Postfix SPF

Discussion in 'Tips/Tricks/Mods' started by ztk.me, Oct 5, 2017.

  1. ztk.me

    ztk.me ISPConfig Developer

    Since https://www.howtoforge.com/postfix_spf is a lil bit outdated... yeah
    Debian 9, works as well on 8

    Code:
    apt-get install postfix-policyd-spf-python
    
    /etc/postfix-policyd-spf-python/policyd-spf.conf
    Code:
    #  For a fully commented sample config file see policyd-spf.conf.commented
    
    debugLevel = 1
    #TestOnly = 1
    
    HELO_reject = SPF_Not_Pass
    Mail_From_reject = Fail
    
    PermError_reject = True
    TempError_Defer = False
    
    skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
    
    Header_Type = AR
    Authserv_Id = <FQDN>
    
    replace <FQDN> with your hostname

    Uncomment TestOnly for, well yeah, test only.
    Adjust HELO_reject etc. to your needs; see the man page for that. For me it works perfectly fine as it is.

    Add/Update /etc/postfix/master.cf
    Code:
    policyd-spf  unix  -       n       n       -       0       spawn
        user=policyd-spf argv=/usr/bin/policyd-spf
    
    And /etc/postfix/main.cf
    Add
    Code:
    check_policy_service unix:private/policyd-spf
    after reject_unauth_destination; it could look like this:
    Code:
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
        reject_unauth_destination,
        check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
        reject_unknown_helo_hostname, reject_invalid_hostname, reject_non_fqdn_hostname,
        check_policy_service unix:private/policyd-spf,
        reject_rbl_client zen.spamhaus.org,
        check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf
    
    And on a new line in /etc/postfix/main.cf add
    Code:
    policyd-spf_time_limit = 3600
    
    gently inform your daemon to reload
    Code:
    service postfix reload
    
    and watch for issues
    Code:
    tail -f /var/log/mail.info
    
     
    Last edited: Oct 5, 2017
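    A small check for the main.cf ordering described in this post, added here as an example (it is not part of ztk.me's post or of the policyd-spf package): it parses an smtpd_recipient_restrictions value and reports if the SPF policy service is missing, sits before reject_unauth_destination, or sits before the permit_* entries that should exempt your own networks and authenticated users. The set of restrictions treated as taking an argument is an assumption that covers the common ones.

```python
"""Check where the policyd-spf policy service sits in a Postfix
smtpd_recipient_restrictions list (added example, not from the thread)."""
import re

# Restrictions that consume the next token as an argument. Assumption:
# this covers the usual ones; extend it if your main.cf uses others.
_ARG_PREFIXES = ("check_", "reject_rbl", "reject_rhsbl", "permit_dnswl", "permit_rhswl")

SPF_SERVICE = "check_policy_service unix:private/policyd-spf"


def parse_restrictions(value: str) -> list:
    """Split a restriction list (commas and/or whitespace) into entries such as
    'check_policy_service unix:private/policyd-spf'."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    entries, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        if name.startswith(_ARG_PREFIXES) and i + 1 < len(tokens):
            entries.append(f"{name} {tokens[i + 1]}")
            i += 2
        else:
            entries.append(name)
            i += 1
    return entries


def check_spf_position(value: str) -> list:
    """Return a list of problems; empty means the SPF check is present, comes
    after reject_unauth_destination and after the permit_* exemptions."""
    entries = parse_restrictions(value)
    if SPF_SERVICE not in entries:
        return [f"missing: {SPF_SERVICE}"]
    spf_idx, problems = entries.index(SPF_SERVICE), []
    if "reject_unauth_destination" not in entries:
        problems.append("missing: reject_unauth_destination (open relay risk)")
    elif entries.index("reject_unauth_destination") > spf_idx:
        problems.append("SPF is evaluated before reject_unauth_destination")
    for p in ("permit_mynetworks", "permit_sasl_authenticated"):
        if p in entries and entries.index(p) > spf_idx:
            problems.append(f"{p} comes after the SPF check; own clients may be rejected")
    return problems


# Constructed samples: GOOD mirrors the ordering from the post, BAD puts SPF first.
GOOD = ("permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, "
        "check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, "
        "reject_unknown_helo_hostname,reject_invalid_hostname, reject_non_fqdn_hostname,"
        "check_policy_service unix:private/policyd-spf, reject_rbl_client zen.spamhaus.org")
BAD = "check_policy_service unix:private/policyd-spf, permit_mynetworks, reject_unauth_destination"

if __name__ == "__main__":
    for v in (GOOD, BAD):
        print(check_spf_position(v) or "ok")
```

Feed it the value of `postconf -h smtpd_recipient_restrictions` to check a live box.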
  2. ztk.me

    ztk.me ISPConfig Developer

    Troubleshooting:

    Results are always temperror [ Debian at least, since ~2006 ]
    - If you're using a local caching nameserver, your /etc/resolv.conf has 1 entry only; however, an old patch to the DNS package of Python made it mandatory to have 2 nameserver entries in resolv.conf, or else no Python application using DNS/Base.py will work!
    Either add a 2nd nameserver entry in resolv.conf or ... hack it:
    /usr/lib/python3/dist-packages/DNS/Base.py
    and comment out the following lines:
    Code:
    63 #        if len(fields) < 2:
    64 #            continue
    
    Attention: this will fail to get a valid nameserver if the first line in resolv.conf is a "search domain" entry or similar.


    Edit: doh, you obviously could add
    nameserver 127.0.0.1 twice in your resolv.conf; not nice, but nicer than hacking Base.py
     
    Last edited: Oct 5, 2017
  3. Tuumke

    Tuumke Member HowtoForge Supporter

    Isn't SPF done by ISPConfig / DNS? If not, I would think this is standard with the Perfect Server guide?
     
  4. ztk.me

    ztk.me ISPConfig Developer

    One part of SPF is to set the records for your domain in the Domain Name System, yes,
    but the other part is checking the records of other domains when receiving mail.

    That either needs to be configured/weighted in SpamAssassin, which comes after the mail has been accepted and pulled through amavis/clamav, or you can block the mail right at the beginning using this like an RBL.

    I chose this over SpamAssassin not because of my resources but to respect the domain owner's wish not to have forged mails accepted with his name.
     