SPF / greylist
What is SPF
SPF stands for Sender Policy Framework. In a few words, it lets a domain declare which mail servers are allowed to send mail on its behalf. It is different from MX records in DNS: an MX record is used by a remote SMTP service that wants to reach a server of your domain able to receive mail. SPF also uses DNS, but to declare outgoing mail servers. When an SMTP server receives mail claiming to be sent from your domain, SPF lets it verify that the mail is not forged.
How does it work? Simply said, you add a TXT DNS record to your domain, following the SPF specification. For example, for bind:
yourdomain.com. IN TXT "v=spf1 mx -all"
When a remote server using SPF receives mail claiming to be from yourdomain.com, it queries the DNS server of yourdomain.com and gets the text record. In this example, "v=spf1 mx -all" means that the only SMTP servers allowed to send mail from yourdomain.com are the servers listed as MX records for yourdomain.com. Any other server is trying to forge mail and can safely be rejected.
Drawbacks:
- Every domain has to declare an SPF text record for itself, which is not the case for all domains.
- An SPF check is at least one DNS query. It may be slow, but it is cacheable.
- In case of DNS failure, what should the server do? Neither accepting nor rejecting the mail is always the adequate solution.
For more info, take a look at http://www.openspf.org/ or the rfc http://www.ietf.org/internet-drafts/draft-schlitt-spf-classic-02.txt
What is greylisting
Greylisting is a simple technique to lower the amount of spam received, at a low resource cost. When a client connects to an SMTP server, the server is at some point able to determine whether it is a mail client or a remote SMTP server. In the latter case, the greylist temporarily rejects the mail (soft fail) but keeps track of the attempt. When the remote SMTP server connects back, if it is known to the greylist, the mail is accepted. Most "zombie" senders and other tools used by spammers won't retry, whereas a legitimate SMTP server will retry later (the SMTP RFC treats a temporary failure as "not reliable", that is to say "retry later").
SPF / Greylist plugin in Jsmtpd
There is an experimental plugin for Jsmtpd combining these two methods to lower spam. The plugin first checks whether there are SPF records that prove the sender's identity. If the check passes, the mail is accepted directly. If it fails for one reason or another (no SPF record, misconfigured SPF, etc.), the greylist delaying technique is used. No mail should be lost, as long as the remote SMTP server retries sending. The major drawback is delayed delivery: you don't receive mail immediately when using this plugin; the delay depends on the remote SMTP server's retry interval.
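As an added illustration of the decision flow just described (not the plugin's own code, which is Java), the following Python sketch evaluates a minimal SPF record such as the "v=spf1 mx -all" example above and, when SPF does not pass, falls back to a greylist keyed on the (client IP, sender, recipient) triplet. The in-memory DNS data, the 300-second greylist delay and the function names are assumptions made for this example.

```python
import ipaddress
import time
# Constructed DNS data in place of real lookups (an assumption for this example).
DNS = {
    ("yourdomain.com", "TXT"): ["v=spf1 mx -all"],
    ("yourdomain.com", "MX"): ["mail.yourdomain.com"],
    ("mail.yourdomain.com", "A"): ["192.0.2.10"],
}

def lookup(name, rtype):
    return DNS.get((name, rtype), [])

def spf_check(domain, client_ip):
    """Minimal SPF evaluator (mx, a, ip4, all); returns pass/fail/softfail/neutral/none."""
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"  # no SPF record: the plugin falls back to greylisting
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = client_ip in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(client_ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        else:
            continue  # unsupported mechanism; a full SPF implementation would raise permerror
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"

class Greylist:
    """Track (client_ip, sender, recipient) triplets; a retry before `delay` seconds is still refused."""
    def __init__(self, delay=300):
        self.delay, self.seen = delay, {}
    def decide(self, client_ip, sender, rcpt, now):
        first = self.seen.setdefault((client_ip, sender, rcpt), now)
        return "accept" if now - first >= self.delay else "tempfail"

def rcpt_decision(client_ip, sender, rcpt, greylist, now=None):
    """The plugin's flow: an SPF pass accepts at once; anything else is greylisted."""
    now = time.time() if now is None else now
    if spf_check(sender.rsplit("@", 1)[-1], client_ip) == "pass":
        return "accept"
    return greylist.decide(client_ip, sender, rcpt, now)
```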
More about this plugin
This plugin is a "silent" SMTP extension, that is to say it does not expose any service to clients. Instead, on each RCPT command, it overrides the default behaviour of the server in case of SPF test failure and exposes a greylist service instead.
There is a problem in the core of the current release of Jsmtpd (0.5b) in the way it handles silent SMTP extensions, so you will have to take a package from the auto-build system. You can grab one at http://www.taldius.net/luntbuild/luntbuild-login.jsp . The fix will be included in the next release.
Also, note that this plugin is experimental. Use at your own risk (but it should be okay anyway ;)
Source / bin
Check out the source with a Subversion client:
svn checkout http://www.taldius.net/svn/jsmtpd-ro/trunk/Jsmtpd-spf/
Use ant to build it; it is also compiled on the svn.
Install
Make sure you have the correct version of Jsmtpd already running. Copy
dist/greylist-spf.jar lib/spf.jar
to Jsmtpd's plugin directory.
Then, edit your etc/jsmtpd-plugin-config.xml to add the following element as a child of the smtpExtensions element, like this:
<smtpExtensions>
  <smtpExtension name="Greylist SPF" class="org.jsmtpd.plugins.smtpExtensions.GreyList"/>
</smtpExtensions>
Restart Jsmtpd, and you're done.
Copyright notice
The plugin uses the SPF Java implementation made by Mimecast (contact: rfullerton-AT-mimecast.com). Project on SourceForge: https://sourceforge.net/projects/spfjava/ . SPFJava licence files are present in the lib folder.
