Fixes #451 - add incoming mail SPF policy checks (#543)

Daniel S. Reichenbach 2017-03-14 17:21:17 +01:00 committed by Thomas VIAL
parent e7efeda036
commit 62c20295f9
4 changed files with 15 additions and 8 deletions


@ -1,12 +1,12 @@
FROM ubuntu:14.04 FROM ubuntu:14.04
MAINTAINER Thomas VIAL MAINTAINER Thomas VIAL
# Default values ENV DEBIAN_FRONTEND noninteractive
ENV VIRUSMAILS_DELETE_DELAY=7 \ ENV VIRUSMAILS_DELETE_DELAY=7
ONE_DIR=0 ENV ONE_DIR=0
# Packages # Packages
RUN DEBIAN_FRONTEND=noninteractive apt-get update -q --fix-missing && \ RUN apt-get update -q --fix-missing && \
apt-get -y upgrade && \ apt-get -y upgrade && \
apt-get -y install --no-install-recommends \ apt-get -y install --no-install-recommends \
amavisd-new \ amavisd-new \
@ -38,6 +38,7 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update -q --fix-missing && \
p7zip \ p7zip \
postfix \ postfix \
postfix-ldap \ postfix-ldap \
postfix-policyd-spf-python \
pyzor \ pyzor \
razor \ razor \
rsyslog \ rsyslog \
@ -144,5 +145,3 @@ CMD /usr/local/bin/start-mailserver.sh
ADD target/filebeat.yml.tmpl /etc/filebeat/filebeat.yml.tmpl ADD target/filebeat.yml.tmpl /etc/filebeat/filebeat.yml.tmpl
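Review bot: Reading the right-hand column as the new side, the first hunk replaces the `# Default values` comment with `ENV DEBIAN_FRONTEND noninteractive` and at the same time drops the inline `DEBIAN_FRONTEND=noninteractive` prefix from the `RUN apt-get update -q --fix-missing` line, so a build-only setting now persists in the runtime environment of every container started from the image, and it is written in the legacy space-separated ENV form. Keeping the prefix on the install step, `RUN DEBIAN_FRONTEND=noninteractive apt-get update -q --fix-missing && \`, and deleting the ENV line scopes the setting to the layer that needs it; if an image-wide ENV is really wanted, write it as `ENV DEBIAN_FRONTEND=noninteractive` with a comment explaining why. The `RUN` chain that hunk starts continues outside it. The `postfix-policyd-spf-python \` entry added in the second hunk follows the surrounding unpinned style, which is consistent but means the SPF daemon version shipped in the image is whatever the 14.04 archive serves at build time.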


@ -42,7 +42,7 @@ smtpd_helo_required = yes
smtpd_delay_reject = yes smtpd_delay_reject = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permit
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf,
reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain,
reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
@ -73,3 +73,6 @@ dkim_milter = inet:localhost:8891
dmarc_milter = inet:localhost:8893 dmarc_milter = inet:localhost:8893
smtpd_milters = $dkim_milter,$dmarc_milter smtpd_milters = $dkim_milter,$dmarc_milter
non_smtpd_milters = $dkim_milter non_smtpd_milters = $dkim_milter
# SPF policy settings
policyd-spf_time_limit = 3600
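Review bot: The new `check_policy_service unix:private/policyd-spf` clause in `smtpd_recipient_restrictions` is placed directly after `reject_unauth_destination`, which is the right side of the relay boundary, but it now runs ahead of `reject_unauth_pipelining`, the HELO checks, `reject_unknown_recipient_domain` and the two `reject_rbl_client` lookups, so every unauthenticated recipient that those cheaper local checks would reject anyway first costs an SPF DNS lookup and a policy-daemon round trip. Appending the clause after `reject_rbl_client bl.spamcop.net` instead gives the same accept/reject outcome for mail that passes the other checks while doing that work only for mail that is still a candidate for acceptance; because `permit_sasl_authenticated` and `permit_mynetworks` come first, authenticated and trusted clients already bypass SPF, which is what you want. Nothing in this change configures the policy daemon itself, so the action taken on an SPF fail or softfail result comes from the package defaults, and the `policyd-spf_time_limit = 3600` line appears to be the per-process time limit for the spawned `policyd-spf` transport rather than a lookup timeout; the new `# SPF policy settings` comment is the place to state both, e.g. `# policyd-spf_time_limit: lifetime of a spawned policy process (spawn(8)); reject/defer behaviour is set in the daemon's own config, not here`.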


@ -63,6 +63,11 @@ mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user} ${nexthop} ${user}
#
# SPF configuration
#
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
# #
# Amavis configuration # Amavis configuration
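Review bot: In the new `policyd-spf unix - n n - 0 spawn` entry the maxproc column is `0`, which in master.cf means no limit on concurrent policy processes, and together with the hour-long `policyd-spf_time_limit` from main.cf that reads as an open-ended resource cap to anyone who does not already know the convention; in practice each smtpd holds one connection to the policy service, so the count is presumably bounded by smtpd's own process limit, but that reasoning is not visible here. Either use `-` to inherit `default_process_limit` or keep `0` and say why, e.g. `# maxproc 0 = unlimited; one policy process per smtpd, so bounded by the smtpd limit`. The service runs as `user=policyd-spf`, which is the right least-privilege choice; nothing in this change creates that account, so it is presumably supplied by the `postfix-policyd-spf-python` package added in the Dockerfile and is worth confirming, since spawn(8) refuses to start with an unknown user.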


@ -147,7 +147,7 @@ load 'test_helper/bats-assert/load'
@test "checking postgrey: there should be a log entry about a new greylisted e-mail user@external.tld in /var/log/mail/mail.log" { @test "checking postgrey: there should be a log entry about a new greylisted e-mail user@external.tld in /var/log/mail/mail.log" {
#editing the postfix config in order to ensure that postgrey handles the test e-mail. The other spam checks at smtpd_recipient_restrictionswould interfere with it. #editing the postfix config in order to ensure that postgrey handles the test e-mail. The other spam checks at smtpd_recipient_restrictionswould interfere with it.
run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/permit_sasl_authenticated.*reject_unauth_destination,$//g' /etc/postfix/main.cf" run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/permit_sasl_authenticated.*policyd-spf,$//g' /etc/postfix/main.cf"
run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_unauth_pipelining.*reject_unknown_recipient_domain,$//g' /etc/postfix/main.cf" run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_unauth_pipelining.*reject_unknown_recipient_domain,$//g' /etc/postfix/main.cf"
run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_rbl_client.*inet:127\.0\.0\.1:10023$//g' /etc/postfix/main.cf" run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_rbl_client.*inet:127\.0\.0\.1:10023$//g' /etc/postfix/main.cf"
run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/smtpd_recipient_restrictions = /smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10023/g' /etc/postfix/main.cf" run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/smtpd_recipient_restrictions = /smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10023/g' /etc/postfix/main.cf"