PPoossttffiixx SSMMTTPP ݥꥷѾ

-------------------------------------------------------------------------------

PPoossttffiixx SSMMTTPP ݥꥷѾŪŪ

Postfix SMTP Фˤ SMTP ץȥξ̤ǥ᡼ݤ
դ뤿Υᥫ˥बĤȤ߹ޤƤޤС 2.1 
ǡPostfix ϥݥꥷη Postfix γưФ˰Ѿ뤳Ȥ
Ǥ褦ˤʤޤ

ΥݥꥷѾᥫ˥ȤȡΥɥȤκǸ˼褦ʡä
٤ Perl ñ greylist ݥꥷǤޤݥꥷѾ
ۤȤƤϡhttp://spf.pobox.com/ ˤ Meng Wong ˤ SPF ݥꥷ
ФޤɤΥݥꥷ Postfix ɤ
examples/smtpd-policy ǥ쥯ȥ˴ޤޤƤޤ

ݥꥷѾ Postfix ˥ݥꥷɲäΤ˸߹ޤƤˡǤ
Ԥ Perl ǿǽȯΤϡƱȤ C ɤǤȤ
äȴñǤѥեޥ󥹤ΰ㤤׵θĶʳǤ
ΩʤǤ礦

ΥɥȤϰʲ򥫥Сޤ:

  * ݥꥷץȥε
  * ݥꥷ饤/Ф
  * : greylist ݥꥷ
  * ˤ٤ɥᥤ󤫤Υ᡼ greylisting 
  * ᡼뤹٤Ƥ greylisting 
  *  greylist 
  * Perl greylist Ф

ݥꥷץȥε

Postfix ݥꥷѾץȥ˥ץǤ饤Ȥ׵
name=value °Ԥʬ䤵줿¤ӤǤꡢԤǽޤФα
name=value °1ĤǤꡢԤǽޤ

Postfix SMTP Ф SMTPD ݥꥷѾ׵Ƥ°
ޤ:

    request=smtpd_access_policy
    protocol_state=RCPT
    protocol_name=SMTP
    helo_name=some.domain.tld
    queue_id=8045F2AB23
    sender=foo@bar.tld
    recipient=bar@foo.tld
    client_address=1.2.3.4
    client_name=another.domain.tld
    instance=123.456.7
    sasl_method=plain
    sasl_username=you
    sasl_sender=
    ccert_subject=solaris9.porcupine.org
    ccert_issuer=Wietse Venema
    ccert_fingerprint=C2:9D:F4:87:71:73:73:D9:18:E7:C2:F3:C1:DA:6E:04
    size=12345
    [empty line]

:

  * "request" °ɬܤǤǤϡ׵᥿פ "smtpd_access_policy"
    Ǥ

  * °ϽƱǤݥꥷФϵˤʤ°̵뤹٤Ǥ

  * Ʊ°̾2ٰʾȡФϺǽͤݻ뤫⤷ޤ󤷡
    Ǹ°ͤݻ뤫⤷ޤ

  * °ͤʤȡ饤ȤϤ°ʤͤˤ
    ("name=") °ޤ

  * 饤ȥɥ쥹 1.2.3.4 ȤΥɥåȤǶڤ줿IPv4
    4Ĥοޤ 1:2:3::4:5:6 Τ褦ʷIPv6ɥ쥹Ǥ

  * °̾ "="  nullԤޤꡢ°ͤ null ԤޤǤ
    ޤ

  * "instance" °ͤƱå˴ؤ̤׵ϢŤΤ
    Ȥޤ

  * "size" °ͤˤϥ饤Ȥ MAIL FROM ޥɤǻꤷå
     (ꤵƤʤХ) ޤPostfix 2.2ʹߤǤϡ
    饤Ȥ END-OF-DATA ޥɤä˼ºݤΥå
    ʤޤ

  * "sasl_*" ° (Postfix 2.2ʹ) ϥ饤ȤSASLǧڤ줿ˡ
    ؤ򼨤ޤ

  * "ccert_*" ° (Postfix 2.2ʹ) ϥ饤ȤTLSǧڤ줿ˡ
    ؤ򼨤ޤ

ʲ SMTPD ݥꥷѾ׵ͭǤ:

  * ץȥ̾ ESMTP ޤ SMTP Ǥ

  * ץȥ֤ CONNECT, EHLO, HELO, MAIL, RCPT, DATA, END-OF-MESSAGE,
    VRFY ޤ ETRN Ǥ; Postfix SMTPФOK/REJECT/HOLD/¾
    ꤹSMTPץȥξ̤Ǥ

