Postfix + SPF/SRS advice

Hi guys,

I'm running a mail gateway (soon to add a second one) and I've just
recently started having problems with SPF as many of our users just
use us to forward mail. At the moment all I have is an SPF entry in
DNS so I'm looking at SPF and SRS patches/plugins for postfix. The
last SRS patch I found was for postfix 2.1.4 which is hardly helpful.

Can anyone give me suggestions on where I can find more information on
SPF/SRS in Postfix or suggestions on other solutions to the SPF/SRS
problem if any?

Thanks
Guy

I'm running packages provided in Ubuntu 8.04:
Postfix 2.5.1 + Postfix-mysql
postfix-policyd 1.82
amavisd-new
  - Clam-AV (no spamassassin at the moment - although I've noticed spf
packages related to it)

--
Don't just do something...sit there!

Guy wrote:
SPF running in conjunction with Postfix will only do verification.
http://www.openspf.org/Software lists the packages known to work properly.
What makes you think you have a problem?

That said, make sure to police your users effectively. Use antivirus and
antispam (do install spamassassin).
Read through http://www.openspf.org/ for issues on SPF. REQUIRE SASL for
users on untrusted networks.

If you want further help with a specific case, post (non-verbose) logs
of a transaction and 'postconf -n'.

Brian

Hi Brian,

2008/9/8 Brian Evans - Postfix List <[hidden email]>:
> SPF running in conjunction with Postfix will only do verification.
> http://www.openspf.org/Software lists the packages known to work properly.
> What makes you think you have a problem?

I should have been more specific. I've had a couple of cases of
forwarded mail being rejected by servers doing SPF checks and
obviously the sender doesn't match my server since it's forwarded
mail. That's why I've been looking at SRS.

> That said, make sure to police your users effectively. Use antivirus and
> antispam (do install spamassassin).
> Read through http://www.openspf.org/ for issues on SPF. REQUIRE SASL for
> users on untrusted networks.

At the moment the server already uses a few RBL's, greylisting and
clam-av. But it only accepts mail. It isn't set up to allow any
sending from users. SASL is already required for the servers used by
clients to send out mail.

Thanks
Guy


--
Don't just do something...sit there!

Guy wrote:
> Hi guys,
>
> I'm running a mail gateway (soon to add a second one) and I've just
> recently started having problems with SPF as many of our users just
> use us to forward mail.

Can you give more details here? do you forward mail for domains that
have a "-all"? (if so, can you give an example of such a domain?). is
forwarded mail rejected? ... etc.

> At the moment all I have is an SPF entry in
> DNS

which is irrelevant, gven that you have problems with other domains SPF
records, not with yours.

> so I'm looking at SPF and SRS patches/plugins for postfix. The
> last SRS patch I found was for postfix 2.1.4 which is hardly helpful.
>


postfix can be configured to pass any mail you want to whatever program
you want. so if you want SRS, pass mail to an external program where you
implement SRS. but there's no need to use SRS. you can use any rewrite
mechanism you like. (well, obviously, I'm not spf-friendly. sorry;-).

> Can anyone give me suggestions on where I can find more information on
> SPF/SRS in Postfix or suggestions on other solutions to the SPF/SRS
> problem if any?

the question is how you forward mail?

you can use maildrop, procmail or whatever program. just pipe the
message and you're done :)

Guy wrote:

we'd like to see a concrete example: sender domain and the
"uncooperative" remote server.


how is forwarding implemented?

Guy:
SRS requires envelope sender munging. This would require an external
content filter. Postfix Milter support to replace the envelope
sender is still on the todo list.

        Wietse

Hi Mouss,

2008/9/8 mouss <[hidden email]>:
> we'd like to see a concrete example: sender domain and the "uncooperative"
> remote server.

<[hidden email]>: host ricercare.co.uk[195.216.196.141] said: 550
SPF: x.x.x.x is not allowed to send mail from growse.com (in reply
to RCPT TO command)

> how is forwarding implemented?

Forwarding is done by a MySQL table called by virtual_alias_maps in
postfix. Any local mail is relayed to a Barracuda AntiSpam box and
forwarders are relayed to their mx's. All mail goes through a list of
rbls, greylisting (postfix-policyd) and clamav before relay.
At the moment there is only one domain going through this gateway, but
in the near future all our domains are going to be pushed through the
gateways.

Thanks
Guy

--
Don't just do something...sit there!

Hi Wietse,

2008/9/8 Wietse Venema <[hidden email]>:
> SRS requires envelope sender munging. This would require an external
> content filter. Postfix Milter support to replace the envelope
> sender is still on the todo list.

Are you aware of one that works well with Postfix? There are a few
packages in Ubuntu, but knowing what you guys recommend is better than
picking at random.

Thanks
Guy

--
Don't just do something...sit there!

Guy wrote:
growse.com SPF record: v=spf1 ip4:72.36.255.98 -all

This means.. if it's not sending as 72.36.255.98 reject it. (If the mail
server enforces SPF.)

Brian