epaper.gotop.com.tw/pdf/a141.pdf
Unsolicited Bulk Email UBE
Unsolicited Commercial Email UCE spam
spamming
spammer
Postfix
11.1
...
...
...
Internet
relay server
scatter-shot
DNS MX
11.2 Internet
Denial-of-Service attack
reject
open relay
open relay
11.3 Open Relay Internet
Open Relay Open Relay
SMTP Sendmail 8
Open Relay
Open Relay
SMTP Postfix
Open Relay
Open Relay
Postfix
11.4 Open Relay
false-positive
identification
whitelist
11.4.1 SMTP SMTP
IP
Open Relay
Internet
Open Relay Open Relay
IP
IP
DNS-based
Internet
DNS-based DNS-based Blacklists
DNSBL Realtime Blacklists RBL
Open Relay DNS
MTA server MTA
server
Open Relay
DoS
DNSBL
RBL DNS
IP RBL PTR MTA
RBL IP
RBL nospam.example.com
192.168.254.31 NoSpam
DNS PTR 31.254.168.192.nospam.example.com
192.168.254.31 Postfix Postfix IP
nospam.example.com PTR IP
Postfix
DNSBL
Open Relay
DNSBL
11.4.2
Our Rates Have Never Been Lower!!
lowest mortgage rate
11.4.3
viagra HTML
viagra vi<!--oxo-->agra
HTML
v1agra vi@gra
...
11.5
1. SMTP
2.
IMAP POP
3.
MUA MDA
Postfix Postfix
Spamassassin
MTA
MDA MUA
MTA MDA MUA
Postfix
Postfix
Postfix
11.6 Postfix Postfix UBE
UBE Postfix
Postfix
restriction OK
REJECT
IP
DUNNO
Postfix SMTP
Postfix
regular expression
Postfix
Postfix
Postfix
11.7
smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_recipient_restrictions
smtpd_data_restrictions
SMTP
Postfix
11-1 SMTP header_checks
body_checks 11.9
SMTP
11.7.1 SMTP 11-1 SMTP 11-1
SMTP client socket Postfix
socket Postfix IP 11-1
IP Postfix smtpd_client_restrictions
IP
11-1 SMTP
1. postfix/smtpd[866062]: connect from mail.ora.com[10.143.23.45]
2. postfix/smtpd[866062]: D694B20DD5B: client=[10.143.23.45]
3. postfix/cleanup[864868]: D694B20DD5B: message-id=<[email protected]>
4. postfix/qmgr[861396]: D694B20DD5B: from=<[email protected]>, size=486, nrcpt=1 (queue active)
5. postfix/local[864857]: D694B20DD5B: to=<[email protected]>, relay=local, delay=98, status=sent (mailbox)
6. postfix/smtpd[866062]: disconnect from mail.ora.com[10.143.23.45]
HELO Postfix
smtpd_helo_restrictions
MAIL FROM RCPT
TO
smtpd_sender_restrictions smtpd_recipient_restrictions
DATA
header header_check
body check_body 11.9
Postfix MDA
Postfix SMTP
4xx 5xx
11.7.2 Postfix UBE
main.cf UBE
Postfix
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
smtpd_helo_restrictions
Postfix
Postfix
Postfix access map
11-1 Postfix UBE
check_helo_access
smtpd_helo_restrictions smtpd_sender_restrictions
Postfix
11-1
type:mapname
type:mapname
type:mapname
type:mapname
11-1
permit_ reject_
check_*_access type:mapname mapname
access table Postfix
key-value
11.7.3
11-1 reject_ permit_
Postfix OK
REJECT DUNNO Postfix
REJECT
Postfix OK
REJECT
OK
REJECT
DUNNO Postfix
REJECT Postfix
RCPT TO Postfix HELO
OK RCPT TO REJECT
Postfix SMTP client
REJECT
REJECT RCPT TO Postfix
REJECT
REJECT main.cf smtpd_delay_reject
no
smtpd_delay_reject = no
Postfix server SMTP client
Postfix
Postfix
soft_bounce = yes
soft_bounce 5xx 4xx SMTP
client 5xx
5xx
4xx SMTP
client soft_bounce
SMTP client
soft_bounce
soft_bounce
warn_if_reject
REJECT WARN SMTP client
Postfix
soft_bounce
warn_if_reject
warn_if_reject
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    warn_if_reject reject_invalid_hostname
    reject_unknown_recipient_domain
    reject_non_fqdn_recipient
HELO Postfix
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_invalid_hostname
    reject_unknown_sender_domain
reject_unauth_destination
reject_invalid_hostname mynetworks
mynetworks_style permit_mynetworks OK
smtpd_recipient_restrictions
permit_mynetworks OK REJECT
DUNNO Postfix reject_unauth_destination
Postfix mydestination
reject_unauth_destination REJECT DUNNO
DUNNO Postfix reject_invalid_hostname HELO
REJECT
DUNNO Postfix reject_unknown_sender_domain
MAIL FROM DNS
REJECT REJECT Postfix
