Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
linux:skoleni:mailserver [2014/04/25 17:42] admin |
linux:skoleni:mailserver [2014/05/02 00:50] (current) admin [SPF, cast druha] |
||
|---|---|---|---|
| Line 458: | Line 458: | ||
| -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks | -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks | ||
| </file> | </file> | ||
| + | |||
| + | ====== SPF - cast prvni====== | ||
| + | Kdyz jsme venovali tolik prace DNS, ukazeme si pomerne hezkou antispamovou techniku. Jedna se o hlubsi overovani domeny odesilatele. Konkretne se dotazeme serveru jahoda.cz, jestli adresa 1.2.3.4 mohla odeslat e-mail From:<nekdo@jahoda.cz>. | ||
| + | |||
| + | Pokud spravce domeny jahoda.cz presne vi, ze vsichni jeho uzivatele pouzivaji jeden centralni server, vuci kteremu se overuji a odesilaji pres nej postu, pak muze vesele do DNS napsat informaci: | ||
| + | "Mame jeden centralni server pres ktery odesilame postu na IPv4: 9.8.7.6, jine jsou podvod." | ||
| + | |||
| + | Akorat se to zapisuje takto: | ||
| + | jahoda.cz. IN TXT "v=spf1 ip4:9.8.7.6 -all" | ||
| + | |||
| + | Zaznamy, ktere nemaji pred sebou znamenko +/- se berou, jako by mely +. Tedy "+ipv4" v nasem prikladu. | ||
| + | |||
| + | Vysvetleni: | ||
| + | * spf1 - zaznam popisuje Sender Policy Framework | ||
| + | * ipv4 - oznamuje ip aderesu, ktera patri mezi povolene | ||
| + | * -all - oznamuje ze vse ostatni je neplatne | ||
| + | |||
| + | Kdyby nekoho zajimalo, jak vypada nas SPF zaznam, tady je: | ||
| + | starlab.cz. IN TXT "v=spf1 mx -all". | ||
| + | Promite mi, ze to sem pisu, vdyt' vsichni umite | ||
| + | host -t txt starlab.cz | ||
| + | |||
| + | **Upozorneni: Tim ovsem pomahate jen druhym, aby e-maily s vasi podvrzenou domenou nikde nezpusobovali spam.** Jeste je potreba take nastavit druhou cast tj. implementovat ochranu na vlastnim serveru. | ||
| + | |||
| + | ====== SPF - cast druha ======= | ||
| + | Zarazeni do postfixu je obvykla trojkombinace | ||
| + | * apt-get install <neceho> | ||
| + | * pridani do main.cf | ||
| + | * pridani do master.cf | ||
| + | A pak trocha ladeni a opravovani preklepu. | ||
| + | |||
| + | Existuje python i perl verze. | ||
| + | apt-get install postfix-policyd-spf-python | ||
| + | apt-get install postfix-policyd-spf-perl | ||
| + | Pro ty co se nudi mohou napsat pojednani, jaky je mezi nimi rozdil. | ||
| + | |||
| + | Do ''main.cf'' pridame kamkoliv <code>policy-spf_time_limit = 3600s</code> | ||
| + | |||
| + | A do ''master.cf'' pridame treba pythonovsky skript | ||
| + | <code> | ||
| + | policy-spf unix - n n - - spawn | ||
| + | user=nobody argv=/usr/bin/policyd-spf | ||
| + | </code> | ||
| + | |||
| + | A obohatime ''smtpd_recipient_restrictions'' v main.cf: | ||
| + | |||
| + | <code> | ||
| + | smtpd_recipient_restrictions = | ||
| + | ... | ||
| + | permit_sasl_authenticated | ||
| + | permit_mynetworks | ||
| + | reject_unauth_destination | ||
| + | check_policy_service unix:private/policy-spf | ||
| + | </code> | ||
| ====== Sieve filtry v akci ====== | ====== Sieve filtry v akci ====== | ||
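Review bot: In the "Vysvetleni" list and in the sentence about the implicit "+" qualifier, the mechanism is written as "ipv4" and "+ipv4", but the record shown just above uses "ip4:9.8.7.6", which is the actual SPF mechanism name. A reader who copies "ipv4:" from the explanation would publish a record that evaluators treat as a syntax error (permerror) instead of enforcing "-all". Suggest writing "ip4" and "+ip4" in both places, and "v=spf1" rather than "spf1" in the first bullet, since that is the version tag as it appears in the record. In the second section, the two apt-get lines read as if both packages should be installed, while the master.cf entry points only at /usr/bin/policyd-spf; say that one of the two is chosen and that this argv path goes with the Python variant the text mentions. Minor: both new headings have unbalanced markup ("prvni======" has no space before the closing marks, and "cast druha" closes with seven "=" against six opening), and "aderesu" is a typo.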
| Line 527: | Line 581: | ||
| vfJoXbthligLcvK5OYFor1v5L3Gl/PBDHAAA | vfJoXbthligLcvK5OYFor1v5L3Gl/PBDHAAA | ||
| </file> | </file> | ||
| + | |||
| + | ======= LDAP ======= | ||
| + | [[http://www.howtoforge.com/postfix-virtual-hosting-with-ldap-backend-and-with-dovecot-as-imap-pop3-server-on-ubuntu-karmic-koala-9.10-p2]] | ||
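Review bot: The new LDAP section is only a bare external link under a heading, and the heading uses seven "=" where the neighbouring section heading ("====== Sieve filtry v akci ======") uses six. Suggest matching the six-"=" level and adding a sentence that says what the linked how-to is meant to cover here (Postfix virtual hosting with an LDAP backend and Dovecot, per its URL). The URL targets Ubuntu 9.10 and ends in "-p2", so it points into the middle of an article; state which part of it applies to this setup so readers do not have to guess.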
linux/skoleni/mailserver.1398440566.txt.gz · Last modified: 2014/04/25 17:42 by admin


