Drop any incoming emails where spf fails.

Discussion in 'ISPConfig 3 Priority Support' started by rob_morin, Dec 21, 2016.

  1. rob_morin

    rob_morin Member

    Hello,. I would to be able to drop any emails that come in that have SPF settings that say -all
    Do i do this in ISPCONFIG, Postfix or Amavis?
    So if an email comes in and that domain has SPF record that says to drop the email if not from these servers and the email is not from those servers, i want to delete the email.
    We get a lot of forged emails, and it's time to start dropping them.
    Suggestions?

    Thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You can do that with policyd https://www.howtoforge.com/hardening-postfix-for-ispconfig-3 but I won't do that on my system as you will loose legtimate emails (emails that were forwarded but the forwarding server did not use SRS). A large german provider tried what you want to do recently and they failed and had to change their setup due to the mass complaints of their users that lost emails.
     
  3. rob_morin

    rob_morin Member

    Lol, so whats the point of using it then? Is it possible to specify which domains to drop emails then? Like a few of our clients get lots of spam via forged headers, ie; the from and to domain is the same but not from the proper servers
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    SPF is broken by design, search for it and you find many articles that deal with the various problems around spf :) Here is a good article from a german postfix professional, maybe it's understandable by using google translate: https://www.heinlein-support.de/blog/news/gmx-de-und-web-de-haben-mail-rejects-durch-spf/
    Spamassassin takes SPF in account for score calculation and that is the way I use it.

    This might be possible, but I'm not using this setup so I can't tell you if policyd has this setting on a per domain basis.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    What you can do is that you adjust the spamassasin scores for spf errors,you can find the rule names in the german article as well.
     
  6. rob_morin

    rob_morin Member

    I get this errror in mail.log file now...

    warning: connect to private/policy-spf: No such file or directory
     
  7. rob_morin

    rob_morin Member

    Ahh ok so configure SA to give high score if spf fails?
     
  8. rob_morin

    rob_morin Member

    Ok i see the article, now, i didn't know there was a
    SPF_FAIL in SA, great I will use that.
    Thanks Till
     
  9. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    SPF is indeed broken by design but it's up to the postmaster to define the action, that the receiving mailserver should trigger. If someone requestes hard-fails in the spf-record, your server can reject the mails.
    If someone sends me a mail that does not pass his spf-reord, i reject the mail. It's none of my business when the sender is not able to setup his spf-record. And that was the problem with a large provider in june - they ASKED to reject thier mails. BTW: they reverted this within a few days.
     

Share This Page