app-MAIL-temp/docs/enforce-spf.md

Some email services like Gmail, Proton Mail, etc don't have a strict SPF record (`-all`) to support the "classic" email forwarding
that is usually used for group mailing list. In this scenario, an email is sent to a group is forwarded as-is,
breaking therefore the SPF.

A malicious hacker could use this security fail to impersonate your alias via the reverse-alias. This rarely happens
as the reverse-alias is generated randomly and is unique for each sender.

However if you want to prevent this kind of attack, you can enforce the SPF policy even if your mailbox uses a "soft" policy.

1) Install `postfix-pcre`

```bash
apt install -y postfix-pcre
```

2) Add `/etc/postfix/body_checks.pcre` file with the following content

```
/^X-SimpleLogin-Client-IP:/    IGNORE
```

3) Add `/etc/postfix/client_headers.pcre` with the following content

```
/^([0-9a-f:.]+)$/ prepend X-SimpleLogin-Client-IP: $1
```

4) Add the following lines to your Postfix config file at `/etc/postfix/main.cf`

```
body_checks = pcre:/etc/postfix/body_checks.pcre
smtpd_client_restrictions = pcre:/etc/postfix/client_headers.pcre
```

5) Enable `ENFORCE_SPF` in your SimpleLogin config file

```
ENFORCE_SPF=true
```

6) Restart Postfix

```bash
systemctl restart postfix
```

7) Restart SimpleLogin mail handler

```bash
sudo docker restart sl-email
```
use Proton Mail instead of Protonmail (#1336) 2022-10-06 17:43:01 +02:00			Some email services like Gmail, Proton Mail, etc don't have a strict SPF record (`-all`) to support the "classic" email forwarding
Update pre-commit (#1138) * Update pre-commit * Upgrade djlint, remove flake8 and add pylint * Reformat with new djlint version * Run pre-commit on CI * Use only python3.10 on CI * Reformat files with pre-commit * Run pre-commit against all files * Reformat * Added global excludes * Added pre-commit to the contributing file * Set python 3.9 as default * Set language version to python3 Co-authored-by: Adrià Casajús <adria.casajus@proton.ch> Co-authored-by: Carlos Quintana <carlos.quintana@proton.ch> 2022-07-04 16:01:04 +02:00			`that is usually used for group mailing list. In this scenario, an email is sent to a group is forwarded as-is,`
Add enforce-spf doc 2020-05-09 14:52:04 +02:00			`breaking therefore the SPF.`

			`A malicious hacker could use this security fail to impersonate your alias via the reverse-alias. This rarely happens`
			`as the reverse-alias is generated randomly and is unique for each sender.`
Update pre-commit (#1138) * Update pre-commit * Upgrade djlint, remove flake8 and add pylint * Reformat with new djlint version * Run pre-commit on CI * Use only python3.10 on CI * Reformat files with pre-commit * Run pre-commit against all files * Reformat * Added global excludes * Added pre-commit to the contributing file * Set python 3.9 as default * Set language version to python3 Co-authored-by: Adrià Casajús <adria.casajus@proton.ch> Co-authored-by: Carlos Quintana <carlos.quintana@proton.ch> 2022-07-04 16:01:04 +02:00
Add enforce-spf doc 2020-05-09 14:52:04 +02:00			`However if you want to prevent this kind of attack, you can enforce the SPF policy even if your mailbox uses a "soft" policy.`

			1) Install `postfix-pcre`

			```bash
			`apt install -y postfix-pcre`
Update pre-commit (#1138) * Update pre-commit * Upgrade djlint, remove flake8 and add pylint * Reformat with new djlint version * Run pre-commit on CI * Use only python3.10 on CI * Reformat files with pre-commit * Run pre-commit against all files * Reformat * Added global excludes * Added pre-commit to the contributing file * Set python 3.9 as default * Set language version to python3 Co-authored-by: Adrià Casajús <adria.casajus@proton.ch> Co-authored-by: Carlos Quintana <carlos.quintana@proton.ch> 2022-07-04 16:01:04 +02:00			```

Fix enforce-spf.md 2020-05-09 17:26:39 +02:00			2) Add `/etc/postfix/body_checks.pcre` file with the following content
Add enforce-spf doc 2020-05-09 14:52:04 +02:00
			```
			`/^X-SimpleLogin-Client-IP:/ IGNORE`
			```

Fix enforce-spf.md 2020-05-09 17:26:39 +02:00			3) Add `/etc/postfix/client_headers.pcre` with the following content
Add enforce-spf doc 2020-05-09 14:52:04 +02:00
			```
			`/^([0-9a-f:.]+)$/ prepend X-SimpleLogin-Client-IP: $1`
			```

			4) Add the following lines to your Postfix config file at `/etc/postfix/main.cf`

			```
Fix enforce-spf.md 2020-05-09 17:26:39 +02:00			`body_checks = pcre:/etc/postfix/body_checks.pcre`
Add enforce-spf doc 2020-05-09 14:52:04 +02:00			`smtpd_client_restrictions = pcre:/etc/postfix/client_headers.pcre`
			```

			5) Enable `ENFORCE_SPF` in your SimpleLogin config file

			```
			`ENFORCE_SPF=true`
			```

			`6) Restart Postfix`

			```bash
			`systemctl restart postfix`
			```

			`7) Restart SimpleLogin mail handler`

			```bash
			`sudo docker restart sl-email`
			```