SPF and Greylisting

SPF and Greylisting

steve-2

Hi,

policyd-spf and postgrey are implemented and working.

With exim, I was able to check the spf result and greylist upon receiving a certain result. I’m using Mail_From_pass_restriction = mfrom_passed_spf in policy-spf.conf.

Is there any way I can defer or greylist based on an spf result of Softfail?

TIA,

Steve

Re: SPF and Greylisting

Viktor Dukhovni
On Fri, Apr 05, 2019 at 10:55:38AM -0400, [hidden email] wrote:

> Hi,
>
> policyd-spf and postgrey are implemented and working.
>
> Is there any way I can defer or greylist based on an spf result of Softfail?

Yes, by having the policy service return a 4XX response.  Postfix
will do whatever the policy service asks.  Your question is perhaps
about those policy services, rather than Postfix per-se.

Note that you SHOULD NOT ultimately refuse email on SPF softfail,
but greylisting would be OK, if you find it meets your needs.

--
        Viktor.

Re: SPF and Greylisting

Wietse Venema
In reply to this post by steve-2
[hidden email]:
> Hi,
>
> policyd-spf and postgrey are implemented and working.
>
> With exim, I was able to check the spf result and greylist upon receiving a
> certain result. I'm using Mail_From_pass_restriction = mfrom_passed_spf in
> policy-spf.conf.
>
> Is there any way I can defer or greylist based on an spf result of Softfail?

If these are plugged in with check_policy_service, then the result
from the SPF check is not limited to permit or deny, it can be the
full repertoire of smtpd_mumble_restrictions.

So the SPF check could output something like

    check_policy_service name-of-greylist-plugin

if the client needs to be greylisted, and

    dunno

if not.

        Wietse
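
The hand-off described in the reply above, as an added example that is not part of the original thread and not code from policyd-spf or Postfix: a policy-delegation responder that answers Softfail with a `check_policy_service` action pointing at the greylister and `dunno` otherwise. The `spf_lookup` callable and the result-to-action mapping are assumptions made for illustration; the postgrey socket path is the one from the configuration posted in this thread.

```python
# Added example: a Postfix policy-delegation reply chosen from an SPF result.
# Socket path taken from the smtpd_recipient_restrictions posted in this thread.
GREYLIST = "check_policy_service unix:/var/spool/postfix/postgrey/socket"


def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break  # the empty line terminates the request
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed attribute line: %r" % line)
        attrs[name] = value
    return attrs


def action_for(spf_result):
    """Illustrative mapping (an assumption, not policyd-spf's own logic)."""
    result = spf_result.lower()
    if result in ("fail", "permerror"):
        return "reject SPF check failed"
    if result == "temperror":
        return "defer_if_permit SPF temporary error"
    if result == "softfail":
        return GREYLIST  # hand the decision to the stateful greylister
    return "dunno"  # pass, neutral, none: let later restrictions decide


def respond(request_text, spf_lookup):
    """spf_lookup(client_address, helo_name, sender) is a hypothetical callable."""
    attrs = parse_request(request_text)
    if attrs.get("request") != "smtpd_access_policy":
        return "action=dunno\n\n"
    result = spf_lookup(attrs.get("client_address", ""),
                        attrs.get("helo_name", ""), attrs.get("sender", ""))
    return "action=%s\n\n" % action_for(result)


# Constructed sample request (documentation addresses and domains).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=192.0.2.25\nhelo_name=mail.example.net\n"
    "sender=alice@example.net\nrecipient=bob@example.org\n\n"
)

if __name__ == "__main__":
    print(respond(SAMPLE_REQUEST, lambda ip, helo, sender: "softfail"), end="")
```

The greylister, not this responder, keeps the per-sender retry state, which is why Softfail is handed off rather than answered with a fixed 4XX.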

Re: SPF and Greylisting

Scott Kitterman-4
In reply to this post by steve-2


On April 5, 2019 2:55:38 PM UTC, [hidden email] wrote:

>Hi,
>
>policyd-spf and postgrey are implemented and working.
>
>With exim, I was able to check the spf result and greylist upon receiving a
>certain result. I'm using Mail_From_pass_restriction = mfrom_passed_spf in
>policy-spf.conf.
>
>Is there any way I can defer or greylist based on an spf result of Softfail?

This isn't precisely what you asked for, but I think it's close enough to give you the idea:

https://git.launchpad.net/spf-engine/tree/README.per_user_whitelisting

It shows how to use Postfix restriction classes to take different actions based on SPF result.

Note that this has not been updated in quite some time.  If you do use it and find it can be improved, bug reports on the Launchpad project would be appreciated.

Scott K

RE: SPF and Greylisting

steve-2
In reply to this post by Wietse Venema
Thanks for all of the suggestions.

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        reject_unauth_pipelining,
        permit_mynetworks,
        reject_unauth_destination,
        check_policy_service unix:private/policyd-spf,
        reject_unknown_reverse_client_hostname,
        reject_non_fqdn_helo_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_invalid_hostname,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        check_policy_service unix:/var/spool/postfix/postgrey/socket

So far, I've made a copy of policyd-spf and modified it so that Softfail and
Neutral returned defer.

However, there really doesn't seem to be a practical difference between
defer and reject in terms since a retry to the deferral would just lead to a
subsequent deferral until some action is taken.

I suppose the whole thing is moot since I'm greylisting as the last
condition, so really if the spf check returns dunno (everything other than
Fail or Permerror), eventually it will either be rejected by a following
rule or greylisted by the final policy check.

Steve

Re: SPF and Greylisting

@lbutlr
In reply to this post by Viktor Dukhovni
On 5 Apr 2019, at 09:11, Viktor Dukhovni <[hidden email]> wrote:
> Note that you SHOULD NOT ultimately refuse email on SPF softfail,
> but greylisting would be OK, if you find it meets your needs.

Is greylisting still effective? I know when I stopped using it, it was not doing much of anything, and I can't imagine it's gotten more effective.


--
Lisa Bonet ate no Basil