#author("2023-06-13T12:19:29+09:00","default:kuji","kuji")
#author("2023-06-13T14:26:40+09:00","default:kuji","kuji")
CONTENTS
#contents
----
Lastmodified &lastmod;
----
*SPF receiver-side configuration [#o66b3d59]
https://admnote.paix.jp/2022/07/postfix%E3%81%ABspf%E5%B0%8E%E5%85%A5/
**Install py-spf-engine [#le002cae]
 portinstall mail/py-spf-engine
----
 #
 # Using policyd-spf with Postfix
 #
 Policyd-spf must be integrated with Postfix to be effective:
  1. Add to your postfix master.cf:
         policyd-spf  unix  -       n       n       -       0       spawn
             user=nobody argv=/usr/local/bin/policyd-spf
  2. Configure the Postfix policy service in your main.cf so that the
     "smtpd_recipient_restrictions" includes a call to the policyd-spf policy
     filter.  If you already have a "smtpd_recipient_restrictions" line, you can
     add the "check_policy_service" command anywhere *after* the line which
     reads "reject_unauth_destination" (otherwise you're system can become an
     open relay).
         smtpd_recipient_restrictions =
             ...
             reject_unauth_destination
             check_policy_service unix:private/policyd-spf
             ...
         policyd-spf_time_limit = 3600
  3. Please consult the postfix documentation for more information on these and
     other settings you may wish to have in the "smtpd_recipient_restrictions"
     configuration.
  4. Reload postfix.
 #
 # Automatically starting pyspf-milter at boot time.
 #
 Add 'pyspf_milter_enable="YES"' to /etc/rc.conf.
***master.cf [#z7d873c9]
 policyd-spf  unix  -       n       n       -       0       spawn
     user=nobody argv=/usr/local/bin/policyd-spf
***main.cf [#c1791828]
 smtpd_recipient_restrictions =
     reject_unauth_destination
     check_policy_service unix:private/policyd-spf
 policyd-spf_time_limit = 3600
If smtpd_recipient_restrictions is already defined, always add the check_policy_service entry after reject_unauth_destination. Getting the order wrong turns the server into an open relay.
***policyd-spf.conf [#sc84e5a1]
https://server-setting.info/debian/postfix-policyd-spf-python.html
 debugLevel = 1
 TestOnly = 1
 HELO_reject = False         ← Fail in the default configuration
 Mail_From_reject = False    ← Fail in the default configuration
 PermError_reject = False
 TempError_Defer = False
 skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
|BOLD:HELO_reject|>|CENTER:Sets the rejection policy applied to the HELO check.|h
|| SPF_Not_Pass (default) | Does not reject when the result is Pass/None/Tempfail.|
|| Softfail | Rejects when the result is Softfail / Fail.|
|| Fail | Rejects when the result is HELO Fail.|
|| Null | Rejects only on HELO Fail for Null sender (SPF Classic).|
|| False | Only adds information to the header; takes no other action.|
|| No_Check | Does not perform the HELO check at all.|
***rc.conf [#j33a5220]
 pyspf_milter_enable="YES"
----
 #
 # Using pyspf-milter with Postfix
 #
 Integration of pyspf-milter into Postfix is like any milter (See Postfix's
 README_FILES/MILTER_README).  But care is required to segregate outbound mail
 from inbound mail to be checked.  Here is example using milter macros to keep
 the mail streams segregated.
 /usr/local/etc/postfix/main.cf:
   smtpd_milters = unix:/var/run/pyspf-milter/pyspf-milter.sock
 /usr/local/etc/postfix/master.cf:
   smtp      inet  n       -       -       -       -       smtpd
   ...
     -o milter_macro_daemon_name=VERIFYING
   ...
 /usr/local/etc/python-policyd-spf/policyd-spf.conf:
   MacroList daemon_name|VERIFYING
* Using pyspf-milter with Postfix [#j9579e79]
pyspf-milter is integrated into Postfix like any other milter (see Postfix's README_FILES/MILTER_README).
However, outbound mail must be kept separate from the inbound mail that is to be checked.
The following example uses milter macros to separate the mail streams.

/usr/local/etc/postfix/main.cf
 smtpd_milters = unix:/var/run/pyspf-milter/pyspf-milter.sock
/usr/local/etc/postfix/master.cf
 smtp      inet  n       -       -       -       -       smtpd
 ...
   -o milter_macro_daemon_name=VERIFYING
 ...
/usr/local/etc/python-policyd-spf/policyd-spf.conf
 MacroList daemon_name|VERIFYING
**warning: connect to Milter service unix:/var/run/pyspf-milter/pyspf-milter.sock: No such file or directory [#t737650f]
/usr/local/etc/pyspf-milter/pyspf-milter.conf
 # Milter specific options
 Socket = local:/var/run/pyspf-milter/pyspf-milter.sock    ← uncomment this line
 #Socket = inet:8893@localhost                             ← comment this line out
**warning: connect to Milter service unix:/var/run/pyspf-milter/pyspf-milter.sock: Permission denied [#i334dd32]
Add postfix to the pyspf-milter group.
 # pw group mod pyspf-milter -m postfix
 # service pyspf-milter restart
 # postfix reload
/usr/local/etc/pyspf-milter/pyspf-milter.conf
 HELO_reject = False
 Mail_From_reject = False
I changed these two items from Fail to False and will watch how things go for a while.
----
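The main.cf section above warns that check_policy_service must come after reject_unauth_destination, or the server becomes an open relay. The following check for that ordering is an added example, not code from this page or from the policyd-spf project. The function names and both sample configurations are constructed for illustration, and it reads only main.cf text, so values overridden with -o in master.cf are not seen.

```python
import re

POLICY = "check_policy_service"
GUARD = "reject_unauth_destination"

def parse_main_cf(text):
    """Return {parameter: value} for main.cf text, joining continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a logical line
        if raw[0].isspace():
            if current is not None:  # leading whitespace continues the line
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if sep:
            params[current] = value.strip()
    return params

def check_spf_policy_order(text, service="unix:private/policyd-spf"):
    """Return a list of problems with where the policyd-spf call is placed."""
    params = parse_main_cf(text)
    value = params.get("smtpd_recipient_restrictions", "")
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    calls = [i for i, t in enumerate(tokens[:-1])
             if t == POLICY and tokens[i + 1] == service]
    problems = []
    if not calls:
        problems.append("policyd-spf is not called from smtpd_recipient_restrictions")
    elif GUARD not in tokens:
        problems.append("reject_unauth_destination is missing")
    elif calls[0] < tokens.index(GUARD):
        problems.append("check_policy_service comes before reject_unauth_destination")
    if "policyd-spf_time_limit" not in params:
        problems.append("policyd-spf_time_limit is not set")
    return problems

# Constructed samples: the layout from this page, and the same entries reordered.
GOOD = """smtpd_recipient_restrictions =
    reject_unauth_destination
    check_policy_service unix:private/policyd-spf
policyd-spf_time_limit = 3600
"""
BAD = """smtpd_recipient_restrictions = check_policy_service unix:private/policyd-spf,
    reject_unauth_destination
policyd-spf_time_limit = 3600
"""

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_spf_policy_order(sample) or "ok")
```

To check a live system, pass the contents of /usr/local/etc/postfix/main.cf to check_spf_policy_order() before running postfix reload.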