Install the required packages:
apt-get install postfix-policyd-spf-python postfix-pcre
Our server runs amavisd-new, so we don’t want Postfix to reject the mail outright but rather mark the headers, so we need to edit some settings in the file:
/etc/postfix-policyd-spf-python/policyd-spf.conf
The HELO_reject option defaults to SPF_Not_Pass.
The options available to us are:
SPF_Not_Pass (default) - Reject if result not Pass/None/Tempfail.
Softfail - Reject if result Softfail and Fail.
Fail - Reject on HELO Fail.
Null - Only reject HELO Fail for Null sender (SPF Classic).
False - Never reject/defer on HELO, append header only.
No_Check - Never check HELO.
The option I’ll select is False, allowing the filtering to happen later in the process (likely with a Dovecot sieve).
The Mail_From_reject option defaults to Fail.
The options available to us are:
SPF_Not_Pass - Reject if result not Pass/None/Tempfail.
Softfail - Reject if result Softfail and Fail.
Fail - Reject on Mail From Fail (default).
False - Never reject/defer on Mail From, append header only.
No_Check - Never check Mail From/Return Path.
Again I’ll change this to False, leaving my complete configuration file as:
debugLevel = 1
defaultSeedOnly = 1
HELO_reject = False
Mail_From_reject = False
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
We now move on to our master.cf file in the /etc/postfix directory and add this at the end:
policyd-spf unix - n n - 0 spawn user=policyd-spf argv=/usr/bin/policyd-spf
We move on to main.cf now and add a line to extend the time limit for the SPF check:
policyd-spf_time_limit = 3600
And finally adjust our smtpd_recipient_restrictions to account for the new SPF check:
smtpd_recipient_restrictions = reject_unauth_destination, check_policy_service unix:private/policyd-spf
Restart Postfix and check the mail log to confirm it’s working; a successful check logs a line like this:
Jul 1 19:47:01 brwn-one policyd-spf[29555]: Pass; identity=mailfrom; client-ip=209.85.128.48; helo=mail-wm1-f48.google.com; envelope-from=yyy@gmail.com; receiver=xxx@brwn.uk
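Because the configuration above only marks mail rather than rejecting it, the policyd-spf log lines are the first place to see what would have been rejected. The following is an added example (not part of the original post) that parses lines in the format shown above and counts results, listing Fail/Softfail senders for later review; the log lines inside it are constructed samples with placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample mail.log excerpt in the format written by policyd-spf.
# Hosts, addresses and IPs are placeholders, not from a real server.
SAMPLE_LOG = """\
Jul 1 19:47:01 mx policyd-spf[29555]: Pass; identity=mailfrom; client-ip=192.0.2.10; helo=mail.example.org; envelope-from=alice@example.org; receiver=bob@example.net
Jul 1 19:48:12 mx policyd-spf[29555]: Fail; identity=mailfrom; client-ip=198.51.100.7; helo=host.example.com; envelope-from=ceo@example.org; receiver=bob@example.net
Jul 1 19:49:30 mx policyd-spf[29556]: Softfail; identity=helo; client-ip=203.0.113.9; helo=relay.example.com; envelope-from=news@example.com; receiver=bob@example.net
Jul 1 19:50:02 mx postfix/smtpd[29560]: connect from unknown[203.0.113.9]
"""

# Result word, then "; "-separated key=value fields.
LINE_RE = re.compile(r"policyd-spf\[\d+\]: (?P<result>\w+); (?P<rest>.*)$")


def parse_line(line):
    """Return a dict of fields for a policyd-spf line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"result": m.group("result")}
    for item in m.group("rest").split("; "):
        key, _, value = item.partition("=")
        fields[key] = value
    return fields


def summarize(log_text):
    """Count SPF results and collect (result, envelope-from, client-ip) for failures."""
    counts = Counter()
    suspicious = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a policyd-spf line (e.g. smtpd noise)
        counts[rec["result"]] += 1
        if rec["result"] in ("Fail", "Softfail"):
            suspicious.append((rec["result"], rec["envelope-from"], rec["client-ip"]))
    return counts, suspicious


if __name__ == "__main__":
    counts, suspicious = summarize(SAMPLE_LOG)
    print(dict(counts))
    for result, sender, ip in suspicious:
        print(f"{result}: {sender} from {ip}")
```

Point it at a real file with `summarize(open("/var/log/mail.log").read())` to see which senders the header-only policy is letting through.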