SPF, Postgrey, Greylist di Postfix

Implementasi SPF filter.

Bagian II -- Sender Policy Framework
Open.ch, OpenSPF.org, IETF proposed standard
(catatan Postfix harus versi > 2.3.x)

1a. Instalasi program-program PERL yang dibutuhkan greylist (Perl > 5.8.9)

perl -MCPAN -e'CPAN::Shell->install("DB_File")'
perl -MCPAN -e'CPAN::Shell->install("Sys::Syslog")'
perl -MCPAN -e'CPAN::Shell->install("Fcntl")'



1b. Instalasi program-program PERL yang dibutuhkan policyd

perl -MCPAN -e'CPAN::Shell->install("Mail::SPF")'



1c. Instalasi program-program PERL yang dibutukan Postgrey (Berkeley DB (Library) >= 4.1)

perl -MCPAN -e'CPAN::Shell->install("Net::Server")'
perl -MCPAN -e'CPAN::Shell->install("IO:Multiplex")'
perl -MCPAN -e'CPAN::Shell->install("BerkeleyDB")'
perl -MCPAN -e'CPAN::Shell->install("Sys::Hostname")'
perl -MCPAN -e'CPAN::Shell->install("POD:Usage")'
perl -MCPAN -e'CPAN::Shell->install("Getopt::Long")'
perl -MCPAN -e'CPAN::Shell->install("Net::Server::Multiplex")'
perl -MCPAN -e'CPAN::Shell->install("POSIX")'



2a.1. Instalasi greylist (last update: 22Jan2009)

cd /usr/local/src/postfix-2.4.${sub.minor.version}
cp examples/smtpd-policy/greylist.pl /etc/postfix/greylist.pl
chmod 755 /etc/postfix/greylist.pl



2a.2. Setup database greylist.db

mkdir /var/mta
touch /var/mta/greylist.db
chown -R nobody.nogroup /var/mta



2b. Instalasi policyd 2.007 (last update: 21Jan2009)

cd /usr/local/src
wget -c http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.007.tar.gz
tar -xzvf postfix-policyd-spf-perl-2.007.tar.gz
cd postfix-policyd-spf-perl-2.007
cp postfix-policyd-spf-perl /usr/local/lib/policyd-spf-perl
chmod 755 /usr/local/lib/policyd-spf-perl



2c. Instalasi postgrey 1.32 (last update: 23Jan2009)

cd /usr/local/src
wget -c http://postgrey.schweikert.ch/pub/postgrey-1.32.tar.gz
tar -xzvf postgrey-1.32.tar.gz
cd postgrey-1.32
cp postgrey /etc/postfix/
cp policy-test /etc/postfix/
cp postgrey_whitelist_recipients /etc/postfix/
cp postgrey_whitelist_clients /etc/postfix/
chmod 755 /etc/postfix/postgrey



3. backup master.cf dan main.cf

cd /etc/postfix
cp master.cf master.cf.nonspf
cp main.cf main.cf.nonspf



4. tambahkan policyd di master.cf

cd /etc/postfix
vi master.cf

---------------------tambahan isi master.cf----------------------
# begin ---- policyd implementation, ARahmadi @20Jan2009

#postgrey
postgrey unix - n n - - spawn
user=nobody argv=/usr/bin/perl /etc/postfix/postgrey

#internal spfpolicy
greylist unix - n n - - spawn
user=nobody argv=/usr/bin/perl /etc/postfix/greylist.pl
#policyd
127.0.0.1:9998 inet - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/local/lib/policyd-spf-perl
# end ---- policyd implementation
[Esc][Shift-ZZ]
---------------------tambahan isi master.cf----------------------



5. Reload postfix

postfix reload



6. Melihat keaktifan domain key

netstat -plan | grep tcpd
tcp 0 0 127.0.0.1:9998 0.0.0.0:* LISTEN 30205/master



7a. ubah konfigurasi di main.cf

cd /etc/postfix
vi main.cf

---------------------perubahan isi main.cf----------------------
127.0.0.1:9998_time_limit = 3600
postgrey_time_limit =3600
greylist_time_limit =3600
restriction_classes = greylist
greylist = check_policy_service unix:private/policy

smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unverified_recipient,
reject_unverified_sender,
reject_invalid_hostname,
reject_multi_recipient_bounce,
reject_unauth_destination,
#---postgrey
check_policy_service unix:private/postgrey,
#---internal spfpolicy
check_policy_service unix:private/greylist,
#---policyd/spf
check_policy_service inet:127.0.0.1:9998,
permit
[Esc][Shift-ZZ]
---------------------perubahan isi main.cf----------------------



