I tried deploying postgrey as a countermeasure against spam.
On CentOS 7 it is easy to install with yum once the EPEL repository has been installed.
Postgrey – Postfix Greylisting Policy Server
https://postgrey.schweikert.ch/
Postfix + postgrey を使ったグレイリスティングでスパム対策をしてみる
http://server-setting.info/centos/postfix-postgrey-spam-setting.html
How it works: a delivery request from a mail server seen for the first time is recorded in the greylist and refused with a temporary error (code 450). A normal sender retries afterwards, and the mail is accepted on that retry.
Spam senders mostly never retry, so they are blocked, but since nothing is accepted until the other side retries, you get the usual "I sent it" / "It hasn't arrived" exchanges.
If you know about a sender in advance, you can add it to the whitelist beforehand.
Occasionally, though, a mail server that looks like a perfectly legitimate domain never retries; in that case you cannot receive from it unless you add it to the whitelist.
Incidentally, Postfix 2.10.1 (the yum package) retries after 300 seconds by default.
Environment
・CentOS Linux release 7.3.1611 (Core)
・Kernel 3.10.0-514.16.1.el7.x86_64
・Postfix 2.10.1
・Postgrey 1.34
- Installation
- Configuration files
- main.cf settings
- Listening on port 10023 (added 2017/05/06)
- Starting postgrey
- Restarting postfix
    # yum -y install epel-release
    # yum info postgrey
    Available Packages
    Name        : postgrey
    Arch        : noarch
    Version     : 1.34
    Release     : 12.el7
    Size        : 47 k
    Repo        : epel/x86_64
    Summary     : Postfix Greylisting Policy Server
    URL         : http://postgrey.schweikert.ch/
    License     : GPLv2+
    Description : Postgrey is a Postfix policy server implementing greylisting. When a request
                : for delivery of a mail is received by Postfix via SMTP, the triplet CLIENT_IP /
                : SENDER / RECIPIENT is built. If it is the first time that this triplet is
                : seen, or if the triplet was first seen less than 5 minutes, then the mail gets
                : rejected with a temporary error. Hopefully spammers or viruses will not try
                : again later, as it is however required per RFC.
    # yum -y install postgrey
    (snip)
    Installed:
      postgrey.noarch 0:1.34-12.el7

    Dependency Installed:
      perl-BerkeleyDB.x86_64 0:0.51-4.el7
      perl-Digest-HMAC.noarch 0:1.03-5.el7
      perl-Digest-MD5.x86_64 0:2.52-3.el7
      perl-IO-Multiplex.noarch 0:1.13-6.el7
      perl-Net-DNS.x86_64 0:0.72-6.el7
      perl-Net-Server.noarch 0:2.007-2.el7
      perl-Sys-Syslog.x86_64 0:0.33-3.el7
    Complete!
When installed with yum, the configuration files are placed in /etc/postfix.
    # ls -l /etc/postfix/
    -rw-r--r-- 1 root root 8343 May  5  2011 postgrey_whitelist_clients
    -rw-r--r-- 1 root root   59 Feb  7  2014 postgrey_whitelist_clients.local
    -rw-r--r-- 1 root root  188 May  5  2011 postgrey_whitelist_recipients
・postgrey_whitelist_clients
The default whitelist. It is mostly overseas domains; personally I think it could just as well be left empty.
・postgrey_whitelist_clients.local
The site-specific whitelist. Register here, in advance, the sending domains that should skip the postgrey check.
・postgrey_whitelist_recipients
The whitelist of recipient addresses. Mail addressed to the addresses listed here is not checked by postgrey.
Configure main.cf so that incoming mail is checked by postgrey.
    smtpd_recipient_restrictions =
        permit_mynetworks,
        ..................
        reject_unauth_destination,
        check_policy_service inet:127.0.0.1:10023
Append check_policy_service inet:127.0.0.1:10023 after reject_unauth_destination. Port 10023 is used because that is the port postgrey listens on by default.
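The position of the policy service inside smtpd_recipient_restrictions is easy to get wrong when the list is long. The following is an added example, not code from the original post or from postgrey: it checks that check_policy_service inet:127.0.0.1:10023 is listed after reject_unauth_destination, the ordering used above and in the postgrey man page. Keeping the relay guard first means postgrey is only consulted for mail Postfix would otherwise accept; listed earlier it would be asked about every relay probe as well. The GOOD and BAD values are constructed; on a real host you would feed it the output of postconf -h smtpd_recipient_restrictions.

```shell
#!/bin/sh
# Added example, not from the original post: check that
# "check_policy_service inet:127.0.0.1:10023" is listed after
# reject_unauth_destination in smtpd_recipient_restrictions.

# restriction_pos LIST NAME -> 1-based position of NAME in the comma-separated
# restriction LIST, or 0 if NAME is not present.
restriction_pos() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v want="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        { n++; if ($0 == want && !found) found = n }
        END { print found + 0 }'
}

# check_postgrey_order LIST -> 0 if the policy service is present and placed
# after reject_unauth_destination, 1 otherwise (reason on stderr).
check_postgrey_order() {
    guard=$(restriction_pos "$1" "reject_unauth_destination")
    policy=$(restriction_pos "$1" "check_policy_service inet:127.0.0.1:10023")
    if [ "$policy" -eq 0 ]; then
        echo "postgrey policy service is not configured" >&2
        return 1
    fi
    if [ "$guard" -eq 0 ] || [ "$guard" -gt "$policy" ]; then
        echo "check_policy_service must follow reject_unauth_destination" >&2
        return 1
    fi
    return 0
}

# On a real host: check_postgrey_order "$(postconf -h smtpd_recipient_restrictions)"
# Constructed values for a stand-alone run:
GOOD="permit_mynetworks, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023"
BAD="permit_mynetworks, check_policy_service inet:127.0.0.1:10023, reject_unauth_destination"

check_postgrey_order "$GOOD" && echo "GOOD: ordering is correct"
check_postgrey_order "$BAD"  || echo "BAD: misordered, as expected"
```

The check deliberately compares whole entries rather than substrings, so a second check_policy_service entry on another port (for example a different policy daemon) does not satisfy it by accident.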
Explicitly add the listening port 10023 in /etc/sysconfig/postgrey.
    # vi /etc/sysconfig/postgrey
    # cat /etc/sysconfig/postgrey
    POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=60"
Enable postgrey at boot and start it.
    # systemctl enable postgrey
    Created symlink from /etc/systemd/system/multi-user.target.wants/postgrey.service to /usr/lib/systemd/system/postgrey.service.
    # systemctl start postgrey
    # netstat -at --numeric-port | grep 10023
    tcp        0      0 localhost:10023         0.0.0.0:*               LISTEN
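Once the daemon is listening you can talk the Postfix policy protocol to it by hand, which is a quicker way to confirm it answers than waiting for real mail. The following is an added example, not part of the original post or of postgrey: it builds the attribute list Postfix sends to a policy server (attribute names per SMTPD_POLICY_README), parses the action= line of the reply, and, through probe_postgrey, sends the request to 127.0.0.1:10023 (assumes nc is installed). The client address, sender and recipient values are constructed; note that every probe records a triplet in postgrey's database, so use test addresses rather than real correspondents.

```shell
#!/bin/sh
# Added example, not part of the original post or of postgrey: drive the
# Postfix policy protocol against the postgrey listener by hand.

# policy_request CLIENT_IP SENDER RECIPIENT
# Print one request as Postfix would send it: "name=value" lines terminated
# by an empty line.
policy_request() {
    printf 'request=smtpd_access_policy\n'
    printf 'protocol_state=RCPT\n'
    printf 'protocol_name=ESMTP\n'
    printf 'client_address=%s\n' "$1"
    printf 'client_name=unknown\n'
    printf 'sender=%s\n' "$2"
    printf 'recipient=%s\n' "$3"
    printf '\n'
}

# policy_action RESPONSE -> the first word of the action= line, e.g.
# DEFER_IF_PERMIT (greylisted), DUNNO (pass) or PREPEND (header added).
policy_action() {
    printf '%s\n' "$1" | sed -n 's/^action=\([^ ]*\).*/\1/p' | head -n 1
}

# probe_postgrey [HOST] [PORT]
# Send a request to the running daemon and print its reply. Assumes nc is
# installed; it is not called below, so this file runs without a server.
probe_postgrey() {
    policy_request 192.0.2.10 test-sender@example.org test-rcpt@example.com \
        | nc -w 3 "${1:-127.0.0.1}" "${2:-10023}"
}

# Constructed reply, in the form postgrey returns for a never-seen triplet:
SAMPLE_RESPONSE='action=DEFER_IF_PERMIT Greylisted, see http://postgrey.schweikert.ch/help/example.com.html
'

echo "--- request Postfix would send ---"
policy_request 192.0.2.10 test-sender@example.org test-rcpt@example.com
echo "--- action in the sample reply: $(policy_action "$SAMPLE_RESPONSE") ---"
```

Against the live daemon, policy_action "$(probe_postgrey)" prints DEFER_IF_PERMIT on the first call for a new triplet; repeating the same call after the configured --delay returns a pass (DUNNO, or PREPEND carrying the X-Greylist header described in the man page), which is exactly the sequence a retrying sender goes through.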
Restart postfix.
    # systemctl restart postfix
If postgrey now shows up in the mail log like this, it is working.
postfix/smtpd[2962]: NOQUEUE: reject: RCPT from unknown[xxx.xxx.xxx.xxx]: 450 4.2.0
: Recipient address rejected: Greylisted,……
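Besides the smtpd "450 ... Greylisted" rejects shown above, postgrey writes one line per decision to the mail log (action=greylist or action=pass, with the client address, sender and recipient). Comparing the two kinds of postgrey lines tells you which triplets were deferred but never came back, which is the list of senders that may not be retrying and are candidates for postgrey_whitelist_clients.local. The script below is an added example, not part of the original post; the log lines it runs on are constructed samples in postgrey's log format.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise postgrey's own
# maillog lines and list greylisted triplets that never passed.

# postgrey_report LOGFILE...
# Prints "greylisted=N passed=N" followed by one "never-passed KEY" line per
# triplet (client_address/sender/recipient) that was greylisted but never passed.
postgrey_report() {
    awk '
        /postgrey\[[0-9]+\]: action=/ {
            match($0, /client_address=[^,]+/); ip  = substr($0, RSTART + 15, RLENGTH - 15)
            match($0, /sender=[^,]+/);         snd = substr($0, RSTART + 7,  RLENGTH - 7)
            match($0, /recipient=[^,]+/);      rcp = substr($0, RSTART + 10, RLENGTH - 10)
            key = ip "/" snd "/" rcp
            if ($0 ~ /action=greylist/) { ngrey++; greylisted[key] = 1 }
            if ($0 ~ /action=pass/)     { npass++; passed[key] = 1 }
        }
        END {
            printf "greylisted=%d passed=%d\n", ngrey, npass
            for (k in greylisted) if (!(k in passed)) print "never-passed " k
        }' "$@"
}

# Constructed sample log; on a real host: postgrey_report /var/log/maillog
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May  6 10:00:01 mx postgrey[1234]: action=greylist, reason=new, client_name=mail.example.org, client_address=192.0.2.10, sender=alice@example.org, recipient=bob@example.com
May  6 10:05:30 mx postgrey[1234]: action=pass, reason=triplet found, delay=329, client_name=mail.example.org, client_address=192.0.2.10, sender=alice@example.org, recipient=bob@example.com
May  6 10:07:12 mx postgrey[1234]: action=greylist, reason=new, client_name=unknown, client_address=198.51.100.77, sender=promo@newsletter.invalid, recipient=bob@example.com
May  6 10:09:00 mx postgrey[1234]: action=pass, reason=client whitelist, client_name=relay.example.net, client_address=203.0.113.5, sender=carol@example.net, recipient=bob@example.com
May  6 10:09:01 mx postfix/smtpd[2962]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 450 4.2.0 <bob@example.com>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.com.html; from=<promo@newsletter.invalid> to=<bob@example.com> proto=ESMTP helo=<unknown>
EOF

postgrey_report "$SAMPLE_LOG"
```

The smtpd line is in the sample only to show that the report keys on postgrey's own lines and ignores Postfix's; the one never-passed entry it prints is the sender that was deferred and did not return within the log window, which is the situation the post describes where only a whitelist entry lets the mail through.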
Options such as changing postgrey's port are written in /etc/sysconfig/postgrey.
    # cat /etc/sysconfig/postgrey
    POSTGREY_OPTS="--delay=60"
By default --delay=60 is set there.
This means that a mail resent 60 seconds or more after the rejection is accepted. Postgrey's own built-in default is 5 minutes.
Greylisting HOWTO
https://wiki.centos.org/HowTos/postgrey
By default, the amount of time by which Postgrey will reject new messages is set to 5 minutes but we can change this using the --delay switch. There is a trade off in that the longer the time the more chance of rejecting spam but also the longer legitimate mail will be delayed for the first time. It might be worth initially setting this value to 1 minute (60 seconds) and subsequently increasing the value once Postgrey has built a database of regular mail contacts for your server. Setting your delay to values larger than 300 Seconds ( 5 Minutes ) is really not recommended. To manually set the delay (in seconds), we need to create the Postgrey configuration file at /etc/sysconfig/postgrey and append the --delay switch as shown below (see 'man postgrey' for a full list of options):
Very rough translation:
The longer the delay, the better the spam rejection rate, but legitimate mail arrives that much later.
It may be best to start at around 1 minute and raise the value once the database has filled up, but going above 5 minutes is not recommended.
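To make the mechanism described at the top of this post concrete, and to show what the --delay value actually changes, here is a small shell re-implementation of postgrey's triplet decision. It is an added example and not postgrey's code: the state is a text file with one "key first_seen" line per CLIENT_IP / SENDER / RECIPIENT triplet, times are plain integers so a timeline can be replayed offline, the last octet of the client address is dropped as postgrey's default --lookup-by-subnet does, and --retry-window is measured from the first sighting as the man page describes it. Whitelists and auto-whitelisting are left out. All addresses and times are constructed.

```shell
#!/bin/sh
# Added example (not postgrey's code): replay the greylisting decision for a
# triplet with a chosen --delay, --retry-window and subnet lookup.

DELAY=300                        # postgrey's default; the CentOS sysconfig sets 60
RETRY_WINDOW=$((2 * 24 * 3600))  # --retry-window=2 (days), from first_seen
DB=$(mktemp)
trap 'rm -f "$DB" "$DB.new"' EXIT

# --lookup-by-subnet: drop the last octet so a sending pool that rotates
# addresses within a /24 still hits the same triplet.
subnet_key() {
    printf '%s\n' "$1" | awk -F. '{ print $1 "." $2 "." $3 }'
}

# greylist_decide CLIENT_IP SENDER RECIPIENT NOW
# Prints the action postgrey would hand back to Postfix:
# DEFER_IF_PERMIT (greylisted, Postfix answers 450) or DUNNO (accept).
greylist_decide() {
    key="$(subnet_key "$1")/$2/$3"
    now=$4
    first=$(awk -v k="$key" '$1 == k { print $2; exit }' "$DB")
    if [ -z "$first" ]; then
        printf '%s %s\n' "$key" "$now" >> "$DB"
        echo DEFER_IF_PERMIT                 # never seen: defer and record
    elif [ $((now - first)) -gt "$RETRY_WINDOW" ]; then
        awk -v k="$key" -v t="$now" '$1 == k { $2 = t } { print }' "$DB" > "$DB.new"
        mv "$DB.new" "$DB"
        echo DEFER_IF_PERMIT                 # retry window expired: start over
    elif [ $((now - first)) -lt "$DELAY" ]; then
        echo DEFER_IF_PERMIT                 # early retry: still inside the delay
    else
        echo DUNNO                           # retried after the delay: accept
    fi
}

# demo_timeline DELAY_SECONDS
# Replay one sender's timeline and print the five actions on one line. The
# retry at t=60 is the interesting one: accepted with --delay=60, still
# deferred with the default 300 (a Postfix sender retrying every 300 s gets
# through either way, just one round later).
demo_timeline() {
    DELAY=$1
    : > "$DB"
    r=""
    r="$r $(greylist_decide 192.0.2.10 alice@example.org bob@example.com 0)"
    r="$r $(greylist_decide 192.0.2.10 alice@example.org bob@example.com 60)"
    r="$r $(greylist_decide 192.0.2.10 alice@example.org bob@example.com 300)"
    r="$r $(greylist_decide 192.0.2.11 alice@example.org bob@example.com 301)"   # same /24
    r="$r $(greylist_decide 192.0.2.10 alice@example.org carol@example.com 302)" # new recipient
    echo "${r# }"
}

echo "delay=300: $(demo_timeline 300)"
echo "delay=60:  $(demo_timeline 60)"
```

The two printed lines are the trade-off from the CentOS wiki quote in miniature: with --delay=60 the sender's first retry already passes, with 300 it is deferred once more, and in both cases a retry that arrives after the retry window is treated as a brand-new triplet.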
    POSTGREY(8)              Postgrey Policy Server for Postfix              POSTGREY(8)

    NAME
           postgrey - Postfix Greylisting Policy Server

    SYNOPSIS
           postgrey [options...]

            -h, --help               display this help and exit
                --version            output version information and exit
            -v, --verbose            increase verbosity level
                --syslog-facility    Syslog facility to use (default mail)
            -q, --quiet              decrease verbosity level
            -u, --unix=PATH          listen on unix socket PATH
            -i, --inet=[HOST:]PORT   listen on PORT, localhost if HOST is not specified
            -d, --daemonize          run in the background
                --pidfile=PATH       put daemon pid into this file
                --user=USER          run as USER (default: postgrey)
                --group=GROUP        run as group GROUP (default: postgrey)
                --dbdir=PATH         put db files in PATH (default: /var/spool/postfix/postgrey)
                --delay=N            greylist for N seconds (default: 300)
                --max-age=N          delete entries older than N days since the last time
                                     that they have been seen (default: 35)
                --retry-window=N     allow only N days for the first retrial (default: 2)
                                     append 'h' if you want to specify it in hours
                --greylist-action=A  if greylisted, return A to Postfix (default: DEFER_IF_PERMIT)
                --greylist-text=TXT  response when a mail is greylisted
                                     (default: Greylisted + help url, see below)
                --lookup-by-subnet   strip the last 8 bits from IP addresses (default)
                --lookup-by-host     do not strip the last 8 bits from IP addresses
                --privacy            store data using one-way hash functions
                --hostname=NAME      set the hostname (default: `hostname`)
                --exim               don't reuse a socket for more than one query (exim compatible)
                --whitelist-clients=FILE     default: /etc/postfix/postgrey_whitelist_clients
                --whitelist-recipients=FILE  default: /etc/postfix/postgrey_whitelist_recipients
                --auto-whitelist-clients=N   whitelist host after first successful delivery
                                     N is the minimal count of mails before a client is
                                     whitelisted (turned on by default with value 5)
                                     specify N=0 to disable.
                --listen-queue-size=N        allow for N waiting connections to our socket
                --x-greylist-header=TXT      header when a mail was delayed by greylisting
                                     default: X-Greylist: delayed <seconds> seconds by
                                     postgrey-<version> at <server>; <date>

           Note that the --whitelist-x options can be specified multiple times, and
           that per default /etc/postfix/postgrey_whitelist_clients.local is also
           read, so that you can put there local entries.

    DESCRIPTION
           Postgrey is a Postfix policy server implementing greylisting. When a
           request for delivery of a mail is received by Postfix via SMTP, the
           triplet "CLIENT_IP" / "SENDER" / "RECIPIENT" is built. If it is the first
           time that this triplet is seen, or if the triplet was first seen less
           than delay seconds (300 is the default), then the mail gets rejected with
           a temporary error. Hopefully spammers or viruses will not try again
           later, as it is however required per RFC.

           Note that you shouldn't use the --lookup-by-host option unless you know
           what you are doing: there are a lot of mail servers that use a pool of
           addresses to send emails, so that they can change IP every time they try
           again. That's why without this option postgrey will strip the last byte
           of the IP address when doing lookups in the database.

       Installation
           o   Create a "postgrey" user and the directory where to put the database
               dbdir (default: "/var/spool/postfix/postgrey")

           o   Write an init script to start postgrey at boot and start it. Like
               this for example:

                   postgrey --inet=10023 -d

               contrib/postgrey.init in the postgrey source distribution includes a
               LSB-compliant init script by Adrian von Bidder for the Debian system.

           o   Put something like this in /etc/main.cf:

                   smtpd_recipient_restrictions =
                         permit_mynetworks
                         ...
                         reject_unauth_destination
                         check_policy_service inet:127.0.0.1:10023

           o   Install the provided postgrey_whitelist_clients and
               postgrey_whitelist_recipients in /etc/postfix.

           o   Put in /etc/postfix/postgrey_whitelist_recipients users that do not
               want greylisting.

       Whitelists
           Whitelists allow you to specify client addresses or recipient address,
           for which no greylisting should be done. Per default postgrey will read
           the following files:

               /etc/postfix/postgrey_whitelist_clients
               /etc/postfix/postgrey_whitelist_clients.local
               /etc/postfix/postgrey_whitelist_recipients

           You can specify alternative paths with the --whitelist-x options.

           Postgrey whitelists follow similar syntax rules as Postfix access
           tables. The following can be specified for recipient addresses:

           domain.addr
               "domain.addr" domain and subdomains.

           name@
               "name@.*" and extended addresses "name+blabla@.*".

           name@domain.addr
               "name@domain.addr" and extended addresses.

           /regexp/
               anything that matches "regexp" (the full address is matched).

           The following can be specified for client addresses:

           domain.addr
               "domain.addr" domain and subdomains.

           IP1.IP2.IP3.IP4
               IP address IP1.IP2.IP3.IP4. You can also leave off one number, in
               which case only the first specified numbers will be checked.

           IP1.IP2.IP3.IP4/MASK
               CIDR-syle network. Example: 192.168.1.0/24

           /regexp/
               anything that matches "regexp" (the full address is matched).

       Auto-whitelisting clients
           With the option --auto-whitelist-clients a client IP address will be
           automatically whitelisted if the following conditions are met:

           o   At least 5 successfull attempts of delivering a mail (after
               greylisting was done). That number can be changed by specifying a
               number after the --auto-whitelist-clients argument. Only one attempt
               per hour counts.

           o   The client was last seen before --max-age days (35 per default).

       Greylist Action
           To set the action to be returned to postfix when a message fails
           postgrey's tests and should be deferred, use the
           --greylist-action=ACTION option. By default, postgrey returns
           DEFER_IF_PERMIT, which causes postfix to check the rest of the
           restrictions and defer the message only if it would otherwise be
           accepted. A delay action of 451 causes postfix to always defer the
           message with an SMTP reply code of 451 (temp fail). See the postfix
           manual page access(5) for a discussion of the actions allowed.

       Greylist Text
           When a message is greylisted, an error message like this will be sent at
           the SMTP-level:

               Greylisted, see http://postgrey.schweikert.ch/help/example.com.html

           Usually no user should see that error message and the idea of that URL is
           to provide some help to system administrators seeing that message or
           users of broken mail clients which try to send mails directly and get a
           greylisting error. Note that the default help-URL contains the original
           recipient domain (example.com), so that domain-specific help can be
           presented to the user (on the default page it is said to contact
           postmaster@example.com)

           You can change the text (and URL) with the --greylist-text parameter.
           The following special variables will be replaced in the text:

           %s  How many seconds left until the greylisting is over (300).

           %r  Mail-domain of the recipient (example.com).

       Greylist Header
           When a message is greylisted, an additional header can be prepended to
           the header section of the mail:

               X-Greylist: delayed %t seconds by postgrey-%v at %h; %d

           You can change the text with the --x-greylist-header parameter. The
           following special variables will be replaced in the text:

           %t  How many seconds the mail has been delayed due to greylisting.

           %v  The version of postgrey.

           %d  The date.

           %h  The host.

       Privacy
           The --privacy option enable the use of a SHA1 hash function to store IPs
           and emails in the greylisting database. This will defeat straight
           forward attempts to retrieve mail user behaviours.

    SEE ALSO
           See <http://www.greylisting.org/> for a description of what greylisting
           is and <http://www.postfix.org/SMTPD_POLICY_README.html> for a
           description of how Postfix policy servers work.

    COPYRIGHT
           Copyright (c) 2004-2007 by ETH Zurich. All rights reserved.

           Copyright (c) 2007 by Open Systems AG. All rights reserved.

    LICENSE
           This program is free software; you can redistribute it and/or modify it
           under the terms of the GNU General Public License as published by the
           Free Software Foundation; either version 2 of the License, or (at your
           option) any later version.

           This program is distributed in the hope that it will be useful, but
           WITHOUT ANY WARRANTY; without even the implied warranty of
           MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
           Public License for more details.

           You should have received a copy of the GNU General Public License along
           with this program; if not, write to the Free Software Foundation, Inc.,
           675 Mass Ave, Cambridge, MA 02139, USA.

    AUTHOR
           David Schweikert <david@schweikert.ch>

    perl v5.16.3                      2014-02-07                        POSTGREY(8)