taRgrey(S25R+tarpitting+greylisting)
Characteristics of spam senders: they often connect from dynamic IP addresses, and because they blast mail at a huge number of servers, they give up on any server that responds slowly or rejects them.
Install milter-greylist
[root@falcon21 ~]# yum -y install milter-greylist
Configure milter-greylist
[root@falcon21 ~]# vi /etc/mail/greylist.conf
9 socket "/run/milter-greylist/milter-greylist.sock" 600
35 # internal network addresses
36 list "my network" addr { \
37 127.0.0.1/8 \
38 #10.0.0.0/8 \
39 192.168.0.0/24 \
40 192.168.1.0/24 \
41 #172.16.0.0/12 \
42 192.168.2.0/24 \
43 }
150 #racl greylist list "grey users" delay 30m autowhite 3d
151 #racl whitelist default
152 racl whitelist tarpit 125s ← added (delay the response by 125 seconds; accept if the connection is still open afterwards)
153 #racl greylist default ← added (if the client disconnects without waiting out the 125-second delay and then reconnects, temporarily reject it and request a retry)
Start milter-greylist
[root@falcon21 ~]# systemctl start milter-greylist
[root@falcon21 ~]# systemctl enable milter-greylist
Created symlink from /etc/systemd/system/multi-user.target.wants/milter-greylist.service to /usr/lib/systemd/system/milter-greylist.service.
[root@falcon21 ~]# systemctl status milter-greylist -l
● milter-greylist.service - Grey listing filter for sendmail
Loaded: loaded (/usr/lib/systemd/system/milter-greylist.service; enabled; vendor preset: disabled)
Active: failed (Result: start-limit) since 水 2019-11-13 20:01:34 JST; 8s ago
Process: 26674 ExecStart=/usr/sbin/milter-greylist -D (code=exited, status=65)
Main PID: 26674 (code=exited, status=65)
11月 13 20:01:34 falcon21.space systemd[1]: milter-greylist.service: main process exited, code=exited, status=65/n/a
11月 13 20:01:34 falcon21.space systemd[1]: Unit milter-greylist.service entered failed state.
11月 13 20:01:34 falcon21.space systemd[1]: milter-greylist.service failed.
11月 13 20:01:34 falcon21.space systemd[1]: milter-greylist.service holdoff time over, scheduling restart.
11月 13 20:01:34 falcon21.space systemd[1]: Stopped Grey listing filter for sendmail.
11月 13 20:01:34 falcon21.space systemd[1]: start request repeated too quickly for milter-greylist.service
11月 13 20:01:34 falcon21.space systemd[1]: Failed to start Grey listing filter for sendmail.
11月 13 20:01:34 falcon21.space systemd[1]: Unit milter-greylist.service entered failed state.
11月 13 20:01:34 falcon21.space systemd[1]: milter-greylist.service failed.
Configure Postfix
[root@falcon21 ~]# vi /etc/postfix/main.cf
Append at the end of the file
716 milter_command_timeout = 150
Install milter-manager
Add the milter-manager_repos repository
[root@falcon21 ~]# curl -s https://packagecloud.io/install/repositories/milter-manager/repos/script.rpm.sh | bash
[root@falcon21 ~]# yum -y install milter-manager
インストール:
milter-manager.x86_64 0:2.1.5-1.el7
依存性を更新しました:
libmilter-client.x86_64 0:2.1.5-1.el7 libmilter-client-devel.x86_64 0:2.1.5-1.el7
libmilter-core.x86_64 0:2.1.5-1.el7 libmilter-core-devel.x86_64 0:2.1.5-1.el7
libmilter-server.x86_64 0:2.1.5-1.el7 libmilter-server-devel.x86_64 0:2.1.5-1.el7
milter-manager-libs.x86_64 0:2.1.5-1.el7 ruby-milter-client.x86_64 0:2.1.5-1.el7
ruby-milter-core.x86_64 0:2.1.5-1.el7 ruby-milter-server.x86_64 0:2.1.5-1.el7
完了しました!
New leaves:
milter-manager.x86_64
Start milter-manager
[root@falcon21 ~]# systemctl start milter-manager
[root@falcon21 ~]# systemctl enable milter-manager
Created symlink from /etc/systemd/system/multi-user.target.wants/milter-manager.service to /usr/lib/systemd/system/milter-manager.service.
[root@falcon21 ~]# systemctl status milter-manager
● milter-manager.service - milter-manager server daemon
Loaded: loaded (/usr/lib/systemd/system/milter-manager.service; enabled; vendor preset: disabled)
Active: active (running) since 水 2019-11-13 20:22:07 JST; 1min 22s ago
Main PID: 32529 (milter-manager)
CGroup: /system.slice/milter-manager.service
├─32523 /usr/sbin/milter-manager --daemon --pid-file /var/run/milter-manager/milter-manager....
└─32529 /usr/sbin/milter-manager --daemon --pid-file /var/run/milter-manager/milter-manager....
11月 13 20:22:05 falcon21.space systemd[1]: Starting milter-manager server daemon...
11月 13 20:22:07 falcon21.space systemd[1]: PID file /var/run/milter-manager/milter-manager.pid no...art.
11月 13 20:22:07 falcon21.space systemd[1]: Started milter-manager server daemon.
Hint: Some lines were ellipsized, use -l to show in full.
Postfix / milter-manager integration settings
[root@falcon21 ~]# vi /etc/postfix/main.cf
Append at the end of the file
717 milter_protocol = 6
718 milter_default_action = tempfail
719 milter_mail_macros = {auth_author} {auth_type} {auth_authen}
720 smtpd_milters = unix:/var/run/milter-manager/milter-manager.sock
Add the postfix user to the milter-manager group
[root@falcon21 ~]# usermod -G milter-manager -a postfix
Apply the Postfix settings
[root@falcon21 ~]# systemctl reload postfix
milter-manager / milter-greylist integration settings
Add the milter-manager user to the grmilter group
[root@falcon21 ~]# usermod -G grmilter -a milter-manager
Add the milter-manager user to the mail group
[root@falcon21 ~]# usermod -G mail -a milter-manager
Restart milter-manager
[root@falcon21 ~]# systemctl restart milter-manager
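The three usermod commands above only work if the memberships really land in /etc/group, and a typo in a group name fails silently at the socket-permission stage later. As an added check (my own Ruby, not from the original page or from milter-manager), the snippet below parses /etc/group and reports any of the required memberships that is missing; the user and group names are the ones used on this page, the function names are assumptions of this example.

```ruby
# Added example, not from the original page: confirm the group memberships
# that the three usermod commands above create, by parsing /etc/group.
# The user/group names mirror the commands on this page.
REQUIRED_MEMBERSHIPS = {
  "postfix"        => ["milter-manager"],
  "milter-manager" => ["grmilter", "mail"],
}.freeze

# Parse /etc/group text ("name:password:gid:member,member") into
# { group name => [members] }.
def parse_groups(group_text)
  group_text.each_line.with_object({}) do |line, groups|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    name, _password, _gid, members = line.split(":", 4)
    groups[name] = (members || "").strip.split(",").reject(&:empty?)
  end
end

# Returns one message per missing membership; an empty array means every
# required membership is present. Only supplementary groups from /etc/group
# are checked, not primary groups from /etc/passwd.
def missing_memberships(group_text, required = REQUIRED_MEMBERSHIPS)
  groups = parse_groups(group_text)
  required.flat_map do |user, wanted|
    wanted.reject { |group| groups.fetch(group, []).include?(user) }
          .map { |group| "#{user} is not a member of #{group}" }
  end
end

if __FILE__ == $0 && File.readable?("/etc/group")
  problems = missing_memberships(File.read("/etc/group"))
  if problems.empty?
    puts "all required memberships present (restart the daemons so they pick the new groups up)"
  else
    puts problems
  end
end
```

Run it after the usermod steps; a non-empty list means one of the commands did not take effect. Group membership is read when a process starts, so the restart of milter-manager (and a reload of Postfix) is still needed after the check passes.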
Check the milter-manager configuration
[root@falcon21 ~]# milter-manager --show-config|less
:
:
:
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("milter-greylist") do |milter|
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:44
milter.connection_spec = "unix:/run/milter-greylist/milter-greylist.sock"
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:38
milter.description = "Grey listing filter for sendmail"
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:37
milter.enabled = true
# default
milter.fallback_status = "accept"
# default
milter.evaluation_mode = false
milter.applicable_conditions = [
# default
"Sendmail Compatible",
# default
"Stress Notify",
# default
"Trust",
# default
"Remote Network",
# default
"S25R", ← S25R is set as an applicable condition for milter-greylist (see the note below)
# default
"Unauthenticated",
]
-----------------------
S25R is not configured on the milter-greylist side. Instead, the S25R applicable condition that milter-manager ships as a built-in (/etc/milter-manager/applicable-conditions/s25r.conf) is used: milter-manager performs the S25R check, and only when it matches (when the connecting IP address may be a dynamic IP address) is control handed to milter-greylist. milter-greylist then performs tarpitting (delayed response) and greylisting (requesting a retry).
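To make the two-stage flow concrete, here is a small Ruby model of it, written for this page and not taken from milter-manager or milter-greylist. The first stage classifies the reverse DNS name with patterns that follow the published S25R general rules (they are written here for illustration, not copied from s25r.conf); the second stage is a simplified tarpit-then-greylist decision matching the annotations on the greylist.conf lines above. The 125-second tarpit comes from the page; the 30-minute greylist delay, the class and method names, and the sample host names are assumptions of this example.

```ruby
# Added example, not part of the original page or of milter-manager/milter-greylist:
# a Ruby model of the taRgrey decision flow. Step 1 (S25R) looks only at the
# reverse DNS name of the connecting host; step 2 (tarpit + greylist) is
# reached only for hosts that S25R flags.

# S25R general rules, applied to the lowercased reverse-lookup FQDN. The
# patterns follow the published S25R rules but are written here for
# illustration; they are not copied from the s25r.conf shipped by milter-manager.
S25R_RULES = [
  ["first label has two numbers separated by non-digits",  /\A[^.]*[0-9][^0-9.]+[0-9]/],
  ["first label has five or more consecutive digits",      /\A[^.]*[0-9]{5}/],
  ["first or second label starts with a digit, 4+ labels", /\A([^.]+\.)?[0-9][^.]*\.[^.]+\..+\.[a-z]/],
  ["three leading labels each end with a digit",           /\A[^.]*[0-9]\.[^.]*[0-9]\.[^.]*[0-9]\./],
  ["dynamic-host keyword followed by a digit",             /\A(dhcp|dialup|ppp|[achrsvx]?dsl)[^.]*[0-9]/],
].freeze

# Returns the description of the first matching rule, or nil when the host
# does not look like a dynamic address (and therefore skips milter-greylist).
def s25r_match(reverse_name)
  return "no reverse DNS" if reverse_name.nil? || reverse_name.empty?
  name = reverse_name.downcase
  S25R_RULES.each { |desc, re| return desc if name.match?(re) }
  nil
end

TARPIT_SECONDS = 125      # same value as "racl whitelist tarpit 125s" above
GREYLIST_DELAY = 30 * 60  # constructed retry window for this model (seconds)

# Simplified taRgrey stage for hosts that S25R flagged. State is the usual
# greylist triplet (client IP, sender, recipient) with its first-seen time.
class Targrey
  def initialize
    @greylist = {}
  end

  # One delivery attempt. held_seconds is how long the client stayed connected
  # while the response was delayed; now is the wall clock in seconds.
  # Returns [status, reason] where status is :accept or :tempfail.
  def decide(reverse_name:, client_ip:, sender:, recipient:, held_seconds:, now:)
    reason = s25r_match(reverse_name)
    return [:accept, "S25R not matched; milter-greylist skipped"] unless reason

    key = [client_ip, sender, recipient]
    first_seen = @greylist[key]
    if first_seen
      # Reconnected after giving up on the tarpit earlier: greylisting applies.
      if now - first_seen >= GREYLIST_DELAY
        @greylist.delete(key)
        [:accept, "S25R: #{reason}; retried after the greylist delay"]
      else
        [:tempfail, "S25R: #{reason}; retried too early, still greylisted"]
      end
    elsif held_seconds >= TARPIT_SECONDS
      [:accept, "S25R: #{reason}; waited through the tarpit"]
    else
      @greylist[key] = now
      [:tempfail, "S25R: #{reason}; gave up during the tarpit, greylisted"]
    end
  end
end

if __FILE__ == $0
  # Constructed sample connections: [reverse name, client IP, seconds held, clock].
  t = Targrey.new
  [["mx1.example.com", "192.0.2.10", 0, 0],
   ["cpe-24-197-52-200.example.net", "203.0.113.5", 125, 0],
   ["host220030220074.example.net", "203.0.113.6", 3, 0],
   ["host220030220074.example.net", "203.0.113.6", 3, 1900]].each do |name, ip, held, now|
    status, why = t.decide(reverse_name: name, client_ip: ip, sender: "a@example.org",
                           recipient: "b@example.com", held_seconds: held, now: now)
    puts "#{name.ljust(32)} #{status.to_s.ljust(9)} #{why}"
  end
end
```

The point the model makes visible: a mail server with a plain reverse name such as mx1.example.com never waits and is never greylisted, while a host whose name looks dynamic is accepted only if it either sits out the 125-second delay or comes back after the greylist delay. Legitimate MTAs do both; most spam tools do neither.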