ݥꥷФ Postfix SMTPD access(5) ơ֥ǵ뤤줫 action 
ޤ:

    action=defer_if_permit Service temporarily unavailable
    [empty line]

ˤꡢPostfix SMTP Ф׵򹱵Ū˵ݤͳĤʤ
ϡ Postfix SMTP Ф׵ 450 Ū顼ɤ "Service
temporarily unavailable" ȤʸդƵݤ褦ˤʤޤ

꤬ä硢ݥꥷФϱ֤ƤϤޤ˥Ф
ٹ˵Ͽ³ڤʤФޤPostfix ϤФ餯Ƥ
׵ƻԤޤ

ݥꥷ饤//Ф

Postfix ǥݥꥷѾ륯饤Ȥ TCP åȤ⤷ UNIX ɥᥤ
åȤ³Ǥޤ:

    inet:127.0.0.1:9998
    unix:/some/where/policy
    unix:private/policy

ǽǤϡݥꥷФ 127.0.0.1 Υݡ 9998  TCP åȤ
listen 褦˻ꤷƤޤ2ܤǤ UNIX ɥᥤ󥽥åȤ
ѥ̾ꤷƤޤ3ܤǤ Postfix 塼ǥ쥯ȥ꤫
ѥ̾ꤷƤޤ; Postfix master ǡˤäƸƤФݥꥷ
ФФƤϤȤäƤ

"policy" Ȥ̾ UNIX ɥᥤ󥽥åȤ listen Postfix spawn(8)
ǡ椫ưݥꥷФˤϡΤ褦ʤΤȤޤ:

     1 /etc/postfix/master.cf:
     2     policy  unix  -       n       n       -       -       spawn
     3       user=nobody argv=/some/where/policy-server
     4
     5 /etc/postfix/main.cf:
     6     smtpd_recipient_restrictions =
     7         ...
     8         reject_unauth_destination
     9         check_policy_service unix:private/policy
    10         ...
    11     policy_time_limit = 3600

:

  * 2, 11: Postfix spawn(8) ǡϥǥեȤ1000ø˻ҥץ
    kill ޤ SMTP 饤Ȥ SMTP Хץ³Ƥ
    ư³ݥꥷǡˤûޤǥեȤλ¤Ū
    "policy_time_limit" ꤹ뤳ȤǾ񤭤ޤѥ᡼̾
    master.cf ȥ̾ ("policy")  "_time_limit" եå
    ĤʤΤǤ

  * 8, 9: "check_policy_service" ɬ "reject_unauth_destination" 
    ָˡ׻ꤷƤʤȥƥबץ졼ˤʤä
    ޤޤ

  * Solaris  UNIX ɥᥤ󥽥åȤϿꤷƻȤȤǤޤ
    TCP åȤȤäƤ:

     1 /etc/postfix/master.cf:
     2     127.0.0.1:9998  unix  -       n       n       -       -       spawn
     3       user=nobody argv=/some/where/policy-server
     4
     5 /etc/postfix/main.cf:
     6     smtpd_recipient_restrictions =
     7         ...
     8         reject_unauth_destination
     9         check_policy_service inet:127.0.0.1:9998
    10         ...
    11     127.0.0.1:9998_time_limit = 3600

饤¦ΥݥꥷѾץȥ椹¾ѥ᡼:

  * smtpd_policy_service_max_idle (ǥե: 300s): Postfix SMTP Ф
    ȤƤʤݥꥷ饤³ĤޤǤλ֡

  * smtpd_policy_service_max_ttl (ǥե: 1000s): Postfix SMTP Ф
    ƥ֤ʥݥꥷ饤³ĤޤǤλ֡

  * smtpd_policy_service_timeout (ǥե: 100s): ݥꥷФؤ³
    ݥꥷФؤޤϥݥꥷФμˤ¡

:: ggrreeyylliisstt ݥꥷ

Greylisting  http://www.greylisting.org/ ˤƤ褦ʡ
᡼ФɱˡǤΥǥͭ̾ˤʤ1ǯʾ postfix-users
᡼󥰥ꥹȤǵޤ

Postfix ĥ꡼ˤե examples/smtpd-policy/greylist.pl 
ñ㲽줿 greylist ݥꥷФޤΥФƤ
(饤ȡԡ) Ȥ߹碌Ф륿ॹפ¸ޤ
ǥեȤǤϡॹפ60ðʾв᤹ޤǥ᡼ϼդޤ
ϥ򤵤줿ԥɥ쥹ĥ󥯥᡼䡢
򤵤줿ץץͳ᡼ߤޤޤˤ
IP ɥ쥹Ѥ륹ѥޡΥ󥯥᡼ߤޤ

examples/smtpd-policy/greylist.pl  /usr/libexec/postfix ޤϥƥ
Ŭ˥ԡƤ

greylist.pl Perl ץȤˤϡgreylist ǡ١եξȡ
᡼뤬ޤǤٱ֤Ĺꤹɬפޤ
ǥեȤ:

