Configure an antispam gateway (part I)

In this tutorial i’ll show how to ensure and apply many feature for our mail gateway try to avoid most of the mail spam. I’ll explain all the options that we’ll setup to understand it and modify it to any scenario. For this tutorial I used a machine with Centos 6.0 with the postfix mail software and other virtual machine Debian Squeeze running bind9 for DNS request. We’ll configure SPF (sender profile framework) to check the DNS records txt for check which servers are allowed to send mails with the domains that we’ll received mails in our servers, also we’ll configure some RBL to check in real time server black list and avoid these servers.

Image


1.- Install postfix and setup to autostart service:


# yum install postfix

# chkconfig --levels 235 postfix on

2.- Edit some options for ensure our mail server and avoid a lot of spam:


# vi /etc/postfix/main.cf


myhostname = mail.mydomain.com #host name


myorigin = mydomain.com #Domain name for mail senders


mydestination = mydomain.com #Local domains


mynetworks = 127.0.0.1/32, 192.168.1.0/24 # Networks that are allowed to send


inet_interfaces = localhost, 192.168.1.200


relay_domains = hash:/etc/postfix/relay_domains #File with accepted domains



parent_domain_matches_subdomains = debug_peer_list smtpd_access_maps #Not accept subdomains


smtpd_recipient_restrictions =

reject_unauth_destination #Deny domains that are not included in relay_domains

check_policy_service unix:private/policy #Check SPF policy

reject_unauth_pipelining

reject_unknown_sender_domain #Deny the request for the mail from address for non exist domain name

reject_unknown_recipient_domain #Deny the request for the rcpt to address for non exist domain name

reject_invalid_hostname #Deny the helo request for invalid FQDN host name

reject_non_fqdn_helo_hostname #Deny the helo request for non exist FQDN host name

reject_non_fqdn_sender #Deny the request for mail from address that don't follow a FQDN

reject_non_fqdn_recipient #Deny the request for rcpt to address that don't follow a FQDN

permit_mynetworks #Allow send mails from our network


smtpd_banner = $myhostname Microsoft ESMTP MAIL service ready


smtpd_helo_required = yes

3.- Edit the file relay_domains to add the domain names that are allowed for send mails to our server:


# vi /etc/postfix/relay_domains

mydomain.com OK

4.- Compile our relay_domains file:


# postmap /etc/postfix/relay_domains

5.- Configure SPF in our domain (192.168.1.57):


@ IN TXT "v=spf1 mx ip4:192.168.1.200/24 ~all"


6.- Configure spf in postfix:


# yum install perl-CPAN wget perl-NetAddr-IP perl-Module-Build perl-Test-Base perl-Net-DNS perl-Net-DNS-Nameserver

# perl -MCPAN -e shell

cpan[1]> install Net::DNS::Resolver::programmable

cpan[2]> install Error

cpan[3]> q

# perl -MCPAN -e "get('Mail::SPF')"

# cd /root/.cpan/sources/authors/id/J/JM/JMEHNLE/mail-spf

# tar -xzvf Mail-SPF-v2.8.0.tar.gz

# cd Mail-SPF-v2.8.0/

# perl Build.PL

# ./Build

# ./Build test

# ./Build install


7.- Download spf software and setup postfix:


# wget https://launchpad.net/postfix-policyd-spf-perl/trunk/2.009/+download/postfix-policyd-spf-perl-2.009.tar.gz

# tar -xzvf postfix-policyd-spf-perl-2.009.tar.gz

# cp postfix-policyd-spf-perl-2.009/postfix-policyd-spf-perl /usr/libexec/postfix/postfix-policyd-spf-perl

# vi /etc/postfix/master.cf

policy unix - n n - - spawn

user=nobody argv=/usr/bin/perl /usr/libexec/postfix/policyd-spf-perl


8.- Configure database RBL (Realtime Blackhole List):



# vi /etc/postfix/main.cf

smtpd_recipient_restrictions=

...

reject_rbl_client zen.spamhaus.org

reject_rbl_client relays.ordb.org

reject_rbl_client blackholes.wirehub.net

reject_rbl_client list.dsbl.org

permit_mynetworks


8.- Add Iptables rule:



# vi /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT



Image

9.- Restart services postfix and iptables:


# service iptables restart

# service postfix restart

Test our configuration postfix:

- forces to use ehlo to establish a connection with mail server:

Image

- Domains don’t listed in relay_domains file are not allowed to send mails with our server:

Image

- check SPF records and reject non valid mails from other servers:

Image

logs for spf:

Image

Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

CLEANING UP THE ZABBIX DATABASE

My Zabbix database size increased a lot in the last few months and since my disk was running out space, I decided to clean up the old events from the database. Looking at the database tables, the biggest one was  history_uint , which holds the items history data – over 400 millions of records and over 30 Gb of disk space before the clean up. Since deleting the old records from this table directly would be a very slow process, I decided to create a new table and insert the latest records from the  history_uint  table and then just replace the old table with a new one. Since this is not an offical procedure, use it at your own risk. Environment: Zabbix v2.2 MySql 5.1 – InnoDB with  innodb_file_per_table=ON Step 1 – Stop the Zabbix server Step 2 – Open your favourite MySQL client and create a new table CREATE TABLE  history_uint_new  LIKE  history_uint; Step 3 – Insert the latest records from the  history_uint  table to the...
Đọc thêm

Configuring DHCP Relay service on the FortiGate unit

Configuring DHCP Relay service on the FortiGate unit If the clients are configured to obtain a IP address using DHCP relay, configure the FortiGate server as below: To configure DHCP relay on the FortiGate unit   1. Go to System > Network > Interfaces and select Interface want to configure DHCP relay.   2. Enable DHCP Server in the interface and choose Advanced   3. For Mode, select Relay.   4. In Type select Regular.   5. Select OK.   6. If a router is installed between the FortiGate unit and the DHCP server, define a static route to the DHCP server. Note : Sometimes it is required to specify more than one DHCP relay IP, to allow for the coverage of additional LAN subnets. Although the Web Based Manager (GUI) does not provide an option to configure this, it is possible to set up to 8 IPs from the CLI.       config system interface             edit <REQUIRED_INTERFACE_HERE>   ...
Đọc thêm

[Resolved] Amazon EC2 Redhat 7 using 6GB for the root space

Hình ảnh
I create new server with 10GB of HDD, but when i check on the command line, the root space only show 6GB. I'm using t2.micto and Redhat 7.0, disk type: XFS. - xvda1: boot partition - xvda2: root partition Fix Step: We have instance A with the volume VA. 1) Stop the current instace A 2) Snapshot the current volume VA of the instance A 3) Start the instance A 4) Create new volume with 25GB by using the snapshot of volume VA then we have new volume VB 5) Attach the new volume VB to the instance A as default (/dev/sdf) 6) From the ssh console, i use the lsblk command to list the disk. # lsblk 7) Using the xfs_repair to repair the /dev/xvdf2 ( yum install xfsprogs) # xfs_repair /dev/xvdf2 8) Continue as the image below 9) Remove the /dev/xvdf2, remember the start of this disk then we will create the new one with the same. 10) Using XFS command to repair the /dev/xvdf2 again. # xfs_repair /dev/xvdf2 11) Use the lsblk co...
Đọc thêm