postfix

• Biglobe is OP25B because there are regulations, to set via the relay server of Biglobe. Thus SASL to transmit authentication.
• SPF perform the source domain authentication in.
• S25R , Greylisting , Tarpitting prevent access from suspicious server approach.
• Because you do not want to do in the form of a patch to Postfix, the Debian package, plug-ins, the measures to be carried out in the setting change.

Biglobe relay

• Installation of SASL module.

   #aptitude install libsasl2-modules sasl2-bin
  

• Relays Biglobe relay server, configured to use SASL at that time.
  main.cf

   # BIGLOBE transfer server relayhost = [#####. Biglobe.ne.jp]
  
   # To enable SASL authentication in the Postfix SMTP client.
   smtp_sasl_auth_enable = yes
  
   # Specify the SMTP client lookup tables smtp_sasl_password_maps = hash: / etc / postfix / isp_passwd
  
   # Since the SMTP server-side SASL mechanism and the home server-side SASL mechanism of the ISP might fail to # authentication it's a mismatch, to fix the mechanism to be used in the following.
   smtp_sasl_mechanism_filter = cram-md5, login, plain
  

• Describe the setting of the password to be used for transmission.
  isp_passwd

   [#####. Biglobe.ne.jp] ***** @ bma.biglobe.ne.jp:*******
  

   #postmap isp_passwd
  

• Complete the setting of the relay to restart

Setting of SMTP AUTH

• Installation of the necessary modules

   #aptitude install libsasl2-modules sasl2-bin
  

• Additional authentication user

   # Saslpasswd2 -u [domain name] -c [user name]
  

• Set to read in Postfix

   #chgrp postfix / etc / sasldb2
   #chmod 640 / etc / sasldb2
   #ln / etc / sasldb2 / var / spool / postfix / etc
  

• Postfix configuration of
  main.cf

   smtpd_sasl_auth_enable = yes
   smtpd_sasl_local_domain = example.com
   smtpd_sasl_security_options = noanonymous, noplaintext
  
   smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_unauth_destination
  

• Completion SMTP AUTH settings restart

Access regulations from suspicious server

• Set the number of allowable error to prevent the account survey of brute force. 70 seconds of the response delay in the more than five times the error. Cut at 8 times error.
  main.cf

   smtpd_soft_error_limit = 5
   smtpd_hard_error_limit = 8
   smtpd_error_sleep_time = 70
  
   smtpd_delay_reject = yes
  

• Install the policy server for Greylisting.

   # Apt-get install postgrey
  

  main.cf

   smtpd_restriction_classes = check_greylist
   check_greylist = check_policy_service inet: 60000
  

• At the time of the RCPT command, things get caught in the S25R will prompt the retransmission Greylisting. Things that have been retransmitted, multiplied by the response delay in further Tarpitting.
  The methodological, screen out method in Tarpitting in addition to Rgrey.
  main.cf

   # RCPT check (Greylisting) & Terpit
   smtpd_recipient_restrictions =
                   permit_mynetworks
                   reject_unauth_destination
                   check_client_access regexp: / etc / postfix / check_client_fqdn_greylist ? ? 1
                   check_client_access regexp: / etc / postfix / check_client_fqdn_tarpit ? ? 2
                   check_recipient_access hash: / etc / postfix / recipient_restrictions
  

  check_client_fqdn_greylist

   / ^ Unknown $ / check_greylist
   /^[^\.]*[0-9][^0-9\.]+[0-9]/ Check_greylist
   /^[^\.]*[0-9]{5}/ Check_greylist
   /^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[az]/ Check_greylist
   /^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]/ Check_greylist
   /^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\./ Check_greylist
   /^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]/ check_greylist
  

  check_client_fqdn_tarpit

   / ^ Unknown $ / sleep 70
   /^[^\.]*[0-9][^0-9\.]+[0-9]/ Sleep 70
   /^[^\.]*[0-9]{5}/ Sleep 70
   /^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[az]/ Sleep 70
   /^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]/ Sleep 70
   /^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\./ Sleep 70
   /^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]/ sleep 70
  

• The check_client_fqdn_greylist and check_client_fqdn_tarpit to postmap, complete if you restart Postfix.
• taRgrey If you find the things that implement in Postfix, the place that you want to migrate to over there. There is only a patch is now?

Sent in SPF original domain authentication

• To get the script to perform the SPF. SPF Project get the postfix-policyd-spf from the page.
• Installation since the script uses the Perl of Mail :: SPF :: Query library.

   apt-get install libmail-spf-perl libmail-spf-query-perl
  

• It registered as a service to use a script in Postfix.
  master.cf

   policy unix - nn - - spawn user = nobody argv = / usr / bin / perl [location of the script that was placed above]
  

• Set to perform a check of SPF at the time of connection.
  main.cf

   # Connection check
   smtpd_client_restrictions =
                   permit_mynetworks
                   reject_rbl_client spamcop.net
                   reject_rbl_client all.rbl.jp
                   check_policy_service unix: private / policy ? ?
                   check_client_access hash: / etc / postfix / client_restrictions
  

• Server Received-SPF is when you have new mail: completion if so as to grant the header.