app-MAIL-temp/docs/enforce-spf.md

52 lines
1.3 KiB
Markdown
Raw Normal View History

Some email services like Gmail, Protonmail, etc don't have a strict SPF record (`-all`) to support the "classic" email forwarding
that is usually used for group mailing list. In this scenario, an email is sent to a group is forwarded as-is,
2020-05-09 14:52:04 +02:00
breaking therefore the SPF.
A malicious hacker could use this security fail to impersonate your alias via the reverse-alias. This rarely happens
as the reverse-alias is generated randomly and is unique for each sender.
2020-05-09 14:52:04 +02:00
However if you want to prevent this kind of attack, you can enforce the SPF policy even if your mailbox uses a "soft" policy.
1) Install `postfix-pcre`
```bash
apt install -y postfix-pcre
```
2020-05-09 17:26:39 +02:00
2) Add `/etc/postfix/body_checks.pcre` file with the following content
2020-05-09 14:52:04 +02:00
```
/^X-SimpleLogin-Client-IP:/ IGNORE
```
2020-05-09 17:26:39 +02:00
3) Add `/etc/postfix/client_headers.pcre` with the following content
2020-05-09 14:52:04 +02:00
```
/^([0-9a-f:.]+)$/ prepend X-SimpleLogin-Client-IP: $1
```
4) Add the following lines to your Postfix config file at `/etc/postfix/main.cf`
```
2020-05-09 17:26:39 +02:00
body_checks = pcre:/etc/postfix/body_checks.pcre
2020-05-09 14:52:04 +02:00
smtpd_client_restrictions = pcre:/etc/postfix/client_headers.pcre
```
5) Enable `ENFORCE_SPF` in your SimpleLogin config file
```
ENFORCE_SPF=true
```
6) Restart Postfix
```bash
systemctl restart postfix
```
7) Restart SimpleLogin mail handler
```bash
sudo docker restart sl-email
```