Sender Policy Framework Configuration


This page configures "SPF (Sender Policy Framework)", one of the available anti-spam measures.

■ What SPF is
"SPF", roughly speaking, is a mechanism for checking whether the domain in a mail's sender address is being forged or not.
The figure below and the numbered steps that follow explain it briefly.



① The client sending the mail submits it to the mail server it uses.
② The mail server from ① relays the mail to the recipient's mail server.
③ When the recipient's mail server receives the connection, it queries DNS for the SPF record (a TXT record) of the domain in the envelope From (the SMTP MAIL FROM address).
④ It compares the IP address of the connecting sending server (taken from the TCP connection, not from anything the sender claims in the message) against the addresses the SPF record authorizes; mechanisms such as a, mx and include need further DNS lookups to resolve.
⑤ If the address is authorized the mail is accepted with a "pass". If it is not, what happens depends on the receiver's configuration: the mail can be rejected, or accepted and merely tagged.

For this mechanism to do anything, the SPF record (TXT record) for the sending mail server's domain must be registered in DNS.
The receiving side also needs something that queries the SPF record and acts on the result.

Without an SPF record (TXT record) registered there is nothing to compare against.

So first register the SPF record (TXT record) in DNS, then set up "SPF" on the receiving side.

(1) Add the "SPF record" to DNS.

Example settings (every record here ends in "~all", so a sender that matches nothing gets "softfail")
@       IN      TXT     "v=spf1 ip4:192.168.0.16 ~all"

@       IN      TXT     "v=spf1 ip4:192.168.0.0/24 ~all"

@       IN      TXT     "v=spf1 include:mail1.com ~all"

Pick one of the three forms; a domain may publish only one v=spf1 record (more than one makes every check return permerror). The first authorizes a single host, the second the whole /24, and the third delegates to the SPF record of mail1.com. Note that an include mechanism takes no "ip4:" prefix: "ip4:include:mail1.com" is not a valid term and turns the whole record into a permerror.

For the other mechanisms (all, ip4, ip6 and so on) and qualifiers (-, ~ and so on) see the following URL.
http://ja.wikipedia.org/wiki/Sender_Policy_Framework
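The check described in steps ③ to ⑤, run against records like the three above, as an added example that is not code from the original page or from Mail::SPF. It implements the ip4, ip6, include and all mechanisms with the "+", "-", "~" and "?" qualifiers; a, mx, ptr, exists and modifiers such as redirect= raise NotImplementedError rather than being silently skipped. DNS is replaced by the DNS_TXT table so the block runs offline: mail1.com mirrors the page's dig output, the other names and the 192.168.0.99 / 10.0.0.1 client addresses are invented for this example.

```python
"""Minimal SPF evaluator for the check in steps 3 to 5 (added example)."""
import ipaddress
import re

# Constructed stand-in for DNS.  bad.example carries the "ip4:include:"
# term from the page's third zone-file example to show how it is treated;
# two.example publishes two v=spf1 records, which is also an error.
DNS_TXT = {
    "mail1.com": ["v=spf1 ip4:192.168.0.16 ~all"],
    "strict.example": ["v=spf1 ip4:192.168.0.0/24 -all"],
    "relay.example": ["v=spf1 include:mail1.com ~all"],
    "bad.example": ["v=spf1 ip4:include:mail1.com ~all"],
    "two.example": ["v=spf1 -all", "v=spf1 ip4:192.168.0.16 ~all"],
    "norecord.example": [],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?::([^/]+))?(?:/(\d+))?", re.I)


def lookup_spf(domain):
    """Return the domain's v=spf1 record, None if absent; raise on duplicates."""
    found = [r for r in DNS_TXT.get(domain, []) if r.lower().split(" ")[0] == "v=spf1"]
    if len(found) > 1:
        raise ValueError("more than one v=spf1 record")  # permerror, RFC 7208 4.5
    return found[0] if found else None


def check_host(client_ip, domain, _lookups=None):
    """Evaluate client_ip against domain's SPF record.

    Returns (result, explanation) with result in
    pass / fail / softfail / neutral / none / permerror.
    """
    lookups = _lookups if _lookups is not None else [0]
    try:
        record = lookup_spf(domain)
    except ValueError as exc:
        return "permerror", str(exc)
    if record is None:
        return "none", "No applicable sender policy available"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        if "=" in term:
            raise NotImplementedError(f"modifier {term!r} not handled in this example")
        m = TERM.fullmatch(term)
        if not m:
            return "permerror", f"unparsable term {term!r}"
        qualifier, mech, arg, prefix = m.groups()
        mech = mech.lower()
        result = QUALIFIER[qualifier or "+"]   # no qualifier means "+"
        if mech == "all":
            return result, f"mechanism '{term}' matched"
        if mech in ("ip4", "ip6"):
            want = 4 if mech == "ip4" else 6
            try:
                net = ipaddress.ip_network(f"{arg}/{prefix or (32 if want == 4 else 128)}",
                                           strict=False)
            except ValueError:
                return "permerror", f"bad address in term {term!r}"
            if net.version != want:
                return "permerror", f"wrong address family in term {term!r}"
            if ip in net:                      # False when families differ
                return result, f"mechanism '{term}' matched"
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", "too many DNS lookups"
            sub, _ = check_host(client_ip, arg, lookups)
            if sub == "pass":
                return result, f"mechanism '{term}' matched"
            if sub in ("none", "permerror"):
                return "permerror", f"include:{arg} evaluated to {sub}"
        else:
            raise NotImplementedError(f"mechanism {mech!r} not handled in this example")
    return "neutral", "no mechanism matched"
```

The three outcomes the page later shows in its logs correspond to check_host("192.168.0.16", "mail1.com") giving pass, any other client address giving softfail because of "~all", and a domain with no record giving none; the malformed record and the duplicate record both come back as permerror, which a receiver treats like a record it cannot use.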

(2) Confirm that the "SPF record" is registered. (mail1.com is used as the example here)
[root@mail1 ~]# dig mail1.com txt
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> mail1.com txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30625
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;mail1.com.                     IN      TXT

;; ANSWER SECTION:
mail1.com.              86400   IN      TXT     "v=spf1 ip4:192.168.0.16  ~all" ← # the registered SPF record

;; AUTHORITY SECTION:
mail1.com.              86400   IN      NS      dns.local.

;; ADDITIONAL SECTION:
dns.local.              86400   IN      A       192.168.0.15

;; Query time: 1 msec
;; SERVER: 192.168.0.15#53(192.168.0.15)
;; WHEN: Sun May 16 12:40:16 2010
;; MSG SIZE  rcvd: 108

The following example shows the result of checking Yahoo's SPF record.
[root@mail1 ~]# dig yahoo.co.jp txt
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> yahoo.co.jp txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9322
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;yahoo.co.jp.                   IN      TXT

;; ANSWER SECTION:
yahoo.co.jp.            900     IN      TXT     "v=spf1 include:spf.yahoo.co.jp ~all" ← # Yahoo's SPF record

;; AUTHORITY SECTION:
yahoo.co.jp.            843     IN      NS      ns04.ops.ogk.yahoo.co.jp.
yahoo.co.jp.            843     IN      NS      dnsg01.yahoo.co.jp.

;; ADDITIONAL SECTION:
ns04.ops.ogk.yahoo.co.jp. 538   IN      A       124.83.218.185
dnsg01.yahoo.co.jp.     521     IN      A       211.14.12.10

;; Query time: 9 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sun May 16 12:43:42 2010
;; MSG SIZE  rcvd: 157


(3) Configure "SPF" in "Postfix". (Here the host mail2.com is used as the receiving server.)

First, download "postfix-policyd-spf-perl".
http://www.openspf.org/Software
(Check the above URL for the latest version.)
[root@mail2 ~]# wget http://launchpad.net/postfix-policyd-spf-perl/trunk/2.007/+download/postfix-policyd-spf-perl-2.007.tar.gz

The download is over plain HTTP, so compare the file against the checksum published with the release before putting it in your mail path.

(4) Extract the downloaded "postfix-policyd-spf-perl-2.007.tar.gz".
[root@mail2 ~]# tar zxvf postfix-policyd-spf-perl-2.007.tar.gz

(5) After extracting, copy "postfix-policyd-spf-perl" directly under "/usr/local/lib".
[root@mail2 ~]# cd postfix-policyd-spf-perl-2.007
[root@mail2 postfix-policyd-spf-perl-2.007]# cp postfix-policyd-spf-perl /usr/local/lib

The script will later run as an unprivileged user (user=nobody in master.cf), so leave the copy owned by root, executable by everyone and writable by nobody else.

(6) Install the "Perl modules" that "SPF" needs with "CPAN".

By default "CPAN" downloads modules over FTP.
If FTP cannot be used in your environment, you need to download over HTTP instead.
If FTP is unavailable, or you have to go through a proxy, see the following URL.
http://www.kurobuti.com/linux_server/?page_id=422

The modules "SPF" needs are as follows.

■ExtUtils::MakeMaker
■Module::Build
■NetAddr::IP
■Net::IP
■Digest::SHA1
■Digest::HMAC_MD5
■Net::DNS
■version
■Net::DNS::Resolver::Programmable
■Error
■Mail::SPF

Configure "CPAN" so that the modules above can be installed.
[root@mail2 ~]# perl -MCPAN -e shell
/usr/lib/perl5/5.8.8/CPAN/Config.pm initialized.


CPAN is the world-wide archive of perl resources. It consists of about
100 sites that all replicate the same contents all around the globe.
Many countries have at least one CPAN site already. The resources
found on CPAN are easily accessible with the CPAN.pm module. If you
want to use CPAN.pm, you have to configure it properly.

If you do not want to enter a dialog now, you can answer 'no' to this
question and I'll try to autoconfigure. (Note: you can revisit this
dialog anytime later by typing 'o conf init' at the cpan prompt.)

Are you ready for manual configuration? [yes] # Enter


The following questions are intended to help you with the
configuration. The CPAN module needs a directory of its own to cache
important index files and maybe keep a temporary mirror of CPAN files.
This may be a site-wide directory or a personal directory.



First of all, I'd like to create this directory. Where?

CPAN build and cache directory? [/root/.cpan] # Enter


If you want, I can keep the source files after a build in the cpan
home directory. If you choose so then future builds will take the
files from there. If you don't want to keep them, answer 0 to the
next question.



How big should the disk cache be for keeping the build directories
with all the intermediate files?

Cache size for build directory (in MB)? [10] # Enter


By default, each time the CPAN module is started, cache scanning
is performed to keep the cache size in sync. To prevent from this,
disable the cache scanning with 'never'.

Perform cache scanning (atstart or never)? [atstart] # Enter


To considerably speed up the initial CPAN shell startup, it is
possible to use Storable to create a cache of metadata. If Storable
is not available, the normal index mechanism will be used.

Cache metadata (yes/no)? [yes] # Enter


The next option deals with the charset your terminal supports. In
general CPAN is English speaking territory, thus the charset does not
matter much, but some of the aliens out there who upload their
software to CPAN bear names that are outside the ASCII range. If your
terminal supports UTF-8, you say no to the next question, if it
supports ISO-8859-1 (also known as LATIN1) then you say yes, and if it
supports neither nor, your answer does not matter, you will not be
able to read the names of some authors anyway. If you answer no, names
will be output in UTF-8.

Your terminal expects ISO-8859-1 (yes/no)? [yes] # Enter


If you have one of the readline packages (Term::ReadLine::Perl,
Term::ReadLine::Gnu, possibly others) installed, the interactive CPAN
shell will have history support. The next two questions deal with the
filename of the history file and with its size. If you do not want to
set this variable, please hit SPACE RETURN to the following question.

File to save your history? [/root/.cpan/histfile] # Enter
Number of lines to save? [100] # Enter


The CPAN module can detect when a module that which you are trying to
build depends on prerequisites. If this happens, it can build the
prerequisites for you automatically ('follow'), ask you for
confirmation ('ask'), or just ignore them ('ignore'). Please set your
policy to one of the three values.

Policy on building prerequisites (follow, ask or ignore)? [ask] # Enter


The CPAN module will need a few external programs to work properly.
Please correct me, if I guess the wrong path for a program. Don't
panic if you do not have some of them, just press ENTER for those. To
disable the use of a download program, you can type a space followed
by ENTER.

Where is your gzip program? [/bin/gzip] # Enter
Where is your tar program? [/bin/tar] # Enter
Where is your unzip program? [/usr/bin/unzip] # Enter
Where is your make program? [/usr/bin/make] # Enter
Warning: links not found in PATH
Where is your links program? [] # Enter
Where is your wget program? [/usr/bin/wget] # Enter
Warning: ncftpget not found in PATH
Where is your ncftpget program? [] # Enter
Warning: ncftp not found in PATH
Where is your ncftp program? [] # Enter
Where is your ftp program? [/usr/kerberos/bin/ftp] # Enter
Where is your gpg program? [/usr/bin/gpg] # Enter
What is your favorite pager program? [/usr/bin/less] # Enter
What is your favorite shell? [/bin/bash] # Enter


Every Makefile.PL is run by perl in a separate process. Likewise we
run 'make' and 'make install' in processes. If you have any
parameters (e.g. PREFIX, LIB, UNINST or the like) you want to pass
to the calls, please specify them here.

If you don't understand this question, just press ENTER.
Parameters for the 'perl Makefile.PL' command?
Typical frequently used settings:

    PREFIX=~/perl       non-root users (please see manual for more hints)

Your choice:  [] # Enter
Parameters for the 'make' command?
Typical frequently used setting:

    -j3              dual processor system

Your choice:  [] # Enter
Parameters for the 'make install' command?
Typical frequently used setting:

    UNINST=1         to always uninstall potentially conflicting files

Your choice:  [] # Enter


Sometimes you may wish to leave the processes run by CPAN alone
without caring about them. As sometimes the Makefile.PL contains
question you're expected to answer, you can set a timer that will
kill a 'perl Makefile.PL' process after the specified time in seconds.

If you set this value to 0, these processes will wait forever. This is
the default and recommended setting.

Timeout for inactivity during Makefile.PL? [0] # Enter


If you're accessing the net via proxies, you can specify them in the
CPAN configuration or via environment variables. The variable in
the $CPAN::Config takes precedence.

Your ftp_proxy? # Enter
Your http_proxy? # Enter
Your no_proxy? # Enter
You have no /root/.cpan/sources/MIRRORED.BY
  I'm trying to fetch one
LWP not available
CPAN: Net::FTP loaded ok
Fetching with Net::FTP:
  ftp://ftp.perl.org/pub/CPAN/MIRRORED.BY


Now we need to know where your favorite CPAN sites are located. Push
a few sites onto the array (just in case the first on the array won't
work). If you are mirroring CPAN to your local workstation, specify a
file: URL.

First, pick a nearby continent and country (you can pick several of
each, separated by spaces, or none if you just want to keep your
existing selections). Then, you will be presented with a list of URLs
of CPAN mirrors in the countries you selected, along with previously
selected URLs. Select some of those URLs, or just keep the old list.
Finally, you will be prompted for any extra URLs -- file:, ftp:, or
http: -- that host a CPAN mirror.

(1) Africa
(2) Asia
(3) Australasia
(4) Central America
(5) Europe
(6) North America
(7) Oceania
(8) South America
Select your continent (or several nearby continents) [] 2 ← # select Asia
Sorry! since you don't have any existing picks, you must make a
geographic selection.

(1) China
(2) Hong Kong
(3) India
(4) Indonesia
(5) Japan
(6) Republic of Korea
(7) Russia
(8) Singapore
(9) Taiwan
(10) Thailand
(11) Turkey
Select your country (or several nearby countries) [] 5 ← # select Japan
Sorry! since you don't have any existing picks, you must make a
geographic selection.

(1) ftp://ftp.dti.ad.jp/pub/lang/CPAN/
(2) ftp://ftp.jaist.ac.jp/pub/CPAN/
(3) ftp://ftp.kddilabs.jp/CPAN/
(4) ftp://ftp.nara.wide.ad.jp/pub/CPAN/
(5) ftp://ftp.riken.jp/lang/CPAN/
(6) ftp://ftp.ring.gr.jp/pub/lang/perl/CPAN/
(7) ftp://ftp.u-aizu.ac.jp/pub/CPAN
(8) ftp://ftp.yz.yamagata-u.ac.jp/pub/lang/cpan/
Select as many URLs as you like (by number),
put them on one line, separated by blanks, e.g. '1 4 5' [] 5 ← # choose RIKEN as the download mirror

Enter another URL or RETURN to quit: [] # Enter
New set of picks:
  ftp://ftp.riken.jp/lang/CPAN/


commit: wrote /usr/lib/perl5/5.8.8/CPAN/Config.pm
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v1.7602)
ReadLine support available (try 'install Bundle::CPAN')

cpan>

The defaults are used here.
Adjust them to your own environment.

Next, install the modules.
cpan> install ExtUtils::MakeMaker
cpan> install Module::Build
cpan> install NetAddr::IP
cpan> install Net::IP
cpan> install Digest::SHA1
cpan> install Digest::HMAC_MD5
cpan> install Net::DNS
cpan> install version
cpan> install Net::DNS::Resolver::Programmable
cpan> install Error
cpan> install Mail::SPF

While installing each module you will be asked whether to install its dependencies; choose "yes" (the default).

If a message like the following appears while installing "Mail::SPF":
Running install for module Mail::SPF
Running make for J/JM/JMEHNLE/mail-spf/Mail-SPF-v2.007.tar.gz
  Is already unwrapped into directory /root/.cpan/build/Mail-SPF-v2.007
  Makefile.PL returned status 65280
Running make test
  Make had some problems, maybe interrupted? Won't test
Running make install
  Make had some problems, maybe interrupted? Won't install

In that case it cannot be installed through "CPAN", so install it manually.

How to install "Mail::SPF" manually
[root@mail2 ~]# cd .cpan/build/Mail-SPF-v2.007/
[root@mail2 Mail-SPF-v2.007]# ./Build test
t/00.00-class-misc.t .......... ok
t/00.01-class-util.t .......... ok
t/00.02-class-request.t ....... ok
t/00.03-class-result.t ........ ok
t/00.04-class-server.t ........ ok
t/00.05-class-macrostring.t ... ok
t/00.99-class-misc.t .......... ok
t/10.00-rfc4408.t ............. skipped: Mail::SPF::Test required for testing Mail::SPF's RFC compliance
t/10.01-rfc4406.t ............. skipped: Mail::SPF::Test required for testing Mail::SPF's RFC compliance
t/90-author-pod-validation.t .. skipped: Test::Pod 1.00 required for testing POD validity
All tests successful.
Files=10, Tests=132, 0 wallclock secs ( 0.05 usr 0.03 sys + 0.60 cusr 0.10 csys = 0.78 CPU)
Result: PASS
[root@mail2 Mail-SPF-v2.007]# ./Build install
Building Mail-SPF
Installing /usr/share/man/man1/spfquery.1
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Mod.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/MacroString.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Server.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Term.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Request.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Util.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Mech.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/SenderIPAddrMech.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Result.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Record.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Exception.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Base.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/v2/Record.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Mod/Exp.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Mod/Redirect.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Mech/MX.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Mech/Include.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Mech/PTR.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Mech/All.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Mech/IP6.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Mech/A.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Mech/Exists.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/Mech/IP4.pm
Installing /usr/lib/perl5/site_perl/5.8.8/Mail/SPF/v1/Record.pm
Installing /usr/share/man/man3/Mail::SPF::Term.3pm
Installing /usr/share/man/man3/Mail::SPF::Mech.3pm
Installing /usr/share/man/man3/Mail::SPF::Mech::A.3pm
Installing /usr/share/man/man3/Mail::SPF::Mod::Redirect.3pm
Installing /usr/share/man/man3/Mail::SPF::v2::Record.3pm
Installing /usr/share/man/man3/Mail::SPF::v1::Record.3pm
Installing /usr/share/man/man3/Mail::SPF::Mech::All.3pm
Installing /usr/share/man/man3/Mail::SPF::Mech::PTR.3pm
Installing /usr/share/man/man3/Mail::SPF::Result.3pm
Installing /usr/share/man/man3/Mail::SPF::MacroString.3pm
Installing /usr/share/man/man3/Mail::SPF::Mech::Exists.3pm
Installing /usr/share/man/man3/Mail::SPF::Mech::IP4.3pm
Installing /usr/share/man/man3/Mail::SPF::Mech::Include.3pm
Installing /usr/share/man/man3/Mail::SPF::Server.3pm
Installing /usr/share/man/man3/Mail::SPF::Mod.3pm
Installing /usr/share/man/man3/Mail::SPF::SenderIPAddrMech.3pm
Installing /usr/share/man/man3/Mail::SPF::Mech::IP6.3pm
Installing /usr/share/man/man3/Mail::SPF::Request.3pm
Installing /usr/share/man/man3/Mail::SPF::Mod::Exp.3pm
Installing /usr/share/man/man3/Mail::SPF::Base.3pm
Installing /usr/share/man/man3/Mail::SPF::Util.3pm
Installing /usr/share/man/man3/Mail::SPF.3pm
Installing /usr/share/man/man3/Mail::SPF::Record.3pm
Installing /usr/share/man/man3/Mail::SPF::Mech::MX.3pm
Installing /usr/sbin/spfd
Installing /usr/bin/spfquery
Writing /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Mail/SPF/.packlist

(7) Confirm that the modules are installed.
[root@mail2 ~]# perl -MMail::SPF -e ""
[root@mail2 ~]# perl -MNetAddr::IP -e ""

If nothing is printed, there is no problem.

(8) Run "postfix-policyd-spf-perl" and confirm there are no errors.
[root@mail2 ~]# /usr/local/lib/postfix-policyd-spf-perl

If nothing is printed, there is no problem. The script is waiting for a policy request on standard input, which is why it just sits there; exit with [Ctrl+C].

(9) Configure "SPF" in "Postfix".
[root@mail2 ~]# cd /etc/postfix/
[root@mail2 postfix]# vi main.cf
---------add at the end of the file---------
smtpd_recipient_restrictions =
                                permit_mynetworks
                                reject_unauth_destination
                                check_policy_service unix:private/policy
policy_time_limit = 3600
[root@mail2 postfix]# vi master.cf
----------add at the end of the file----------
policy  unix    -       n       n       -       0       spawn
  user=nobody argv=/usr/local/lib/postfix-policyd-spf-perl

Notes on these lines. The parameter is policy_time_limit: the master.cf service name "policy" followed by _time_limit ("policy_timelimit" is not a Postfix parameter and is simply ignored; newer Postfix versions log an "unused parameter" warning for it). If main.cf already defines smtpd_recipient_restrictions, extend that definition instead of appending a second one, because Postfix only honours the last definition. The order matters: permit_mynetworks comes first so your own clients are never SPF-checked, reject_unauth_destination comes before the policy lookup so the daemon is consulted only for mail you would otherwise accept, and check_policy_service unix:private/policy hands the decision to the daemon, whose reply (PREPEND, DUNNO, REJECT, ...) is what Postfix acts on.

(10) Reject mail when "SPF" suspects the domain is forged.
[root@mail2 postfix]# vi main.cf
----------add at the end of the file----------
header_checks = regexp:/etc/postfix/header_checks

[root@mail2 postfix]# vi header_checks
/^Received-SPF: softfail/i REJECT

Two caveats. A "~all" softfail is the domain owner saying "probably not authorized, but do not bounce on this alone", so rejecting on it is stricter than the policy the sender published and can drop legitimate mail that was forwarded through a host the record does not list. And header_checks inspects every Received-SPF header in the message, not only the one this server prepended, so a header added by an earlier hop can trigger the rule as well. With this configuration, the problem described at the following URL occurs.
http://www.kurobuti.com/blog/?p=3995
The workaround is at the following URL (though it is not perfect).
http://www.kurobuti.com/blog/?p=4030
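Both sides of the exchange behind check_policy_service in step (9), as an added example that is not the postfix-policyd-spf-perl script the page installs. parse_request() reads the attribute block Postfix sends to the service and policy_reply() builds the answer; returning a 5xx action from here is an alternative to the header_checks rule in step (10), since the policy reply is made before any Received-SPF header on the message is looked at. The SPF decision comes from the constructed POLICY table rather than a real DNS lookup, so the block runs offline; the sample requests are modelled on the page's mail1.com to mail2.com test, and the null-sender and norecord.example cases are added here. Under the master.cf "spawn" entry the request arrives on stdin and the reply goes to stdout, which is what main() does.

```python
"""Postfix SMTPD policy protocol, request parsing and reply (added example)."""
import sys

RECEIVER = "mail2.com"

# Constructed stand-in for SPF evaluation: sender domain -> (authorized IPs,
# result for every other address, i.e. the qualifier on the record's "all").
POLICY = {"mail1.com": ({"192.168.0.16"}, "softfail")}

# How each SPF result becomes a policy action.  PREPEND adds a header and lets
# the remaining restrictions decide; a 5xx reply rejects at RCPT TO time.
ACTION = {"pass": "PREPEND", "none": "PREPEND", "neutral": "PREPEND",
          "softfail": "REJECT", "fail": "REJECT"}


def spf_result(client_ip, identity):
    """Evaluate the mail-from identity for client_ip against POLICY."""
    domain = identity.rpartition("@")[2].lower()
    if domain not in POLICY:
        return "none", "No applicable sender policy available"
    allowed, otherwise = POLICY[domain]
    if client_ip in allowed:
        return "pass", f"{client_ip} is authorized to use '{identity}' in 'mfrom' identity"
    return otherwise, f"Sender is not authorized to use '{identity}' in 'mfrom' identity"


def parse_request(text):
    """Parse one request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in text.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line {line!r}")
        attrs[name] = value
    if attrs.get("request") != "smtpd_access_policy":
        raise ValueError("not an smtpd_access_policy request")
    return attrs


def policy_reply(request_text):
    """Return the reply for one request, including its terminating empty line."""
    attrs = parse_request(request_text)
    client_ip = attrs["client_address"]
    helo = attrs.get("helo_name", "")
    # A null envelope sender (bounces) has no domain; SPF then checks the HELO name.
    identity = attrs.get("sender") or f"postmaster@{helo}"
    result, reason = spf_result(client_ip, identity)
    action = ACTION.get(result, "DUNNO")
    if action == "REJECT":
        # 5.7.1 (delivery not authorized) is the status the page's header_checks
        # rejection also carries.
        return f"action=550 5.7.1 SPF {result}: {reason}\n\n"
    if action == "PREPEND":
        header = (f"Received-SPF: {result} ({identity.rpartition('@')[2]}: {reason}) "
                  f"receiver={RECEIVER}; identity=mailfrom; envelope-from=\"{identity}\"; "
                  f"helo={helo}; client-ip={client_ip}")
        return f"action=PREPEND {header}\n\n"
    return "action=DUNNO\n\n"


# Constructed requests modelled on the page's test (mail1.com -> mail2.com).
REQUEST_PASS = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=ESMTP\n"
    "helo_name=mail.mail1.com\nclient_address=192.168.0.16\nclient_name=mail1.com\n"
    "sender=root@mail1.com\nrecipient=test@mail2.com\n\n")
REQUEST_SOFTFAIL = REQUEST_PASS.replace("client_address=192.168.0.16",
                                        "client_address=192.168.0.99")
REQUEST_NONE = REQUEST_PASS.replace("sender=root@mail1.com", "sender=root@norecord.example")
REQUEST_NULL_SENDER = REQUEST_PASS.replace("sender=root@mail1.com", "sender=")


def main():
    """spawn(8) hands the socket to us as stdin/stdout; answer one request per block."""
    block = []
    for line in sys.stdin:
        if line == "\n":
            sys.stdout.write(policy_reply("".join(block)))
            sys.stdout.flush()
            block = []
        else:
            block.append(line)


if __name__ == "__main__":
    main()
```

Postfix sends many more attributes than the samples show (queue_id, sasl_username, encryption details and so on); a policy service should read whatever arrives up to the empty line and use only what it needs, which is why parse_request() does not validate the attribute set. The reply must end with an empty line or Postfix waits until policy_time_limit expires.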

(11) Reload "Postfix".
[root@mail2 ~]# /etc/rc.d/init.d/postfix reload
 Reloading postfix:                                         [  OK  ]

(12) Test the setup (here mail is sent from the host mail1.com to the host mail2.com)

When the source IP matches the SPF record (mail2.com log)
May 22 15:27:35 mail2 postfix/smtpd[3377]: connect from mail1.com[192.168.0.16]
May 22 15:27:35 mail2 postfix/policy-spf[3381]: : SPF pass (Mechanism 'ip4:192.168.0.16' matched): Envelope-from: root@mail1.com
May 22 15:27:35 mail2 postfix/policy-spf[3381]: handler sender_policy_framework: is decisive.
May 22 15:27:35 mail2 postfix/policy-spf[3381]: : Policy action=PREPEND Received-SPF: pass (mail1.com: 192.168.0.16 is authorized to use 'root@mail1.com' in 'mfrom' identity (mechanism 'ip4:192.168.0.16' matched)) receiver=mail2.com; identity=mailfrom; envelope-from="root@mail1.com"; helo=mail.mail1.com; client-ip=192.168.0.16
May 22 15:27:35 mail2 postfix/smtpd[3377]: 71F02609CE: client=mail1.com[192.168.0.16]
May 22 15:27:35 mail2 postfix/cleanup[3382]: 71F02609CE: message-id=<20100516065119.C3EDB9629@mail.mail1.com>
May 22 15:27:35 mail2 postfix/qmgr[3350]: 71F02609CE: from=<root@mail1.com>, size=718, nrcpt=1 (queue active)
May 22 15:27:35 mail2 postfix/smtpd[3377]: disconnect from mail1.com[192.168.0.16]
May 22 15:27:35 mail2 postfix/local[3383]: 71F02609CE: to=<test@mail2.com>, relay=local, delay=0.02, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
May 22 15:27:35 mail2 postfix/qmgr[3350]: 71F02609CE: removed

When no forgery is suspected, "SPF pass" appears.

When the source IP does not match the SPF record (mail2.com log)
May 22 15:32:24 mail2 postfix/smtpd[3398]: connect from mail1.com[192.168.0.16]
May 22 15:32:24 mail2 postfix/policy-spf[3401]: : SPF softfail (Mechanism '~all' matched): Envelope-from: root@mail1.com
May 22 15:32:24 mail2 postfix/policy-spf[3401]: handler sender_policy_framework: is decisive.
May 22 15:32:24 mail2 postfix/policy-spf[3401]: : Policy action=PREPEND Received-SPF: softfail (mail1.com: Sender is not authorized by default to use 'root@mail1.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=mail2.com; identity=mailfrom; envelope-from="root@mail1.com"; helo=mail.mail1.com; client-ip=192.168.0.16
May 22 15:32:24 mail2 postfix/smtpd[3398]: 7D17B609CE: client=mail1.com[192.168.0.16]
May 22 15:32:24 mail2 postfix/cleanup[3402]: 7D17B609CE: reject: header Received-SPF: softfail (mail1.com: Sender is not authorized by default to use 'root@mail1.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matche from mail1.com[192.168.0.16]; from=<root@mail1.com> to=<test@mail2.com> proto=ESMTP helo=<mail.mail1.com>: 5.7.1 message content rejected
May 22 15:32:24 mail2 postfix/smtpd[3398]: disconnect from mail1.com[192.168.0.16]

When forgery is suspected, "SPF softfail" appears.
The header check from step (10) then rejects the message in cleanup ("5.7.1 message content rejected").

When no SPF record is registered in DNS for the sender's domain (mail2.com log)
May 22 15:35:11 mail2 postfix/smtpd[3408]: connect from mail1.com[192.168.0.16]
May 22 15:35:11 mail2 postfix/policy-spf[3411]: : SPF none (No applicable sender policy available): Envelope-from: root@mail1.com
May 22 15:35:11 mail2 postfix/policy-spf[3411]: handler sender_policy_framework: is decisive.
May 22 15:35:11 mail2 postfix/policy-spf[3411]: : Policy action=PREPEND Received-SPF: none (mail1.com: No applicable sender policy available) receiver=mail2.com; identity=mailfrom; envelope-from="root@mail1.com"; helo=mail.mail1.com; client-ip=192.168.0.16
May 22 15:35:11 mail2 postfix/smtpd[3408]: A5ECB609CE: client=mail1.com[192.168.0.16]
May 22 15:35:11 mail2 postfix/cleanup[3412]: A5ECB609CE: message-id=<20100516065855.CCA639629@mail.mail1.com>
May 22 15:35:11 mail2 postfix/qmgr[3350]: A5ECB609CE: from=<root@mail1.com>, size=646, nrcpt=1 (queue active)
May 22 15:35:11 mail2 postfix/smtpd[3408]: disconnect from mail1.com[192.168.0.16]
May 22 15:35:11 mail2 postfix/local[3413]: A5ECB609CE: to=<test@mail2.com>, relay=local, delay=0.17, delays=0.16/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
May 22 15:35:11 mail2 postfix/qmgr[3350]: A5ECB609CE: removed

When no SPF record exists, "SPF none" appears.
Since there is nothing to compare the source IP against, the mail is accepted; other anti-spam measures are needed for that case.
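A small parser for the policy-spf log lines above, as an added example that is not from the page. SAMPLE_LOG is copied from the three test runs shown in step (12); the parser joins each "SPF <result>" line with the "Policy action=PREPEND" line of the same policy-spf process to recover the client IP and HELO name, marks evaluations that header_checks later rejected, and lists the "none" deliveries the last paragraph says need other measures. The pairing by process ID assumes the two lines of one evaluation are logged by the same policy-spf PID, as they are in the page's output.

```python
"""Summarise SPF outcomes from Postfix policy-spf log lines (added example)."""
import re
from collections import Counter

# Copied from the page's step (12) output; the SPF/policy-spf lines are complete.
SAMPLE_LOG = """\
May 22 15:27:35 mail2 postfix/smtpd[3377]: connect from mail1.com[192.168.0.16]
May 22 15:27:35 mail2 postfix/policy-spf[3381]: : SPF pass (Mechanism 'ip4:192.168.0.16' matched): Envelope-from: root@mail1.com
May 22 15:27:35 mail2 postfix/policy-spf[3381]: : Policy action=PREPEND Received-SPF: pass (mail1.com: 192.168.0.16 is authorized to use 'root@mail1.com' in 'mfrom' identity (mechanism 'ip4:192.168.0.16' matched)) receiver=mail2.com; identity=mailfrom; envelope-from="root@mail1.com"; helo=mail.mail1.com; client-ip=192.168.0.16
May 22 15:32:24 mail2 postfix/policy-spf[3401]: : SPF softfail (Mechanism '~all' matched): Envelope-from: root@mail1.com
May 22 15:32:24 mail2 postfix/policy-spf[3401]: : Policy action=PREPEND Received-SPF: softfail (mail1.com: Sender is not authorized by default to use 'root@mail1.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=mail2.com; identity=mailfrom; envelope-from="root@mail1.com"; helo=mail.mail1.com; client-ip=192.168.0.16
May 22 15:32:24 mail2 postfix/cleanup[3402]: 7D17B609CE: reject: header Received-SPF: softfail (mail1.com: Sender is not authorized by default to use 'root@mail1.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matche from mail1.com[192.168.0.16]; from=<root@mail1.com> to=<test@mail2.com> proto=ESMTP helo=<mail.mail1.com>: 5.7.1 message content rejected
May 22 15:35:11 mail2 postfix/policy-spf[3411]: : SPF none (No applicable sender policy available): Envelope-from: root@mail1.com
May 22 15:35:11 mail2 postfix/policy-spf[3411]: : Policy action=PREPEND Received-SPF: none (mail1.com: No applicable sender policy available) receiver=mail2.com; identity=mailfrom; envelope-from="root@mail1.com"; helo=mail.mail1.com; client-ip=192.168.0.16
May 22 15:35:11 mail2 postfix/local[3413]: A5ECB609CE: to=<test@mail2.com>, relay=local, delay=0.17, delays=0.16/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
"""

RESULT_LINE = re.compile(
    r"postfix/policy-spf\[(?P<pid>\d+)\]: : SPF (?P<result>\w+) "
    r"\((?P<reason>.*)\): Envelope-from: (?P<sender>\S+)$")
ACTION_LINE = re.compile(
    r"postfix/policy-spf\[(?P<pid>\d+)\]: : Policy action=(?P<action>\S+) .*?"
    r"helo=(?P<helo>\S+); client-ip=(?P<client_ip>\S+)$")
REJECT_LINE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<queue_id>\w+): reject: header Received-SPF: (?P<result>\w+)")


def parse_spf_events(log_text):
    """Return one dict per SPF evaluation, in log order."""
    events, pending = [], {}
    for line in log_text.splitlines():
        m = RESULT_LINE.search(line)
        if m:
            ev = m.groupdict()
            ev.update(sender_domain=ev["sender"].rpartition("@")[2],
                      client_ip=None, helo=None, action=None, rejected=False)
            pending[ev["pid"]] = ev          # wait for this PID's action line
            events.append(ev)
            continue
        m = ACTION_LINE.search(line)
        if m and m["pid"] in pending:
            pending.pop(m["pid"]).update(action=m["action"], helo=m["helo"],
                                         client_ip=m["client_ip"])
            continue
        m = REJECT_LINE.search(line)
        if m:
            # header_checks fires in cleanup, after the policy reply; attribute the
            # rejection to the most recent evaluation with the same result.
            for ev in reversed(events):
                if ev["result"] == m["result"] and not ev["rejected"]:
                    ev["rejected"] = True
                    break
    return events


def summarize(events):
    """Count results per sender domain, e.g. {('mail1.com', 'pass'): 1, ...}."""
    return Counter((ev["sender_domain"], ev["result"]) for ev in events)


def unauthenticated_deliveries(events):
    """Mail SPF could not judge (none/neutral) and nothing rejected: the case
    the page says needs other anti-spam measures."""
    return [(ev["sender"], ev["client_ip"]) for ev in events
            if ev["result"] in ("none", "neutral") and not ev["rejected"]]
```

On a busy server the same PID can appear again later, which is why an evaluation is removed from pending as soon as its action line is seen; a softfail that never gets a cleanup reject line stays rejected=False, which is the expected state once the header_checks rule from step (10) is removed.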
