海运的博客

之前有介绍Postfix服务器在转发授权用户邮件时防止发件人伪造，如果在接收邮件时怎么确认收到的邮件发件人是真实的呢？这个就要靠SPF的帮忙了。
当服务器接收到邮件时会检查域名的SPF记录与客户端IP是否匹配，如匹配就被认为是真实的邮件，不匹配就被认为是假冒的邮件，当然如果对方域名未做SPF记录会被误报。
安装postfix-policyd-spf-perl用以检查域SPF记录并匹配：

#https://www.haiyun.me
yum install perl-Mail-SPF perl-Sys-Hostname-Long
wget https://launchpad.net/postfix-policyd-spf-perl/trunk/release2.010/+download/postfix-policyd-spf-perl-2.010.tar.gz
tar zxvf postfix-policyd-spf-perl-2.010.tar.gz 
mv postfix-policyd-spf-perl-2.010/postfix-policyd-spf-perl /usr/sbin/
chmod +x /usr/sbin/postfix-policyd-spf-perl

开启postfix-policyd-spf-perl服务：

cat /etc/postfix/master.cf
policy-spf  unix  -       n       n       -       -       spawn
     user=nobody argv=/usr/sbin/postfix-policyd-spf-perl

编辑Postfix主配置文件添加SPF过滤规则：

cat /etc/postfix/main.cf
smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_unauth_destination,
     #reject_unknown_client,
     check_policy_service unix:private/policy-spf

重新加载Postfix配置文件：

/etc/init.d/postfix reload

测试SPF效果：

#下为错误
postfix/policy-spf[15857]: Policy action=PREPEND Received-SPF: softfail (www.haiyun.me: Sender is not authorized by default
#下为正确
postfix/policy-spf[15726]: Policy action=PREPEND Received-SPF: pass (qq.com: Sender is authorized to use 'qq@qq.com'

Policy-spy默认不阻止验证失败的发件人邮件，会在邮件头部添加Received-SPF: softfail标签，如果要对其处理可使用Postfix过滤规则header_checks进行匹配操作。
添加header_checks匹配规则：

cat /etc/postfix/header_checks 
/Received-SPF: softfail/   REJECT

编辑主Postfix主配置文件应用此规则：

cat main.cf
header_checks = pcre:/etc/postfix/header_checks

再次测试效果：

postfix/cleanup[15865]: A3A6410C005D: reject: header Received-SPF: softfail

根据SMTP协议流程Postfix可在以下规则内对客户端信息进行限制：

#https://www.haiyun.me
smtpd_client_restrictions = 
#客户端连接后匹配登录IP、反向查询在此匹配
smtpd_helo_restrictions = 
#客户端连接后以HELO显示送信方主机名称在此限制。
smtpd_sender_restrictions = 
#寄件人名称限制
smtpd_recipient_restrictions = 
#收件人名称限制
smtpd_data_restrictions = 
#内容限制，分header_check和check_body

Postfix过滤限制规则：
1.客户端SMTP连接时过滤：

smtpd_client_restrictions = 
     check_client_access = type:map #检查匹配表操作
     reject_rbl_client = #针对IP黑名单
     reject_rhsbl_client = #针对IP黑名单
     reject_unknown_client #拒绝客户地址没有反解及对应A记录

2.HELO阶段过滤：

smtpd_helo_restrictions = 
     check_helo_access = type:map #检查匹配表操作
     permit_naked_ip_address #允许直接使用ip地址的连接
     reject_invalid_hostname #拒绝无效格式的主机名
     reject_unknown_hostname  #拒绝未知的主机名连接，即无有效A或MX记录
     reject_no_fqdn_hostname #拒绝主机名非FQDN格式

3.发件人过滤，可在此限制Postfix发件人欺骗。

smtpd_sender_restrictions = 
     check_sender_access = type:map #检查匹配表操作
     reject_no_fqdn_sender #拒绝发件人非FQDN格式
     reject_rhsbl_sender = #发件人黑名单
     reject_unknown_sender_domain  #拒绝未知的发件人域，即无有效A或MX记录
     reject_sender_login_mismatch #拒绝登录用户与发件人不匹配

4.收件人过滤：

smtpd_recipient_restrictions = 
     check_recipient_access = type:map #检查匹配表操作
     permit_mynetworks      #mynetworks用户通过，匹配结束
     permit_sasl_authenticated  #sasl验证用户通过，匹配结束
     reject_unauth_destination #拒绝收件人非mydestination、relay_domains或virtual_alias_maps定义域邮件
     reject_no_fqdn_recipient  #拒绝收件人非FQDN格式
     reject_rhsbl_recipient = #收件人黑名单
     reject_unknown_recipient_domain  #拒绝未知的收件人域，即无有效A或MX记录

5.邮件内容过滤：

header_checks = pcre:/etc/postfix/header_checks
mime_header_checks = pcre:/etc/postfix/mime_header_checks
nested_header_checks = pcre:/etc/postfix/nested_header_checks
body_checks = pcre:/etc/postfix/body_checks

