#1
2nd September 2011, 14:57
hereinoz
Effect of SPF with Postfix

Hi all,

I am considering enabling SPF in Postfix, but I have one question before I do, and that is:

If I enable SPF, as per Falko's excellent HowTo, and an incoming mail message comes from a domain which has no SPF records at all in its DNS, does that email get passed, or does it get failed and dropped?

Hope you can help,

Alan.

#2
3rd September 2011, 11:24
falko

That's what I found on http://www.google.com/support/a/bin/...y?answer=33786 :

Quote:
If your domain does not have an SPF record, some recipient domains may reject messages from your users because they cannot validate that the messages come from an authorized mail server.

#3
4th September 2011, 01:18
hereinoz

Thanks Falko.

Doesn't really answer the question though. My question was specifically how Postfix with SPF would react if there were no SPF records in the sending domain's DNS. In other words, how it would react when it was one of the "some recipient domains" referred to on the Google page. Would it reject, or would it accept with no SPF records?

I guess the best way is to build one, send it an email from a domain without any SPF records, and see how it responds. At least then I will know.

Cheers,

#4
4th September 2011, 19:12
falko

I'm not totally sure, but I guess if there's no SPF record, Postfix will check the MX record and see if the mail originated from that server.

#5
4th September 2011, 23:15
hereinoz

No worries, I will build one and see what happens.

#6
12th October 2011, 14:18
ressel

Quote:
Originally Posted by hereinoz
No worries, I will build one and see what happens.

What result did you get?

#7
13th October 2011, 18:28
DrJohn

I recently implemented SPF in Postfix. With no SPF record Postfix defaults to passing the domain through. Here's the relevant portion of main.cf:
Code:
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/helo_client_exceptions,
    check_sender_access hash:/etc/postfix/sender_checks,
    reject_invalid_hostname,
### Can cause issues with Auth SMTP, so be wary!
    reject_non_fqdn_hostname,
##################################
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,

#SPF validation
    check_policy_service unix:private/policy,

# Add RBL exceptions here, when changing rbl_client_exceptions, this
# file must be regenerated using postmap <file>, to generate a
# Berkeley DB
    check_client_access hash:/etc/postfix/rbl_client_exceptions,
    check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client multi.uribl.com,
    reject_rbl_client bl.mailspike.net,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client psbl.surriel.com,

#postgrey
    check_policy_service inet:127.0.0.1:10023,
    permit

smtpd_data_restrictions =
    reject_unauth_pipelining,
    permit

In mail.log for a domain with no SPF TXT record:
Code:
Oct 13 15:07:52 m2a74am-vm5 postfix/policy-spf[1783]: : Policy action=PREPEND Received-SPF: none (smoby.fr: No applicable sender policy available) receiver=m2a74am-vm5.chromsource.loc; identity=mailfrom; envelope-from="3djpietrzyk@smoby.fr"; helo=187-11-194-118.dsl.telesp.net.br; client-ip=187.11.194.118
Then later with RBL:
Code:
Oct 13 15:07:52 m2a74am-vm5 postfix/smtpd[1764]: NOQUEUE: reject: RCPT from unknown[187.11.194.118]: 554 5.7.1 Service unavailable; Client host [187.11.194.118] blocked using b.barracudacentral.org; http://www.barracudanetworks.com/reputation/?pr=1&ip=187.11.194.118; from=<3djpietrzyk@smoby.fr> to=<someone@somwhere.com> proto=ESMTP helo=<187-11-194-118.dsl.telesp.net.br>
I am considering removing the SPF checks from Postfix because so far, after a week of use, only a very small percentage (< 0.5%) of incoming email does not pass the SPF check. I suspect that the subsequent RBL Checks will pick up most of the overt spam. I have, however, placed SPF TXT records into all of my domains.

BTW, barracudacentral.org catches 99+% of them before going to the others on the RBL list. I recommend registering with them if you have fixed IPs (it's free).

-- John
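
Added example (not part of DrJohn's post and not Postfix code): a Python tally of the `Received-SPF` results the policy service logs, matched by client IP against later RBL rejects, to measure how much of the non-passing mail the RBLs already catch. The sample lines are constructed in the format of the mail.log excerpts above; the regexes and the by-IP matching are assumptions based on that format.

```python
import re
from collections import Counter

# Constructed sample in the format of the mail.log excerpts above
# (example domains and documentation IPs, not from a real server).
SAMPLE_LOG = """\
Oct 13 15:07:52 mx postfix/policy-spf[1783]: : Policy action=PREPEND Received-SPF: none (nospf.example: No applicable sender policy available) receiver=mx.example.net; identity=mailfrom; envelope-from="a@nospf.example"; helo=h1.example; client-ip=192.0.2.10
Oct 13 15:07:52 mx postfix/smtpd[1764]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using b.barracudacentral.org; from=<a@nospf.example> to=<u@example.net> proto=ESMTP helo=<h1.example>
Oct 13 15:09:10 mx postfix/policy-spf[1783]: : Policy action=PREPEND Received-SPF: pass (hasspf.example: Sender is authorized) receiver=mx.example.net; identity=mailfrom; envelope-from="b@hasspf.example"; helo=mail.hasspf.example; client-ip=198.51.100.7
Oct 13 15:11:30 mx postfix/policy-spf[1783]: : Policy action=PREPEND Received-SPF: none (quiet.example: No applicable sender policy available) receiver=mx.example.net; identity=mailfrom; envelope-from="c@quiet.example"; helo=mail.quiet.example; client-ip=203.0.113.5
Oct 13 15:12:01 mx postfix/policy-spf[1783]: : Policy action=PREPEND Received-SPF: softfail (soft.example: Sender is not authorized by default) receiver=mx.example.net; identity=mailfrom; envelope-from="d@soft.example"; helo=h4.example; client-ip=192.0.2.44
Oct 13 15:12:01 mx postfix/smtpd[1764]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 554 5.7.1 Service unavailable; Client host [192.0.2.44] blocked using bl.mailspike.net; from=<d@soft.example> to=<u@example.net> proto=ESMTP helo=<h4.example>
"""

# Policy-service line: SPF result and the connecting client's IP.
SPF_RE = re.compile(r"postfix/policy-spf\[\d+\]: .*?Policy action=PREPEND "
                    r"Received-SPF: (?P<result>\w+) .*client-ip=(?P<ip>[0-9A-Fa-f.:]+)")
# smtpd line: a recipient rejected because the client IP is on an RBL.
RBL_RE = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+?"
                    r"\[(?P<ip>[^\]]+)\]: .*blocked using (?P<rbl>[^;\s]+)")

def summarize(log_text):
    """Return (SPF result counts, counts of those later rejected by an RBL)."""
    pending = {}           # client IP -> SPF result awaiting a possible RBL reject
    results = Counter()    # SPF result -> policy decisions logged
    rbl_after = Counter()  # SPF result -> decisions followed by an RBL reject
    for line in log_text.splitlines():
        m = SPF_RE.search(line)
        if m:
            results[m["result"]] += 1
            pending[m["ip"]] = m["result"]
            continue
        m = RBL_RE.search(line)
        if m and m["ip"] in pending:
            # SPF runs before the RBL checks in the restriction list above,
            # so the policy line for this client has already been seen.
            rbl_after[pending.pop(m["ip"])] += 1
    return results, rbl_after

if __name__ == "__main__":
    results, rbl_after = summarize(SAMPLE_LOG)
    for result, n in results.most_common():
        print(f"{result:9} seen={n} later_rbl_rejected={rbl_after[result]}")
```
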