7b. Menambahkan policy di sender_access

cd /etc/postfix
vi sender_access

------------------perubahan isi sender_access-------------------
yahoo.com greylist
ymail.com greylist
rocketmail.com greylist
aol.com greylist
hotmail.com greylist
bigfoot.com greylist
gmail.com greylist
[Esc][Shift-ZZ]
------------------perubahan isi sender_access-------------------
postmap /etc/postfix/sender_access



8. Reload postfix

postfix reload



9. Coba mengirim email dan amati lognya


10. Apabila gagal, edit kembali main.cf, berikan tanda # didepan check_policy_service inet:127.0.0.1:9998 dst

cd /etc/postfix
vi main.cf

---------------------perubahan isi main.cf----------------------
smtpd_recipient_restrictions =
...
reject_unauth_destination,
#---postgrey
check_policy_service unix:private/postgrey,
#---internal spfpolicy
#check_policy_service unix:private/greylist,
#---policyd/spf
#check_policy_service inet:127.0.0.1:9998,
...
[Esc][Shift-ZZ]
---------------------perubahan isi main.cf----------------------



11. Reload postfix

postfix reload



12. Ulangi langkah-langkah di atas, sampe kesalahannya ditemukan.


13. Edit entri di DNS server / Hosting

namadomain.ac.id. TXT "v=spf1 a mx ptr ~all"
subdomain.namadomain.ac.id. TXT "v=spf1 a mx ptr ~all"

Posted by Sqvalkic at 6:08 PM 0 comments
Labels: sekuritas, teknologi
Signature ganda domainkeys dan DKIM di Postfix
Implementasi Domainkeys.
Anton Rahmadi @23 Januari 2009
versi 1.2 GPL

Bagian I -- Domainkeys
(DKIMProxy dan dkfilter)
catatan:
Yahoo hanya mendukung dkfilter
Gmail hanya mendukung DKIM


1. Instalasi program-program PERL yang dibutuhkan

perl -MCPAN -e'CPAN::Shell->install("Build::CPAN")'
perl -MCPAN -e'CPAN::Shell->install("Crypt::OpenSSL::RSA")'
perl -MCPAN -e'CPAN::Shell->install("Digest::SHA")'
perl -MCPAN -e'CPAN::Shell->install("Digest::SHA1")'
perl -MCPAN -e'CPAN::Shell->install("Error")'
perl -MCPAN -e'CPAN::Shell->install("Mail::Address")'
perl -MCPAN -e'CPAN::Shell->install("MIME::Base64")'
perl -MCPAN -e'CPAN::Shell->install("Net::DNS")'
perl -MCPAN -e'CPAN::Shell->install("Net::Server")'
perl -MCPAN -e'CPAN::Shell->install("Test::More")'


2. Instalasi Mail-DKIM versi 0.32 (last update: 21Jan2009)

cd /usr/local/src
wget -c http://search.cpan.org/CPAN/authors/id/J/JA/JASLONG/Mail-DKIM-0.32.tar.gz
tar -xzvf Mail-DKIM-0.32.tar.gz
cd Mail-DKIM-0.32
make clean
make tidy
perl Makefile.PL
make
make test
make install
cd ..



3a. Instalasi dkfilter versi 0.11 (last update: 22Jan2009)

cd /usr/local/src
wget -c http://jason.long.name/dkfilter/dkfilter-0.11.tar.gz
tar -xzvf dkfilter-0.11.tar.gz
cd dkimproxy-1.1
make clean
make tidy
./configure --prefix=/usr/local/dkfilter
make install



3b. Instalasi dkimproxy versi 1.1 (last update: 21Jan2009)

cd /usr/local/src/
wget -c http://downloads.sourceforge.net/dkimproxy/dkimproxy-1.1.tar.gz
tar -xzvf dkimproxy-1.1.tar.gz
cd dkimproxy-1.1
make clean
make tidy
./configure --prefix=/usr/local/dkimproxy
make install



4. Buat user

groupadd dkim
useradd -s /bin/false -d /dev/null -g dkim dkim



5. Buat private dan public key

cd /usr/local/dkimproxy
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout -out public.key
chown dkim.dkim private.key
chmod 600 private.key
cp private.key public.key /usr/local/dkfilter