MDA
11.7.3
check_*_access IP
Postfix
permit_mynetworks mynetworks
mynetworks_style
Postfix SMTP
SMTP
DNS
DNS
DNS
DNS
DNS
RBL DNS MTA
Postfix RBL client
reject permit
warn_if_reject
access map
Postfix
key-value IP
... OK REJECT
check_client_access maptype:mapname
check_client_access IP
Postfix DNS IP
PTR
check_helo_access maptype:mapname
check_helo_access
HELO Postfix
check_recipient_access maptype:mapname
check_recipient_access
RCPT TO
Postfix
check_sender_access maptype:mapname
check_sender_access
MAIL FROM
Postfix
check_sender_access check_recipient_access
[email protected] example.com
user@
user1@example.com
[email protected] example.com
[email protected] [email protected]
user@
check_client_access check_helo_access IP
IP 192.168.143.23
10 10.12 10.12.154
Postfix
OK
Postfix
REJECT
REJECT message-text
Postfix
access_map_reject_code check_*_access
maps_rbl_reject_code reject_maps_rbl
554
DUNNO
Postfix
FILTER transport:nexthop
transport table
transport nexthop
HOLD
HOLD message-text
hold queue Postfix
MDA
DISCARD
DISCARD message-text
Postfix
Postfix
DISCARD
Internet
4xx message-text
400 ~ 499
5xx message-text
500 ~ 599
regular expression
Postfix IP
11.9
smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_invalid_hostname
    reject_unknown_sender
4xx
5xx
5xx
4xx
4xx
MX
MX
SMTP
client_access
10.157                  REJECT
192.168.76.23           REJECT
currentmail.com         REJECT
sender_access
[email protected]             REJECT
marketing@                    REJECT
specials.digital-letter.com   REJECT
postmap Postfix
# postmap /etc/postfix/client_access
# postmap /etc/postfix/sender_access
11-1 Postfix
permit_auth_destination
Postfix Postfix
mydestination inet_interfaces virtual_alias_maps
virtual_mailbox_maps relay_domain
[email protected]@example.net
permit_auth_destination DUNNO
REJECT Postfix
permit_mynetworks
IP mynetworks
UBE
Postfix server
reject_unauth_destination
Postfix Postfix
mydestination inet_interfaces virtual_alias_maps
virtual_mailbox_maps relay_domain
[email protected]@example.net
relay_domains_reject_code 554
11-1 SMTP
OK
reject_invalid_hostname
HELO
invalid_hostname_reject_code 501
reject_non_fqdn_hostname
HELO RFC FQDN
non_fqdn_reject_code 504
FQDN Windows
reject_non_fqdn_recipient
RCPT TO RFC
FQDN non_fqdn_reject_code
504 FQDN
reject_non_fqdn_sender
MAIL FROM RFC
FQDN non_fqdn_reject_code
504
reject_unauth_pipelining
Pipelining
SMTP pipelining
MUA MTA
pipelining Postfix
reject_unauth_pipelining SMTP client
DNS
DNS DNS
DNS Internet email
DNS
DNS
DNS
DNS
reject_unknown_client
SMTP client socket Postfix server socket
IP reject_unknown_client Postfix
DNS IP PTR IP DNS
DNS Postfix
DNS IP IP socket
IP Postfix
unknown_client_reject_code 450
reject_unknown_client
DNS Internet IP
PTR
reject_unknown_hostname
HELO A MX
unknown_hostname_reject_code 450
HELO FQDN
reject_unknown_recipient_domain
RCPT TO DNS A MX
unknown_address_reject_code
450
reject_unknown_sender_domain
MAIL FROM DNS A
MX unknown_address_reject_code
450
MAIL FROM
MAIL FROM
unknown_*_reject_code
450 Postfix
Postfix DNS DNS server
DNS server Postfix 450
Real-Time Blacklist RBL
SMTP server DNS
DNS DNSBL DNSBL
Postfix
DNSBL DNSBL
reject_rbl_client rblprovider.domain
IP 1.2.3.4 4.3.2.1 RBL
dnsbl.example.com 4.3.2.1.dnsbl.example.com
DNS A IP
Postfix
reject_rhsbl_client rblprovider.domain
rblprovider.domain A
reject_rhsbl_sender rblprovider.domain
rblprovider.domain
A
DNSBL DNSBL
DNS
RBL
Postfix
permit
Postfix
reject
Postfix
defer
11.7.4 HELO
smtpd_helo_restrictions
smtpd_helo_restrictions =
    check_helo_access hash:/etc/postfix/helo_access
    reject_invalid_hostname
helo_access
greatdeals.example.com    REJECT
oreillynet.com            OK
Postfix HELO
Postfix
HELO example
check_helo_access Postfix
helo_access example
