SPF and SRS

From Qmail-LDAP Wiki

Contents 1 Purpose 2 Usage 2.1 SPF 3 SRS 4 Download and Configuration 4.1 Configuring the SPF 4.2 Configuring the SRS 5 Links

Purpose

SPF means Sender Policy Framework and it is a technology used to atempt controlling forged e-mail. SPF can be used by domain owners to:

• tell everyone which mail sources are legitimate for their domain and which ones aren't.
• accept mails from domains which follow SPF rules.

But SPF "breaks" email forwarding. So, SRS (Sender Rewriting Scheme) fixes that, rewriting the sender address. It is necessary add a SRS domain in your DNS to handle bounce messages.

This patch implements SPF+SRS, adapted from Christophe Saout's SPF code and Marcelo Coelho's SRS code for qmail.

Usage

This patch introduces the following config files:

SPF

• control/spfbehavior: SPF behavior. Default: 0
• control/rules: local rules that must be applied before the real SPF rules for a domain that fails. Example: include:spf.trusted-forwarder.org
• control/spfguess: rules that must be applied when a domain doesn't publish SPF Rules. Example: a/24 mx/24 ptr.
• control/spfexp: your own explanation about SPF when a mail is rejected. Example: 550 the expanded SPF explanation (#5.7.1)

SRS

• control/srs_secrets: the domain used in rewritten addresses. Example: srs.foo-bar.org.
• control/srs_secrets: a random string use to generate and to check SRS address. Example: foobar123.
• control/srs_maxage: the maximum permitted age (in days) of a rewritten address. Example: 7.
• control/srs_hashlength: the hash length to generate in a rewritten address. Example: 4.
• control/srs_hashmin: the hash length required when check an address. Example: 4.
• control/srs_separator: the separator that appears immediately after SRS[01] in a rewritten address. Example: =
• control/srs_alwaysrewrite: skip control/rcpthosts check and perform SRS rewriting for all forwarding, even when it is not required. Default: 0.

Download and Configuration

Download: http://www.cisc.usp.br/wiki/images/d/d6/Qldap_spfsrs.zip

• Apply the qmail-ldap patch.
• Go to qmail-1.03 directory and apply the patch: patch -p1 < /path/to/qldap-spf+srs.patch

ATTENTION: SRS requires libsrs2 library.

Configuring the SPF

• Create the control/spfbehavior: echo 1 > /var/qmail/control/spfbehavior.

Configuring the SRS

• Create the control/srs_domain: echo srs.foo-bar.org > /var/qmail/control/srs_domain
• Create the control/srs_secrets: echo foobar123 > /var/qmail/control/srs_secrets
• Add the SRS domain created in the control/rcpthosts: echo srs.foo-bar.org >> /var/qmail/control/rcpthosts
• Add the alias to handle the srs.foo-bar.org: echo "|/var/qmail/bin/srsfilter" > /var/qmail/alias/.qmail-srs-default

ATTENTION: It is necessary to create a MX record for srs.foo-bar.org pointing to your server to deal with bounce messages.

Links

• SPF
• SRS
• Christophe Saout's SPF code for qmail
• Marcelo Coelho's SRS code for qmail
• libsrs2 library

--Rogerio Kondo 18:00, March 18th, 2010