routeprotocol.com

Adding SPF checking to incoming mail on Postfix (Ubuntu 16.04)

Install the required packages:

apt-get install postfix-policyd-spf-python postfix-pcre

Our server runs amavisd-new, so we don’t want Postfix to reject the mail outright but rather to mark the headers. To do that, we need to edit some settings in the file:

/etc/postfix-policyd-spf-python/policyd-spf.conf

HELO_reject default option is SPF_Not_Pass

The options available to us are:

SPF_Not_Pass (default) - Reject if result not Pass/None/Tempfail.
Softfail - Reject if result Softfail and Fail
Fail - Reject on HELO Fail
Null - Only reject HELO Fail for Null sender (SPF Classic)
False - Never reject/defer on HELO, append header only. 
No_Check - Never check HELO.

The option I’ll select is False, allowing the filtering to happen later in the process (likely with a Dovecot sieve).

Mail_From_reject default option is Fail

The options available to us are:

SPF_Not_Pass - Reject if result not Pass/None/Tempfail.
Softfail - Reject if result Softfail and Fail
Fail - Reject on Mail From Fail (default)
False - Never reject/defer on Mail From, append header only
No_Check - Never check Mail From/Return Path.

Again I’ll change this to False, leaving my complete configuration file as:

 debugLevel = 1
 defaultSeedOnly = 1

 HELO_reject = False
 Mail_From_reject = False

 PermError_reject = False
 TempError_Defer = False

 skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1

We now move on to our master.cf file in the /etc/postfix directory and add this at the end:

policyd-spf  unix  -       n       n       -       0       spawn
     user=policyd-spf argv=/usr/bin/policyd-spf

We move on to main.cf now and add a line to extend the timeout for checking an SPF record:

policyd-spf_time_limit = 3600

And finally adjust our smtpd_recipient_restrictions to account for the new SPF check:

smtpd_recipient_restrictions = reject_unauth_destination, check_policy_service unix:private/policyd-spf

Restart Postfix, then check the log to confirm it’s working:

Jul  1 19:47:01 brwn-one policyd-spf[29555]: Pass; identity=mailfrom; client-ip=209.85.128.48; helo=mail-wm1-f48.google.com; envelope-from=yyy@gmail.com; receiver=xxx@brwn.uk
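
With both options set to False nothing is rejected, so the log is where you can see what a stricter Mail_From_reject value would do. The following is an added example (not part of the original post) that parses policyd-spf log lines of the shape shown above and counts how many mailfrom checks each setting would have rejected, based on the option descriptions listed earlier. The sample lines are constructed, and treating "Tempfail" as the logged result Temperror is an assumption.

```python
import re
from collections import Counter

# Results each Mail_From_reject setting would reject, per the option list above.
# Assumption: the "Tempfail" in that list is logged as "Temperror".
ALL = {"pass", "fail", "softfail", "neutral", "none", "temperror", "permerror"}
WOULD_REJECT = {
    "SPF_Not_Pass": ALL - {"pass", "none", "temperror"},
    "Softfail": {"softfail", "fail"},
    "Fail": {"fail"},
    "False": set(),  # header only, never reject
}
LINE_RE = re.compile(r"policyd-spf\[\d+\]: (?P<result>\w+); (?P<fields>.+)$")

def parse_line(line):
    """Return a dict for a policyd-spf result line, or None for other lines."""
    m = LINE_RE.search(line.strip())
    if not m or m.group("result").lower() not in ALL:
        return None
    rec = {"result": m.group("result").lower()}
    for part in m.group("fields").split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            rec[key] = value
    return rec

def reject_counts(lines):
    """Count, per setting, how many logged mailfrom checks it would reject."""
    counts = Counter({opt: 0 for opt in WOULD_REJECT})
    for rec in filter(None, map(parse_line, lines)):
        if rec.get("identity") != "mailfrom":
            continue  # HELO checks are governed by HELO_reject instead
        for opt, results in WOULD_REJECT.items():
            counts[opt] += rec["result"] in results
    return dict(counts)

# Constructed sample lines in the shape of the log entry above.
SAMPLE = """\
Jul  1 19:47:01 mx policyd-spf[101]: Pass; identity=mailfrom; client-ip=192.0.2.10; helo=a.example.com; envelope-from=a@example.com; receiver=u@example.org
Jul  1 19:47:05 mx policyd-spf[102]: Softfail; identity=mailfrom; client-ip=192.0.2.11; helo=b.example.net; envelope-from=b@example.net; receiver=u@example.org
Jul  1 19:47:09 mx policyd-spf[103]: Fail; identity=mailfrom; client-ip=192.0.2.12; helo=c.example.net; envelope-from=c@example.com; receiver=u@example.org
Jul  1 19:47:12 mx policyd-spf[104]: Neutral; identity=mailfrom; client-ip=192.0.2.13; helo=d.example.net; envelope-from=d@example.net; receiver=u@example.org
Jul  1 19:47:15 mx policyd-spf[105]: None; identity=mailfrom; client-ip=192.0.2.14; helo=e.example.net; envelope-from=e@example.net; receiver=u@example.org
Jul  1 19:47:18 mx policyd-spf[106]: Fail; identity=helo; client-ip=192.0.2.15; helo=f.example.net; envelope-from=f@example.net; receiver=u@example.org
Jul  1 19:47:20 mx postfix/smtpd[202]: connect from unknown[192.0.2.16]
""".splitlines()

if __name__ == "__main__":
    for opt, n in reject_counts(SAMPLE).items():
        print(f"{opt:13} would reject {n} of the sampled mailfrom checks")
```

Feed it the lines from your own mail log in place of SAMPLE before moving either option away from False.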
