Mail Story 3: SPF + Greylisting

In this third post about configuring your own mail server on Debian (first post, second post), I'm going to talk a bit about SPAM and show you 2 ways of reducing it.

There are a lot of ways of fighting spam, with varying degrees of effectiveness, simplicity, respect for standards, etc.

For instance, there are some stupid systems like SpamCop based on user submissions. If a user reports that he received spam from a given IP, then the IP is temporarily marked as a spam sender and will be blocked by mail servers using the SpamCop blacklist. So, when your email address is hosted by an ISP used by a lot of people, of course some emails are reported as junk, and your ISP is blacklisted. Several mails I sent were blocked by SpamCop. Junk emails are a pain, but being blocked is much worse. So please, don't use systems that generate too many false positives.

Greylisting

Greylisting consists of sending a temporary error when an email is received, storing information about this email (server IP, sender, recipient) and waiting for a second attempt after a given amount of time. If the email is received again, it's allowed.

Usually spam senders send emails to a huge list of addresses, so when they receive an error, they just try the next email address. This makes greylisting very simple and effective against that kind of spam. The bad news is that emails are often delayed (the sending server may try again 5, 10, 30… minutes later). By definition emails are not instantaneous, but delivery is usually quite fast, so it can be a bit slower with this solution.

SPF

SPF stands for Sender Policy Framework. It's a way to check whether the sender is allowed to send mail for a domain. For instance, a domain owner can publish a TXT record in its DNS listing the IPs allowed to send emails from that domain.

I strongly suggest that you add this record if you have a mail server. For example, if you dig my domain name for TXT records you will get:

$ dig desgrange.net TXT

; <<>> DiG 9.5.0-P2 <<>> desgrange.net TXT
(…)
;; ANSWER SECTION:
desgrange.net.    600  IN  TXT  "v=spf1 a mx ~all"
(…)

The value v=spf1 a mx ~all means that the IPs of the domain's A and MX records are allowed to send emails and that all other IPs should not (the ~ in ~all makes this a softfail rather than a hard fail).

tumgreyspf

In order to add greylisting and SPF to postfix, I decided to install tumgreyspf. The name is quite explicit: it does both greylisting and SPF.

Installation:

$ sudo apt-get install tumgreyspf

Tell postfix how to start tumgreyspf in /etc/postfix/master.cf by adding:

(…)
tumgreyspf unix -       n       n       -       -       spawn
  user=tumgreyspf argv=/usr/bin/tumgreyspf

Tell postfix when to ask tumgreyspf to perform a check by setting smtpd_sender_restrictions in /etc/postfix/main.cf to something like this:

(…)
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service unix:private/tumgreyspf
(…)

And now restart postfix (reload should be enough):

$ sudo /etc/init.d/postfix restart

Misc

After some tests, I found that tumgreyspf does not reject emails when SPF returns softfail, only on fail and permerror.

If you configure your DNS like I did, which seems to be a quite common configuration, you may want to consider softfail as a reason to reject an email.

To change that, change line 122 of /usr/bin/tumgreyspf to the following (it's written in Python, so be careful not to change the indentation):

if spfResult == 'Fail' or spfResult == 'Permerror' or spfResult == 'Softfail':
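
An added example, not part of the original post and not tumgreyspf's code: a small evaluator for the SPF subset used by the record above, showing that under ~all an unlisted host only gets Softfail, and how the rejection test treats it before and after the edit. The A and MX addresses are constructed sample data, and evaluate_spf, rejects and resolved are hypothetical names.

```python
import ipaddress

# SPF qualifier -> result, spelled like the strings the post's check compares against.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "Softfail", "?": "Neutral"}

# Constructed sample data: documentation addresses standing in for the DNS answers.
RECORD = "v=spf1 a mx ~all"
RESOLVED = {"a": ["192.0.2.10"], "mx": ["192.0.2.25"]}


def evaluate_spf(record, client_ip, resolved):
    """Evaluate the a, mx, ip4, ip6 and all mechanisms for client_ip.

    resolved maps "a"/"mx" to the addresses found for the sender domain
    (assumption: a real checker would look these up in DNS).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"  # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("a", "mx") and not arg:
            matched = any(ip == ipaddress.ip_address(a) for a in resolved.get(name, []))
        elif name in ("ip4", "ip6") and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError("term outside this example's subset: " + term)
        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"  # no mechanism matched and there was no "all"


def rejects(spf_result, reject_softfail):
    """The post's rejection test: Fail or Permerror, plus Softfail once line 122 is edited."""
    rejected = {"Fail", "Permerror"}
    if reject_softfail:
        rejected.add("Softfail")
    return spf_result in rejected


if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.7"):
        result = evaluate_spf(RECORD, ip, RESOLVED)
        print(ip, result, rejects(result, False), rejects(result, True))
```
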

Comments

  • From Laurent ·
    I have been using this configuration for a year now, still no spam in my inbox :-).
  • From Laurent ·

    In newer versions of tumgreyspf, to reject emails on softfail, change line 282 of /usr/bin/tumgreyspf to the following:

    if spfResult == 'Fail' or spfResult == 'Softfail':