Jun 05, 2014

To improve an email domain's delivery rate, establish or maintain its reputation, and raise the chances that email reaches the intended recipient's inbox rather than their spam folder, organisations are advised to adopt Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

The Simple Mail Transfer Protocol (SMTP) permits any host to send email claiming to be from any source address. Spammers exploit this by forging sender addresses, which makes a message harder to trace back to its real origin and helps them hide their identity. The same weakness is used in phishing, where users can be duped into disclosing private information in response to an email that appears to come from a legitimate organisation.

If a domain publishes SPF and DKIM records, forged email claiming to come from it is more likely to be caught by spam filters that check those records. A domain using SPF and DKIM is also less likely to be blacklisted by spam filters, so legitimate email from the domain is more likely to be delivered to the intended recipient.

Sender Policy Framework (SPF)

Sender Policy Framework – http://www.openspf.org/ – is an email validation system designed to help prevent spam by verifying sender IP addresses. SPF allows administrators to specify which hosts are permitted to send email for a given domain by publishing a specific TXT record in the Domain Name System (DNS). Mail transfer agents (MTAs) use DNS to check that mail from a given domain is being sent by a host authorised by that domain's administrators. Receivers that verify the SPF information in the TXT record may reject messages from unauthorised sources before receiving the body of the message.

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail – http://www.opendkim.org/ – is a method for associating a domain name with an email message. The association is made by means of a digital signature which recipients can validate. A signer claims responsibility for a message by adding a DKIM-Signature field to its header. The verifier retrieves the signer's public key from DNS and then checks that the signature matches the actual content of the message.

DNS-based Blackhole List (DNSBL)

A DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is a list of IP addresses published through the Internet Domain Name System (DNS) either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time. DNSBLs are most often used to publish the addresses of hosts or networks linked to spamming; mail server software can be configured to reject messages which have been sent from a host listed on one or more such lists.

Policy Server (Postgrey)

Postgrey is a policy server implementing greylisting to filter spam on Postfix mail servers. Greylisting works on the basis that spam is sent by spambots and other non-RFC-compliant MTAs. Postgrey temporarily rejects new mail with a 450 "Recipient address rejected" error for a set period of time and logs the client IP / sender / recipient triplet in its database. If the sending server is RFC compliant it will resend the message, at which point Postgrey finds the triplet in its database and accepts the message. A typical spambot receives a large number of bounced or rejected messages, so spammers typically do not resend messages that are temporarily rejected.

Sender Policy Framework (SPF) Configuration

Add DNS TXT Record

Type: TXT
Hostname: [none - root record]
Content: v=spf1 a mx ~all
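The record above tells receivers which hosts may send for the domain; the check itself is done on the receiving side. The following is an added example (not code from the page or from the OpenSPF project) of how a receiver evaluates "v=spf1 a mx ~all" for a connecting client IP. The DNS data is a constructed in-memory stand-in using documentation address ranges, and the evaluator handles only the a, mx, ip4, ip6 and all mechanisms; include and redirect are left out.

```python
import ipaddress

# Constructed stand-in for DNS, covering the record this page publishes
# ("v=spf1 a mx ~all") plus the A and MX data that the "a" and "mx"
# mechanisms resolve through. Addresses are documentation ranges, not real hosts.
FAKE_DNS = {
    ("mydomain.com", "TXT"): ["v=spf1 a mx ~all"],
    ("mydomain.com", "A"): ["203.0.113.10"],
    ("mydomain.com", "MX"): ["mail.mydomain.com"],
    ("mail.mydomain.com", "A"): ["203.0.113.25"],
}

# SPF qualifiers and the result each one yields when its mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=FAKE_DNS):
    """Stand-in resolver: returns the records for (name, type) or an empty list."""
    return dns.get((name, rtype), [])


def mechanism_matches(mech, domain, client_ip, dns=FAKE_DNS):
    """True if one SPF mechanism (qualifier already stripped) matches client_ip.
    Handles a, mx, ip4, ip6 and all; include/redirect are left out on purpose."""
    ip = ipaddress.ip_address(client_ip)
    if mech == "all":
        return True
    kind, _, arg = mech.partition(":")
    if kind in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    target = arg or domain            # bare "a" / "mx" refer to the checked domain
    if kind == "a":
        hosts = [target]
    elif kind == "mx":
        hosts = lookup(target, "MX", dns)
    else:
        raise ValueError("unsupported mechanism: " + mech)
    return any(ipaddress.ip_address(addr) == ip
               for host in hosts for addr in lookup(host, "A", dns))


def check_spf(domain, client_ip, dns=FAKE_DNS):
    """Evaluate the domain's SPF record for a connecting client IP.
    Returns one of: none, permerror, pass, fail, softfail, neutral."""
    records = [r for r in lookup(domain, "TXT", dns) if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # RFC 7208: more than one SPF record is an error
    for term in records[0].split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mechanism_matches(mech, domain, client_ip, dns):
            return QUALIFIERS[qualifier]
    return "neutral"                # no mechanism matched and no "all" term


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.25", "198.51.100.7"):
        print(ip, check_spf("mydomain.com", ip))
```

With the page's record, mail from the domain's own A address or from its MX passes, and anything else hits "~all" and gets softfail. Softfail is a hint that most receivers use for scoring rather than outright rejection; "-all" would turn the same case into a hard fail, so it is worth confirming every legitimate sending host (web application servers, third-party mailers) is covered before tightening the record.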

DomainKeys Identified Mail (OpenDKIM) Configuration

# yum install opendkim

Configure OpenDKIM

# nano /etc/opendkim.conf

AutoRestart Yes
AutoRestartRate 10/1h
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
Mode sv
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
SignatureAlgorithm rsa-sha256
Socket inet:8891@localhost
PidFile /var/run/opendkim/opendkim.pid
UMask 022
UserID opendkim:opendkim
TemporaryDirectory /var/tmp

Setup Public / Private Keys

# mkdir /etc/opendkim/keys/mydomain.com
# opendkim-genkey -D /etc/opendkim/keys/mydomain.com/ -d mydomain.com -s default
# chown -R opendkim: /etc/opendkim/keys/mydomain.com
# mv /etc/opendkim/keys/mydomain.com/default.private /etc/opendkim/keys/mydomain.com/default

# nano /etc/opendkim/KeyTable

default._domainkey.mydomain.com mydomain.com:default:/etc/opendkim/keys/mydomain.com/default

# nano /etc/opendkim/SigningTable

*@mydomain.com default._domainkey.mydomain.com

# nano /etc/opendkim/TrustedHosts

Add DNS TXT Record

Source: /etc/opendkim/keys/mydomain.com/default.txt
Type: TXT
Hostname: default._domainkey
Content: v=DKIM1; k=rsa; p=RaNdOm0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyVqnIDySF328p92SRVAzIfJgBuzLCKFpmY60RUtDwzCkc+V1+hDJpdT/pTi9Hui+k2PV143OIqjwok7+4yg68po8Zp9gZ7JeVh/0M4UVCvLIyKG+rofGKAnzeY+pKhcHUL96Qtjt222hr+VO8vvyMcAd/A4T1AtdzTzja2vqhcwRaNdOm
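The "Canonicalization relaxed/simple" and "SignatureAlgorithm rsa-sha256" settings above decide exactly which bytes get signed. The following is an added example (not code from the page or from OpenDKIM) showing what a signer and verifier compute before the RSA step: relaxed canonicalization of the signed headers, simple canonicalization of the body, the bh= body hash, and the final string that rsa-sha256 is applied to. The sample message is constructed; the RSA signing itself, which would use the private key produced by opendkim-genkey, is deliberately not included.

```python
import base64
import hashlib
import re


def canon_body_simple(body):
    """'simple' body canonicalization (RFC 6376 section 3.4.3): normalise line
    endings to CRLF, drop empty lines at the end, and finish with exactly one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def canon_header_relaxed(name, value):
    """'relaxed' header canonicalization (RFC 6376 section 3.4.2): lowercase the
    field name, unfold the value, squeeze runs of whitespace to one space and
    strip whitespace around the colon and at the end of the line."""
    value = re.sub(r"\r?\n", "", value)           # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()
    return "%s:%s\r\n" % (name.strip().lower(), value)


def body_hash(body):
    """bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canon_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_signing_input(headers, signed_names, domain, selector, body):
    """Build the exact string that rsa-sha256 is applied to (RFC 6376
    section 3.7): the canonicalized headers named in h=, in that order, each
    taken from the bottom of the message if it occurs more than once, followed
    by the DKIM-Signature header itself with an empty b= tag and no final CRLF.
    headers is a list of (name, value) pairs in message order."""
    bh = body_hash(body)
    parts = []
    for wanted in signed_names:
        for name, value in reversed(headers):
            if name.strip().lower() == wanted.lower():
                parts.append(canon_header_relaxed(name, value))
                break
    tags = ("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b="
            % (domain, selector, ":".join(signed_names), bh))
    parts.append(canon_header_relaxed("DKIM-Signature", tags).rstrip("\r\n"))
    return "".join(parts), bh


# Constructed sample message (not from the page); note the extra whitespace and
# the folded Subject line, which relaxed canonicalization normalises away.
SAMPLE_HEADERS = [
    ("From", "  Alice <alice@mydomain.com>"),
    ("To", "Bob <bob@example.net>"),
    ("Subject", "Meeting\r\n\tnotes"),
]
SAMPLE_BODY = "Hi Bob,\n\nSee you at 10.\n\n\n"

if __name__ == "__main__":
    data, bh = dkim_signing_input(SAMPLE_HEADERS, ["from", "to", "subject"],
                                  "mydomain.com", "default", SAMPLE_BODY)
    print("bh=" + bh)
    print(data)
```

The verifier fetches the p= value from default._domainkey.mydomain.com, recomputes bh= from the body it received and rebuilds the same signing input from the h= list; any change to a signed header or to the body after signing makes the check fail. Relaxed header canonicalization is what lets a signature survive the whitespace rewrapping that intermediate mail servers commonly do, which is why relaxed/simple is the usual choice. The From header must always be in h=.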

MTA Configuration – Postfix

# nano /etc/postfix/main.cf

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

DNS-based Blackhole List (DNSBL) Configuration – Postfix

# nano /etc/postfix/main.cf

smtpd_recipient_restrictions =
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl-1.uceprotect.net

The line reject_unauth_destination is critically important: it tells Postfix not to accept messages for recipients at domains that are not hosted locally or for which this server is not a backup. Without this line the server would be an open relay.
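What reject_rbl_client does for each of the three zones above is a DNS A lookup of the client's reversed address under the zone. The following is an added example (not code from the page or from Postfix) that builds those query names and interprets the answers, including the caveat that a response outside 127.0.0.0/24 is an error signal from the list operator rather than a listing. The DNS answers are a constructed in-memory stand-in; none of the documentation-range addresses used are actually listed anywhere.

```python
import ipaddress

# Constructed DNS answers standing in for real DNSBL zones: maps the query name
# a resolver would send to the A record(s) it gets back. NXDOMAIN (not listed)
# is modelled as the name being absent. Addresses are documentation ranges.
FAKE_ANSWERS = {
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.4"],            # constructed listing
    "7.100.51.198.bl.spamcop.net": ["127.0.0.2"],              # constructed listing
    "9.2.0.192.dnsbl-1.uceprotect.net": ["127.255.255.254"],   # constructed error-style answer
}

# Genuine listings are answered with 127.0.0.x; list operators use other
# 127.x.x.x values (e.g. 127.255.255.x) to signal query problems such as an
# open resolver or query limits. Check the operator's documentation for the
# exact meaning of each code before acting on it.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/24")

# The zones configured on the page
ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "dnsbl-1.uceprotect.net"]


def dnsbl_query_name(client_ip, zone):
    """Reverse the IPv4 octets and append the zone: 198.51.100.7 checked against
    zen.spamhaus.org becomes 7.100.51.198.zen.spamhaus.org."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 clients only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def resolve(name, answers=FAKE_ANSWERS):
    """Stand-in for an A-record lookup; an empty list means NXDOMAIN."""
    return answers.get(name, [])


def check_dnsbl(client_ip, zones=ZONES, answers=FAKE_ANSWERS):
    """Return ({zone: [codes]} for zones that genuinely list the client,
    [zones that returned an error-style answer instead of a listing])."""
    listed, errors = {}, []
    for zone in zones:
        name = dnsbl_query_name(client_ip, zone)
        codes = [ipaddress.ip_address(a) for a in resolve(name, answers)]
        hits = [str(c) for c in codes if c in LISTED_RANGE]
        if hits:
            listed[zone] = hits
        elif codes:
            errors.append(zone)
    return listed, errors


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.9", "203.0.113.1"):
        print(ip, check_dnsbl(ip))
```

Postfix's plain reject_rbl_client treats any A answer as a listing, so an error-style response from a zone would reject legitimate mail; postconf(5) documents the zone=d.d.d.d form of reject_rbl_client for restricting a zone to specific return addresses, which is the usual way to avoid that. Placing reject_unauth_destination before the RBL checks, as in the configuration above, also means relay attempts are refused without spending a DNS lookup on them.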

Policy Server (Postgrey) Configuration – Postfix

# yum install postgrey

# nano /etc/sysconfig/postgrey

OPTIONS="--unix=/var/spool/postfix/postgrey/socket --delay=60"

# nano /etc/postfix/main.cf

smtpd_recipient_restrictions =
    reject_unauth_destination,
    check_policy_service unix:postgrey/socket

The line reject_unauth_destination is critically important: it tells Postfix not to accept messages for recipients at domains that are not hosted locally or for which this server is not a backup. Without this line the server would be an open relay.
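check_policy_service hands each recipient to Postgrey over the socket using Postfix's policy delegation protocol (name=value lines ended by a blank line, answered with an action= line). The following is an added example (not Postgrey's code or anything from the page) of a minimal greylisting policy speaking that protocol with the page's --delay=60: the first attempt for a client/sender/recipient triplet is deferred, a retry after the delay is accepted. Postgrey's own refinements (client /24 matching, auto-whitelisting, database expiry) are left out, and the clock is injectable so the delay can be exercised without waiting.

```python
import time


def parse_policy_request(raw):
    """Parse one Postfix policy-delegation request: 'name=value' lines
    terminated by an empty line (the format check_policy_service sends)."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class Greylist:
    """Minimal greylisting policy in the spirit of Postgrey (added illustration,
    not Postgrey's implementation). A (client, sender, recipient) triplet is
    deferred until `delay` seconds have passed since it was first seen."""

    def __init__(self, delay=60, clock=time.time):
        self.delay = delay
        self.clock = clock        # injectable so a test can move time forward
        self.first_seen = {}      # triplet -> time of the first attempt

    def decide(self, raw_request):
        attrs = parse_policy_request(raw_request)
        if attrs.get("request") != "smtpd_access_policy":
            return "action=DUNNO\n\n"
        key = (attrs.get("client_address", ""),
               attrs.get("sender", "").lower(),
               attrs.get("recipient", "").lower())
        now = self.clock()
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            # DEFER_IF_PERMIT: Postfix only sends the 450 if no later restriction
            # would reject the message anyway, so greylisting never masks a reject.
            return "action=DEFER_IF_PERMIT Greylisted, try again later\n\n"
        return "action=DUNNO\n\n"     # DUNNO: let the remaining restrictions decide


# Constructed request, in the shape Postfix sends at the RCPT stage
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=198.51.100.7\n"
    "sender=bob@example.net\n"
    "recipient=alice@mydomain.com\n"
    "\n"
)

if __name__ == "__main__":
    policy = Greylist(delay=60)
    print(policy.decide(SAMPLE_REQUEST))   # first attempt: deferred
```

A compliant MTA retries after its own queue interval (typically minutes), so with --delay=60 the second attempt is accepted and the triplet stays whitelisted; a spambot that never retries simply disappears. Returning DEFER_IF_PERMIT rather than DEFER keeps reject_unauth_destination and any RBL checks that follow in effect.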

Source: http://en.wikipedia.org/wiki/Sender_Policy_Framework
Source: http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
Source: http://en.wikipedia.org/wiki/DNSBL
Source: http://www.rosehosting.com/blog/how-to-install-and-integrate-opendkim-with-postfix-on-a-centos-6-vps/
Source: http://wiki.centos.org/HowTos/postgrey
Source: http://wiki.centos.org/HowTos/postfix_restrictions

© 2011 Indimon Internet Services
