Difference between revisions of "UbuntuHelp:Postfix/SPF"
From Ubuntu中文
(5 intermediate revisions by 2 users not shown) | |||
第1行: | 第1行: | ||
{{From|https://help.ubuntu.com/community/Postfix/SPF}} | {{From|https://help.ubuntu.com/community/Postfix/SPF}} | ||
{{Languages|UbuntuHelp:Postfix/SPF}} | {{Languages|UbuntuHelp:Postfix/SPF}} | ||
− | |||
− | |||
== Introduction == | == Introduction == | ||
− | |||
This guide explains how to install and integrate [http://www.openspf.org/ Sender Policy Framework (SPF)] checking with [http://www.postfix.org/ Postfix]. It applies to Ubuntu 7.04 and later releases. Previous Ubuntu releases do not have the packages necessary. | This guide explains how to install and integrate [http://www.openspf.org/ Sender Policy Framework (SPF)] checking with [http://www.postfix.org/ Postfix]. It applies to Ubuntu 7.04 and later releases. Previous Ubuntu releases do not have the packages necessary. | ||
− | |||
SPF is an e-mail anti-forgery technology the enables domain owners to list, in the Domain Name Service (DNS), authorized sources of mail from their domains. It enables mail receivers to reject mail that does not come from authorized sources. This guide describes the second part of the protocol, rejecting mail from unauthorized sources. It assumes you have your Postfix set up and running. Setting up and running Postfix is described elsewhere in the wiki and in the Postfix documentation. | SPF is an e-mail anti-forgery technology the enables domain owners to list, in the Domain Name Service (DNS), authorized sources of mail from their domains. It enables mail receivers to reject mail that does not come from authorized sources. This guide describes the second part of the protocol, rejecting mail from unauthorized sources. It assumes you have your Postfix set up and running. Setting up and running Postfix is described elsewhere in the wiki and in the Postfix documentation. | ||
− | |||
== SPF Package selection and installation == | == SPF Package selection and installation == | ||
− | + | In Ubuntu 7.04 and 7.10 there are two [http://www.openspf.org/RFC_4408 RFC 4408] compliant package sets you can use. One is written in Python. The other is written in Perl. The Perl package meets most basic requirements. The recent versions of the Python package are significantly more sophisticated (it provides a sane set of defaults, so setup is not necessarily more complex). 7.04 has an earlier version in the repository and a relatively current version in feisty-backports. For 6.06 and 6.10 the Python progams are in dapper-backports and edgy-backports. | |
− | In Ubuntu 7.04 there are two [http://www.openspf.org/RFC_4408 RFC 4408] compliant package sets you can use. One is written in Python. The other is written in Perl. | + | |
− | + | ||
For the Python programs, installation is: | For the Python programs, installation is: | ||
− | |||
<pre><nowiki> | <pre><nowiki> | ||
apt-get install python-policyd-spf python-spf | apt-get install python-policyd-spf python-spf | ||
</nowiki></pre> | </nowiki></pre> | ||
− | |||
For the Perl system, installation is: | For the Perl system, installation is: | ||
− | |||
<pre><nowiki> | <pre><nowiki> | ||
apt-get install postfix-policyd-spf-perl libmail-spf-perl | apt-get install postfix-policyd-spf-perl libmail-spf-perl | ||
</nowiki></pre> | </nowiki></pre> | ||
− | |||
== Postfix Integration == | == Postfix Integration == | ||
− | |||
There are a number of changes the need to be made to integrate SPF checking with Postfix. In this guide, integration of the Python programs is described. The Perl programs are integrated very similarly. See man postfix-policyd-spf-perl for details. | There are a number of changes the need to be made to integrate SPF checking with Postfix. In this guide, integration of the Python programs is described. The Perl programs are integrated very similarly. See man postfix-policyd-spf-perl for details. | ||
− | |||
=== Enabling the Policy Service === | === Enabling the Policy Service === | ||
− | |||
In /etc/postfix/main.cf you will need to add the following line (it doesn't matter where, usually they get added to the end. | In /etc/postfix/main.cf you will need to add the following line (it doesn't matter where, usually they get added to the end. | ||
− | |||
<pre><nowiki> | <pre><nowiki> | ||
− | + | spf-policyd_time_limit = 3600s | |
</nowiki></pre> | </nowiki></pre> | ||
− | |||
This changed the ups the policy time limit so the policy server won't time out while a message is still being processed. | This changed the ups the policy time limit so the policy server won't time out while a message is still being processed. | ||
− | + | Add this section to /etc/postfix/master.cf for the Python script | |
− | Add this section to /etc/postfix/master.cf | + | |
− | + | ||
<pre><nowiki> | <pre><nowiki> | ||
policy-spf unix - n n - - spawn | policy-spf unix - n n - - spawn | ||
− | user=nobody argv=/usr/bin/ | + | user=nobody argv=/usr/bin/policyd-spf |
</nowiki></pre> | </nowiki></pre> | ||
− | + | or for the Perl script | |
− | Finally, you need to add the policy service to your smtpd_recipient_restrictions: | + | <pre><nowiki> |
− | + | policy-spf unix - n n - - spawn | |
+ | user=nobody argv=/usr/sbin/postfix-policyd-spf-perl | ||
+ | </nowiki></pre> | ||
+ | Finally, you need to add the policy service to your smtpd_recipient_restrictions in file /etc/postfix/main.cf: | ||
<pre><nowiki> | <pre><nowiki> | ||
smtpd_recipient_restrictions = | smtpd_recipient_restrictions = | ||
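Review bot: The added main.cf line "spf-policyd_time_limit = 3600s" does not match the service this revision defines in master.cf, which is named "policy-spf". Postfix looks the limit up as the master.cf service name followed by "_time_limit", so as written the setting has no effect on the spawned policy server; it should read "policy-spf_time_limit = 3600s". Separately, the new sentence about 6.06 and 6.10 backports sits awkwardly with the Introduction's "Previous Ubuntu releases do not have the packages necessary", and "progams" is misspelled.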
第54行: | 第39行: | ||
permit_mynetworks | permit_mynetworks | ||
reject_unauth_destination | reject_unauth_destination | ||
− | check_policy_service unix:private/ | + | check_policy_service unix:private/policy-spf |
... | ... | ||
</nowiki></pre> | </nowiki></pre> | ||
Note: Put the policy server after reject_unauth_destination to prevent risk that unexpected responses from the policy server could make your system and open relay (this is recommended for all policy servers). Put the policy server after you permit local senders. You only want SPF to check inbound mail from the internet and not outbound mail from your users. | Note: Put the policy server after reject_unauth_destination to prevent risk that unexpected responses from the policy server could make your system and open relay (this is recommended for all policy servers). Put the policy server after you permit local senders. You only want SPF to check inbound mail from the internet and not outbound mail from your users. | ||
− | + | Note: Executable path for master.cf corrected 10/27/07. | |
− | === | + | === Reload Postfix === |
− | + | ||
<pre><nowiki> | <pre><nowiki> | ||
− | sudo /etc/init.d/postfix | + | sudo /etc/init.d/postfix reload |
</nowiki></pre> | </nowiki></pre> | ||
− | |||
=== Verifying It's Working === | === Verifying It's Working === | ||
− | |||
Check your mail logs. The Python server logs mail that is rejected or deferred due to SPF. If there is a problem with the policy server or its integration with Postix, it will be logged. | Check your mail logs. The Python server logs mail that is rejected or deferred due to SPF. If there is a problem with the policy server or its integration with Postix, it will be logged. | ||
− | |||
<pre><nowiki> | <pre><nowiki> | ||
tail -f /var/log/mail.log | tail -f /var/log/mail.log | ||
</nowiki></pre> | </nowiki></pre> | ||
− | |||
or | or | ||
− | |||
<pre><nowiki> | <pre><nowiki> | ||
less /var/log/mail.log | less /var/log/mail.log | ||
</nowiki></pre> | </nowiki></pre> | ||
− | |||
---- | ---- | ||
− | |||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] |
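Review bot: The added line "Note: Executable path for master.cf corrected 10/27/07." puts edit history into the page body without saying which path was wrong. Either move it to the edit summary or name the old and new paths, so readers who followed the earlier revision know what to change in their master.cf. The unchanged note just above it also still reads "make your system and open relay", where "an open relay" is meant.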
Latest revision as of 18:26, 12 May 2009 (Tuesday)
Please do not edit or translate this page directly; it is periodically synchronized with its source.
Introduction
This guide explains how to install and integrate Sender Policy Framework (SPF) checking with Postfix. It applies to Ubuntu 7.04 and later releases. Previous Ubuntu releases do not have the packages necessary.
SPF is an e-mail anti-forgery technology that enables domain owners to list, in the Domain Name Service (DNS), authorized sources of mail from their domains. It enables mail receivers to reject mail that does not come from authorized sources. This guide describes the second part of the protocol, rejecting mail from unauthorized sources. It assumes you have your Postfix set up and running. Setting up and running Postfix is described elsewhere in the wiki and in the Postfix documentation.
SPF Package selection and installation
In Ubuntu 7.04 and 7.10 there are two RFC 4408 compliant package sets you can use. One is written in Python. The other is written in Perl. The Perl package meets most basic requirements. The recent versions of the Python package are significantly more sophisticated (it provides a sane set of defaults, so setup is not necessarily more complex). 7.04 has an earlier version in the repository and a relatively current version in feisty-backports. For 6.06 and 6.10 the Python programs are in dapper-backports and edgy-backports.
For the Python programs, installation is:
apt-get install python-policyd-spf python-spf
For the Perl system, installation is:
apt-get install postfix-policyd-spf-perl libmail-spf-perl
Postfix Integration
There are a number of changes that need to be made to integrate SPF checking with Postfix. In this guide, integration of the Python programs is described. The Perl programs are integrated very similarly. See man postfix-policyd-spf-perl for details.
Enabling the Policy Service
In /etc/postfix/main.cf you will need to add the following line (it doesn't matter where; such lines are usually added at the end).
policy-spf_time_limit = 3600s
This raises the policy time limit so the policy server won't time out while a message is still being processed. The prefix of this parameter must match the service name defined in master.cf, which is policy-spf in this guide.
Add this section to /etc/postfix/master.cf for the Python script:
policy-spf unix - n n - - spawn
  user=nobody argv=/usr/bin/policyd-spf
or for the Perl script
policy-spf unix - n n - - spawn
  user=nobody argv=/usr/sbin/postfix-policyd-spf-perl
Finally, you need to add the policy service to your smtpd_recipient_restrictions in file /etc/postfix/main.cf:
smtpd_recipient_restrictions =
    ...
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
    check_policy_service unix:private/policy-spf
    ...
Note: Put the policy server after reject_unauth_destination to avoid the risk that unexpected responses from the policy server could make your system an open relay (this is recommended for all policy servers). Put the policy server after you permit local senders. You only want SPF to check inbound mail from the internet and not outbound mail from your users.
Note: Executable path for master.cf corrected 10/27/07.
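The ordering rule in the note above can be checked mechanically before reloading Postfix. The following Python script is an added example, not part of the original guide or of the policyd-spf packages; the function names and the sample main.cf text are constructed for illustration.

```python
import re

SPF_CHECK = "check_policy_service unix:private/policy-spf"  # as on this page
LOCAL_PERMITS = ("permit_mynetworks", "permit_sasl_authenticated")

# Constructed sample: the policy check is placed too early.
SAMPLE_BAD = """\
smtpd_recipient_restrictions =
    check_policy_service unix:private/policy-spf
    permit_mynetworks
    reject_unauth_destination
"""

def restrictions(main_cf):
    """Return the smtpd_recipient_restrictions tokens from main.cf text."""
    logical = []
    for raw in main_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank/comment lines are skipped
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # leading space = continuation
        else:
            logical.append(raw.strip())
    value = ""
    for line in logical:
        name, sep, rest = line.partition("=")
        if sep and name.strip() == "smtpd_recipient_restrictions":
            value = rest                  # a later definition overrides
    found = re.findall(r"check_policy_service\s+[^,\s]+|[^,\s]+", value)
    return [" ".join(tok.split()) for tok in found]

def audit_spf_placement(main_cf):
    """List ordering problems for the SPF policy check; empty means OK."""
    tokens = restrictions(main_cf)
    if SPF_CHECK not in tokens:
        return ["SPF policy check missing from smtpd_recipient_restrictions"]
    pos, problems = tokens.index(SPF_CHECK), []
    if "reject_unauth_destination" not in tokens[:pos]:
        problems.append("policy check runs before reject_unauth_destination")
    for permit in LOCAL_PERMITS:
        if permit in tokens[pos + 1:]:
            problems.append(permit + " is listed after the policy check")
    return problems

if __name__ == "__main__":
    for problem in audit_spf_placement(SAMPLE_BAD):
        print("WARNING:", problem)
```

To audit a live system, pass the contents of /etc/postfix/main.cf to audit_spf_placement; an empty list means the SPF check sits after both the relay protection and the local-sender permits.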
Reload Postfix
sudo /etc/init.d/postfix reload
Verifying It's Working
Check your mail logs. The Python server logs mail that is rejected or deferred due to SPF. If there is a problem with the policy server or its integration with Postfix, it will be logged.
tail -f /var/log/mail.log
or
less /var/log/mail.log