reject_invalid_hostname example
Postfix
HELO greatdeals.example.com
Postfix check_helo_access helo_access
greatdeals.example.com REJECT Postfix
HELO oreillynet.com
Postfix check_helo_access helo_access
oreillynet.com OK Postfix smtpd_helo_restrictions
smtpd_sender_restrictions
HELO mail.ora.com
Postfix check_helo_access helo_access
mail.ora.com reject_invalid_hostname
mail.ora.com Postfix
smtpd_sender_restrictions
11.8 SMTP SMTP SMTP client/server
Postfix SMTP
smtpd_helo_required
SMTP client HELO EHLO SMTP RFC SMTP
clients server HELO EHLO
Postfix SMTP
smtpd_helo_required = yes Postfix
SMTP RFC Postfix
strict_rfc821_envelopes = yes
Postfix
HELO/EHLO
SMTP
11.9 Postfix Postfix
header_checks
mime_header_checks MIME
nested_header_checks
body_checks
Spamassassin http://spamassassin.org Postfix
pattern
action
Postfix
Postfix
11.9.1 mime_header_checks nested_header_checks
header_checks
regexp
Posix pcre Perl
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
/
/match pattern/ REJECT
header_checks
/free mortgage quote/    REJECT
/repair your credit/     REJECT My credit is very good.
/take advantage now/     REJECT
Subject: Postfix
My credit is very good.
11.9.2
Postfix
REJECT message-text
message-text
WARN message-text
message-text
WARN
IGNORE
SMTP
HOLD message-text
hold queue
DISCARD message
Postfix
5xx
DISCARD
DISCARD 4xx 5xx
DISCARD
FILTER transport:nexthop
Postfix
11.9.3
Postfix
body_checks
Postfix
line_length_limit
2048 header_size_limit 100 K
Postfix
body_checks_size_limit 50 KB Postfix
Postfix
header_checks
/name ?="?.*\.(bat|scr|com|dll|exe|hta|pif|vbs)"?/ REJECT
Postfix Windows
Windows
PC
body_checks
/increase your sales by/            REJECT
/in compliance (with|of) strict/    REJECT
/lowest rates.*\!/                  REJECT
/[:alpha:]<!--.*-->[:alpha:]/       REJECT Suspicious embedded HTML comments
lowest rates
.* ! We have our lowest rates in
40 years! HTML VIA<!--ooxx-->GRA
HTML
postmap msg.txt
postmap
$ postmap -q - regexp:/etc/postfix/body_checks < msg.txt
opportunity. increase your sales by 500%. Consider REJECT
postmap
smtpd_*_restrictions
header_checks body_checks
...
MTA MDA procmail maildrop
Postfix Postfix
11.10
Postfix
Postfix restriction class
Postfix
1. restriction class
11-1
2.
3. smtpd_*_restrictions
check_*_access
check_client_access check_sender_access
check_recipient_access
11.10.1
spamlover spamhater
smtpd_restriction_classes
smtpd_restriction_classes = spamlover, spamhater
smtpd_*_restrictions
spamhater
spamhater =
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_unknown_sender_domain
    reject_rbl_client nospam.example.com
spamlover permit
spamlover = permit
Postfix
per_user_ube
#
# per_user_ube
#
[email protected] [email protected] spamlover
Postfix
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/per_user_ube
[email protected] Postfix
check_recipient_access
abelard@example.com spamhater
spamhater spamhater REJECT Postfix
Postfix spamlover
11.11 Postfix
11-2
11-2 main.cf
smtpd_restriction_classes =
    spamlover
    spamhater
spamhater =
    reject_invalid_hostname
    reject_non_fqdn_hostname
    reject_unknown_sender_domain
    reject_rbl_client nospam.example.com
spamlover = permit
smtpd_helo_required = yes
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/client_access
smtpd_helo_restrictions =
    reject_invalid_hostname
    check_helo_access hash:/etc/postfix/helo_access
smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    check_sender_access hash:/etc/postfix/sender_access
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
smtpd_data_restrictions =
    reject_unauth_pipelining
header_checks = /etc/postfix/header_checks
body_checks = /etc/postfix/body_checks
IP
check_helo_access
check_sender_access
hotmail.com aol.com ...
MAIL FROM HELO
Republic of Maldives