Postfix Spam Settings


Postfix
Spam Settings
Tufan KARADERE
System Administrator
[email protected]
TÜBİTAK - ULAKBİM

Spam Prevention
 There is no fully automated method
 Policy
– Response
– Building blacklists
– Third-party software
 What can be done at the MTA (Postfix settings)

Postfix Settings
 Filters
– Header
– Body
 main.cf
– General checks
– Restrictions
   Client
   Helo
   Sender
   Recipient
 SASL + TLS

Filters - Header

header_checks = regexp:/etc/postfix/maps/header_checks
– /^HEADER: .*content/ ACTION INFO

ACTION:
– IGNORE: Deletes the line
– WARN: Only adds an entry to the log
– HOLD: Holds the message in the queue
– DISCARD: Deletes without informing the sender
– REJECT: Prevents delivery

Examples:
– /^From:.*edu.tr/ REJECT Blacklisted site
– /name=[^>]*\.(pif|scr|exe)/ REJECT Invalid attachments
– /^Subject:.*I.*love.*you/ REJECT Suspicious subject

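An added example (not from the original slides): a small Python check that loads the three header_checks rules shown above and runs them against constructed header lines, so false positives show up before the table goes live. It approximates a Postfix regexp table with Python's re module (first match wins, case-insensitive by default); the names load_table, check and audit are illustrative, not Postfix APIs.

```python
import re

# The slides' example rules, in regexp-table form: /pattern/ ACTION text
HEADER_CHECKS = r"""
/^From:.*edu.tr/ REJECT Blacklisted site
/name=[^>]*\.(pif|scr|exe)/ REJECT Invalid attachments
/^Subject:.*I.*love.*you/ REJECT Suspicious subject
"""

def load_table(text):
    """Parse '/pattern/ ACTION text' lines; skip blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        pattern, action, info = m.groups()
        # Postfix regexp tables match case-insensitively by default.
        rules.append((re.compile(pattern, re.IGNORECASE), action, info))
    return rules

def check(rules, line):
    """Return (action, info) of the first matching rule, else None."""
    for regex, action, info in rules:
        if regex.search(line):
            return action, info
    return None

# Constructed sample header lines (not real traffic).
SAMPLES = [
    "From: spammer@example.edu.tr",
    "From: alice@edu-tr.example",  # hit only because '.' is unescaped
    "Subject: Did I tell you we love your talk?",  # benign, still matches
    'Content-Type: application/octet-stream; name="report.PIF"',
    "Subject: meeting notes",
]

def audit(rules, samples):
    """Pair every sample line with the verdict the table gives it."""
    return [(s, check(rules, s)) for s in samples]

if __name__ == "__main__":
    for sample, verdict in audit(load_table(HEADER_CHECKS), SAMPLES):
        label = verdict[0] if verdict else "pass"
        print(label.ljust(8), sample)
```

On a host with Postfix installed, `postmap -q "Subject: meeting notes" regexp:/etc/postfix/maps/header_checks` runs the same kind of query against the real table.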
Filters - Body

body_checks = regexp:/etc/postfix/maps/header_checks
– /content/ ACTION INFO

ACTION:
– IGNORE: Deletes the line
– WARN: Only adds an entry to the log
– HOLD: Holds the message in the queue
– DISCARD: Deletes without informing the sender
– REJECT: Prevents delivery

Examples:
– /viagra/ REJECT Forbidden content
– /enlarge your/ REJECT No need, thanks
– /www.tanitimreklamvesaire.com/ REJECT Invalid site name in body

main.cf
 General checks
 Use of blacklists
 Restrictions
– Client
– Helo
– Sender
– Recipient

General Checks

strict_rfc821_envelopes = yes

disable_vrfy_command = yes

relay_domains = hash:/etc/postfix/relay_domains

smtpd_helo_required = yes

mynetworks = 10.10.10.0/24

Blacklists
 maps_rbl_domains =
    blackholes.mail-abuse.org
    dialups.mail-abuse.org
    relays.mail-abuse.org

Restrictions
 smtpd_client_restrictions
 smtpd_helo_restrictions
 smtpd_sender_restrictions
 smtpd_recipient_restrictions
[Diagram: SMTP dialogue between Client and Server: helo, mail from: (sender), rcpt to: (recipient)]

 smtpd_client_restrictions
– check_client_access hash:filename
– permit_mynetworks ($mynetworks)
– reject_unknown_client (PTR, A)
 smtpd_helo_restrictions
– check_helo_access hash:filename
– reject_invalid_hostname (syntax)
– reject_unknown_hostname (A, MX)
– permit_naked_ip_address (IP)
– reject_non_fqdn_hostname (RFC)
 smtpd_sender_restrictions
– check_sender_access hash:filename
– reject_unknown_sender_domain (A, MX)
– reject_non_fqdn_sender (FQDN)
 smtpd_recipient_restrictions
– check_recipient_access hash:filename
– permit_auth_destination ($relay_domains, $mydestination)
– reject_unauth_destination
– reject_non_fqdn_recipient (FQDN)
– reject_unknown_recipient_domain (A, MX)

Example
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unauth_pipelining,
    #reject_unknown_client,
    #reject_invalid_hostname,
    #reject_non_fqdn_hostname,
    #reject_unknown_hostname,
    #reject_non_fqdn_sender,
    #reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_sender_access dbm:/etc/postfix/checks_sender,
    check_helo_access dbm:/etc/postfix/checks_helo

check_*_access hash:filename
 filename (helo):
ulakbim.gov.tr        REJECT You are not in ulakbim.gov.tr
ulak.net.tr           REJECT You are not in ulak.net.tr
 filename (sender):
daltons.org           REJECT Blacklisted site
parkorman.com.tr      REJECT Blacklisted site
[email protected]      REJECT Blacklisted site
iktibas.net           REJECT Blacklisted site
sektorelrehber.com    REJECT Blacklisted site

Relay
From: [email protected]
To: recipient@server
Two problems:
– Access permission for the outside network
– Identity of the outside-network sender
[Diagram: Client (outside network), Server, Server; sender, recipient]

 Problem:
From: user@server
To: recipient@server
– Identity of the outside-network sender
[Diagram: Client (outside network), Server; sender, recipient]

SASL + TLS

Simple Authentication and Security Layer (SASL)

Cyrus-Sasl: http://asg.web.cmu.edu/sasl/

Carnegie Mellon University:
http://asg.web.cmu.edu/sasl/sasl-library.html

TLS Patch, Lutz Jänicke:
http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/
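
Postfix SASL + TLS
#TLS
smtpd_use_tls = yes
# when enabled, AUTH is offered only over a TLS-protected session
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
# verbose TLS logging; levels 2 and above are meant for troubleshooting
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
#SASL
smtpd_sasl_auth_enable = yes
# do not offer anonymous SASL mechanisms
smtpd_sasl_security_options = noanonymous
# also advertise AUTH in the older "AUTH=" form for legacy clients
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    # (the list continues as in the earlier smtpd_recipient_restrictions example)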

http://spamlinks.net/
http://www.postfix.org
http://asg.web.cmu.edu/sasl/
http://asg.web.cmu.edu/sasl/sasl-library.html
http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/

Thank you