Ville Walveranta wrote:
> Here's an idea.. maybe it's useful for someone, so I post it here.
>
> I'm setting up a local mail server to cache remote service's mail for
> faster access on the LAN. The remote server has an up-to-date SPF
> record that is updated whenever the sending IP ranges change. I want
> to limit unauthenticated mail reception to the sending servers of the
> remote mail system. I use the following in main.cf:
>
> smtpd_client_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     check_client_access
>         cidr:$config_directory/tables/client_access_maps.cidr
>     reject
>
> To automatically keep the client_access_maps.cidr up-to-date I run the
> following as a cron-job.. perhaps every hour. The SPF record changes
> rarely, but obviously when it does, the mail would not be accepted on
> the local server without an update. On the other hand, I assume when
> the sending ranges change, the SPF records are updated well in advance
> so there is plenty of time for the local system to pick up the change.
>
> The following is "concept"; I don't have the script yet ready, but
> it'll be easy to write with your favorite scripting language:
>
> -------
> 1. get your remote sender's current SPF record:
>
>    dig yourremotesender.com txt > tempfile
>
> 2. parse the result in tempfile with regex:
>
>    /.*?ANSWER\sSECTION:.*?yourremotesender\.com*.\s+?\d+?\s+?IN\s+?TXT\s+?"v=spf1\s+?([^)]+?)\s+?.all"/
>
>    (dot matches newline)
>
> 3. explode the result
>
> 4. remove "ip4:" from the front of each segment if present
>
> 5. mogrify to format
>
>    <ip> OK
>    <ip>/cidr OK
>
>    .. and save to a temp file.
>
> 6. compare the checksum of the temp file to the currently active
>    client_access_maps.cidr; if different..
>
> 7. copy the tempfile to ../postfix/tables/client_access_maps.cidr
>
> 8. execute `postfix reload'
so you would block mail from me?

if you want to jump the SPF wagon, it is a good idea to go for "generalized SPF" (GSPF): also allow hosts that match the sender domain (host.example.com can send mail on behalf of *...@example.com). if this is not acceptable, resolve smtp.example.com, mail.example.com, mx.example.com, ... but you may also need things like smtp-1.example.com, ...

all that said, if you whitelist IPs or blocks, please submit them to DNSWL.
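As an added illustration of the steps quoted above (this is not the poster's script, which they said was not yet written), the following Python turns an SPF TXT string into the Postfix cidr: table format and decides whether the active table needs replacing. It goes a little beyond the quoted recipe: it also emits ip6: networks, and it reports include:/a/mx/redirect terms that the regex approach would silently drop, because those need further DNS lookups before the table is complete. The SPF record is a constructed sample using documentation address ranges; fetching the real record (dig, or a DNS library) and the copy plus `postfix reload` step are left to the cron wrapper.

```python
import hashlib
import ipaddress
import re

# Constructed sample SPF record (documentation prefixes, not a real sender).
SAMPLE_SPF = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 "
              "ip6:2001:db8::/32 include:_spf.example.net ~all")

# mechanism or modifier: optional qualifier, name, optional ':' or '=' argument
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=](.*))?$", re.I)


def parse_spf(record):
    """Return (networks, unresolved) for one SPF record string.

    networks   - ipaddress network objects from ip4:/ip6: mechanisms
    unresolved - terms that need extra DNS work (include:, a, mx, ptr,
                 exists:, redirect=) and therefore cannot go straight
                 into a cidr table
    """
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF version 1 record")
    networks, unresolved = [], []
    for term in record.split()[1:]:
        body = term.lstrip("+-~?")          # drop the qualifier, if any
        m = TERM_RE.match(body)
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name in ("ip4", "ip6") and arg:
            # strict=False accepts host bits set, e.g. 198.51.100.17 -> /32
            networks.append(ipaddress.ip_network(arg, strict=False))
        elif name == "all":
            continue                         # the default; no network to list
        else:
            unresolved.append(term)
    return networks, unresolved


def render_cidr_table(networks):
    """Postfix cidr: table body: one 'network/prefix OK' line per network."""
    return "".join(f"{net.with_prefixlen} OK\n" for net in networks)


def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()


def needs_update(new_table, current_table):
    """Step 6 of the quoted recipe: only replace and reload when the
    generated table differs from the one Postfix is currently using."""
    return digest(new_table) != digest(current_table)


def build_table(record):
    """Convenience wrapper: (table text, list of terms still to resolve)."""
    networks, unresolved = parse_spf(record)
    return render_cidr_table(networks), unresolved


if __name__ == "__main__":
    table, pending = build_table(SAMPLE_SPF)
    print(table, end="")
    if pending:
        print("# unresolved SPF terms (need DNS lookups):", ", ".join(pending))
```

In a cron wrapper, write the table to a temporary file, call needs_update() against the live client_access_maps.cidr, and only then copy it into place and run `postfix reload`; if the unresolved list is non-empty, the table is incomplete and should not be installed until those terms have been expanded.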