Tag Archives: Linux How to

Unix Similar multi-user operating systems based on the Linux kernel and essentially on GNU software. Like CentOS, Debian, Ubuntu Fedora.

How to use Sender Policy Framework on Debian Server

Sender Policy Framework (SPF) is a service deployed to avoid being identified as a spam sender.

postfix-policyd-spf is a fully functional engine for SPF verification under Postfix. The daemon includes a variety of mechanisms and policy options to meet a wide variety of system requirements. postfix-policyd-spf-perl was implemented on Perl, further available on Python there is postfix-policyd-spf-python, the Python SPF module (spf) is used. As a Postfix module, it supports RFC 7208 of the Sender Policy Framework (SPF).

How to use Sender Policy Framework on Debian Server

Additional information is stored in the DNS (Domain Name System) in the form of an SPF record. This TXT-based SPF record contains specific information about authorized mail servers, Mail Transfer Agent (MTA).

How to install Postfix policyd-spf

The installation on Debian 10 and Debian 11 starts as root as follows:

$ apt install postfix-policyd-spf-python

If the Perl module is preferred, the Perl SPF-Milter can be installed as root as follows.

$ apt install postfix-policyd-spf-perl

After postfix-policyd-spf-python, or postfix-policyd-spf-perl is installed, we edit the configuration file of the postfix master process.

$ vi /etc/postfix/master.cf

To launch the Postfix statement with the Python SPF policy checker, add the following lines to the end of the master.cf file.

policyd-spf  unix  -       n       n       -       0       spawn
   user=policyd-spf argv=/usr/bin/policyd-spf

Use the SPF policy verification on the Perl implementation is as follows.

policyd-spf  unix  -       n       n       -       0       spawn
   user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl

Save and close the file. Next, edit the Postfix main configuration file.

$ vi /etc/postfix/main.cf

Add the following lines to the end of the main.cf file. The first line specifies the timeout setting for the Postfix Policy Agent. The following lines restrict incoming emails by checking the SPF record and rejecting unauthorized emails.

policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_policy_service unix:private/policyd-spf

Note! if check_policy_service is not the last line below the section smtpd_recipient_restrictions, then there must be a comma (,) at the end of the line. No comma on the last entry.

Save and close the file.

  Ensure that the user id policyd-spf exist by run id policyd-spf, if not exist, the system account is created as follows.

$ useradd -r -M policyd-spf -s /usr/sbin/nologin

Then restart the Postfix using systemctl.

$ systemctl restart postfix

The next time receive an email by a domain with an SPF record in DNS, you can see the results of the SPF verification in the RAW email header. The following header indicates that the sender sent the email from an authorized host.

policyd-spf[733750]: prepend Received-SPF: Pass

The output appers when using Postfix Policy-SPF with Perl.

postfix/policy-spf[735983]: Policy action=PREPEND Received-SPF: pass

Verify Python and SPF

When using postfix-policyd-spf-python, Python must be available on the server, as well as the Python SPF module. The verification can be carried out as follows.

$ python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44)
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> help('modules')

If Python is installed on the system, the help('modules') command displays multiple modules in columns. The spf and spf_engine module is required. The Python module can be added as follows.

pip install pypolicyd-spf

Verify SPF Record

To verify the SPF TXT Record for a specific domain, run the lookup command out from linux terminal.

$ dig TXT mydomain.net +short
 "v=spf1 a mx ~all"

Using windows then run this command in the command prompt (cmd).

C:\> nslookup -type=TXT mydomain.net
 "v=spf1 a mx ~all"

Block IP address using Linux Firewall

DDoS and suspicious attacks from source IP addresses can exhaust services and system resources. This tutorial show the commands to block IP addresses on common Linux kernel firewalls

Fire up a terminal and log on to the server by using SSH and then complete the steps for firewalld in the first chapter. The second chapter shows the commands for UFW, and the third shows using iptables.

firewalld commands

firewalld is on RHEL 7 and later, CentOS 7, Fedora 18 and later.

To ensure that firewalld is running on your server, run the following command. If firewalld is not running, go to the iptables chapter.

$ sudo systemctl status firewalld

Run the following command to block the IP address and to add the rule to the permanent set:

$ sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='xxx.xxx.xxx.xxx' reject"

Run the following command to reload the firewalld rules:

$ sudo firewall-cmd --reload

Run the following command to list and verify the new rule:

$ sudo firewall-cmd --list-all

Run the following command to remove a blocked IP address.

$ sudo firewall-cmd --remove-rich-rule="rule family='ipv4' source address='xxx.xxx.xxx.xxx' reject"

Run the following command to verify the firewalld is running.

$ firewall-cmd --state

Uncomplicated Firewall (UFW)

ufw is available on Debian 6 and later, Ubuntu 8.04 LTS and later.

To ensure that ufw is running on your server, run the following command. If ufw is not running, go to the iptables chapter.

$ sudo systemctl status ufw

Run the following command to block the IP address:

$ sudo ufw deny from xxx.xxx.xxx.xxx to any

Run the following command to list and verify the new rule:

$ sudo ufw status

Run the following command to remove a blocked IP address.

$ sudo ufw delete 7

Run the following command to show numbered list of firewall rules.

$ ufw status numbered

iptables chains

iptables is commonly pre-installed on all Linux distributions.

Run the following command to block the IP address:

$ sudo iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

Run the following command to save the settings. The settings persist after the server reboots.

$ sudo service iptables save

Run the following command to list and verify the new rule:

$ sudo iptables -vnL

Run the following command to delete a iptables chain.

$ sudo iptables -D INPUT 7

Run the following command to show numbered list of iptables chains.

$ sudo iptables -L --line-numbers