myfinder's blog on technology and related activities

Saturday, December 6, 2008

Postfix spam countermeasures

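Spam from a certain country has been arriving frequently, so I put a countermeasure in place.
The countermeasure I chose is the Selective SMTP Rejection (S25R) method.
It can be done with configuration files alone and is effective as long as you can accept a little operational overhead, so I decided to adopt it.

The linked page has an overview and a detailed explanation, so here I will just record what I did on my own server.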

・Settings added to /etc/postfix/main.cf

# Client checks: local networks first, then the white list, then the S25R rules
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access regexp:/etc/postfix/white_list,
    check_client_access regexp:/etc/postfix/rejections

# Require HELO/EHLO before any mail transaction
smtpd_helo_required = yes

smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    check_helo_access regexp:/etc/postfix/helo_restrictions

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

・Creating /etc/postfix/white_list

#
# To use this file, add following lines into the /etc/postfix/main.cf file:
#
# smtpd_client_restrictions =
# permit_mynetworks,
# check_client_access regexp:/etc/postfix/white_list
# check_client_access regexp:/etc/postfix/rejections
#
# where "white_list" is the name of this file.
#
# *** WHITE LIST ***
#
# When you find a legitimate mail relay server which is rejected by the
# rejection specification written in the /etc/postfix/rejections file, write
# down here a permission specification taking a leaf from the following
# examples.
#
#/^223-123-45-67\.example\.net$/ OK
#/^223\.123\.45\.67$/ OK
#
# Practical examples:
#
# mc1-s3.bay6.hotmail.com, etc.
/\.hotmail\.com$/ OK
#
# web10902.mail.bbt.yahoo.co.jp
/\.yahoo\.co\.jp$/ OK
#
# web35509.mail.mud.yahoo.com
/\.yahoo\.com$/ OK
#
# mail.google.com
/\.google\.com$/ OK
#
# n2.59-106-41-68.mixi.jp, etc.
/\.mixi\.jp$/ OK
#
# mmrts006p01c.softbank.ne.jp, etc.
# tgmsmtkn01sc1.softbank.ne.jp, etc.
/\.softbank\.ne\.jp$/ OK
#
# mmrts006p01c.softbank.ne.jp, etc.
# tgmsmtkn01sc1.softbank.ne.jp, etc.
/\.i\.softbank\.jp$/ OK
#
# imt1omta04-s0.ezweb.ne.jp, etc.
/\.ezweb\.ne\.jp$/ OK
#
# .docomo.ne.jp, etc.
/\.docomo\.ne\.jp$/ OK

・Creating /etc/postfix/rejections

#
# To use this file, add following lines into the /etc/postfix/main.cf file:
#
# smtpd_client_restrictions =
# permit_mynetworks,
# check_client_access regexp:/etc/postfix/white_list
# check_client_access regexp:/etc/postfix/rejections
#
# where "rejections" is the name of this file.
#
# *** BLACK LIST ***
#
# When you find a UCE sender's FQDN which is not rejected by the generic
# protection rules specified below, insert here a denial specification taking
# a leaf from the following practical examples. You should specify a subdomain
# name or a substring together with the domain name if possible so that you can
# avoid rejecting legitimate mail relay servers in the same domain.
#
#
# xxx-xxx-xxx-xxx.dynamic.hinet.net
/\.dynamic\.hinet\.net$/ 450 domain check, be patient
#
# *** GENERIC PROTECTION ***
#
# [rule 0]
/^unknown$/ 450 reverse lookup failure, be patient
#
# [rule 1]
# ex: evrtwa1-ar3-4-65-157-048.evrtwa1.dsl-verizon.net
# ex: a12a190.neo.rr.com
/^[^.]*[0-9][^0-9.]+[0-9]/ 450 S25R check, be patient
#
# [rule 2]
# ex: pcp04083532pcs.levtwn01.pa.comcast.net
/^[^.]*[0-9]{5}/ 450 S25R check, be patient
#
# [rule 3]
# ex: 398pkj.cm.chello.no
# ex: host.101.169.23.62.rev.coltfrance.com
/^([^.]+\.)?[0-9][^.]*\.[^.]+\..+\.[a-z]/ 450 S25R check, be patient
#
# [rule 4]
# ex: wbar9.chi1-4-11-085-222.dsl-verizon.net
/^[^.]*[0-9]\.[^.]*[0-9]-[0-9]/ 450 S25R check, be patient
#
# [rule 5]
# ex: d5.GtokyoFL27.vectant.ne.jp
/^[^.]*[0-9]\.[^.]*[0-9]\.[^.]+\..+\./ 450 S25R check, be patient
#
# [rule 6]
# ex: dhcp0339.vpm.resnet.group.upenn.edu
# ex: dialupM107.ptld.uswest.net
# ex: PPPbf708.tokyo-ip.dti.ne.jp
# ex: dsl411.rbh-brktel.pppoe.execulink.com
# ex: adsl-1415.camtel.net
# ex: xdsl-5790.lubin.dialog.net.pl
/^(dhcp|dialup|ppp|[achrsvx]?dsl)[^.]*[0-9]/ 450 S25R check, be patient

・Creating /etc/postfix/helo_restrictions

# Illegal HELO command blocking specification
# Provided that your mail server's IP address is 223.12.34.56 and its
# acceptable domain name is "example.com", specify as follows:
#
#/^223\.12\.34\.56$/ REJECT
#/^(.+\.)?example\.com$/ REJECT


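Once the settings have been changed and the files added, run a syntax check and restart Postfix, and you are done.
As needed, use a shell script that checks for accesses that were answered with 450, and do follow-up maintenance such as adding networks that should not be treated as spam sources.
If you send a message while tailing the mail server log, you can pick up the host name and network in real time, so that is a good way to do it.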
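
One way to write the 450-checking script mentioned above, as an added example that is not from the original post: it reads a Postfix log, counts clients deferred by the check_client_access rules, and prints white_list entries (in the style of that file's commented examples) for clients that came back. The log lines are constructed, and the function names and the retry threshold of 2 are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Reads a Postfix mail log on stdin
# and prints white_list entries for clients that the check_client_access rules
# deferred with 450 at least MIN times (default 2, an assumed threshold).
# A retry alone does not prove a sender is legitimate: review before adding.
s25r_whitelist_candidates() {
    awk -v min="${1:-2}" '
        /Client host rejected/ &&
        match($0, /from [^ ]+\[[0-9A-Fa-f.:]+\]: 450 /) {
            c = substr($0, RSTART + 5, RLENGTH - 11)    # "host[ip]"
            i = index(c, "[")
            host = substr(c, 1, i - 1)
            ip = substr(c, i + 1, length(c) - i - 1)
            # rule 0 hits are logged as unknown, so key those on the IP address
            n[(host == "unknown") ? ip : host]++
        }
        END { for (k in n) if (n[k] >= min) print n[k], k }
    ' | sort -k1,1nr -k2,2 | while read -r count key; do
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')    # escape dots for regexp:
        printf '# %s: deferred %s times\n/^%s$/ OK\n' "$key" "$count" "$pat"
    done
}

# Constructed sample log (documentation addresses, made-up host names).
sample_log() {
cat <<'EOF'
Dec  6 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 <unknown[192.0.2.10]>: Client host rejected: reverse lookup failure, be patient; from=<a@example.org> to=<me@example.com> proto=ESMTP helo=<mail.example.org>
Dec  6 10:01:12 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from 198-51-100-7.dsl.example.net[198.51.100.7]: 450 4.7.1 <198-51-100-7.dsl.example.net[198.51.100.7]>: Client host rejected: S25R check, be patient; from=<x@example.net> to=<me@example.com> proto=SMTP helo=<pc>
Dec  6 10:03:40 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from mx1-relay2.example.net[203.0.113.25]: 450 4.7.1 <mx1-relay2.example.net[203.0.113.25]>: Client host rejected: S25R check, be patient; from=<n@example.net> to=<me@example.com> proto=ESMTP helo=<mx1-relay2.example.net>
Dec  6 10:05:09 mx postfix/smtpd[2104]: NOQUEUE: reject: RCPT from mail.example.info[203.0.113.80]: 450 4.1.8 <b@nodomain.invalid>: Sender address rejected: Domain not found; from=<b@nodomain.invalid> to=<me@example.com> proto=ESMTP helo=<mail.example.info>
Dec  6 10:15:02 mx postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 <unknown[192.0.2.10]>: Client host rejected: reverse lookup failure, be patient; from=<a@example.org> to=<me@example.com> proto=ESMTP helo=<mail.example.org>
Dec  6 10:33:41 mx postfix/smtpd[2106]: NOQUEUE: reject: RCPT from mx1-relay2.example.net[203.0.113.25]: 450 4.7.1 <mx1-relay2.example.net[203.0.113.25]>: Client host rejected: S25R check, be patient; from=<n@example.net> to=<me@example.com> proto=ESMTP helo=<mx1-relay2.example.net>
Dec  6 10:45:03 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 <unknown[192.0.2.10]>: Client host rejected: reverse lookup failure, be patient; from=<a@example.org> to=<me@example.com> proto=ESMTP helo=<mail.example.org>
EOF
}

sample_log | s25r_whitelist_candidates 2
```

The 450 from reject_unknown_sender_domain is skipped on purpose, since only "Client host rejected" deferrals can be fixed with a white_list entry.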
