Comments on How To Implement SPF In Postfix

How To Implement SPF In Postfix

This tutorial shows how to implement SPF (Sender Policy Framework) in a Postfix 2.x installation. The Sender Policy Framework is an open standard specifying a technical method to prevent sender address forgery. There are lots of SPF extensions and patches available for Postfix, but most require that you recompile Postfix. Therefore we will install the postfix-policyd-spf-perl package from openspf.org which is a Perl package and can be implemented in existing Postfix installations (no Postfix compilation required).


Comments

By:

Thank you for the excellent how-to. I've only recently come across SPF and after creating a short tutorial detailing how to set up SPF / Sender ID records with 123-reg for the domain itself, I was dreading having to actually implement it in Postfix.

I'll let you know how I get on.

By:

If you are using the current release of Ubuntu (7.04 - Feisty Fawn) mail::spf and the Postfix policy server are built into the packaging system.  All you have to do is:

sudo apt-get install libmail-spf-perl postfix-policyd-spf-perl

and all of the packages with dependencies will get pulled in.

There is also a Python policy server at the same site.  It is also in Ubuntu with the Python SPF library updated to the current release (2.0.3).  If you prefer Python all you have to do is:

sudo apt-get install python-spf python-policyd-spf

With the exception of saying python instead of perl and the path to the executable (covered in the documentation), integration with Postfix is the same.

By:

One other small comment... The How-To says Postfix 2.x, but the policy service was introduced in Postfix 2.1, so it should say 2.1+ rather than 2.x.

By:

This is on my schedule to do tomorrow.

Just wondering though why other How Tos for this mention DNS settings and this one does not?

Thanks

 

By: Panzer

This HOWTO describes the way to check if the incoming mail message is in accordance with the SPF that is set by the admins of the domain from which the message was sent.

DNS records for SPF serve the purpose of setting your own policy for others to check.

Therefore, you can check for SPF for incoming messages and not use SPF for your own domain (makes sense if you're not in control of your DNS records, or if it is complicated for you to create a suitable SPF policy), or you can set your own SPF policy for your domain and not use SPF for incoming messages (stupid), or you can use both SPF checking for incoming mail and set your own SPF policy for others to check (best).

 

By:

Hi there

Thanks for this HOWTO, it was very informative.  I picked up a problem, however.  In this section:

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service unix:private/policy

The entry check_policy_service unix:private/policy causes Postfix to generate the following error:

postfix/smtpd[2815]: warning: problem talking to server private/policy: Connection timed out

This may be due to policyd-weight not being installed.  Deleting this entry from main.cf resolves the issue (or presumably installing policyd-weight will solve the issue too, however, since policyd-weight is no longer being maintained, I don't think I will go for this option.)

 Regards

By: Dauto

Hi,

I followed the steps and I'm getting the same error:

Jan 12 18:41:52 mta01 postfix/smtpd[9392]: warning: connect to private/policy: No such file or directory
Jan 12 18:41:53 mta01 postfix/smtpd[9392]: warning: connect to private/policy: No such file or directory
Jan 12 18:41:53 mta01 postfix/smtpd[9392]: warning: problem talking to server private/policy: No such file or directory

Any help.

Regards,

Dauto

By:

Thanks for a really nice tutorial, works like a charm!

As for Fedora 9, all files are installed from standard repositories by:

yum install perl-Mail-SPF-Query perl-Mail-SPF

The postfix-policyd-spf script lives in the perl-Mail-SPF package as

/usr/share/doc/perl-Mail-SPF-Query-1.999.1/examples/postfix-policyd-spf

I just copied this file to /usr/local/libexec, making corresponding changes to master.cf.

By: NicuAdrian

Do greylisting and SPF-policyd-perl work together?

By: Alv

If you get an error like this:

 warning: problem talking to server private/policy-spf: No such file or directory

You should check the name of the policy in master.cf. In this howto the name in master.cf is

  policy unix - ........

but in main.cf it is policy-spf. So simply rename it to policy-spf in master.cf:

  policy-spf unix - ........
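
An added example, not part of the comment above or of the tutorial: a small Python check that every `check_policy_service unix:private/NAME` in main.cf has a matching private unix service in master.cf, which is the mismatch behind the "No such file or directory" warning. The sample file contents and the argv path are constructed placeholders.

```python
import re

# Constructed sample files reproducing the mismatch described in the comment
# above; the argv path is a placeholder, not taken from the page.
MAIN_CF = """\
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,
    reject_unauth_destination,check_policy_service unix:private/policy-spf
"""
MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
policy    unix  -       n       n       -       -       spawn
  user=nobody argv=/path/to/postfix-policyd-spf-perl
"""
# The same master.cf with the service renamed to match main.cf.
FIXED_MASTER_CF = MASTER_CF.replace("policy ", "policy-spf ", 1)

def logical_lines(text):
    """Drop comments/blank lines and join continuation lines (leading whitespace)."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def policy_sockets(main_cf):
    """Names of private unix sockets referenced by check_policy_service."""
    pattern = r"check_policy_service\s+unix:private/([\w.-]+)"
    return {n for line in logical_lines(main_cf) for n in re.findall(pattern, line)}

def private_unix_services(master_cf):
    """Names of master.cf services of type unix whose socket lives under private/."""
    names = set()
    for line in logical_lines(master_cf):
        fields = line.split()
        if len(fields) >= 8 and fields[1] == "unix" and fields[2] in ("-", "y"):
            names.add(fields[0])
    return names

def missing_services(main_cf, master_cf):
    """Policy sockets main.cf expects that master.cf never creates."""
    return sorted(policy_sockets(main_cf) - private_unix_services(master_cf))

if __name__ == "__main__":
    print("before rename:", missing_services(MAIN_CF, MASTER_CF))
    print("after rename: ", missing_services(MAIN_CF, FIXED_MASTER_CF))
```

Running a check like this before reloading Postfix catches the name mismatch without waiting for the warning to appear in the mail log.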

 

 

By: Bogdan

Hey there, is it me or between the updates for ISPConfig 3 (from 3.0.5.2 to 3.0.5.3 for example) the Postfix main.cf file is modified and in smtpd_recipient_restrictions the check_policy_service unix:private/policy option is missing after an update?

I am using Ubuntu 12.04.3 LTS x64, with your guide for ISPConfig and I've noticed that twice.

Thanks!

By: Ethan

I also had to install the CPAN module Sys::Hostname::Long.

By the way, it makes sense to test the script BEFORE editing main.cf and restarting postfix, to make sure you don't lose any mails in case it doesn't work.

By: Clinton

Note that postfix-policyd-spf-perl is maintenance-only.  For current development, see python-postfix-policyd-spf, also at http://www.openspf.org/Software

By: Pat

useful info, thanks.

By: MrPete

CRUCIAL: postfix-policyd-spf-perl has serious BUGS. For example, it is rejecting softfail SPF (which should not be rejected.) And the current version no longer installs properly. It has not had a bug fix in many years. Thus, this tutorial is OUTDATED.

 

The current SPF tool is python-postfix-policyd-spf, also at http://www.openspf.org/Software

By: Lucian

Can you set a whitelist domain if someone set SPF wrong?

By: Araz

Lucian, make sure your SPF record is correct and valid, you are welcome to use https://easydmarc.com/spf-record-check-tools 

By: Hifall

Do check if your SPF record is valid using a tool like: https://dmarcly.com/tools/spf-record-checker

Also, make sure your SPF record doesn't contain 10+ DNS lookups: https://dmarcly.com/blog/spf-permerror-too-many-dns-lookups-when-spf-record-exceeds-10-dns-lookup-limit
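
An added example, not part of the comment above or of the tools it links: a Python sketch that counts the DNS-querying terms reachable from an SPF record, following `include` and `redirect` recursively, to show how a record ends up over the 10-lookup limit. The `RECORDS` dictionary is constructed sample data standing in for DNS TXT answers, and all domain names in it are placeholders.

```python
import re

# Terms that count against the DNS lookup limit (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

# Constructed TXT records standing in for DNS answers; all names are placeholders.
RECORDS = {
    "example.com": "v=spf1 mx a include:_spf.mail.example include:_spf.crm.example ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ip4:192.0.2.0/24 ~all",
    "_a.mail.example": "v=spf1 a:out1.mail.example a:out2.mail.example ~all",
    "_b.mail.example": "v=spf1 mx exists:%{i}.bl.mail.example ~all",
    "_spf.crm.example": "v=spf1 a mx ptr -all",
    "small.example": "v=spf1 ip4:192.0.2.10 include:_a.mail.example -all",
}

# Optional qualifier, term name, then an optional ":target" or "=target".
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

def count_lookups(domain, records, path=()):
    """Worst-case number of DNS-querying terms reachable from domain's record."""
    if domain in path:
        raise ValueError("include loop at " + domain)
    if domain not in records:
        raise KeyError("no SPF record for " + domain)
    total = 0
    for term in records[domain].split()[1:]:      # skip the v=spf1 version tag
        name, target = TERM.match(term.lower()).groups()
        if name not in LOOKUP_TERMS:
            continue                              # all, ip4, ip6 do not count
        total += 1
        if name in ("include", "redirect"):       # these pull in another record
            total += count_lookups(target, records, path + (domain,))
    return total

def over_limit(domain, records):
    """True when a full evaluation would exceed the limit and yield permerror."""
    return count_lookups(domain, records) > LIMIT

if __name__ == "__main__":
    for d in ("example.com", "small.example"):
        verdict = "over limit" if over_limit(d, RECORDS) else "ok"
        print(d, count_lookups(d, RECORDS), verdict)
```

The count is a worst case: a real evaluation stops at the first matching mechanism, so a given message may trigger fewer lookups than the total reported here.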