Postfix内网用户在转发邮件时可以任意填写发件人邮箱，给管理带来诸多不便，可以使用账号登录匹配发件人邮箱进行限制。
编辑Postfix配置文件：

#https://www.haiyun.me
cat /etc/postfix/main.cf
smtpd_sender_login_maps = hash:/etc/postfix/sasl_sender #用户与邮件账号匹配表
smtpd_sender_restrictions = 
      reject_sender_login_mismatch #拒绝发送邮件与登录用户不匹配的邮件
smtpd_recipient_restrictions =
#     permit_mynetworks,  #去除网络区域认证
      permit_sasl_authenticated #用户认证模式

新建用户与账号匹配表：

cat /etc/postfix/sasl_sender
root@www.haiyun.me       root

生成hash数据库：

postmap /etc/postfix/sasl_sender

伪造发件人发送邮件测试：

sendEmail -v -f test@www.haiyun.me -t mail@www.haiyun.me -s smtp.www.haiyun.me -u "test" -m "测试sendemail" -xu root -xp passwd
Feb 29 11:08:00 centos5 sendEmail[21973]: DEBUG => Connecting to smtp.www.haiyun.me:25
Feb 29 11:08:01 centos5 sendEmail[21973]: DEBUG => My IP address is: 192.168.1.3
Feb 29 11:08:01 centos5 sendEmail[21973]: SUCCESS => Received:     220 mail.www.haiyun.me ESMTP "ONOVPS Mail Server"
Feb 29 11:08:01 centos5 sendEmail[21973]: INFO => Sending:     EHLO centos5.7-x86
Feb 29 11:08:01 centos5 sendEmail[21973]: DEBUG => SMTP-AUTH: Using LOGIN authentication method
Feb 29 11:08:01 centos5 sendEmail[21973]: INFO => Sending:     AUTH LOGIN
Feb 29 11:08:01 centos5 sendEmail[21973]: SUCCESS => Received:     235 2.0.0 Authentication successful
Feb 29 11:08:01 centos5 sendEmail[21973]: DEBUG => User authentication was successful (Method: LOGIN)
Feb 29 11:08:01 centos5 sendEmail[21973]: INFO => Sending:     MAIL FROM:<test@www.haiyun.me>
Feb 29 11:08:01 centos5 sendEmail[21973]: SUCCESS => Received:     250 2.1.0 Ok
Feb 29 11:08:01 centos5 sendEmail[21973]: INFO => Sending:     RCPT TO:<mail@www.haiyun.me>
Feb 29 11:08:01 centos5 sendEmail[21973]: WARNING => The recipient <mail@www.haiyun.me> was rejected by the mail server, error follows:
Feb 29 11:08:01 centos5 sendEmail[21973]: WARNING => Received:     553 5.7.1 <test@www.haiyun.me>: Sender address rejected: not owned by user root
Feb 29 11:08:01 centos5 sendEmail[21973]: ERROR => Exiting. No recipients were accepted for delivery by the mail server.

生成用户、密码文件：

htpasswd -c /etc/httpd/passwd user

1.直接编辑Apache配置添加认证：

#https://www.haiyun.me
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
AuthName "Httpd Access"
AuthType Basic
AuthUserFile /etc/httpd/passwd
Require valid-user
</Directory>

2.以.htaccess认证，首先授权相应网站建.htaccess验证权限：

Options Indexes FollowSymLinks
AllowOverride AuthConfig 
Order allow,deny
Allow from all

在验证目录新建.htaccess文件：

AuthName "Httpd Access"
AuthType Basic
AuthUserFile /etc/httpd/passwd
Require valid-user

首先生成SSL证书，如需SSL证书认证可先生成证书请求文件再转交CA认证。
Postfix配置SSL：

#https://www.haiyun.me
cat /etc/postfix/main.cf
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/CA/private/server.key
smtpd_tls_cert_file = /etc/postfix/CA/certs/server.crt
smtpd_tls_CAfile = /etc/postfix/CA/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

开启Postfix服务器SMTPS端口监听：

cat /etc/postfix/master.cf
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

测试SMTP SSL是否生效：

openssl s_client -connect smtp.haiyun.me:smtps
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 65424E5937C2EE0453E796BA179DF8F8D92A523FAD5F170CFE11A64E5A0441D3
    Session-ID-ctx: 
    Master-Key: 43EC9C65F8215B3304C62A4E860116D6CA58BFE732514F5B31EC67196D993F43A19E837CA9BD48D6008A06874ED83BB0
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1341366288
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
220 mail.www.haiyun.me ESMTP Postfix
quit
221 2.0.0 Bye

Dovecot配置SSL：

cat /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

测试IMAP/POP SSL是否生效：

openssl s_client -connect smtp..haiyun.me:imaps
openssl s_client -connect smtp..haiyun.me:pops
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: A6CD69E16438BB8CBEA7ABCDF74F1BDC844E00C4C7A3B2446FB87E230788D4A5
    Session-ID-ctx: 
    Master-Key: D6135140AC6BAD1AABFD85CE1A28FA66387B60CF6E6744B0F3BDCEFB82F6B7EA4FF28461E6A007DC03B91787C50CDFE0
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1341363344
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK Dovecot ready.