Effect of SPF with Postfix

Discussion in 'Server Operation' started by hereinoz, Sep 2, 2011.

  1. hereinoz

    hereinoz Member

    Hi all,

    I am considering enabling SPF in Postfix, but I have one question before I do, and that is:

    If I enable SPF, as per Falko's excellent HowTo, and an incoming mail message comes from a domain which has no SPF records at all in its DNS, does that email get passed, or does it get failed and dropped?

    Hope you can help,

  2. falko

    falko Super Moderator ISPConfig Developer

    That's what I found on http://www.google.com/support/a/bin/answer.py?answer=33786 :

  3. hereinoz

    hereinoz Member

    Thanks Falko.

    Doesn't really answer the question though. My question was specifically how Postfix with SPF would react if there were no SPF records in the sending domain's DNS. In other words, how it would react when it was one of the "some recipient domains" referred to on the Google page. Would it reject or would it accept with no SPF records?

    I guess the best way is to build one, send it an email from a domain without any SPF records, and see how it responds. At least, then, I will know.

  4. falko

    falko Super Moderator ISPConfig Developer

    I'm not totally sure, but I guess if there's no SPF record, Postfix will check the MX record and see if the mail originated from that server.
  5. hereinoz

    hereinoz Member

    No worries, I will build one and see what happens.
  6. ressel

    ressel Member

    What result did you get?
  7. DrJohn

    DrJohn Member

    I recently implemented SPF in Postfix. With no SPF record Postfix defaults to passing the domain through. Here's the relevant portion of main.cf:
    smtpd_recipient_restrictions =
        check_client_access hash:/etc/postfix/helo_client_exceptions,
        check_sender_access hash:/etc/postfix/sender_checks,
    ### Can cause issues with Auth SMTP, so be wary!
    #SPF validation
        check_policy_service unix:private/policy,
    # Add RBL exceptions here, when changing rbl_client_exceptions, this
    # file must be regenerated using postmap <file>, to generate a
    # Berkeley DB
        check_client_access hash:/etc/postfix/rbl_client_exceptions,
        check_sender_access hash:/etc/postfix/rhsbl_sender_exceptions,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client multi.uribl.com,
        reject_rbl_client bl.mailspike.net,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rbl_client ix.dnsbl.manitu.net,
        reject_rbl_client psbl.surriel.com,
        check_policy_service inet:,
    smtpd_data_restrictions =
    In mail.log for a domain with no SPF TXT record:
    Oct 13 15:07:52 m2a74am-vm5 postfix/policy-spf[1783]: : Policy action=PREPEND Received-SPF: none (smoby.fr: No applicable sender policy available) receiver=m2a74am-vm5.chromsource.loc; identity=mailfrom; envelope-from="[email protected]"; helo=187-11-194-118.dsl.telesp.net.br; client-ip=
    Then later with RBL:
    Oct 13 15:07:52 m2a74am-vm5 postfix/smtpd[1764]: NOQUEUE: reject: RCPT from unknown[]: 554 5.7.1 Service unavailable; Client host [] blocked using b.barracudacentral.org; http://www.barracudanetworks.com/reputation/?pr=1&ip=; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<187-11-194-118.dsl.telesp.net.br>
    I am considering removing the SPF checks from Postfix because so far, after a week of use, only a very small percentage (< 0.5%) of incoming email does not pass the SPF check. I suspect that the subsequent RBL Checks will pick up most of the overt spam. I have, however, placed SPF TXT records into all of my domains.

    BTW, barracudacentral.org catches 99+% of them before going to the others on the RBL list. I recommend registering with them if you have fixed IPs (it's free).

    -- John
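
Added example, not part of the thread or any poster's code: a small Python tally of `postfix/policy-spf` log entries in the layout quoted above, showing that a `none` result is a `PREPEND` (the mail continues to the next restriction) and measuring how much mail the SPF check actually rejects. The sample log lines are constructed, and the layout of the rejected entry (`Policy action=550 ...`) is an assumption.

```python
import re
from collections import Counter

# Layout taken from the policy-spf entry quoted in the post above.
LINE_RE = re.compile(
    r"postfix/policy-spf\[\d+\]: .*?Policy action=(?P<action>\S+)"
    r"(?: Received-SPF: (?P<result>\w+)(?: \((?P<domain>[^:\s)]+):)?)?"
)

# Constructed sample input (documentation domains and RFC 5737 addresses).
# Assumption: outcomes other than "none" are logged in the same layout.
SAMPLE_LOG = """\
Oct 13 15:07:52 mx1 postfix/policy-spf[1783]: : Policy action=PREPEND Received-SPF: none (nospf.example: No applicable sender policy available) receiver=mx1.example.net; identity=mailfrom; envelope-from="a@nospf.example"; helo=host.nospf.example; client-ip=192.0.2.10
Oct 13 15:08:01 mx1 postfix/policy-spf[1783]: : Policy action=PREPEND Received-SPF: pass (good.example: 198.51.100.7 is authorized to use 'b@good.example' in 'mfrom' identity) receiver=mx1.example.net; identity=mailfrom; envelope-from="b@good.example"; helo=mail.good.example; client-ip=198.51.100.7
Oct 13 15:08:09 mx1 postfix/policy-spf[1783]: : Policy action=550 SPF check failed for c@strict.example
Oct 13 15:08:09 mx1 postfix/smtpd[1764]: connect from unknown[203.0.113.5]
"""

def parse_line(line):
    """Return (action, spf_result, domain) for a policy-spf line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    result = m.group("result")
    return m.group("action"), result.lower() if result else None, m.group("domain")

def summarize(log_text):
    """Count SPF outcomes; list domains accepted although they publish no SPF record."""
    counts = Counter()
    no_record_domains = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a policy-spf entry
        action, result, domain = parsed
        if action != "PREPEND":
            counts["rejected"] += 1  # policy service answered with an SMTP error
        else:
            counts[result or "unknown"] += 1  # header added, mail goes on
            if result == "none" and domain:
                no_record_domains.add(domain)
    total = sum(counts.values())
    rejected_pct = 100.0 * counts["rejected"] / total if total else 0.0
    return counts, sorted(no_record_domains), rejected_pct

if __name__ == "__main__":
    counts, domains, pct = summarize(SAMPLE_LOG)
    print(dict(counts), domains, f"{pct:.1f}% rejected by SPF")
```

Run against a real `mail.log` by passing the file contents to `summarize()`; the rejected percentage is the figure to look at before deciding whether the SPF check earns its place ahead of the RBL lookups.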
