Postfix SPF

Discussion in 'Tips/Tricks/Mods' started by, Oct 5, 2017.

  1. ISPConfig Developer

    Since is a lil bit outdated... yeah
    Debian 9, works as well on 8

    apt-get install postfix-policyd-spf-python
    #  For a fully commented sample config file see policyd-spf.conf.commented
    debugLevel = 1
    #TestOnly = 1
    HELO_reject = SPF_Not_Pass
    Mail_From_reject = Fail
    PermError_reject = True
    TempError_Defer = False
    skip_addresses =,::ffff:,::1
    Header_Type = AR
    Authserv_Id = <FQDN>
    Replace <FQDN> with your hostname.

    Uncomment TestOnly for, well yeah, test-only mode.
    Adjust HELO_reject etc. to your needs, see the man page for that; for me it works perfectly fine as it is.

    Add/Update /etc/postfix/
    policyd-spf  unix  -       n       n       -       0       spawn
        user=policyd-spf argv=/usr/bin/policyd-spf
    And /etc/postfix/
    check_policy_service unix:private/policyd-spf
    after reject_unauth_destination; it could look like this:
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
        reject_unauth_destination, check_recipient_access mysql:/etc/postfix/,
        reject_unknown_helo_hostname, reject_invalid_hostname, reject_non_fqdn_hostname,
        check_policy_service unix:private/policyd-spf, reject_rbl_client,
        check_recipient_access mysql:/etc/postfix/
    And on a new line in /etc/postfix/ add
    policyd-spf_time_limit = 3600
    Gently inform your daemon to reload:
    service postfix reload
    and watch for issues:
    tail -f /var/log/
    Last edited: Oct 5, 2017
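    Added example, not from the thread or the policyd-spf project: a small Python scan for the "watch for issues" step above. It tallies the SPF verdicts policyd-spf logs, lists the client IPs behind Fail verdicts, and flags a high Temperror share (the all-Temperror resolver symptom discussed in the next post). The log lines are constructed in the style of policyd-spf's syslog output; the field names and the 50% threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines imitating policyd-spf's syslog format (not real logs).
SAMPLE_LOG = """\
Oct  5 10:01:02 mx policyd-spf[2101]: Pass; identity=mailfrom; client-ip=192.0.2.10; helo=mail.example.org; envelope-from=alice@example.org; receiver=bob@example.net
Oct  5 10:01:09 mx policyd-spf[2102]: Temperror; identity=mailfrom; client-ip=192.0.2.11; helo=mail.example.com; envelope-from=carol@example.com; receiver=bob@example.net
Oct  5 10:01:15 mx policyd-spf[2103]: Fail; identity=mailfrom; client-ip=198.51.100.7; helo=spoof.example.com; envelope-from=ceo@example.org; receiver=bob@example.net
Oct  5 10:01:20 mx policyd-spf[2104]: Temperror; identity=helo; client-ip=192.0.2.12; helo=mail.example.net; envelope-from=dave@example.net; receiver=bob@example.net
Oct  5 10:01:31 mx postfix/smtpd[2100]: NOQUEUE: reject: RCPT from spoof.example.com[198.51.100.7]: 550 5.7.23 Message rejected due to SPF policy
"""

# Assumed layout: "policyd-spf[pid]: <Result>; key=value; key=value; ..."
LINE_RE = re.compile(r"policyd-spf\[\d+\]: (?P<result>[A-Za-z]+); (?P<rest>.*)$")


def parse_line(line):
    """Return a dict of the SPF verdict and its key=value fields, or None for non-policyd lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"result": m.group("result").lower()}
    for item in m.group("rest").split("; "):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def summarize(log_text, temperror_threshold=0.5):
    """Count verdicts, collect Fail sources, and flag a Temperror share at or above the threshold."""
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    counts = Counter(r["result"] for r in records)
    total = sum(counts.values())
    fails = [(r.get("client-ip", ""), r.get("envelope-from", ""))
             for r in records if r["result"] == "fail"]
    ratio = counts.get("temperror", 0) / total if total else 0.0
    return {
        "counts": dict(counts),
        "fails": fails,
        "temperror_ratio": ratio,
        # A mostly-Temperror log points at the checker's DNS resolution, not at senders.
        "resolver_suspect": ratio >= temperror_threshold,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

    In practice, feed it the output of the tail command above; a steady stream of Temperror verdicts is a resolver problem on your side rather than bad senders.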
  2. ISPConfig Developer


    Results are always temperror [ Debian at least, since ~2006 ]
    - If you're using a local caching nameserver, your /etc/resolv.conf has only 1 entry; however, an old patch to the DNS package of Python made it mandatory to have 2 nameserver entries in resolv.conf, or else no Python application using DNS/ will work!
    Either add a 2nd nameserver entry in resolv.conf or ... hack it:
    and comment out the following lines [ :
    63 #        if len(fields) < 2:
    64 #            continue
    Attention: this will fail to get a valid nameserver if the first line in resolv.conf is "search domain" or something like that.

    Edit: doh, you obviously could add the nameserver twice in your resolv.conf, not nice but nicer than hacking the
    Last edited: Oct 5, 2017
  3. Tuumke

    Isn't SPF done by ISPConfig / DNS? If not, I would think this is standard with the perfect server guide?
  4. ISPConfig Developer

    One part of SPF is to set your records for your domain in the Domain Name System, yes,
    but the other part is checking the records for other domains when receiving mail.

    That either needs to be configured/weighted in SpamAssassin, which comes after the mail has been accepted and pulled through Amavis/ClamAV, or you can block the mail right at the beginning using this like an RBL.

    I choose this over SpamAssassin not because of my resources but to respect the domain owner's wish not to accept forged mails with his name.
