Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: frifri on September 05, 2017, 12:04:07 PM
-
Hi,
I want to fight spam accepted on SME with a spoofed FROM header referring to my locally hosted domains:
FROM : vmservice@owndomainB.tld
Authentication-Results: *owndomainA.tld*; auth=none; spf=none smtp.mailfrom=*owndomainB.tld*; dkim=none
Received: from Unknown (HELO [27.62.22.198]) (27.62.22.198)
by *owndomainA.tld* (qpsmtpd/0.96) with ESMTP ; Fri, 01 Sep 2017 21:13:05 +0200
Received-SPF: none (*owndomainB.tld*: No applicable sender policy available) receiver=sme.owndomainA.tld; identity=mailfrom; envelope-from="vmservice@owndomainB.tld"; helo="[27.62.22.198]"; client-ip=27.62.22.198
DNS is resolved locally for both domains owndomainA.tld and owndomainB.tld.
So, is it possible to publish internal SPF, DKIM and DMARC records?
Thanks,
Frederik.
-
Yes, it's possible, e.g. for SPF, create the custom template /etc/e-smith/templates-custom/var/service/tinydns/root/data/85Spf with something like:
{
    # Publish an SPF record for every local domain, but only when qpsmtpd
    # is configured to reject spoofed local senders.
    if (($qpsmtpd{RejectSpoofedLocalDomains} || 'disabled') eq 'enabled') {
        $OUT .= "# SPF entries for local domains\n";
        # External hosts allowed to send with our domains become ip4: mechanisms
        my $allowed = join ' ', map { "ip4:$_" } split /[;,]/, ($qpsmtpd{AllowedRemoteIP} || '');
        $allowed .= ' ' if $allowed;
        foreach my $domain (get_domains()) {
            my $spf = "v=spf1 mx ${allowed}-all";
            # Colons in tinydns record data must be written as \072
            (my $esc = $spf) =~ s/:/\\072/g;
            # TXT record (' line), plus a type-99 SPF record whose data starts
            # with one length byte (octal escape) followed by the string
            $OUT .= "'$domain:$esc:3600\n";
            $OUT .= sprintf(":%s:99:\\%03o%s:3600\n", $domain, length($spf), $esc);
        }
    }
    else {
        $OUT .= "\n";
    }
}
Now, if you want to reject spoofed From email:
db configuration setprop qpsmtpd RejectSpoofedLocalDomains enabled
# If you want to allow some external servers to send emails using your domain as sender, you can:
# db configuration setprop qpsmtpd AllowedRemoteIP 12.13.14.15,19.20.21.22
signal-event dns-update
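An added example in Python (not from the thread or the SME project): it builds the same "v=spf1 mx ip4:... -all" string from the AllowedRemoteIP value, encodes it as the tinydns-data TXT and type-99 lines (octal length byte, \072 colon escapes), and evaluates the client IP 27.62.22.198 from the headers above against it. The MX address 203.0.113.10 is a constructed value so the check runs offline.

```python
import ipaddress

# Constructed sample data: the address the MX of the SME host resolves to,
# and the AllowedRemoteIP value from the setprop example in the thread.
LOCAL_MX_IPS = {"203.0.113.10"}                # constructed (TEST-NET-3)
ALLOWED_REMOTE_IP = "12.13.14.15,19.20.21.22"  # from the thread


def build_spf(allowed_remote_ip):
    """Build the SPF string the 85Spf template publishes: 'v=spf1 mx ip4:... -all'."""
    ips = [ip for ip in allowed_remote_ip.replace(";", ",").split(",") if ip]
    mechs = ["mx"] + [f"ip4:{ip}" for ip in ips]
    return "v=spf1 " + " ".join(mechs) + " -all"


def tinydns_txt_lines(domain, spf, ttl=3600):
    """Encode the SPF string as tinydns-data lines: a TXT (') line and a generic
    type-99 record. Colons become \\072; the type-99 data is length-prefixed
    with the string length as a three-digit octal escape."""
    esc = spf.replace(":", r"\072")
    return [
        f"'{domain}:{esc}:{ttl}",
        f":{domain}:99:\\{len(spf):03o}{esc}:{ttl}",
    ]


def spf_result(spf, client_ip, mx_ips):
    """Evaluate the mx / ip4 / -all subset of SPF used by the template.
    mx_ips is the already-resolved MX address set (constructed here)."""
    ip = ipaddress.ip_address(client_ip)
    for mech in spf.split()[1:]:
        if mech == "mx" and str(ip) in mx_ips:
            return "pass"
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return "pass"
        if mech == "-all":
            return "fail"   # spoofed sender from an unlisted host is rejected
    return "neutral"


if __name__ == "__main__":
    spf = build_spf(ALLOWED_REMOTE_IP)
    for line in tinydns_txt_lines("owndomainA.tld", spf):
        print(line)
    print(spf_result(spf, "27.62.22.198", LOCAL_MX_IPS))   # client IP from the thread
    print(spf_result(spf, "12.13.14.15", LOCAL_MX_IPS))    # allowed external host
```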
-
Thanks!
I also looked at this: https://anders.com/projects/sysadmin/djbdnsRecordBuilder/
And made the custom template:
{
    # Same approach, with an extra 'a' mechanism for the domain's own address
    if (($qpsmtpd{RejectSpoofedLocalDomains} || 'disabled') eq 'enabled') {
        $OUT .= "# SPF entries for local domains\n";
        my $allowed = join ' ', map { "ip4:$_" } split /[;,]/, ($qpsmtpd{AllowedRemoteIP} || '');
        $allowed .= ' ' if $allowed;
        foreach my $domain (get_domains()) {
            my $spf = "v=spf1 a mx ${allowed}-all";
            # Colons in tinydns record data must be written as \072
            (my $esc = $spf) =~ s/:/\\072/g;
            # The ' line already is the TXT (type 16) record, so no separate :16 line is needed
            $OUT .= "'$domain:$esc:3600\n";
            # Type-99 SPF record: one length byte (octal escape) followed by the string
            $OUT .= sprintf(":%s:99:\\%03o%s:3600\n", $domain, length($spf), $esc);
        }
    }
    else {
        $OUT .= "\n";
    }
}
But now, how can I exclude from this template some local domains that are resolved by Internet DNS servers?
Frederik
-
In the loop, just add a `next if ($domain eq 'domain1.org');` for example.
-
But now, how can I exclude from this template some local domains that are resolved by Internet DNS servers?
You don't need to, since the records you are adding to tinydns won't ever be queried. dnscache will ask the Internet servers rather than the local tinydns server.
-
Right! But it's ugly in the templated data file.
F.
-
Shouldn't these SPF records be made by default in tinydns for domains that are resolved locally?
Why accept mails 'from' local domains if the IP is external?
-
There are cases where it's legitimate to have an external server sending emails with your domain as sender (e.g. an external web hoster).
-
Yes, but that is the exception we can solve with the AllowedRemoteIP key.
-
I like the idea of RejectSpoofedLocalDomains, and have added this 85Spf template on my SME mail servers. I had to change the IP address of one yesterday, and this template causes the /var/service/tinydns/root/data file to fail rebuilding during expand-template or signal-event post-upgrade, which causes the server to fail DNS resolution to itself, both by itself and on the local network. Removing the 85Spf, then expand-template /var/service/tinydns/root/data and signal-event post-upgrade; signal-event reboot brings the server back with internal DNS host resolving on its new IP address.
-
In that case, posting the error here or, better, filing a bug in Bugzilla could help everybody add such a feature.