之前有介绍Postfix服务器在转发授权用户邮件时防止发件人伪造,如果在接收邮件时怎么确认收到的邮件发件人是真实的呢?这个就要靠SPF的帮忙了。
当服务器接收到邮件时会检查域名的SPF记录与客户端IP是否匹配,如匹配就被认为是真实的邮件,不匹配就被认为是假冒的邮件,当然如果对方域名未做SPF记录会被误报。
安装postfix-policyd-spf-perl用以检查域SPF记录并匹配:
#https://www.haiyun.me
yum install perl-Mail-SPF perl-Sys-Hostname-Long
wget https://launchpad.net/postfix-policyd-spf-perl/trunk/release2.010/+download/postfix-policyd-spf-perl-2.010.tar.gz
tar zxvf postfix-policyd-spf-perl-2.010.tar.gz
mv postfix-policyd-spf-perl-2.010/postfix-policyd-spf-perl /usr/sbin/
chmod +x /usr/sbin/postfix-policyd-spf-perl
开启postfix-policyd-spf-perl服务:
cat /etc/postfix/master.cf
policy-spf unix - n n - - spawn
user=nobody argv=/usr/sbin/postfix-policyd-spf-perl
编辑Postfix主配置文件添加SPF过滤规则:
cat /etc/postfix/main.cf
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
#reject_unknown_client,
check_policy_service unix:private/policy-spf
重新加载Postfix配置文件:
/etc/init.d/postfix reload
测试SPF效果:
#下为错误
postfix/policy-spf[15857]: Policy action=PREPEND Received-SPF: softfail (www.haiyun.me: Sender is not authorized by default
#下为正确
postfix/policy-spf[15726]: Policy action=PREPEND Received-SPF: pass (qq.com: Sender is authorized to use 'qq@qq.com'
Policy-spy默认不阻止验证失败的发件人邮件,会在邮件头部添加Received-SPF: softfail标签,如果要对其处理可使用Postfix过滤规则header_checks进行匹配操作。
添加header_checks匹配规则:
cat /etc/postfix/header_checks
/Received-SPF: softfail/ REJECT
编辑主Postfix主配置文件应用此规则:
cat main.cf
header_checks = pcre:/etc/postfix/header_checks
再次测试效果:
postfix/cleanup[15865]: A3A6410C005D: reject: header Received-SPF: softfail
标签:mail, postfix, 邮件服务器, postfix防垃圾邮件, SPF, postfix配置SPF防发件人伪造