Postfix Spam Settings
Tufan KARADERE
TÜBİTAK - ULAKBİM System Administrator
tufan@ulakbim.gov.tr

Spam Prevention
  There is no fully automated method
  Policy
  Response
  Building blacklists
  Third-party software
  What can be done at the MTA (Postfix settings)

Postfix Settings
  Filters
    Header
    Body
  main.cf
    General checks
    Restrictions
      Client
      Helo
      Sender
      Recipient
  SASL + TLS

Filters - Header

    header_checks = regexp:/etc/postfix/maps/header_checks

Rule format:

    /^HEADER: .*content/ ACTION INFO

ACTION:
  IGNORE: deletes the line
  WARN: only adds an entry to the log
  HOLD: holds the message in the queue
  DISCARD: deletes the message without informing the sender
  REJECT: prevents the message from being delivered

Examples:

    /^From:.*edu.tr/ REJECT Blacklisted site
    /name=[^>]*\.(pif|scr|exe)/ REJECT Invalid attachments
    /^Subject:.*I.*love.*you/ REJECT Suspicious subject

Filters - Body

    body_checks = regexp:/etc/postfix/maps/header_checks

Rule format:

    /content/ ACTION INFO

ACTION:
  IGNORE: deletes the line
  WARN: only adds an entry to the log
  HOLD: holds the message in the queue
  DISCARD: deletes the message without informing the sender
  REJECT: prevents the message from being delivered

Examples:

    /viagra/ REJECT Forbidden content
    /enlarge your/ REJECT No need, thanks
    /www.tanitimreklamvesaire.com/ REJECT Invalid site name in body
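
Added example (not part of the original slides): a small Python harness that runs the header and body rules above against a constructed legitimate message, to surface false positives before the rules go into production. The function names and the sample message are hypothetical, and Python's re module stands in for the POSIX regular expressions Postfix uses, so treat the result as an approximation.

```python
import re
from email import message_from_string

# Rules exactly as written on the two filter slides.
HEADER_RULES = r"""
/^From:.*edu.tr/              REJECT Blacklisted site
/name=[^>]*\.(pif|scr|exe)/   REJECT Invalid attachments
/^Subject:.*I.*love.*you/     REJECT Suspicious subject
"""
BODY_RULES = r"""
/viagra/                      REJECT Forbidden content
/enlarge your/                REJECT No need, thanks
"""
# Constructed, legitimate message used as a false-positive probe.
SAMPLE = """\
From: orders@edu-trust.example
To: user@example.org
Subject: Invoice for the gloves
 you ordered

Your order has shipped.
Tap a thumbnail to enlarge your photos.
"""

def parse_table(text):
    """Turn '/pattern/ ACTION text' lines into (regex, action, text) tuples."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*/(.*)/\s+(\S+)\s*(.*)$", line)
        if m:  # Postfix regexp tables match case-insensitively by default
            rules.append((re.compile(m.group(1), re.I), m.group(2), m.group(3)))
    return rules

def first_match(rules, line):
    """Rules are tried top to bottom; the first match decides the action."""
    return next(((a, t) for rx, a, t in rules if rx.search(line)), None)

def check_message(raw, header_rules=HEADER_RULES, body_rules=BODY_RULES):
    """Return (where, line, action, text) for every line that hits a rule."""
    msg, hits = message_from_string(raw), []
    hrules, brules = parse_table(header_rules), parse_table(body_rules)
    # A folded header is checked as one logical line (folds collapsed to a
    # single space here); body content is checked one line at a time.
    lines = [("header", f"{k}: {' '.join(v.split())}") for k, v in msg.items()]
    lines += [("body", l) for l in msg.get_payload().splitlines()]
    for where, line in lines:
        hit = first_match(hrules if where == "header" else brules, line)
        if hit:
            hits.append((where, line, *hit))
    return hits
```

All three hits on this message are false positives: the unescaped dot in `edu.tr` matches the hyphen in `edu-trust`, and the loose `.*` chains and unanchored body words match ordinary text.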

main.cf
  General checks
  Use of blacklists
  Restrictions
    Client
    Helo
    Sender
    Recipient

General Checks

    strict_rfc821_envelopes = yes
    disable_vrfy_command = yes
    relay_domains = hash:/etc/postfix/relay_domains
    smtpd_helo_required = yes
    mynetworks = 10.10.10.0/24

Blacklists

    maps_rbl_domains =
        blackholes.mail-abuse.org
        dialups.mail-abuse.org
        relays.mail-abuse.org

Restrictions
  smtpd_client_restrictions
  smtpd_helo_restrictions
  smtpd_sender_restrictions
  smtpd_recipient_restrictions

SMTP (Client to Server)
  helo
  sender: mail from:
  recipient: rcpt to:

smtpd_client_restrictions
  check_client_access hash:filename
  permit_mynetworks ($mynetworks)
  reject_unknown_client (PTR, A)

smtpd_helo_restrictions
  check_helo_access hash:filename
  reject_invalid_hostname (syntax)
  reject_unknown_hostname (A, MX)
  permit_naked_ip_address (IP)
  reject_non_fqdn_hostname (RFC)

smtpd_sender_restrictions
  check_sender_access hash:filename
  reject_unknown_sender_domain (A, MX)
  reject_non_fqdn_sender (FQDN)

smtpd_recipient_restrictions
  check_recipient_access hash:filename
  permit_auth_destination ($relay_domains, $mydestination)
  reject_unauth_destination
  reject_non_fqdn_recipient (FQDN)
  reject_unknown_recipient_domain (A, MX)

Example

    smtpd_delay_reject = yes
    disable_vrfy_command = yes
    smtpd_helo_required = yes
    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unauth_pipelining,
        #reject_unknown_client,
        #reject_invalid_hostname,
        #reject_non_fqdn_hostname,
        #reject_unknown_hostname,
        #reject_non_fqdn_sender,
        #reject_unknown_sender_domain,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        check_sender_access dbm:/etc/postfix/checks_sender,
        check_helo_access dbm:/etc/postfix/checks_helo

check_*_access hash:filename

filename (helo):

    ulakbim.gov.tr REJECT You are not in ulakbim.gov.tr
    ulak.net.tr REJECT You are not in ulak.net.tr

filename (sender):

    daltons.org REJECT Blacklisted site
    parkorman.com.tr REJECT Blacklisted site
    cihanakin978@hotmail.com REJECT Blacklisted
    iktibas.net REJECT Blacklisted site
    sektorelrehber.com REJECT Blacklisted site

Two problems:
  Access permission for external networks
  Identity of the external-network sender

Diagram labels: Client (external network), Relay Server, Server; sender, recipient; From: user@relay.server, To: recipient@server

Problem: Identity of the external-network sender

Diagram labels: Client (external network), Server; sender, recipient; From: user@server, To: recipient@server

SASL + TLS
  Simple Authentication and Security Layer (SASL)
  Cyrus-SASL: http://asg.web.cmu.edu/sasl/
  Carnegie Mellon University: http://asg.web.cmu.edu/sasl/sasl-library.html
  TLS patch, Lutz Janicke: http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/

Postfix SASL + TLS

    #TLS
    smtpd_use_tls = yes
    #smtpd_tls_auth_only = yes
    smtpd_tls_key_file = /etc/postfix/newreq.pem
    smtpd_tls_cert_file = /etc/postfix/newcert.pem
    smtpd_tls_CAfile = /etc/postfix/cacert.pem
    smtpd_tls_loglevel = 3
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom

    #SASL
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,

http://spamlinks.net/
http://www.postfix.org
http://asg.web.cmu.edu/sasl/
http://asg.web.cmu.edu/sasl/sasl-library.html
http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/

Thank you