Hi guys,
I'm running a mail gateway (soon to add a second one) and I've just recently started having problems with SPF as many of our users just use us to forward mail. At the moment all I have is an SPF entry in DNS so I'm looking at SPF and SRS patches/plugins for postfix. The last SRS patch I found was for postfix 2.1.4 which is hardly helpful. Can anyone give me suggestions on where I can find more information on SPF/SRS in Postfix or suggestions on other solutions to the SPF/SRS problem if any? Thanks Guy I'm running packages provided in Ubuntu 8.04: Postfix 2.5.1 + Postfix-mysql postfix-policyd 1.82 amavisd-new - Clam-AV (no spamassassin at the moment - although I've noticed spf packages related to it) -- Don't just do something...sit there! |
Guy wrote:
> Hi guys, > > I'm running a mail gateway (soon to add a second one) and I've just > recently started having problems with SPF as many of our users just > use us to forward mail. At the moment all I have is an SPF entry in > DNS so I'm looking at SPF and SRS patches/plugins for postfix. The > last SRS patch I found was for postfix 2.1.4 which is hardly helpful. > > Can anyone give me suggestions on where I can find more information on > SPF/SRS in Postfix or suggestions on other solutions to the SPF/SRS > problem if any? > > SPF running in conjunction with Postfix will only do verification. http://www.openspf.org/Software lists the packages known to work properly. What makes you think you have a problem? That said, make sure to police your users effectively. Use antivirus and antispam (do install spamassassin). Read through http://www.openspf.org/ for issues on SPF. REQUIRE SASL for users on untrusted networks. If you want further help with a specific case, post (non-verbose) logs of a transaction and 'postconf -n'. Brian |
Hi Brian,
2008/9/8 Brian Evans - Postfix List <[hidden email]>: > SPF running in conjunction with Postfix will only do verification. > http://www.openspf.org/Software lists the packages known to work properly. > What makes you think you have a problem? I should have been more specific. I've had a couple of cases of forwarded mail being rejected by servers doing SPF checks and obviously the sender doesn't match my server since it's forwarded mail. That's why I've been looking at SRS. > That said, make sure to police your users effectively. Use antivirus and > antispam (do install spamassassin). > Read through http://www.openspf.org/ for issues on SPF. REQUIRE SASL for > users on untrusted networks. At the moment the server already uses a few RBL's, greylisting and clam-av. But it only accepts mail. It isn't set up to allow any sending from users. SASL is already required for the servers used by clients to send out mail. Thanks Guy -- Don't just do something...sit there! |
In reply to this post by Guy-749
Guy wrote:
> Hi guys, > > I'm running a mail gateway (soon to add a second one) and I've just > recently started having problems with SPF as many of our users just > use us to forward mail. Can you give more details here? do you forward mail for domains that have a "-all"? (if so, can you give an example of such a domain?). is forwarded mail rejected? ... etc. > At the moment all I have is an SPF entry in > DNS which is irrelevant, gven that you have problems with other domains SPF records, not with yours. > so I'm looking at SPF and SRS patches/plugins for postfix. The > last SRS patch I found was for postfix 2.1.4 which is hardly helpful. > postfix can be configured to pass any mail you want to whatever program you want. so if you want SRS, pass mail to an external program where you implement SRS. but there's no need to use SRS. you can use any rewrite mechanism you like. (well, obviously, I'm not spf-friendly. sorry;-). > Can anyone give me suggestions on where I can find more information on > SPF/SRS in Postfix or suggestions on other solutions to the SPF/SRS > problem if any? the question is how you forward mail? you can use maildrop, procmail or whatever program. just pipe the message and you're done :) |
In reply to this post by Guy-749
Guy wrote:
> Hi Brian, > > 2008/9/8 Brian Evans - Postfix List <[hidden email]>: >> SPF running in conjunction with Postfix will only do verification. >> http://www.openspf.org/Software lists the packages known to work properly. >> What makes you think you have a problem? > > I should have been more specific. I've had a couple of cases of > forwarded mail being rejected by servers doing SPF checks and > obviously the sender doesn't match my server since it's forwarded > mail. That's why I've been looking at SRS. we'd like to see a concrete example: sender domain and the "uncooperative" remote server. > >> That said, make sure to police your users effectively. Use antivirus and >> antispam (do install spamassassin). >> Read through http://www.openspf.org/ for issues on SPF. REQUIRE SASL for >> users on untrusted networks. > > At the moment the server already uses a few RBL's, greylisting and > clam-av. But it only accepts mail. It isn't set up to allow any > sending from users. SASL is already required for the servers used by > clients to send out mail. how is forwarding implemented? |
In reply to this post by Guy-749
Guy:
> Hi guys, > > I'm running a mail gateway (soon to add a second one) and I've just > recently started having problems with SPF as many of our users just > use us to forward mail. At the moment all I have is an SPF entry in > DNS so I'm looking at SPF and SRS patches/plugins for postfix. The > last SRS patch I found was for postfix 2.1.4 which is hardly helpful. > > Can anyone give me suggestions on where I can find more information on > SPF/SRS in Postfix or suggestions on other solutions to the SPF/SRS > problem if any? SRS requires envelope sender munging. This would require an external content filter. Postfix Milter support to replace the envelope sender is still on the todo list. Wietse |
In reply to this post by mouss-2
Hi Mouss,
2008/9/8 mouss <[hidden email]>: > we'd like to see a concrete example: sender domain and the "uncooperative" > remote server. <[hidden email]>: host ricercare.co.uk[195.216.196.141] said: 550 SPF: x.x.x.x is not allowed to send mail from growse.com (in reply to RCPT TO command) > how is forwarding implemented? Forwarding is done by a MySQL table called by virtual_alias_maps in postfix. Any local mail is relayed to a Barracuda AntiSpam box and forwarders are relayed to their mx's. All mail goes through a list of rbls, greylisting (postfix-policyd) and clamav before relay. At the moment there is only one domain going through this gateway, but in the near future all our domains are going to be pushed through the gateways. Thanks Guy -- Don't just do something...sit there! |
In reply to this post by Wietse Venema
Hi Wietse,
2008/9/8 Wietse Venema <[hidden email]>: > SRS requires envelope sender munging. This would require an external > content filter. Postfix Milter support to replace the envelope > sender is still on the todo list. Are you aware of one that works well with Postfix? There are a few packages in Ubuntu, but knowing what you guys recommend is better than picking at random. Thanks Guy -- Don't just do something...sit there! |
In reply to this post by Guy-749
Guy wrote:
> Hi Mouss, > > 2008/9/8 mouss <[hidden email]>: > >> we'd like to see a concrete example: sender domain and the "uncooperative" >> remote server. >> > > <[hidden email]>: host ricercare.co.uk[195.216.196.141] said: 550 > SPF: x.x.x.x is not allowed to send mail from growse.com (in reply > to RCPT TO command) > \ > growse.com SPF record: v=spf1 ip4:72.36.255.98 -all This means.. if it's not sending as 72.36.255.98 reject it. (If the mail server enforces SPF.) Brian |
Free forum by Nabble | Edit this page |