Debian 8/9: Postfix SPF

Discussion in 'Tips/Tricks/Mods' started by ztk.me, Oct 5, 2017.

  1. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    slightly updated version of https://www.howtoforge.com/postfix_spf
    debian 9, works aswell on 8


    for debian.
    Note that you can handle SPF with spamassasin and instead of blocking the mail it can add or reduce score.
    However some domain owners don't want to be combined with all sorts of magic pills - so respect if they want the mail not to reach the target.

    Code:
    apt-get install postfix-policyd-spf-python
    postconf -M policyd-spf/spawn="policyd-spf  unix  -       n       n       -       0       spawn user=nobody argv=/usr/bin/policyd-spf"
    postconf -e "policyd-spf_time_limit = 3600"
    
    Modify /etc/postfix/main.cf
    Code:
    smtpd_recipient_restrictions =
        ...
        reject_unauth_destination,
        check_policy_service unix:private/policyd-spf,
        ...
    
    Make sure, you are putting the check_policy_service unix after the reject_unauth_destination line, to not become an open relay to the world.
    You can use this script for that:
    Code:
    #!/bin/sh
    smtpd_recipient_restrictions=`postconf -p smtpd_recipient_restrictions`
    if [[ $smtpd_recipient_restrictions != *"check_policy_service unix:private/policyd-spf,"* ]]; then
        sed -i 's/reject_unauth_destination,/reject_unauth_destination,check_policy_service unix:private\/policyd-spf,/' /etc/postfix/main.cf
    fi
    
    Modify /etc/postfix-policyd-spf-python/policyd-spf.conf
    Change debuglevel as you like, replace <FQDN> with the servers hostname or check the manual for all the options. If you want to accept mail and let spamassasin mark them as spam set HELO_reject = false
    A good guide on this is on https://www.flomain.de/2015/08/how-to-postfix-with-spf/
    should work now, if you rekick your postfix that is

    gently inform your daemon to reload
    Code:
    service postfix reload
    
    and watch for issues
    Code:
    tail -f /var/log/mail.info
    
     
    Last edited: Jul 18, 2018
  2. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    Troubleshooting:

    Results are always temperror [ Debian at least, since ~2006 ]
    - if you're using a local caching nameserver your /etc/resolv.conf has 1 entry only, however an old patch to the DNS-package of python made it mandatory to have 2 nameserver-entries in the resolv.conf or else no python application using DNS/Base.py will work!
    Either add 2nd nameserver entry in resolv.conf or ... hack it:
    /usr/lib/python3/dist-packages/DNS/Base.py
    and comment out the following lines [ :
    Code:
    63 #        if len(fields) < 2:
    64 #            continue
    
    Attention, this will fail to get a valid nameserver if the first line in resolv.conf is "search domain" something


    Edit: doh you obviously could add
    namserver 127.0.0.1 twice in your resolv.conf, not nice but nicer than hacking the Base.py
     
    Last edited: Oct 5, 2017
  3. Tuumke

    Tuumke Member

    Isn't SPF done by ISPConfig / DNS? If not, i would think this is standard with the perfect server guide?
     
  4. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    one part of SPF is to set your records for your domain in the DomainNameSystem, yes
    but the other part is checking the records for other domains when receiving mail.

    That either needs to be configured/weighted in spamassasin - which comes after the mail has been accepted and pulled trough amavis/clamav or you can block the mail right in the beginning using this like a RBL.

    I choose this over spamassasin not because of my resources but to respect the domain owners wish not to accept forged mails with his name.
     
  5. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    *edit* updated instructions
     

Share This Page