A while ago our company's mail server was hit by a bounce (backscatter) attack.
Users received an enormous volume of bounce messages, and the anti-spam mechanism currently has no complete way of handling them,
so after discussing it with the engineer I proposed that, in addition to the existing SPF/DKIM, we could add a specific tag to the mail header.
When a bounce comes in and its header does not contain the tag I set, it is certainly spam and can simply be discarded.
Unfortunately the spam gateway we use has no such feature; all it can do is add the account to a list that rejects all bounces (a bit of an ostrich approach..).
However, there is an auditing mechanism that can be used alongside it: if I can add the tag to outgoing mail in Postfix, that auditing mechanism can check for it when mail comes in.
If it is a bounce and the header contains the tag, it is a legitimate bounce; otherwise it is simply discarded.
OK, so first I had to work out how to add a tag to the header in Postfix. The method is actually very simple,
and before we had mail-filtering software deployed, this same method was used to filter attachments containing viruses.
Just add the following to Postfix's main.cf:
header_checks = pcre:/etc/postfix/header_checks
Then edit /etc/postfix/header_checks so it contains the following (one rule per domain, each on its own line; the dots in the domain names are escaped so they match a literal "."):
# Prepend a tag header to mail whose From: address belongs to each of our domains
/^From:.*@abc\.org.*/i PREPEND tag: sendfromabcorg
/^From:.*@123\.com\.cn.*/i PREPEND tag: sendfrom123comcn
The syntax is a regular expression; I don't really understand it myself, but roughly it means: find the line From: xxxxx@abc.org and insert tag: sendfromabcorg in front of it.
Of course the tag can be anything you choose, and different domains must be written as separate rules.
Once that's done, generate the db and restart Postfix:
postmap -f /etc/postfix/header_checks
service postfix restart
Next, send a test message. Below are the headers of a message I sent to a Microsoft Office 365 mailbox; you can see that Microsoft adds a lot of headers of its own, and that the SPF & DKIM mentioned earlier are both in effect.
Received: from HK2PR01MB0785.apcprd01.prod.exchangelabs.com (10.165.54.151) by
KL1PR01MB0789.apcprd01.prod.exchangelabs.com (10.165.16.151) with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.761.9 via Mailbox
Transport; Wed, 14 Dec 2016 05:35:00 +0000
Received: from SG2PR01CA0069.apcprd01.prod.exchangelabs.com (10.165.10.37) by
HK2PR01MB0785.apcprd01.prod.exchangelabs.com (10.165.54.151) with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.761.9; Wed, 14 Dec
2016 05:34:58 +0000
Received: from HK2APC01FT052.eop-APC01.prod.protection.outlook.com
(2a01:111:f400:7ebc::203) by SG2PR01CA0069.outlook.office365.com
(2a01:111:e400:79a7::37) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.761.9 via Frontend
Transport; Wed, 14 Dec 2016 05:34:58 +0000
Authentication-Results: spf=pass (sender IP is 123.123.123.123)
smtp.mailfrom=abc.org; def.us; dkim=pass (signature was verified)
header.d=abc.org;def.us; dmarc=bestguesspass action=none
header.from=abc.org;def.us; dkim=pass (signature was verified)
header.d=abc.org;
Received-SPF: Pass (protection.outlook.com: domain of abc.org designates
123.123.123.123 as permitted sender) receiver=protection.outlook.com;
client-ip=123.123.123.123; helo=iredmail.abc.org;
Received: from iredmail.abc.org (123.123.123.123) by
HK2APC01FT052.mail.protection.outlook.com (10.152.248.244) with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.761.6 via Frontend
Transport; Wed, 14 Dec 2016 05:34:56 +0000
X-IncomingTopHeaderMarker: OriginalChecksum:;UpperCasedChecksum:;SizeAsReceived:1619;Count:17
Received: from iredmail.abc.org (localhost [127.0.0.1])
by iredmail.abc.org (Postfix) with ESMTP id 55E6441D4A
for <mc@def.us>; Wed, 14 Dec 2016 13:30:51 +0800 (CST)
Authentication-Results: iredmail.abc.org (amavisd-new);
dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"
header.d=abc.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=abc.org; h=
user-agent:message-id:subject:subject:to:from:from:date:date
:content-transfer-encoding:content-type:content-type
:mime-version; s=dkim; t=1481693448; x=1482557449; bh=t1I5qi5Iyz
cB1IzeIAdCFQ+GnzUuHHMeCINT2eeH7dQ=; b=S789EtkuZDA2JbKpApkW+Spe3L
epmjIgdyA7AigMyYfAzK5DD2fbiIZ41o0dPYhO7+KNo8KA/P2ncUPdGLHqPAGmWC
rqfHf+lNSGVAUf5nJ6+eOYqmLyBFwh8EBC3gsH4P7OXo99HEemTc7ehhBNSfBnvQ
NcqEPVvrugB7xjc0c=
X-Virus-Scanned: amavisd-new at iredmail.abc.org
Received: from iredmail.abc.org ([127.0.0.1])
by iredmail.abc.org (iredmail.abc.org [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id q6WPshsekkVi for <mc@def.us>;
Wed, 14 Dec 2016 13:30:48 +0800 (CST)
Received: from iredmail.abc.org (localhost [127.0.0.1])
by iredmail.abc.org (Postfix) with ESMTPSA id E302341995
for <mc@def.us>; Wed, 14 Dec 2016 13:30:47 +0800 (CST)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format=flowed
Content-Transfer-Encoding: 7bit
Date: Wed, 14 Dec 2016 13:30:47 +0800
tag: sendfromabcorg
From: mc@abc.org
To: mc@def.org
Subject: DKIM and SPF Test
Message-ID: <cec6f4052e6853c945fbe7b1401dac7e@abc.org>
X-Sender: mc@abc.org
X-Sender: mc@abc.org
User-Agent: Roundcube Webmail
X-IncomingHeaderCount: 17
Return-Path: mc@abc.org
X-MS-Exchange-Organization-Network-Message-Id: 9edc853e-86cc-4b50-2a64-08d423e2f07d
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 70116e8e-9694-4e77-924c-3e6cb9fdebb2:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report: CIP:123.123.123.123;IPV:NLI;CTRY:TW;EFV:NLI;SFV:NSPM;SFS:(6009001)(8196002)(2990300002)(438002)(199003)(189002)(2160300002)(230700001)(47776003)(558084003)(450100001)(54356999)(3480700004)(108616004)(588024002)(3250700002)(77096006)(33646002)(38730400001)(50986999)(92566002)(50466002)(83506001)(76506005)(356003)(53416004)(956001)(305945005)(1096003)(106466001)(85782001)(8896002)(81166006)(81156014)(55920200001)(2361001)(8676002)(2810700001)(189998001)(2351001)(93046001)(23726003)(236004)(86362001)(5660300001)(626004)(6916009)(24736003)(4270600005)(110136003)(107886002)(7126002)(4001350100001)(36756003)(69596002)(7099028)(85772001);DIR:INB;SFP:;SCL:1;SRVR:HK2PR01MB0785;H:iredmail.abc.org;FPR:;SPF:Pass;PTR:60-251-177-4.HINET-IP.hinet.net;A:1;MX:1;LANG:en;
X-Microsoft-Exchange-Diagnostics: 1;HK2APC01FT052;1:…
X-MS-Office365-Filtering-Correlation-Id: 9edc853e-86cc-4b50-2a64-08d423e2f07d
X-DkimResult-Test: Passed
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(81800161)(8251501002)(3001016)(71701004)(71702072);SRVR:HK2PR01MB0785;
……………………
(dozens of further header lines omitted…)
At this point the work of adding the tag to the mail header is done; what remains is to see whether that NOPAM auditing mechanism can deliver the function I need.
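The check the auditing mechanism is expected to perform (is this a bounce, and do the quoted original headers carry our tag?) can be prototyped independently of the gateway. The following is an added example written for this post, not code from the post's author, from Postfix or from the NOPAM product: it parses an inbound message with Python's standard email library, recognises a delivery status notification (RFC 3464 multipart/report, or an empty Return-Path from MAILER-DAEMON), looks into the message/rfc822 or text/rfc822-headers part that quotes the original message, and classifies the mail as a legitimate bounce, backscatter, or not a bounce at all. The tag header name and values come from the post's header_checks rules; the three sample messages are constructed for the example.

```python
import email
from email import policy

# Name and accepted values of the marker header that the header_checks
# rules in the post prepend to outgoing mail.
TAG_HEADER = "tag"
KNOWN_TAGS = {"sendfromabcorg", "sendfrom123comcn"}


def is_bounce(msg):
    """Heuristic DSN detection: an RFC 3464 multipart/report with
    report-type=delivery-status, or an empty envelope sender (Return-Path)
    coming from a MAILER-DAEMON address."""
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type", "").lower() == "delivery-status"):
        return True
    return_path = str(msg.get("Return-Path") or "").strip()
    sender = str(msg.get("From") or "").lower()
    return return_path in ("<>", "") and "mailer-daemon" in sender


def original_headers(msg):
    """Yield the header block(s) of the original message that a bounce quotes:
    either a full message/rfc822 attachment or a text/rfc822-headers part."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            yield part.get_payload(0)          # the attached original message
        elif ctype == "text/rfc822-headers":
            yield email.message_from_string(part.get_content(), policy=policy.default)


def classify_bounce(raw_bytes):
    """Return 'not-a-bounce', 'legit-bounce' (our tag is present in the quoted
    original) or 'backscatter' (a bounce for mail we never sent)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    for hdrs in original_headers(msg):
        tags = {str(v).strip() for v in hdrs.get_all(TAG_HEADER, [])}
        if tags & KNOWN_TAGS:
            return "legit-bounce"
    return "backscatter"


# Constructed sample 1: a real DSN for a message that left our server (tag present).
LEGIT_BOUNCE = b"""\
Return-Path: <>
From: MAILER-DAEMON@mail.example.net
To: mc@abc.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Delivery failed.

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

Date: Wed, 14 Dec 2016 13:30:47 +0800
tag: sendfromabcorg
From: mc@abc.org
To: nobody@example.net
Subject: DKIM and SPF Test

hello
--B1--
"""

# Constructed sample 2: backscatter, a DSN for a forged message that only quotes
# the original headers, and those headers carry no tag.
BACKSCATTER = b"""\
Return-Path: <>
From: MAILER-DAEMON@relay.example.com
To: mc@abc.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/plain

Delivery failed.

--B2
Content-Type: text/rfc822-headers

From: mc@abc.org
To: someone@example.org
Subject: Buy now

--B2--
"""

# Constructed sample 3: ordinary inbound mail, not a bounce at all.
NORMAL_MAIL = b"""\
Return-Path: <alice@example.org>
From: alice@example.org
To: mc@abc.org
Subject: hi

hello
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_BOUNCE), ("backscatter", BACKSCATTER), ("normal", NORMAL_MAIL)):
        print(name, "->", classify_bounce(raw))
```

Two caveats worth keeping in mind when wiring a check like this into the gateway. The tag is a plain header that every recipient of our mail can see, so it only discriminates against blind backscatter for forged mail, not against a sender who has a copy of a real message from us; it complements SPF/DKIM rather than replacing them. And some MTAs return only a few lines of the original message in their DSNs, so a bounce without a quoted tag is not always backscatter; classifying and quarantining is safer than an unconditional drop. Note also that header_checks in cleanup runs on every message passing through the server, inbound included, so a From: @abc.org that arrives from outside is tagged too; Postfix's smtp_header_checks applies only to mail the SMTP client delivers outbound and is the narrower place for an outgoing-mail marker. A pcre: table is read directly by Postfix, so the postmap step above only validates the file; the restart (or postfix reload) is what activates the rules.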