Postfix SPF check
- This tutorial was contributed by an iRedMail user; please use it at your own risk.
- iRedMail already performs an after-queue SPF check with Amavisd-new and the Perl module perl-Mail-SPF, so you don't need this tutorial if after-queue SPF verification is sufficient for you.
With the Python version of the SPF Policy Server for Postfix (pypolicyd-spf), Postfix can check SPF for incoming messages during the SMTP session and immediately reject or pass them (if desired). This article describes how to set this up.
- There is also a Perl version of the software, but it is not recommended because it does not scale well and should only be used for small scale servers.
- This tutorial was written for a CentOS-based system. Please adapt it to fit your distro and configuration.
- It is assumed that the user has good knowledge of the technologies used therein.
- Download the latest version of pypolicyd-spf from the project's home page.
- Unpack it and install it by using the instructions in the README file.
Set up your /etc/python-policyd-spf/policyd-spf.conf to fit your needs.
At the beginning, run the policy server in test mode (no enforcement) by setting:
defaultSeedOnly = 0
For example, a quite good configuration for fighting spam (but not losing legitimate messages) would contain:
HELO_reject = Fail
Mail_From_reject = Fail
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0//104,::1//128
The meaning of each parameter is explained in the README file and in the man page (man 5 policyd-spf.conf).
Enable SPF check in Postfix
Edit your master.cf file and add at the end:
# SPF check
spfpolicy unix - n n - - spawn
  user=nobody argv=/usr/bin/python /usr/bin/policyd-spf
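Edit your main.cf file and add the following line in smtpd_recipient_restrictions, towards the end, but before the main policyd service (usually running on port 10031). Keep it after reject_unauth_destination, otherwise a permissive answer from the policy service can turn the server into an open relay: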
smtpd_recipient_restrictions = ... check_policy_service unix:private/spfpolicy, ...
- Verify the effect of your changes by checking the maillog.
- When you are happy with a set of config parameters for pypolicyd-spf, be sure to enable actual SPF enforcing:
defaultSeedOnly = 1
--Maxie ro 20:13, 15 February 2011 (UTC)
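
Besides reading the maillog, the policy server can be checked outside Postfix by handing it one policy delegation request on stdin, the same way the spawn entry in master.cf does. The script below is an added example, not part of the original tutorial or of pypolicyd-spf; the command path is taken from the master.cf entry above, and the addresses, host names and instance id are constructed sample values that you should replace with a real sender and client IP (the SPF lookup itself goes to DNS).

```python
#!/usr/bin/env python3
"""Send one Postfix policy delegation request to policyd-spf, as spawn(8) would."""
import subprocess

# Command taken from the master.cf entry in this tutorial.
POLICY_CMD = ["/usr/bin/python", "/usr/bin/policyd-spf"]


def build_request(client_ip, helo, sender, recipient):
    """Return the name=value attribute block Postfix sends at RCPT TO."""
    attrs = [
        ("request", "smtpd_access_policy"),
        ("protocol_state", "RCPT"),
        ("protocol_name", "ESMTP"),
        ("instance", "test.0001"),  # constructed id for this test
        ("client_address", client_ip),
        ("client_name", "unknown"),
        ("helo_name", helo),
        ("sender", sender),
        ("recipient", recipient),
    ]
    for name, value in attrs:
        # A newline inside a value would end or forge an attribute.
        if "\n" in value or "\r" in value:
            raise ValueError("newline in attribute %r" % name)
    # An empty line terminates the request.
    return "".join("%s=%s\n" % a for a in attrs) + "\n"


def parse_action(reply):
    """Split the server's 'action=...' reply into (verb, text)."""
    for line in reply.splitlines():
        if line.startswith("action="):
            verb, _, text = line[len("action="):].partition(" ")
            return verb.lower(), text
    raise ValueError("no action= line in reply: %r" % reply)


def query(request, cmd=POLICY_CMD, timeout=30):
    """Run the policy server on one request and return its parsed action."""
    done = subprocess.run(cmd, input=request, capture_output=True,
                          text=True, timeout=timeout, check=True)
    return parse_action(done.stdout)


if __name__ == "__main__":
    # Constructed sample values (documentation address range and domains).
    req = build_request("192.0.2.10", "mail.example.org",
                        "alice@example.org", "bob@example.net")
    print("action: %s %s" % query(req))
```

A verb of `prepend` means Postfix would only add a header to the message; a 5xx code or `reject` means it would refuse the message, and `defer_if_permit` means a temporary failure.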