Debian Tutorials

Debian Tutorials


Step by step tutorials showing you how to install and configure various applications and services on Debian based Linux distros.

March 2024
M T W T F S S
 123
45678910
11121314151617
18192021222324
25262728293031

Categories


Implementing SPF checks in Postfix

Ástþór IPÁstþór IP

Sender Policy Framework (SPF), as defined in RFC 4408, is an e-mail validation system designed to prevent e-mail spam by addressing a common vulnerability, source address spoofing. SPF allows administrators to specify which hosts are allowed to send e-mail from a given domain by creating a specific DNS SPF record in the public DNS. Mail exchangers then use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain’s administrators.

It’s assumed that you have already installed Postfix and MailScanner. If not, check these tutorials:

Installing Postfix with MySql backend and SASL for SMTP authentication
Installing and configuring MailScanner for virus and spam filtering (Postfix, ClamAV, SpamAssassin, Razor)

1. Install the Postfix policy engine

apt-get install postfix-policyd-spf-perl

2. Add the policy check to smtpd_recipient_restrictions (pico /etc/postfix/main.cf)

smtpd_recipient_restrictions = [...], check_policy_service unix:private/policy

Make sure you don’t remove other restrictions, just add it to the end of the line.

3. Add the policy engine to the Postfix master.cf (pico /etc/postfix/master.cf)

policy unix - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/sbin/postfix-policyd-spf-perl

4. Reload Postfix configuration

postfix reload

5. Check if this is working

telnet yourserver 25
HELO gmail.com
MAIL FROM: <user*@gmail.com>
RCPT TO: <user*@domain.com>
DATA
test
.

Replace user*@domain.com with a e-mail address hosted on your Postfix mailserver and user*@gmail.com with a valid Gmail e-mail address.

Look at /var/log/mail.log and you should see that the MailScanner score has been increased by SPF related rules:

Message 62ACA1813C.AFC5A from 192.168.1.4 ([email protected]) to domain.com is spam, SpamAssassin (score=7.394, required 6, MISSING_SUBJECT 1.28, SPF_HELO_NEUTRAL 2.00, SPF_NEUTRAL 1.21, TVD_SPACE_RATIO 2.90)

Comments 4
  • klslowik
    Posted on

    klslowik klslowik

    Author

    You should add to main.cf:

    policy_time_limit=3600


  • Jens
    Posted on

    Jens Jens

    Author

    it seems that my SPF isn’t running at all after doing this, the log dosent return anything of SPF, what could be wrong?


  • Michael
    Posted on

    Michael Michael

    Author

    Point 5 obviously misses something, according to the instructions after the first box.


  • aip
    Posted on

    aip aip

    Author

    @Michael: I have fixed this. Turns out some HTML code was removed. Thanks!