6. Edit entri di DNS server / Hosting

_domainkey.namadomain.ac.id IN TXT “t=y; o=~;”
selector1._domainkey.namadomain.ac.id IN TXT "k=rsa; p=ISI_DARI_PUBLIC_KEY;"



7a. Membuat script untuk memulai dkfilter

cd /usr/local/dkfilter
vi dkfilter.sh

-------------------------ISI dkfilter.sh------------------------
#/bin/bash

#dk.out
/usr/local/dkfilter/bin/dk.out --keyfile=/usr/local/dkfilter/private.key --selector=selector1 --domain=namadomain.ac.id,mail.namadomain.ac.id --method=nowfs 127.0.0.1:10029 127.0.0.1:10030 &
[Esc][Shift-ZZ]
-------------------------ISI dkfilter.sh------------------------
chmod 755 dkfilter.sh
./dkfilter.sh




7b. Membuat script untuk memulai DKIMProxy

cd /usr/local/dkimproxy
vi dkimproxy.sh

-------------------------ISI dkimproxy.sh------------------------
#/bin/bash

#dkimproxy.in
/usr/local/dkimproxy/bin/dkimproxy.in 127.0.0.1:10025 127.0.0.1:10026 &
#dkimproxy.out
/usr/local/dkimproxy/bin/dkimproxy.out --keyfile=/usr/local/dkimproxy/private.key --selector=selector1 --domain=namadomain.ac.id,mail.namadomain.ac.id
--method=relaxed 127.0.0.1:10027 127.0.0.1:10028 &
[Esc][Shift-ZZ]
-------------------------ISI dkimproxy.sh------------------------
chmod 755 dkimproxy.sh
./dkimproxy.sh



8. Melihat keaktifan domain key

netstat -plan | grep tcpd
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl



9. Apabila berhasil, maka masukkan dkfilter.sh dan dkimproxy.sh ke rc.local

cat "/usr/local/dkimproxy/dkimproxy.sh" >> /etc/rc.d/rc.local
cat "/usr/local/dkfilter/dkfilter.sh" >> /etc/rc.d/rc.local



10. Backup /etc/postfix/master.cf

cd /etc/postfix
cp master.cf master.cf.asli



11. Sesuaikan isi dari /etc/postfix/master.cf sebagai berikut:

# a line below is commented to support dkfilter inbound -Arahmadi@20jan2009
#smtp inet n - n - - smtpd

# begin ---- domainkeys implementation, ARahmadi @20Jan2009

#dkim.in
smtp inet n - n - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10025
-o smtpd_client_connection_count_limit=10

127.0.0.1:10026 inet n - n - - smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=
-o mynetworks=127.0.0.0/8
-o receive_override_options=no_unknown_recipient_checks

#dkim.out
submission inet n - n - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=no
-o content_filter=dkimsign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

dkimsign unix - - n - 10 smtp
-o smtp_send_xforward_command=yes
-o smtp_discard_ehlo_keywords=8bitmime

127.0.0.1:10028 inet n - n - 10 smtpd
#---Langsung dilempar ke luar
# -o content_filter=
#---Dilempar kembali ke dkfilter
-o content_filter=dksign:[127.0.0.1]:10029
-o receive_override_options=no_unknown_recipient_checks,no_address_mappings
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8

#dk.out
dksign unix - - n - 10 smtp
-o smtp_send_xforward_command=yes
-o smtp_discard_ehlo_keywords=8bitmime

127.0.0.1:10030 inet n - n - 10 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8

# end ---- domainkeys implementation

Update 23Jan2009:
Sedikit tune-up tambahan
12. Ubah konfigurasi di main.cf

cd /etc/postfix
vi main.cf

---------------------perubahan isi main.cf----------------------
smtpd_delay_reject = yes
127.0.0.1:10026_time_limit = 3600
127.0.0.1:10028_time_limit = 3600
127.0.0.1:10030_time_limit = 3600
---------------------perubahan isi main.cf----------------------


13. Reload postfix

postfix reload



14. Melihat keaktifan domain key

netstat -plan | grep tcpd
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 6649/perl
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 30205/master
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 6650/perl
tcp 0 0 127.0.0.1:10028 0.0.0.0:* LISTEN 30205/master
tcp 0 0 127.0.0.1:10029 0.0.0.0:* LISTEN 6651/perl
tcp 0 0 127.0.0.1:10030 0.0.0.0:* LISTEN 30205/master



15. Mengubah SMTP port dari mail klien menjadi 587, BUKAN 25 atau gunakan NAT dari iptables