The SPF here is not the sun protection factor.
SPF (Sender Policy Framework) is a countermeasure against forged sender domains.
The domain's administrator publishes in DNS which IP addresses are allowed to send mail for that domain; a receiving mail server compares the connecting client's IP against that list.
SPF record syntax
http://www.openspf.org/SPF_Record_Syntax
Wizard for generating an SPF record
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/default.aspx
[Sender-side setup]
Declare in DNS which IPs may send mail for the domain.
Suppose the domain allows only two IPs to send mail, 10.1.1.100 and 10.2.1.100;
then add a TXT record at the zone apex:
@ IN TXT "v=spf1 ip4:10.1.1.100 ip4:10.2.1.100 ?all"
The trailing ?all is the neutral qualifier: mail from any other IP gets the result "neutral", which the SPF specification tells receivers to treat exactly like having no record at all. Use ~all (softfail) while rolling SPF out, and -all (fail) once every legitimate sender is listed, so that unlisted senders can actually be rejected.
It is clearer to look at a domain that already publishes SPF in DNS.
Query it with dig: apart from the address ranges below (plus the hosts named by the MX records of res.cisco.com, via mx:res.cisco.com), any mail claiming to come from cisco.com is using a forged sender domain; the record's ~all marks such mail as softfail.
[root@mail] ~# dig -t txt cisco.com
; <<>> DiG 9.6.2-P2 <<>> -t txt cisco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24710
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cisco.com. IN TXT
;; ANSWER SECTION:
cisco.com. 86400 IN TXT "v=spf1 ip4:171.68.0.0/14 ip4:64.100.0.0/14 ip4:64.104.0.0/16 ip4:72.163.7.160/27 ip4:72.163.197.0/24 ip4:128.107.0.0/16 ip4:144.254.0.0/16 ip4:66.187.208.0/20 ip4:173.37.86.0/24 ip4:173.36.130.0/24 ip4:204.15.81.0/26 ip4:216.206.186.129/25" " ip4:208.90.57.0/26 mx:res.cisco.com ~all"
;; Query time: 229 msec
;; SERVER: 168.95.1.1#53(168.95.1.1)
;; WHEN: Sun Feb 10 14:38:36 2013
;; MSG SIZE rcvd: 321
Let's actually test it on FreeBSD.
[Receiver-side setup]
Install postfix-policyd-spf-perl
# cd /usr/ports/mail/postfix-policyd-spf-perl
# make install
Register the policy daemon as a spawn service in master.cf (the argv= line is a continuation of the service entry and must be indented):
# vi /usr/local/etc/postfix/master.cf
spf_policy unix - n n - - spawn
    user=nobody argv=/usr/bin/perl /usr/local/sbin/postfix-policyd-spf-perl
Then call it from smtpd_recipient_restrictions in main.cf. Keep check_policy_service after reject_unauth_destination: Postfix's SMTPD_POLICY_README warns that a policy service listed before that check can turn the server into an open relay.
# vi /usr/local/etc/postfix/main.cf
smtpd_recipient_restrictions =
...
...
,check_policy_service unix:private/spf_policy
.....
.....
# /usr/local/etc/rc.d/postfix restart
[Take a look at the headers in the received mail]
Header of a message from a listed (legitimate) IP: the ip4 mechanism matched, so the result is pass.
Received-SPF: pass (for-example.com: 10.2.1.100 is authorized to use 'ethan@for-example.com' in 'mfrom' identity (mechanism 'ip4:10.2.1.100' matched)) receiver=mail.sunnybank.com.tw; identity=mailfrom; envelope-from="ethan@for-example.com"; helo=0; client-ip=10.2.1.100
Header of a message from an IP not in the record: nothing matched except the trailing ?all, so the result is only neutral, not fail. The policy daemon prepends the header and lets the message through; had the record ended with -all the result would be fail, which the daemon can reject at SMTP time instead of merely annotating.
Received-SPF: neutral (for-example.com: Domain does not state whether sender is authorized to use 'ethan@for-example.com' in 'mfrom' identity (mechanism '?all' matched)) receiver=mail.sunnybank.com.tw; identity=mailfrom; envelope-from="ethan@for-example.com"; helo=0; client-ip=192.168.6.18
Besides mechanisms such as ip4, a record can also use redirect= and include:, which hand evaluation over to another domain's record.
To find out which hosts are ultimately authorized, follow them recursively. Each include: or redirect= costs the receiver one more DNS lookup, and the SPF specification (RFC 4408, now RFC 7208) caps these at 10 per check; beyond that the result is permerror, which is what stops a looping or bloated record from tying up the receiver.
Taking gmail as an example, the queries are as follows:
% dig -t txt gmail.com
gmail.com. 300 IN TXT "v=spf1 redirect=_spf.google.com"
% dig -t txt _spf.google.com
_spf.google.com. 300 IN TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
% dig -t txt _netblocks.google.com
_netblocks.google.com. 3600 IN TXT "v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:173.194.0.0/16 ip4:207.126.144.0/20 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"
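To make the evaluation concrete, here is an added example in Python (not code from the original post, nor from postfix-policyd-spf-perl): a small SPF evaluator that understands the ip4, all, include: and redirect= terms used on this page, enforces the 10-lookup limit, and prints a Received-SPF style line for each case. DNS is replaced by a constructed in-memory table: for-example.com, strict-example.com and loop.example are hypothetical names, and the google.com chain is abbreviated from the records quoted above rather than kept current. It goes a little beyond the page by showing a -all record and a self-including record alongside the ?all and ~all cases.

```python
import ipaddress

# Result a qualifier yields when its mechanism matches (RFC 7208, 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# RFC 7208, 4.6.4: at most 10 lookup-causing terms (include:, redirect=, ...)
# per evaluation, otherwise permerror. Without the cap a record that includes
# itself would keep the receiver resolving forever.
MAX_LOOKUPS = 10

# Constructed stand-in for `dig -t txt` (runs offline). for-example.com,
# strict-example.com and loop.example are hypothetical; the google.com chain
# is abbreviated from the records quoted above and not kept current.
TXT = {
    "for-example.com": "v=spf1 ip4:10.1.1.100 ip4:10.2.1.100 ?all",
    "strict-example.com": "v=spf1 ip4:10.1.1.100 ip4:10.2.1.100 -all",
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:64.18.0.0/20 ip4:209.85.128.0/17 ~all",
    "_netblocks2.google.com": "v=spf1 ip4:172.217.0.0/19 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}


def lookup_txt(domain):
    """Return the domain's v=spf1 record or None (stands in for a DNS query)."""
    rec = TXT.get(domain.lower())
    return rec if rec and rec.split()[0].lower() == "v=spf1" else None


def check_host(ip, domain, lookups=None):
    """Evaluate domain's SPF record for the connecting address ip.

    Returns (result, term): result is one of pass/fail/softfail/neutral/none/
    permerror; term is the record term that decided it, as written ('?all',
    'ip4:10.2.1.100'), like the "(mechanism '...' matched)" note that
    postfix-policyd-spf-perl puts into Received-SPF.
    """
    addr = ipaddress.ip_address(ip)
    lookups = [0] if lookups is None else lookups   # one counter for the whole recursion
    record = lookup_txt(domain)
    if record is None:
        return "none", None

    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]      # only used if no mechanism matches
            continue
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], term
        if name == "ip4":
            try:
                if addr in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier], term
            except ValueError:                     # malformed network in the record
                return "permerror", term
            continue
        if name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", term
            sub, _ = check_host(ip, arg, lookups)
            if sub == "pass":                      # include: matches only on pass
                return QUALIFIERS[qualifier], term
            if sub in ("none", "permerror"):       # RFC 7208, 5.2
                return "permerror", term
            continue                               # fail/softfail/neutral: try the next term
        # mx:, a:, exists:, ip6: and other modifiers are not implemented here;
        # refusing is safer than silently skipping a term that might have matched.
        return "permerror", term

    if redirect is not None:
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            return "permerror", "redirect=" + redirect
        result, term = check_host(ip, redirect, lookups)
        return ("permerror" if result == "none" else result), term
    return "neutral", "default"                     # nothing matched, no redirect


def received_spf(result, term, sender, client_ip, receiver):
    """Format the outcome as a Received-SPF line in the style shown above."""
    domain = sender.rpartition("@")[2]
    return (f"Received-SPF: {result} ({domain}: mechanism '{term}' matched) "
            f"receiver={receiver}; identity=mailfrom; "
            f'envelope-from="{sender}"; client-ip={client_ip}')


if __name__ == "__main__":
    for ip, domain in [("10.2.1.100", "for-example.com"),       # listed ip4 -> pass
                       ("192.168.6.18", "for-example.com"),     # ?all -> neutral
                       ("192.168.6.18", "strict-example.com"),  # -all -> fail
                       ("209.85.128.5", "gmail.com"),           # redirect + include -> pass
                       ("192.168.6.18", "gmail.com"),           # ~all -> softfail
                       ("10.0.0.1", "loop.example")]:           # self-include -> permerror
        res, term = check_host(ip, domain)
        print(received_spf(res, term, "ethan@" + domain, ip, "mail.sunnybank.com.tw"))
```

The first two cases reproduce the pass and neutral headers shown above; the strict-example.com case shows what changing ?all to -all buys you. The mx: mechanism used by cisco.com is deliberately left unimplemented (it would need real MX lookups), and an unknown term yields permerror rather than being skipped, so the evaluator never reports pass for a record it did not fully understand.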