaus.org/query/bl?ip=”$&{client_addr}”)dnl
FEATURE(`dnsbl”, `list.dsbl.org”, `”550 Spam blocked, see: http://dsbl.org/listing?”$&{client_addr}”)dnl
FEATURE(`dnsbl”, `cblless.anti-spam.org.cn”, `”550 Spam blocked, see: http://anti-spam.org.cn/services/rblquery.php?IP=”$&{client_addr}”)dnl

剛剛收到一封信件,說 Hinet 的信箱被擋了。
查詢 mailog 之後看到這些:

Dec 12 15:27:45 #### sm-mta[56538]: lBC7RiVG056538: ruleset=check_rcpt, arg1=< ####@####.####>, relay=msr14.hinet.net [168.95.4.114], reject=550 5.7.1 < ####@####.####>… Spam blocked, see: http://anti-spam.org.cn/services/rblquery.php?IP=168.95.4.114

Dec 12 10:26:55 #### sm-mta[42224]: ruleset=check_relay, arg1=msr28.hinet.net, arg2=127.0.8.5, relay=msr28.hinet.net [168.95.4.128], reject=550 5.7.1 Spam blocked, see: http://anti-spam.org.cn/services/rblquery.php?IP=168.95.4.128

anti-spam.org.cn 有以下這幾種名單:

  • CBL(中國垃圾郵件黑名單):主要面向中國國內的垃圾郵件情況,所甄選的黑名單地址也以中國境內的垃圾郵件回應情況為主。
  • CDL(中國動態地址列表):中國國內與台灣省的動態分配的地址。
  • BML(大型郵件運營商列表)
  • TML(可信郵件伺服器地址)

可供應用的黑名單有這些(這些黑名單都已經把 BML 剔除了):

  • CBL
  • CDL
  • CBL+:內容是 CBL 加上 CDL。
  • CBL-:內容是 CBL 加上 CDL,再減去 TML。

其中,CBL- 就是這篇文章上面的設定用到的。

anti-spam.org.cn 的首頁 中,把 Hinet 的這兩台 mail server 丟進去作黑名單查詢,可以發現,這兩台 mail server 被誤判,放進 CDL 名單。

我覺得, Hinet 的 mail server 應該被放進 BML ,不過 anti-spam.org.cn 並沒有這樣作。
目前,因應 Hinet 的 mail server 還存在於 CDL 中,我們大概只能委屈一點,單純地使用 CBL 名單了。

所以,剛剛把 Postfix 的設定調成這樣:

reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client cbl.anti-spam.org.cn,

sendmail 則是用這些:

FEATURE(`dnsbl”, `bl.spamcop.net”, `”550 Spam blocked, see: http://spamcop.net/bl.shtml?”$&{client_addr}”)dnl
FEATURE(`dnsbl”, `sbl.spamhaus.org”, `”550 Spam blocked, see: http://www.spamhaus.org/query/bl?ip=”$&{client_addr}”)dnl
FEATURE(`dnsbl”, `list.dsbl.org”, `”550 Spam blocked, see: http://dsbl.org/listing?”$&{client_addr}”)dnl
FEATURE(`dnsbl”, `cbl.anti-spam.org.cn”, `”550 Spam blocked, see: http://anti-spam.org.cn/”)dnl

話說,有沒有哪位大大用過其他的 DNSBL ,覺得還不錯的呀?
麻煩推薦一下吧~

By 0 • Tags: , , ,