Add enforce-spf doc
This commit is contained in:
parent
acf628f8f2
commit
a3a8a13840
|
@ -559,6 +559,7 @@ Below are pointers to different topics:
|
|||
- [UFW - uncomplicated firewall](docs/ufw.md)
|
||||
- [SES - Amazon Simple Email Service](docs/ses.md)
|
||||
- [Upgrade existing SimpleLogin installation](docs/upgrade.md)
|
||||
- [Enforce SPF](docs/enforce-spf.md)
|
||||
|
||||
## Contributing
|
||||
|
||||
|
|
|
@ -0,0 +1,51 @@
|
|||
Some email services like Gmail, Protonmail, etc don't have a strict SPF record (`-all`) to support the "classic" email forwarding
|
||||
that is usually used for group mailing list. In this scenario, an email is sent to a group is forwarded as-is,
|
||||
breaking therefore the SPF.
|
||||
|
||||
A malicious hacker could use this security fail to impersonate your alias via the reverse-alias. This rarely happens
|
||||
as the reverse-alias is generated randomly and is unique for each sender.
|
||||
|
||||
However if you want to prevent this kind of attack, you can enforce the SPF policy even if your mailbox uses a "soft" policy.
|
||||
|
||||
1) Install `postfix-pcre`
|
||||
|
||||
```bash
|
||||
apt install -y postfix-pcre
|
||||
```
|
||||
|
||||
2) Add `pcre:/etc/postfix/body_checks` file with the following content
|
||||
|
||||
```
|
||||
/^X-SimpleLogin-Client-IP:/ IGNORE
|
||||
```
|
||||
|
||||
3) Add `pcre:/etc/postfix/client_headers.pcre` with the following content
|
||||
|
||||
```
|
||||
/^([0-9a-f:.]+)$/ prepend X-SimpleLogin-Client-IP: $1
|
||||
```
|
||||
|
||||
4) Add the following lines to your Postfix config file at `/etc/postfix/main.cf`
|
||||
|
||||
```
|
||||
body_checks = pcre:/etc/postfix/body_checks
|
||||
smtpd_client_restrictions = pcre:/etc/postfix/client_headers.pcre
|
||||
```
|
||||
|
||||
5) Enable `ENFORCE_SPF` in your SimpleLogin config file
|
||||
|
||||
```
|
||||
ENFORCE_SPF=true
|
||||
```
|
||||
|
||||
6) Restart Postfix
|
||||
|
||||
```bash
|
||||
systemctl restart postfix
|
||||
```
|
||||
|
||||
7) Restart SimpleLogin mail handler
|
||||
|
||||
```bash
|
||||
sudo docker restart sl-email
|
||||
```
|
Loading…
Reference in New Issue