    $database_name="/var/mta/greylist.db";
    $greylist_delay=60;

/var/mta ǥ쥯ȥ (⤷Ϥʤ򤷤)  "nobody" ⤷
ݥꥷӥФ master.cf ꤷ桼̾񤭹ɬפ
ޤ

:

    # mkdir /var/mta
    # chown nobody /var/mta

: /tmp  /var/tmp Τ褦ïǤ񤭹ǥ쥯ȥ greylist ǡ
١äꡢȤ̤ƤޤǽΤե륷ƥ
ǡ١ֺʤǤסPostfix ϥ᡼륭塼᡼ܥå
ݴɸѤ "ڡʤ" ֤ǤĤ뤳ȤǤޤgreylist
ǡ١Ĥ뤳ȤϤǤޤ󡣥ե뤬줿ǥե
ޤǥ᡼ǤʤʤäƤޤޤ

greylist.pl Perl ץȤ Postfix master ǡ沼ưȤ
Ǥޤ㤨С"nobody" 桼ȤƥץȤ餻ˤϡPostfix
ץΤߤǽ UNIX ɥᥤ󥽥åȤȤޤ:

    1 /etc/postfix/master.cf:
    2     policy  unix  -       n       n       -       -       spawn
    3       user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
    4
    5 /etc/postfix/main.cf:
    6      policy_time_limit = 3600

:

  * 3: 줾׵ξĹʥˤϡ"greylist.pl -v" 
    ꤷޤ

  * 2, 6: Postfix spawn(8) ǡϥǥեȤ1000ø˻ҥץ
    kill ޤ SMTP 饤Ȥ SMTP Хץ³Ƥ
    ư³ݥꥷǡˤûޤǥեȤλ¤Ū
    "policy_time_limit" ꤹ뤳ȤǾ񤭤ޤѥ᡼̾
    master.cf ȥ̾ ("policy")  "_time_limit" եå
    ĤʤΤǤ

Solaris Ǥϡ "ݥꥷ饤/" Ǿܺ٤
Ҥ٤Ƥ褦ˡunix: ΥåȤǤϤʤ inet: ΥåȤ
ȤʤФޤ

    1 /etc/postfix/master.cf:
    2     127.0.0.1:9998  unix  -       n       n       -       -       spawn
    3       user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
    4
    5 /etc/postfix/main.cf:
    6      127.0.0.1:9998_time_limit = 3600

ΥӥƤӽФˤϡ"check_policy_service inet:127.0.0.1:9998" 
ꤷޤ

ˤ٤ɥᥤΥ᡼ ggrreeyylliissttiinngg 

ˤ٤ΥɥᥤФ greylisting ͭˤΤŪ
Ǥ褯٤ MAIL FROM ɥᥤΥꥹȤ
http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in 
ޤ

     1 /etc/postfix/main.cf:
     2     smtpd_recipient_restrictions =
     3         reject_unlisted_recipient
     4         ...
     5         reject_unauth_destination
     6         check_sender_access hash:/etc/postfix/sender_access
     7         ...
     8     smtpd_restriction_classes = greylist
     9     greylist = check_policy_service unix:private/policy
    10
    11 /etc/postfix/sender_access:
    12     aol.com     greylist
    13     hotmail.com greylist
    14     bigfoot.com greylist
    15     ... ʤ ...

:

  * 9: Solaris Ǥϡ ": greylist ݥꥷ" Ǿܺ٤
    Ҥ٤Ƥ褦ˡunix: ΥåȤǤϤʤ inet: ΥåȤ
    ȤʤФޤ

  * 6: "check_sender_access" ϳμ¤ "reject_unauth_destination" Ρָˡ
    ꤷƤʤȥƥबץ᡼졼ˤʤä
    ޤޤ

  * 3: Postfix 2.0 ʥåץåȥ꡼Ǥϡ"reject_unlisted_recipient"
     "check_recipient_maps" ȸƤФƤޤPostfix 2.1 ξη
    򤷤ޤ

  * 3: greylist ǡ١ϵΥɥ쥹Ǥ˱Ƥޤޤ
    ΤʤԤԤݤ褦¾¤ greylist ݸ
    ȤΩޤ

᡼뤹٤Ƥ ggrreeyylliissttiinngg 

ƤΥ᡼Ф greylisting ͭˤȡŪԥɥ쥹Ȥ
᡼󥰥ꥹȤŪ® greylist ǡ١ƤޤΤǡ
Τ褦ʥ᡼󥰥ꥹȤޤְ㤤ʤʤϤǤ

     1 /etc/postfix/main.cf:
     2     smtpd_recipient_restrictions =
     3         reject_unlisted_recipient
     4         ...
     5         reject_unauth_destination
     6         check_sender_access hash:/etc/postfix/sender_access
     7         check_policy_service unix:private/policy
     8         ...
     9
    10 /etc/postfix/sender_access:
    11     securityfocus.com OK
    12     ...

:

  * 7: Solaris Ǥϡ ": greylist ݥꥷ" Ǿܺ٤
    Ҥ٤Ƥ褦ˡunix: ΥåȤǤϤʤ inet: ΥåȤ
    ȤʤФޤ

  * 6-7: check_sender_access  check_policy_service ϳμ¤
    reject_unauth_destination Ρָˡ׻ꤷƤʤ
    ƥबץ᡼졼ˤʤäƤޤޤ

  * 3: greylist ǡ١ϵΥɥ쥹Ǥ˱Ƥޤޤ
    greylist äΤʤԤԤݤ褦¤Ƥ
    ȤΩޤ

 greylist 

greylist Фϥǡ١Υȥʤᡢgreylist ǡ١
֤Ĥ礭ʤäƤޤäƤȡgreylist ǡ١
ǽŪ˥ե륷ƥζȤ̤Ƥޤޤ

ơե륵ͤĶݤñˤΥե͡
ƤⰭƶϤޤ; Postfix ϼưŪ˿ե
ޤǰξ硢᡼1٤ޤƶΤˤϡ
οˤΥե͡⤷ϺƤ

PPeerrll ggrreeyylliisstt Ф

 greylist ݥꥷ Perl ֥롼ǤPostfix 
examples/smtpd-policy/greylist.pl ȤۤƤѤΥץݥꥷ
ФΰǤ

#
# greylist ֥ǡ١ greylist ֳִ֡/tmp  /var/tmp Τ褦
# ïǤ񤭹ǥ쥯ȥ greylist ֥ǡ١ֺäƤ
# ޤסgreylist ǡ١Ȥ̤Ƥޤե
# ƥˡֺäƤϤޤס
#
# Greylist state: the database file that holds the first-sighting time
# stamp of each client/sender/recipient triple, and the number of seconds
# a newly seen triple is deferred before its mail is accepted.
# Keep $database_name in a directory writable only by the policy user
# (the README creates /var/mta owned by "nobody"), never in a shared,
# world-writable location such as /tmp or /var/tmp.
($database_name, $greylist_delay) = ("/var/mta/greylist.db", 60);

#
# ǥ SMTPD access ݥꥷ롼󡣷̤ Postfix access ơ֥α¦ʬ
# ꤵΤƱ action Ǥ׵° %attr ϥå̤
# ޤ
#
sub smtpd_access_policy {
    # Demo SMTPD access policy routine. Reads the request attributes from the
    # global %attr hash and returns an action in the form allowed on the
    # right-hand side of a Postfix access(5) table.
    #
    # The key client_address/sender/recipient (case-folded as a whole) is
    # looked up in the greylist database. An unknown triple is recorded with
    # the current time; mail is deferred until the triple is older than
    # $greylist_delay seconds.
    #
    # Returns "dunno" rather than "OK" once the delay has elapsed, so that
    # restrictions listed after check_policy_service still get to run, and
    # "defer_if_permit ..." otherwise, so that another access restriction may
    # still reject the mail outright.
    my ($triple, $first_seen, $now, $age);

    # Open the database lazily on first use.
    open_database() unless $database_obj;

    # Build the lookup key; lc() covers the entire joined string.
    $triple = lc(join("/",
        $attr{"client_address"}, $attr{"sender"}, $attr{"recipient"}));

    # Take one time stamp and reuse it, so the value stored for a new
    # triple and the age computed below agree exactly.
    $now = time();
    $first_seen = read_database($triple);

    # read_database() yields 0 for an unknown triple: record first sighting.
    if ($first_seen == 0) {
        $first_seen = $now;
        update_database($triple, $first_seen);
    }

    $age = $now - $first_seen;
    syslog $syslog_priority, "request age %d", $age if $verbose;

    return "dunno" if $age > $greylist_delay;
    return "defer_if_permit Service temporarily unavailable";
}

