app-MAIL-temp/docs/enforce-spf.md

52 lines
1.3 KiB
Markdown
Raw Normal View History

2020-05-09 14:52:04 +02:00
Some email services like Gmail, Protonmail, etc don't have a strict SPF record (`-all`) to support the "classic" email forwarding
that is usually used for group mailing list. In this scenario, an email is sent to a group is forwarded as-is,
breaking therefore the SPF.
A malicious hacker could use this security fail to impersonate your alias via the reverse-alias. This rarely happens
as the reverse-alias is generated randomly and is unique for each sender.
However if you want to prevent this kind of attack, you can enforce the SPF policy even if your mailbox uses a "soft" policy.
1) Install `postfix-pcre`
```bash
apt install -y postfix-pcre
```
2020-05-09 17:26:39 +02:00
2) Add `/etc/postfix/body_checks.pcre` file with the following content
2020-05-09 14:52:04 +02:00
```
/^X-SimpleLogin-Client-IP:/ IGNORE
```
2020-05-09 17:26:39 +02:00
3) Add `/etc/postfix/client_headers.pcre` with the following content
2020-05-09 14:52:04 +02:00
```
/^([0-9a-f:.]+)$/ prepend X-SimpleLogin-Client-IP: $1
```
4) Add the following lines to your Postfix config file at `/etc/postfix/main.cf`
```
2020-05-09 17:26:39 +02:00
body_checks = pcre:/etc/postfix/body_checks.pcre
2020-05-09 14:52:04 +02:00
smtpd_client_restrictions = pcre:/etc/postfix/client_headers.pcre
```
5) Enable `ENFORCE_SPF` in your SimpleLogin config file
```
ENFORCE_SPF=true
```
6) Restart Postfix
```bash
systemctl restart postfix
```
7) Restart SimpleLogin mail handler
```bash
sudo docker restart sl-email
```