Mail Story 3: SPF + Greylisting
In this third post about configuring your own mail server on Debian (first post, second post), I'm going to talk a bit about SPAM and show you 2 ways of reducing it.
There are a lot of ways of fighting spam, with varying degrees of effectiveness, simplicity, respect for standards, etc.
For instance, there are some stupid systems like SpamCop based on user submissions. If a user reports that he received spam from a given IP, then the IP is temporarily marked as a spam sender and will be blocked by mail servers using the SpamCop blacklist. So, when your email address is hosted by an ISP used by a lot of people, of course some emails get reported as junk, and your ISP is blacklisted. Several mails I sent were blocked by SpamCop. Junk emails are a pain, but being blocked is much worse. So please, don't use systems that generate too many false positives.
Greylisting
Greylisting consists of sending a temporary error when an email is received, storing information about this email (server IP, sender, recipient) and waiting for a second attempt after a given amount of time. If the email is received again, it's allowed.
Usually spam senders send emails to a huge list of addresses, so when they receive an error, they just move on to the next email address. This is very simple and effective against that kind of spam. The bad news is that emails are often delayed (the sending server may try again 5, 10, 30… minutes later). By definition emails are not instantaneous, but usually delivery is quite fast, so it can be a bit slower with this solution.
SPF
SPF stands for Sender Policy Framework. It's a way to check if the sender is allowed to send mails. For instance, a domain owner can specify in its DNS a TXT record containing IPs allowed to send emails from that domain.
I strongly suggest that you add this record if you have a mail server. For example, if you dig my domain name for TXT records you will get:
$ dig desgrange.net TXT
; <<>> DiG 9.5.0-P2 <<>> desgrange.net TXT
(…)
;; ANSWER SECTION:
desgrange.net. 600 IN TXT "v=spf1 a mx ~all"
(…)
The value v=spf1 a mx ~all means that A and MX IPs are allowed to send emails and that all other IPs should not.
tumgreyspf
In order to add greylisting and SPF to postfix, I decided to install tumgreyspf. The name is quite explicit, it does both greylisting and SPF.
Installation:
$ sudo apt-get install tumgreyspf
Tell postfix how to start tumgreyspf in /etc/postfix/master.cf by adding:
(…)
tumgreyspf unix - n n - - spawn
  user=tumgreyspf argv=/usr/bin/tumgreyspf
Tell postfix when to ask tumgreyspf to perform a check: set smtpd_sender_restrictions in /etc/postfix/main.cf to something like this:
(…)
smtpd_sender_restrictions =
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_policy_service unix:private/tumgreyspf
(…)
And now restart postfix (reload should be enough):
$ sudo /etc/init.d/postfix restart
Misc
After some tests, I found that tumgreyspf does not reject emails when SPF returns softfail but only fail and permerror.
If you configure your DNS like I did, which seems to be a quite common configuration, you may want to consider softfail as a reason to reject an email.
To change that, change line 122 of /usr/bin/tumgreyspf to the following (it's written in Python, so be careful not to change indentation):
if spfResult == 'Fail' or spfResult == 'Permerror' or spfResult == 'Softfail':
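As an added illustration (not code from tumgreyspf or from the original post), this sketch evaluates a simplified SPF record like the one shown above against a client IP, and shows why a record ending in ~all yields Softfail for unlisted senders, so a policy that rejects only Fail and Permerror lets them through. The resolved A and MX addresses are constructed documentation IPs standing in for DNS lookups, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data standing in for DNS lookups (documentation IP ranges).
RESOLVED = {
    "a": ["192.0.2.10"],   # hypothetical A record of the domain
    "mx": ["192.0.2.25"],  # hypothetical IPs of the domain's MX hosts
}

# SPF qualifiers (RFC 7208); '+' is implied when a mechanism has no qualifier.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "Softfail", "?": "Neutral"}


def evaluate_spf(record, client_ip, resolved=RESOLVED):
    """Evaluate a simplified SPF record (a, mx, ip4 and all only) for client_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"                      # no usable SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":             # catch-all: always matches
            return QUALIFIERS[qualifier]
        if mechanism in ("a", "mx") and not arg:
            matched = any(ip == ipaddress.ip_address(x) for x in resolved[mechanism])
        elif mechanism == "ip4" and arg:
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "Permerror"         # malformed network in the record
        else:
            return "Permerror"             # outside this sketch's subset
        if matched:                        # first matching mechanism decides
            return QUALIFIERS[qualifier]
    return "Neutral"                       # nothing matched and no 'all' term


def should_reject(spf_result, reject_softfail=False):
    """Policy choice from the post: reject on Fail/Permerror, optionally Softfail."""
    rejecting = {"Fail", "Permerror"}
    if reject_softfail:
        rejecting.add("Softfail")
    return spf_result in rejecting
```

With the record v=spf1 a mx ~all, an unlisted IP evaluates to Softfail, which is only rejected when reject_softfail is set; publishing -all instead would make the same IP evaluate to Fail.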
Comments
In newer versions of tumgreyspf, to reject emails on softfail change line 282 of /usr/bin/tumgreyspf to the following: