Архивы по Категориям: postfix

Увеличиваем размер аттача в postfix

[cc]
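# Show the current Postfix message size cap. Querying the parameter by name
# prints exactly that setting (a `postconf | grep` substring match can also
# pick up any other parameter whose name contains the string).
postconf message_size_limit
# Raise the cap to 52428800 bytes (50 MiB); `postconf -e` rewrites main.cf in place.
postconf -e message_size_limit=52428800
# NOTE(review): the new value takes effect only after `postfix reload`, and local
# delivery also needs mailbox_size_limit to be at least this large — verify both.
postconf message_size_limit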
[/cce]

 

устанавливаем поддержку sieve для dovecot

ставим необходимые пакеты
[cce]

root@mx1/var/spool/mail> pkg_info | grep sieve
dovecot-managesieve-0.11.13 Dovecot ManageSieve Server daemon
dovecot-sieve-1.2+0.1.19 A Sieve plugin for the Dovecot ‘deliver’ LDA
roundcube-sieverules-1.16 Roundcube webmail sieve plugin
root@mx1/var/spool/mail>
[/cce]

правим конфиг dovecot.conf
[cce]

root@mx1/var/spool/mail> cd /usr/local/etc
root@mx1/usr/local/etc> vim dovecot.conf
[/cce]

добавляем – исправляем
[cce]

protocols = pop3 pop3s imap imaps managesieve

protocol managesieve {
login_executable = /usr/local/libexec/dovecot/managesieve-login
mail_executable = /usr/local/libexec/dovecot/managesieve
managesieve_max_line_length = 65536
managesieve_logout_format = bytes=%i/%o
managesieve_implementation_string = dovecot
mail_debug=yes
}

protocol lda {

# Address to use when sending rejection mails.
postmaster_address = postmaster@site.com

# Hostname to use in various parts of sent mails, eg. in Message-Id.
# Default is the system's real hostname.
hostname = mx1.site.com

mail_plugin_dir = /usr/local/lib/dovecot/lda
mail_plugins = sieve

# Support for dynamically loadable plugins. mail_plugins is a space separated
# list of plugins to load.
#mail_plugins =
#mail_plugin_dir = /usr/local/lib/dovecot/lda

# Binary to use for sending mails.
#sendmail_path = /usr/lib/sendmail
#sendmail_path = /usr/sbin/sendmail

# UNIX socket path to master authentication server to find users.
#auth_socket_path = /var/run/dovecot/auth-master

}

plugin {

quota = maildir
quota_rule = *:storage=1GB
# 10% of 1GB = 100MB
quota_rule2 = Trash:storage=10%%
# 20% of 1GB = 200MB
quota_rule3 = Spam:storage=20%%

sieve_dir = /var/spool/mail
sieve = /var/spool/mail/%u.sieve
}

[/cce]

перезапускаем dovecot и смотрим …

[cce]

root@mx1/usr/local/etc> sockstat | grep 2000
dovecot managesiev 96181 4 tcp4 *:2000 *:*
dovecot managesiev 66644 4 tcp4 *:2000 *:*
dovecot managesiev 11738 4 tcp4 *:2000 *:*
root dovecot 45144 10 tcp4 *:2000 *:*
root@mx1/usr/local/etc>

[/cce]

все класс.

для редактирования правил я использую плагин для roundcube

[cce]

root@mx1/usr/local/etc> pkg_info | grep round
roundcube-0.7.2,1 Fully skinnable XHTML/CSS webmail written in PHP
roundcube-sieverules-1.16 Roundcube webmail sieve plugin
root@mx1/usr/local/etc>
[/cce]

плагин очень удобный и позволяет без напряга строить разнообразные правила.

 

 

 

Проверка входящей почты с поддержкой DKIM в SpamAssassin

Как подписывать исходящую почту в Postfix используя DKIMProxy я написал чуть ниже. Теперь приступим к входящей. Как пишет автор DKIMProxy, нет смысла использовать его для проверки входящей почты, если вы используете SpamAssassin, т.к. алгоритмы используются одинаковые.

приступим.
включаем поддержку DKIM-плагина в SpamAssassin и пересобираем его.


root@mx1/usr/ports> portupgrade -f mail/p5-Mail-SpamAssassin

подключаем плагин
root@mx1/usr/ports> vim /usr/local/etc/mail/spamassassin/v312.pre
[cc]

# DKIM - perform DKIM verification
#
# Mail::DKIM module required for use, see INSTALL for more information.
#
# Note that if C<Mail::DKIM> version 0.20 or later is installed, this
# renders the DomainKeys plugin redundant.
#
loadplugin Mail::SpamAssassin::Plugin::DKIM
[/cc]

добавляем правила в
root@mx1/usr/local/etc/mail/spamassassin> cat local.cf
[cc]

score DKIM_VERIFIED -0.1
score DKIM_SIGNED 0
score DKIM_POLICY_SIGNALL 0
score DKIM_POLICY_SIGNSOME 0
score DKIM_POLICY_TESTING 0
score USER_IN_DKIM_WHITELIST -8.0
score USER_IN_DEF_DKIM_WL -1.5
score ENV_AND_HDR_DKIM_MATCH -0.1
whitelist_from_dkim *@ebay.com
whitelist_from_dkim *@*.ebay.com
whitelist_from_dkim *@ebay.co.uk
whitelist_from_dkim *@*.ebay.co.uk
whitelist_from_dkim *@ebay.at
whitelist_from_dkim *@ebay.ca
whitelist_from_dkim *@ebay.de
whitelist_from_dkim *@ebay.fr
whitelist_from_dkim *@*.paypal.com
whitelist_from_dkim *@paypal.com
whitelist_from_dkim *@* paypal.com
whitelist_from_dkim *@*.paypal.be
whitelist_from_dkim *@cern.ch
whitelist_from_dkim *@amazon.com
whitelist_from_dkim *@springer.delivery.net
whitelist_from_dkim *@cisco.com
whitelist_from_dkim *@alert.bankofamerica.com
whitelist_from_dkim *@bankofamerica.com
whitelist_from_dkim *@cnn.com
whitelist_from_dkim *@*.cnn.com
whitelist_from_dkim *@skype.net
whitelist_from_dkim service@youtube.com
whitelist_from_dkim *@welcome.skype.com
whitelist_from_dkim *@cc.yahoo-inc.com yahoo-inc.com
whitelist_from_dkim *@cc.yahoo-inc.com
whitelist_from_dkim rcapotenoy@yahoo.com
whitelist_from_dkim googlealerts-noreply@google.com
def_whitelist_from_dkim *@google.com
def_whitelist_from_dkim *@googlemail.com
def_whitelist_from_dkim *@* googlegroups.com
def_whitelist_from_dkim *@* yahoogroups.com
def_whitelist_from_dkim *@* yahoogroups.co.uk
def_whitelist_from_dkim *@* yahoogroupes.fr
def_whitelist_from_dkim *@yousendit.com
def_whitelist_from_dkim *@meetup.com
def_whitelist_from_dkim dailyhoroscope@astrology.com

[/cc]

Также использовались материалы ОТСЮДА

 набор основан на статье 

После перезапуска SpamAssassin-а я начал получать отлупы
[cc]

root@mx1/usr/local/etc> mal | grep spam
Apr 6 13:28:32 mx1 spamd[12883]: spamd: connection from localhost [127.0.0.1] at port 36358
Apr 6 13:28:32 mx1 spamd[12883]: spamd: processing message <354811333708110@web61.yandex.ru> for nobody:65534
Apr 6 13:28:32 mx1 spamd[12883]: spamd: clean message (0.3/4.0) for nobody:65534 in 0.2 seconds, 2290 bytes.
Apr 6 13:28:32 mx1 spamd[12883]: spamd: result: . 0 – BAYES_20,FREEMAIL_FROM,FREEMAIL_REPLY,T_DKIM_INVALID scantime=0.2,size=2290,user=nobody,uid=65534,required_score=4.0,rhost=localhost,raddr=127.0.0.1,rport=36358,mid=<354811333708110@web61.yandex.ru>,bayes=0.132386,autolearn=no
Apr 6 13:28:32 mx1 postfix/pipe[17988]: 31D292285C: to=<vvs@vs.kiev.ua>, relay=spam, delay=0.51, delays=0.26/0.01/0/0.25, dsn=2.0.0, status=sent (delivered via spam service)

 

Apr 6 13:29:41 mx1 spamd[12883]: spamd: connection from localhost [127.0.0.1] at port 37366
Apr 6 13:29:41 mx1 spamd[12883]: spamd: processing message <CAD9QK=MsE2p_1jM+wQjgpKn0QzVL4D8iA5zHWeXhF6v3PwD_+g@mail.gmail.com> for nobody:65534
Apr 6 13:29:42 mx1 spamd[12883]: spamd: clean message (-100.7/4.0) for nobody:65534 in 0.3 seconds, 2193 bytes.
Apr 6 13:29:42 mx1 spamd[12883]: spamd: result: . -100 – BAYES_20,FREEMAIL_FROM,T_DKIM_INVALID,USER_IN_WHITELIST scantime=0.3,size=2193,user=nobody,uid=65534,required_score=4.0,rhost=localhost,raddr=127.0.0.1,rport=37366,mid=<CAD9QK=MsE2p_1jM+wQjgpKn0QzVL4D8iA5zHWeXhF6v3PwD_+g@mail.gmail.com>,bayes=0.179468,autolearn=ham
Apr 6 13:29:42 mx1 postfix/pipe[17988]: A74652285C: to=<vvs@vs.kiev.ua>, relay=spam, delay=0.75, delays=0.44/0/0/0.31, dsn=2.0.0, status=sent (delivered via spam service)

[/cc]

при изучении ошибки первое, на что обратил внимание:
[cc]

root@mx1~> spamassassin -t -D dkim <0.msg

апр 6 13:45:20.086 [25122] warn: config: created user preferences file: /home/vvs/.spamassassin/user_prefs
апр 6 13:45:21.232 [25122] info: config: failed to parse line, skipping, in “/usr/local/etc/mail/spamassassin/local.cf”: use_dcc 0
апр 6 13:45:25.060 [25122] dbg: dkim: signature verification disabled, DNS resolving not available
Return-Path: <vit.slipchenko@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mx1.sat-expert.com
X-Spam-Level:
X-Spam-Status: No, score=-100.0 required=4.0 tests=FREEMAIL_FROM,
T_DKIM_INVALID,USER_IN_WHITELIST autolearn=ham version=3.3.2
Delivered-To: vvs@vs.kiev.ua
Received: by mx1.sat-expert.com (Postfix, from userid 65534)
id 9169822976; Fri, 6 Apr 2012 13:43:54 +0300 (EEST)
Received: from mail-ob0-f176.google.com (mail-ob0-f176.google.com [209.85.214.176])
(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
(No client certificate requested)
by mx1.sat-expert.com (Postfix) with ESMTPS id C058122886
for <vvs@vs.kiev.ua>; Fri, 6 Apr 2012 13:43:53 +0300 (EEST)
Received: by obbuo19 with SMTP id uo19so4042811obb.35
for <vvs@vs.kiev.ua>; Fri, 06 Apr 2012 03:43:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:in-reply-to:references:date:message-id:subject:from:to
[/cc]
апр 6 13:45:25.060 [25122] dbg: dkim: signature verification disabled, DNS resolving not available

root@mx1/usr/ports> pkg_info | grep DNS
p5-Net-DNS-0.68 Perl5 interface to the DNS resolver, and dynamic updates
p5-Net-DNS-Resolver-Programmable-0.003 Programmable DNS resolver for off-line testing
правим
root@mx1~> vim /usr/local/etc/mail/spamassassin/local.cf

добавляем
dns_available yes

и вуаля!

[cc]

root@mx1~> spamassassin -t -D dkim <0.msg
апр 6 14:09:50.511 [43456] dbg: dkim: using Mail::DKIM version 0.39
апр 6 14:09:50.514 [43456] dbg: dkim: performing public key lookup and signature verification
апр 6 14:09:50.536 [43456] dbg: dkim: DKIM, i=@gmail.com, d=gmail.com, s=20120113, a=rsa-sha256, c=relaxed/relaxed, pass, matches author domain
апр 6 14:09:50.536 [43456] dbg: dkim: signature verification result: PASS
апр 6 14:09:50.536 [43456] dbg: dkim: adsp not retrieved, author domain signature is valid
апр 6 14:09:50.536 [43456] dbg: dkim: adsp result: – (valid a. d. signature), author domain ‘gmail.com’
апр 6 14:09:50.540 [43456] dbg: dkim: VALID signature by gmail.com, author vit.slipchenko@gmail.com, no valid matches
апр 6 14:09:50.540 [43456] dbg: dkim: author vit.slipchenko@gmail.com, not in any dkim whitelist
Return-Path: <vit.slipchenko@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mx1.sat-expert.com
X-Spam-Level:
X-Spam-Status: No, score=-100.3 required=4.0 tests=DKIM_VALID,DKIM_VALID_AU,
DKIM_VERIFIED,FREEMAIL_FROM,USER_IN_WHITELIST autolearn=unavailable
version=3.3.2
Delivered-To: vvs@vs.kiev.ua
[/cc]

тестим, посылая себе письма с gmail или mail.ru

[cc]

Apr 6 14:14:47 mx1 spamd[43345]: spamd: connection from localhost [127.0.0.1] at port 64524
Apr 6 14:14:47 mx1 spamd[43345]: spamd: processing message <CAD9QK=P8i6D0wqrGcyETjd+qw5tp5V5yDitz24n9aHQ=qxg2OA@mail.gmail.com> for nobody:65534
Apr 6 14:14:48 mx1 spamd[43345]: spamd: clean message (-101.4/4.0) for nobody:65534 in 0.6 seconds, 2970 bytes.
Apr 6 14:14:48 mx1 spamd[43345]: spamd: result: . -101 – BAYES_05,DKIM_VALID,DKIM_VALID_AU,DKIM_VERIFIED,FREEMAIL_FROM,USER_IN_WHITELIST scantime=0.6,size=2970,user=nobody,uid=65534,required_score=4.0,rhost=localhost,raddr=127.0.0.1,rport=64524,mid=<CAD9QK=P8i6D0wqrGcyETjd+qw5tp5V5yDitz24n9aHQ=qxg2OA@mail.gmail.com>,bayes=0.012649,autolearn=ham
Apr 6 14:14:48 mx1 postfix/pipe[45899]: AE98E22886: to=<vvs@vs.kiev.ua>, relay=spam, delay=1.3, delays=0.69/0.01/0/0.62, dsn=2.0.0, status=sent (delivered via spam service)

 

Apr 6 14:16:14 mx1 spamd[43345]: spamd: connection from localhost [127.0.0.1] at port 65364
Apr 6 14:16:14 mx1 spamd[43345]: spamd: processing message <329631333710973@web19.yandex.ru> for nobody:65534
Apr 6 14:16:14 mx1 spamd[43345]: spamd: clean message (0.1/4.0) for nobody:65534 in 0.4 seconds, 2296 bytes.
Apr 6 14:16:14 mx1 spamd[43345]: spamd: result: . 0 – BAYES_20,DKIM_VALID,DKIM_VERIFIED,FREEMAIL_FROM,FREEMAIL_REPLY scantime=0.4,size=2296,user=nobody,uid=65534,required_score=4.0,rhost=localhost,raddr=127.0.0.1,rport=65364,mid=<329631333710973@web19.yandex.ru>,bayes=0.160122,autolearn=no
Apr 6 14:16:14 mx1 postfix/pipe[45899]: 2F79622886: to=<vvs@vs.kiev.ua>, relay=spam, delay=0.61, delays=0.24/0/0/0.37, dsn=2.0.0, status=sent (delivered via spam service)

[/cc]

на этом разборки с DKIM считаем законченными.

 

 

поддержка DKIM в Postfix

root@mx1/usr/ports/mail/dkimproxy>
make install

dkimproxy_out_enable="YES" -> rc.conf

root@mx1/usr/local/etc> cp dkimproxy_out.conf.example dkimproxy_out.conf

root@mx1/usr/local/etc> mkdir dkim-keys
root@mx1/usr/local/etc/dkim-keys> openssl genrsa -out privatedkim.key 1024
root@mx1/usr/local/etc/dkim-keys> openssl rsa -in privatedkim.key -pubout -out publicdkim.key

root@mx1/usr/local/etc> vim dkimproxy_out.conf
[cc]

# specify what address/port DKIMproxy should listen on
listen 127.0.0.1:10027

# specify what address/port DKIMproxy forwards mail to
relay 127.0.0.1:10028

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain vs.kiev.ua

# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)

# specify location of the private key (keep it readable only by the dkimproxy user)
keyfile /usr/local/etc/dkim-keys/private.key

# specify the selector (i.e. the name of the key record put in DNS)
selector selector1

# control how many processes DKIMproxy uses
# - more information on these options (and others) can be found by
# running `perldoc Net::Server::PreFork'.
#min_servers 5
#min_spare_servers 2
root@mx1/usr/local/etc>
[/cc]

root@mx1/usr/local/etc> chown dkimproxy:dkimproxy dkim-keys/
root@mx1/usr/local/etc> cd dkim-keys/
root@mx1/usr/local/etc/dkim-keys> chown dkimproxy:dkimproxy *
root@mx1/usr/local/etc/dkim-keys> ls -l
total 32
-rw-r–r– 1 dkimproxy dkimproxy 891 5 апр 12:57 privatedkim.key
-rw-r–r– 1 dkimproxy dkimproxy 272 5 апр 12:58 publicdkim.key
root@mx1/usr/local/etc/dkim-keys>

root@mx1/usr/local/etc/dkim-keys> ln -sf privatedkim.key private.key
root@mx1/usr/local/etc/dkim-keys> ln -sf publicdkim.key public.key

root@mx1/usr/local/etc> cat /etc/namedb/master/vs.kiev.ua
[cc]

vs.kiev.ua. IN TXT "v=spf1 +mx -all"
vs.kiev.ua. IN SPF "v=spf1 +mx -all"
_domainkey 3600 IN TXT "t=y; o=~;"
selector1._domainkey 3600 IN TXT "g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAUR6no9naRaTxiuvh0WV5a1XGQpZgjBuOntdbsoz0WiM5QU6nJDWlEfLrz3lqpPqd/3Tr23eQBUj7hvOQ+IOWOA605ISlc9ct3dF62wsX2fQ9+TMUWNB+ktDRkNNpRSIcZ/FBj4P/CpwScjka7O6Wjv2UnUaQMrZSIOygQzdLMwIDAQAB;"

root@mx1/usr/local/etc>
[/cc]

root@mx1/usr/local/etc> vim /usr/local/etc/postfix/master.cf
[cc]

#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission inet n - n - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

#
# specify the location of the DKIM signing proxy
# Note: we allow "4" simultaneous deliveries here; high-volume sites may
# want a number higher than 4.
# Note: the smtp_discard_ehlo_keywords option requires Postfix 2.2 or
# better. Leave it off if your version does not support it.
#
dksign unix - - n - 4 smtp
-o smtp_send_xforward_command=yes
-o smtp_discard_ehlo_keywords=8bitmime,starttls

#
# service for accepting messages FROM the DKIM signing proxy
#
127.0.0.1:10028 inet n - n - 10 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8

[/cc]

Не забываем открыть в fw порт 583 и поменять настройки mail.app, указав, что SMTP-сервер слушает на порту 583.

Наслаждаемся!

 

 

Включаем SPF в Postfix

может, и с опозданием, но всё же …
добавляем записи в NS
[cc]
vs.kiev.ua. IN TXT "v=spf1 +mx -all"
vs.kiev.ua. IN SPF "v=spf1 +mx -all"
[/cc]

добавляем пользователя от которого будет работать policyd-spf

[cc lang=bash]
# Dedicated unprivileged identity for the SPF policy daemon: fixed gid/uid 1111
# and no login shell, so the policy service never runs under a shared account.
pw groupadd -n spf -g 1111
pw useradd -n spf -g spf -s /sbin/nologin -u 1111
[/cc]

ставим порт
portinstall mail/postfix-policyd-spf-perl

дальше чуть правим postfix-policyd-spf-perl, чтобы он корректно работал с sqlgrey, который я использую для грейлиста. Источник — ТУТ

root@mx1/usr/local/sbin> vi postfix-policyd-spf-perl

В подпрограмме sender_policy_framework находим строки

    # Reject on HELO fail.  Defer on HELO temperror if message would otherwise
    # be accepted.  Use the HELO result and return for null sender.
    if ($helo_result->is_code('fail')) {
        syslog(
            info => "%s: SPF %s: HELO/EHLO: %s",
            $attr->{queue_id}, $helo_result, $attr->{helo_name}
        );
        return "550 $helo_authority_exp";
    }
    elsif ($helo_result->is_code('temperror')) {
        syslog(
            info => "%s: SPF %s: HELO/EHLO: %s",
            $attr->{queue_id}, $helo_result, $attr->{helo_name}
        );
        return "DEFER_IF_PERMIT SPF-Result=$helo_local_exp";
    }
    elsif ($attr->{sender} eq '') {
        syslog(
            info => "%s: SPF %s: HELO/EHLO (Null Sender): %s",
            $attr->{queue_id}, $helo_result, $attr->{helo_name}
        );
        return "PREPEND $helo_spf_header"
            unless $cache->{added_spf_header}++;
    }

и приводим их к следующему виду

    # Reject on HELO fail.  Defer on HELO temperror if message would otherwise
    # be accepted.  Use the HELO result and return for null sender.
    if ($helo_result->is_code('fail')) {
        syslog(
            info => "%s: SPF %s: HELO/EHLO: %s",
            $attr->{queue_id}, $helo_result, $attr->{helo_name}
        );
        return "550 $helo_authority_exp";
    }
    elsif ($helo_result->is_code('temperror')) {
        syslog(
            info => "%s: SPF %s: HELO/EHLO: %s",
            $attr->{queue_id}, $helo_result, $attr->{helo_name}
        );
        return "DEFER_IF_PERMIT SPF-Result=$helo_local_exp";
    }
    elsif ($attr->{sender} eq '' && $helo_result->is_code('pass')) {
        syslog(
            info => "%s: SPF %s: HELO/EHLO (Null Sender): %s",
            $attr->{queue_id}, $helo_result, $attr->{helo_name}
        );
        return 'OK';
    }
    elsif ($attr->{sender} eq '') {
        syslog(
            info => "%s: SPF %s: HELO/EHLO (Null Sender): %s",
            $attr->{queue_id}, $helo_result, $attr->{helo_name}
        );
        return "DUNNO"
    }

Эти строки связаны с spf-проверкой заголовка helo. В оригинальной версии, если не произошло spf-отказа (fail) и все нормально работает, то при пустом отправителе, вне зависимости от статуса (нет spf-записи, pass, softfail или neutral) в заголовки письма добавляется запись типа Received-SPF: pass (mail.domain.ru: xxx.xxx.xxx.xxx is authorized to use бла-бла-бла бла-бла-бла… и письмо проходит дальше. А дальше стоит грейлистинг…

В поправленном варианте, при пустом отправителе, если helo прошло spf-проверку — статус OK, письмо на доставку, если не прошло — мариноваться в грейлистинг.

[cc lang=perl]

# Same approach as HELO….
# syslog(
# info => “%s: SPF %s: Envelope-from: %s”,
# $attr->{queue_id}, $mfrom_result, $attr->{sender}
# );
# if ($mfrom_result->is_code(‘fail’)) {
# return “550 $mfrom_authority_exp”;
# }
# elsif ($mfrom_result->is_code(‘temperror’)) {
# return “DEFER_IF_PERMIT SPF-Result=$mfrom_local_exp”;
# }
# else {
# return “PREPEND $mfrom_spf_header”
# unless $cache->{added_spf_header}++;
# }
#
# return;

#http://hoarywolf.livejournal.com/12525.html

# Same approach as HELO….
syslog(
info => “%s: SPF %s: Envelope-from: %s”,
$attr->{queue_id}, $mfrom_result, $attr->{sender}
);
if ($mfrom_result->is_code(‘fail’)) {
return “550 $mfrom_authority_exp”;
}
elsif ($mfrom_result->is_code(‘temperror’)) {
return “DEFER_IF_PERMIT SPF-Result=$mfrom_local_exp”;
}
elsif ($mfrom_result->is_code(‘pass’)) {
return ‘OK’;
}

return;

[/cc]

Тут тоже всё просто. Проверка по отправителю. Вместо добавления аналогичного заголовка и отправки в грейлистинг всех, кто не fail, в изменённой версии прошедшим проверку — статус OK, письмо на доставку, остальным — мариноваться в грейлистинг. Fail изменения не затронули, они всё так же идут нафиг.

1. Add the following to /etc/postfix/master.cf:

[cc]
spf-policy unix - n n - 0 spawn
user=spf argv=/usr/local/sbin/postfix-policyd-spf-perl
[/cc]

The user nobody is fine if you have no other daemons running as nobody.
Otherwise, you should use a dedicated user and group for this policy
service.

2. Add "spf-policy_time_limit = 3600" to main.cf.

3. Configure the Postfix policy service in /usr/local/etc/postfix/main.cf:

smtpd_recipient_restrictions =

reject_unauth_destination

check_policy_service unix:private/spf-policy

NOTE: Specify check_policy_service AFTER reject_unauth_destination or your
system may become an open relay.

4. Restart Postfix.

 


получаем почту с gmail.com посредством fetchmail с поддержкой ssl

[cce lang=bash]
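# Abort if the certificate directory is missing rather than downloading into
# whatever the current directory happens to be.
cd /etc/ssl/certs || exit 1
# Fetch the Equifax root used to validate the imap.gmail.com chain. The original
# line had a space after the backslash (which turns the continuation into a
# literal space argument) and a truncated option name; both are fixed here.
# Certificate checking is disabled for this download, so the file is an
# unverified trust anchor until its fingerprint (shown below via
# `openssl x509 -fingerprint`) has been compared with a value obtained out of band.
wget -O Equifax_Secure_Certificate_Authority.pem \
  --no-check-certificate \
  https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer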

root@mx1/etc/ssl/certs> ls -l
total 8
lrwxrwxrwx 1 root wheel 11 Jan 27 2011 40e371fd.0 -> dovecot.pem
-rw-r–r– 1 root wheel 1143 May 21 2011 Equifax_Secure_Certificate_Authority.pem
-rw-r–r– 1 root wheel 1216 Jul 24 2009 dovecot.pem

openssl x509 -in Equifax_Secure_Certificate_Authority.pem -fingerprint -subject -issuer -serial -hash -noout

SHA1 Fingerprint=D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
subject= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
issuer= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
serial=35DEF4CF
594f1775

c_rehash .

file 578d5c04.*
578d5c04.0: symbolic link to `Equifax_Secure_Certificate_Authority.pem’
root@mx1/etc/ssl/certs> ls -l
total 8
lrwxr-xr-x 1 root wheel 11 Jan 20 10:49 40e371fd.0 -> dovecot.pem
lrwxr-xr-x 1 root wheel 40 Jan 20 10:49 578d5c04.0 -> Equifax_Secure_Certificate_Authority.pem
-rw-r–r– 1 root wheel 1143 May 21 2011 Equifax_Secure_Certificate_Authority.pem
-rw-r–r– 1 root wheel 1216 Jul 24 2009 dovecot.pem
root@mx1/etc/ssl/certs>

[/cce]

С сертификатом закончили. Теперь настраиваем для нужного пользователя .fetchmailrc

[cce lang=bash]

vvs@mx1~> ls -l .fetchmailrc
-rwx—— 1 vvs vvs 1426 Jan 20 10:54 .fetchmailrc
vvs@mx1~>

vvs@mx1~> cat .fetchmailrc
poll imap.gmail.com protocol IMAP
user "xxxx@gmail.com" is vvs@vs.kiev.ua here
password 'XXXX'
options keep ssl sslfingerprint '93:2E:0F:BA:58:EA:CD:CB:04:33:97:9D:23:2A:0A:77' sslcertck sslcertpath /etc/ssl/certs
folder 'Inbox'
fetchlimit 1
keep
ssl

[/cce]

проверяем

[cce lang = bash]

$fetchmail -v

vvs@mx1~> fetchmail -v
fetchmail: 6.3.20 querying imap.gmail.com (protocol IMAP) at Fri, 20 Jan 2012 11:01:27 +0200 (EET): poll started
Trying to connect to 173.194.66.108/993…connected.
fetchmail: Server certificate:
fetchmail: Issuer Organization: Google Inc
fetchmail: Issuer CommonName: Google Internet Authority
fetchmail: Subject CommonName: imap.gmail.com
fetchmail: imap.gmail.com key fingerprint: 93:2E:0F:BA:58:EA:CD:CB:04:33:97:9D:23:2A:0A:77
fetchmail: imap.gmail.com fingerprints match.
fetchmail: IMAP< * OK Gimap ready for requests from 188.40.73.210 g72if1216268wen.91
fetchmail: IMAP> A0001 CAPABILITY

[/cce]

ну и так далее. Сертификат прошёл проверку.

добавляем в crontab

[cce lang=bash]
#crontab -e -u vvs

# Poll the mailbox every 3 minutes using vvs's ~/.fetchmailrc; -s (silent)
# suppresses fetchmail's progress output, so a routine run produces no cron mail.
*/3 * * * * /usr/local/bin/fetchmail -s
[/cce]