932
edits
Changes
→Investigation 2:: - Initial content for investigation 2
</ol>
==Investigation 2: Configuring Postfix to Check SPF Records==Perform the following steps as root on your VM3<ol> <li>Now that you know your email server is restricting incoming (and relayed) mail based on some simple checks, we can add in some information from DNS to improve these checks. For example, we can lookup the DNS records for the domain that seems to be sending us email and check if the ip address of the machine sending us mail matches on of the MX records.</li> <li>To see what is not being caught by the restrictions so far, use nc to send an email to your server claiming to be from root@pcallagh.ops.*The email goes through because that domain has a properly configured MX record, even though your ip address doesn’t match it.*Sender Policy Framework (SPF) will fix that. </li> <li>First we will add the sender policy framework to our mail server:*Install the pypolicyd-spf package*Add spf as a spawnable process. To do so, add the following line to /etc/postfix/master.cf:<source>policyd-spf unix – n n – 0 spawn user=nobody argv=/usr/libexec/postfix/policyd-spf</source>*Finally, add an spf check to the recipient restrictions in /etc/postfix/main.cf:<source>check_policy_service unix:private/policyd-spf</source> </li> <li>Now try to send another email to your server, again claiming to be from root@pcallagh.ops.*This time it will get blocked, because your server looks up the DNS record and finds out that you are not actually the mail server for that domain. </li></ol>
==Investigation 3: ==
==Completing the Lab ==
