Ville Walveranta wrote:
> Here's an idea.. maybe it's useful for someone, so I post it here.
>
> I'm setting up a local mail server to cache remote service's mail for
> faster access on the LAN. The remote server has an up-to-date SPF
> record that is updated whenever the sending IP ranges change. I want
> to limit unauthenticated mail reception to the sending servers of the
> remote mail system. I use the following in main.cf:
>
> smtpd_client_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     check_client_access cidr:$config_directory/tables/client_access_maps.cidr
>     reject
>
> To automatically keep the client_access_maps.cidr up-to-date I run the
> following as a cron-job.. perhaps every hour. The SPF record changes
> rarely, but obviously when it does, the mail would not be accepted on
> the local server without an update. On the other hand, I assume when
> the sending ranges change, the SPF records are updated well in advance
> so there is plenty of time for the local system to pick up the change.
>
> The following is "concept"; I don't have the script yet ready, but
> it'll be easy to write with your favorite scripting language:
>
> -------
> 1. get your remote sender's current SPF record:
>
> dig yourremotesender.com txt > tempfile
>
> 2. parse the result in tempfile with regex:
>
> /.*?ANSWER\sSECTION:.*?yourremotesender\.com*.\s+?\d+?\s+?IN\s+?TXT\s+?"v=spf1\s+?([^)]+?)\s+?.all"/
>
> (dot matches newline)
>
> 3. explode the result
>
> 4. remove "ip4:" from the front of each segment if present
>
> 5. mogrify to format
> OK
> /cidr OK
>
> .. and save to a temp file.
>
> 6. compare the checksum of the temp file to the currently active
> client_access_maps.cidr; if different..
>
> 7. copy the tempfile to ../postfix/tables/client_access_maps.cidr
>
> 8. execute `postfix reload'
so you would block mail from me? if you want to jump the SPF wagon, it
is a good idea to go for "generalized SPF" (GSPF): also allow hosts that
match the sender domain (host.example.com can send mail on behalf of
*@example.com). if this is not acceptable, resolve smtp.example.com,
mail.example.com, mx.example.com, ... but you may also need things like
smtp-1.example.com, ...
all that said, if you whitelist IPs or blocks, please submit them to DNSWL.
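The eight steps in the quoted post, worked through as a runnable script. This is an added example and not Ville's script nor anything shipped with Postfix; the domain names, the SPF records and the IP ranges are constructed placeholders (FAKE_DNS), and the resolver is a callable so the module runs offline. It goes a little beyond the post: it follows include: and redirect= terms (capped at the 10 DNS-querying terms RFC 7208 allows), handles ip6: as well as ip4:, reports mechanisms such as a/mx that it cannot turn into CIDR blocks, installs the new map atomically, and refuses to install an empty map, because with `reject` as the final restriction a failed lookup would otherwise silence all unauthenticated inbound mail.

```python
"""Generate a Postfix cidr: client access map from a sender's SPF record.

Added example, not the original poster's script. The DNS lookup is a
callable; the default is a constructed in-memory table (FAKE_DNS) so the
module runs offline. In a real cron job, pass a resolver that fetches the
domain's TXT record (for example with dnspython) instead.
"""
import hashlib
import ipaddress
import os
import tempfile
from typing import Callable, Dict, List, Tuple

# Constructed sample records: placeholder domains, documentation IP ranges.
FAKE_DNS: Dict[str, str] = {
    "yourremotesender.example":
        "v=spf1 mx ip4:192.0.2.0/24 ip4:198.51.100.7 "
        "include:_spf.yourremotesender.example ~all",
    "_spf.yourremotesender.example":
        "v=spf1 ip6:2001:db8::/32 ip4:203.0.113.0/25 -all",
}


def lookup_spf(domain: str) -> str:
    """Stand-in resolver: return the SPF TXT record for domain (KeyError if none)."""
    return FAKE_DNS[domain]


def spf_networks(domain: str, resolve: Callable[[str], str] = lookup_spf,
                 _lookups: List[int] = None) -> Tuple[List, List[str]]:
    """Steps 1-4: collect ip4:/ip6: networks from domain's SPF record, following
    include: and redirect= (bounded by RFC 7208's limit of 10 DNS-querying
    terms). Returns (networks, skipped_terms); skipped terms such as a/mx
    need their own DNS lookups and are reported so the operator knows the
    map is incomplete instead of silently rejecting legitimate senders."""
    if _lookups is None:
        _lookups = [0]
    terms = resolve(domain).split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"{domain}: not an SPF record")
    nets, skipped = [], []
    for term in terms[1:]:
        t = term.lstrip("+-~?")  # drop the qualifier; only the target matters here
        low = t.lower()
        if low.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(t.split(":", 1)[1], strict=False))
        elif low.startswith("include:") or low.startswith("redirect="):
            _lookups[0] += 1
            if _lookups[0] > 10:
                raise ValueError("SPF lookup limit exceeded")
            target = t[8:] if low.startswith("include:") else t[9:]
            sub_nets, sub_skipped = spf_networks(target, resolve, _lookups)
            nets.extend(sub_nets)
            skipped.extend(sub_skipped)
        elif low == "all":
            continue
        else:
            skipped.append(t)
    return nets, skipped


def cidr_table(nets) -> str:
    """Step 5: render the map the way Postfix cidr: tables expect, "network OK"."""
    lines = ["# generated from SPF; edits here are overwritten"]
    for net in sorted(set(nets), key=lambda n: (n.version, n)):
        lines.append(f"{net.with_prefixlen} OK")
    return "\n".join(lines) + "\n"


def install_if_changed(content: str, path: str) -> bool:
    """Steps 6-7: replace path only when the content's digest differs.
    Returns True when the caller should run `postfix reload` (step 8)."""
    new = hashlib.sha256(content.encode()).digest()
    try:
        with open(path, "rb") as fh:
            if hashlib.sha256(fh.read()).digest() == new:
                return False
    except FileNotFoundError:
        pass
    # Write beside the target and rename, so Postfix never reads a half-written map.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return True


def sync(domain: str, path: str, resolve=lookup_spf) -> bool:
    """One cron run: fetch, render, install. Refuses to install an empty map."""
    nets, skipped = spf_networks(domain, resolve)
    if not nets:
        raise RuntimeError(f"{domain}: SPF yielded no ip4/ip6 networks; keeping old map")
    if skipped:
        print(f"warning: unhandled SPF terms {skipped}; map may be incomplete")
    return install_if_changed(cidr_table(nets), path)


def demo_roundtrip() -> Tuple[bool, bool]:
    """Run sync twice against a scratch file: first installs, second is a no-op."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "client_access_maps.cidr")
        return sync("yourremotesender.example", path), sync("yourremotesender.example", path)


if __name__ == "__main__":
    print(cidr_table(spf_networks("yourremotesender.example")[0]), end="")
    print("changed on first run, then unchanged:", demo_roundtrip())
```

When `sync()` returns True the cron job should run `postfix reload`, as in step 8; cidr: tables are read at process start, so the new map is not picked up otherwise. The warning about skipped terms is the practical counterpart to mouss's objection: a record that relies on `a` or `mx` mechanisms cannot be reduced to a static CIDR list, and an operator who installs such a list anyway will reject that sender's mail.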
Conversations: Tip: Restricting mail reception using a remote service's SPF records
- Tip: Restricting mail reception using a remote service's SPF records by Ville Walveranta on 2009-06-25T07:47:47+00:00
- Re: Tip: Restricting mail reception using a remote service's SPF records by Barney Desmond on 2009-06-25T09:54:48+00:00
- Re: Tip: Restricting mail reception using a remote service's SPF records by Ville Walveranta on 2009-06-25T10:48:50+00:00
- Re: Tip: Restricting mail reception using a remote service's SPF records by Ville Walveranta on 2009-06-25T20:34:23+00:00
- Re: Tip: Restricting mail reception using a remote service's SPF records by J.P. Trosclair on 2009-06-25T20:40:21+00:00
- Re: Tip: Restricting mail reception using a remote service's SPF records by Roderick A. Anderson on 2009-06-25T20:41:33+00:00
- Re: Tip: Restricting mail reception using a remote service's SPF records by Gerardo Herzig on 2009-06-25T20:42:15+00:00
- Re: Tip: Restricting mail reception using a remote service's SPF records by Ville Walveranta on 2009-06-25T20:50:46+00:00
- Re: Tip: Restricting mail reception using a remote service's SPF records by LuKreme on 2009-06-26T01:19:09+00:00
- Re: Tip: Restricting mail reception using a remote service's SPF records by mouss on 2009-06-26T22:18:11+00:00
- Re: Tip: Restricting mail reception using a remote service's SPF records by Ville Walveranta on 2009-06-27T05:46:29+00:00