
Postfix Spam Settings

Postfix Spam Settings. Tufan KARADERE, System Administrator, tufan@ulakbim.gov.tr, TÜBİTAK - ULAKBİM. Spam Blocking. There is no fully automated way; Policy; Response; Building blacklists; Third-party software; What can be done at the MTA (Postfix settings). Postfix Settings. Filters Header


Presentation Transcript


  1. Postfix Spam Settings
     Tufan KARADERE, System Administrator, tufan@ulakbim.gov.tr, TÜBİTAK - ULAKBİM

  2. Spam Blocking
     • There is no fully automated way
     • Policy
     • Response
     • Building blacklists
     • Third-party software
     • What can be done at the MTA (Postfix settings)

  3. Postfix Settings
     • Filters
       • Header
       • Body
     • main.cf
       • General checks
       • Restrictions
         • Client
         • Helo
         • Sender
         • Recipient
     • SASL + TLS

  4. Filters - Header
     • header_checks = regexp:/etc/postfix/maps/header_checks
     • /^HEADER: .*content/ ACTION INFO
     • ACTION:
       • IGNORE: deletes the line
       • WARN: only adds an entry to the log
       • HOLD: holds the message in the queue
       • DISCARD: deletes the message without informing the sender
       • REJECT: prevents the message from being delivered
     • Examples:
       • /^From:.*edu\.tr/ REJECT Blacklisted site
       • /name=[^>]*\.(pif|scr|exe)/ REJECT Invalid attachments
       • /^Subject:.*I.*love.*you/ REJECT Suspicious subject

  5. Filters - Body
     • body_checks = regexp:/etc/postfix/maps/header_checks
     • /content/ ACTION INFO
     • ACTION:
       • IGNORE: deletes the line
       • WARN: only adds an entry to the log
       • HOLD: holds the message in the queue
       • DISCARD: deletes the message without informing the sender
       • REJECT: prevents the message from being delivered
     • Examples:
       • /viagra/ REJECT Forbidden content
       • /enlarge your/ REJECT No need, thanks
       • /www\.tanitimreklamvesaire\.com/ REJECT Invalid site name in body
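
The rules from slides 4 and 5 can be tried against sample mail before they are set to REJECT. The following is an added example, not part of the presentation: it applies the slides' patterns the way a Postfix regexp: table does (case-insensitive, first match wins, one logical header or one raw body line at a time, with MIME part headers also checked because mime_header_checks defaults to $header_checks). Python's re module stands in for Postfix's regex engine, the header-then-body order is a simplification, and both sample messages are constructed.

```python
import re
from email import message_from_string

# Rules from slides 4 and 5 (dots escaped). Postfix regexp: tables ignore case
# by default and stop at the first match; Python's re stands in for them here.
HEADER_RULES = [
    (r"^From:.*edu\.tr", "REJECT", "Blacklisted site"),
    (r"name=[^>]*\.(pif|scr|exe)", "REJECT", "Invalid attachments"),
    (r"^Subject:.*I.*love.*you", "REJECT", "Suspicious subject"),
]
BODY_RULES = [
    (r"viagra", "REJECT", "Forbidden content"),
    (r"enlarge your", "REJECT", "No need, thanks"),
    (r"www\.tanitimreklamvesaire\.com", "REJECT", "Invalid site name in body"),
]
SAMPLE_ATTACHMENT = (  # constructed sample message
    'From: a@example.org\nSubject: report\nMIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nsee attachment\n'
    '--b1\nContent-Type: application/octet-stream; name="report.exe"\n\n'
    'AAAA\n--b1--\n')
SAMPLE_LEGIT = ('From: shop@example.org\n'  # constructed, an ordinary mail
                'Subject: Invoice for the gloves you ordered\n\nThank you.\n')

def lookup(rules, line):
    for pattern, action, text in rules:
        if re.search(pattern, line, re.IGNORECASE):
            return action, text
    return None

def check_message(raw):
    """Return (where, line, action, text) for the first rule hit, else None."""
    parts = list(message_from_string(raw).walk())
    for part in parts:  # primary and MIME part headers, one logical line each
        for name, value in part.items():
            line = f"{name}: " + " ".join(value.split())  # unfold the header
            hit = lookup(HEADER_RULES, line)
            if hit:
                return ("header", line) + hit
    for part in parts:  # body lines are matched raw, without decoding
        if not part.is_multipart():
            for line in part.get_payload().splitlines():
                hit = lookup(BODY_RULES, line)
                if hit:
                    return ("body", line) + hit
    return None

if __name__ == "__main__":
    print(check_message(SAMPLE_ATTACHMENT), check_message(SAMPLE_LEGIT), sep="\n")
```

The second sample is an ordinary invoice mail that the "I.*love.*you" subject rule still rejects, which is the case for running a new rule with WARN first and reading the log. On a real server the same lookup can be done with postmap -q against the regexp: table.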

  6. main.cf
     • General checks
     • Using blacklists
     • Restrictions
       • Client
       • Helo
       • Sender
       • Recipient

  7. General checks
     • strict_rfc821_envelopes = yes
     • disable_vrfy_command = yes
     • relay_domains = hash:/etc/postfix/relay_domains
     • smtpd_helo_required = yes
     • mynetworks = 10.10.10.0/24

  8. Blacklists
     • maps_rbl_domains = blackholes.mail-abuse.org dialups.mail-abuse.org relays.mail-abuse.org

  9. Restrictions
     • smtpd_client_restrictions
     • smtpd_helo_restrictions
     • smtpd_sender_restrictions
     • smtpd_recipient_restrictions

  10. SMTP (diagram: Client and Server)
      • helo
      • sender: mail from:
      • recipient: rcpt to:

  11. smtpd_client_restrictions
      • check_client_access hash:filename
      • permit_mynetworks ($mynetworks)
      • reject_unknown_client (PTR, A)
      smtpd_helo_restrictions
      • check_helo_access hash:filename
      • reject_invalid_hostname (syntax)
      • reject_unknown_hostname (A, MX)
      • permit_naked_ip_address (IP)
      • reject_non_fqdn_hostname (RFC)

  12. smtpd_sender_restrictions
      • check_sender_access hash:filename
      • reject_unknown_sender_domain (A, MX)
      • reject_non_fqdn_sender (FQDN)
      smtpd_recipient_restrictions
      • check_recipient_access hash:filename
      • permit_auth_destination ($relay_domains, $mydestination)
      • reject_unauth_destination
      • reject_non_fqdn_recipient (FQDN)
      • reject_unknown_recipient_domain (A, MX)

  13. Example
      smtpd_delay_reject = yes
      disable_vrfy_command = yes
      smtpd_helo_required = yes
      smtpd_recipient_restrictions =
          permit_mynetworks,
          permit_sasl_authenticated,
          reject_unauth_destination,
          reject_unauth_pipelining,
          #reject_unknown_client,
          #reject_invalid_hostname,
          #reject_non_fqdn_hostname,
          #reject_unknown_hostname,
          #reject_non_fqdn_sender,
          #reject_unknown_sender_domain,
          reject_non_fqdn_recipient,
          reject_unknown_recipient_domain,
          check_sender_access dbm:/etc/postfix/checks_sender,
          check_helo_access dbm:/etc/postfix/checks_helo

  14. check_*_access hash:filename
      • filename (helo):
          ulakbim.gov.tr            REJECT You are not in ulakbim.gov.tr
          ulak.net.tr               REJECT You are not in ulak.net.tr
      • filename (sender):
          daltons.org               REJECT Blacklisted site
          parkorman.com.tr          REJECT Blacklisted site
          cihanakin978@hotmail.com  REJECT Blacklisted
          iktibas.net               REJECT Blacklisted site
          sektorelrehber.com        REJECT Blacklisted site
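
Postfix walks a restriction list in order, and the first restriction that returns PERMIT or REJECT ends the evaluation, so the order on slide 13 decides which clients ever reach the access tables on slide 14. The following model of that evaluation is an added example, not part of the presentation and not Postfix code: the local domain example.org and the sessions are assumptions, and the pipelining, FQDN, DNS-based and helo checks are left out.

```python
import ipaddress

MYNETWORKS = [ipaddress.ip_network("10.10.10.0/24")]  # mynetworks from slide 7
LOCAL_DOMAINS = {"example.org"}  # assumed $mydestination / $relay_domains
SENDER_ACCESS = {  # two of the sender table entries from slide 14
    "daltons.org": "REJECT Blacklisted site",
    "iktibas.net": "REJECT Blacklisted site",
}

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

# Each restriction returns a final verdict, or None to pass to the next one.
def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["client_ip"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else None

def permit_sasl_authenticated(s):
    return "PERMIT" if s.get("sasl_user") else None

def reject_unauth_destination(s):
    local = domain(s["rcpt"]) in LOCAL_DOMAINS
    return None if local else "REJECT Relay access denied"

def check_sender_access(s):
    sender = s["sender"].lower()
    return SENDER_ACCESS.get(sender) or SENDER_ACCESS.get(domain(sender))

# Order of the modelled entries as they appear in the slide 13 example.
RESTRICTIONS = [permit_mynetworks, permit_sasl_authenticated,
                reject_unauth_destination, check_sender_access]

def evaluate(session):
    """Walk the list in order; the first PERMIT or REJECT ends evaluation."""
    for restriction in RESTRICTIONS:
        verdict = restriction(session)
        if verdict:
            return restriction.__name__, verdict
    return "end of list", "PERMIT"

SESSIONS = [  # constructed sessions
    {"client_ip": "10.10.10.5", "sender": "x@daltons.org", "rcpt": "a@example.net"},
    {"client_ip": "203.0.113.7", "sender": "u@example.org", "rcpt": "a@example.net"},
    {"client_ip": "203.0.113.7", "sender": "x@daltons.org", "rcpt": "u@example.org"},
]
if __name__ == "__main__":
    for s in SESSIONS:
        print(s["client_ip"], s["sender"], "->", s["rcpt"], evaluate(s))
```

The first session shows that a blacklisted sender address is never looked up for clients inside mynetworks (the same holds for authenticated clients), because the permit_* entries come before check_sender_access.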

  15. From: user@relay.server To: recipient@server
      • Two problems:
        • Access permission for the external network
        • Identity of the external-network sender
      (Diagram: Client (external network, sender), Relay Server, Server (recipient))

  16. Problem:
      • Identity of the external-network sender
      From: user@server To: recipient@server
      (Diagram: Client (external network, sender), Server (recipient))

  17. SASL + TLS
      • Simple Authentication and Security Layer
      • Cyrus-SASL: http://asg.web.cmu.edu/sasl/
      • Carnegie Mellon University: http://asg.web.cmu.edu/sasl/sasl-library.html
      • TLS Patch, Lutz Janicke: http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/

  18. Postfix SASL + TLS
      #TLS
      smtpd_use_tls = yes
      #smtpd_tls_auth_only = yes
      smtpd_tls_key_file = /etc/postfix/newreq.pem
      smtpd_tls_cert_file = /etc/postfix/newcert.pem
      smtpd_tls_CAfile = /etc/postfix/cacert.pem
      smtpd_tls_loglevel = 3
      smtpd_tls_received_header = yes
      smtpd_tls_session_cache_timeout = 3600s
      tls_random_source = dev:/dev/urandom
      #SASL
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_security_options = noanonymous
      broken_sasl_auth_clients = yes
      smtpd_recipient_restrictions =
          permit_mynetworks,
          permit_sasl_authenticated,

  19. Thanks
      • http://spamlinks.net/
      • http://www.postfix.org
      • http://asg.web.cmu.edu/sasl/
      • http://asg.web.cmu.edu/sasl/sasl-library.html
      • http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/
