Using Postfix to check and verify SPF

Using Postfix to check and verify SPF

Simon Brereton-2
Hi

I finally got around to implementing SPF for my mail server and domains.  A lot easier than I thought it would be, certainly much easier than DKIM and I'm ashamed I didn't do it earlier.

In the course of doing that, I noticed that gmail/yahoo both add X-Headers about the validity of the SPF record.  I would like to do the same.

It doesn't, however, seem sensible to me to have the MTA do that if the content-filter will do it - so I fiddled around with amavis, installed Mail::SPF and now amavis purports to check the SPF record.  Well, and good, except that a) it doesn't add a specific tag line about the SPF validity (unless it's a fail) and b) I probably want to REJECT forged mail and not DISCARD or TAG..  Although the last option isn't the worst option in the world.

Looking at how to get postfix to do the lifting on this, I find on http://www.postfix.org/addon.html that "Note: Postfix already ships with SPF support, in the form of a plug-in policy daemon. This is the preferred integration model, at least until SPF is mandated by standards."

Well and good - but I don't seem to find further information in the documentation.  Added to which, I already pass incoming mail off to postfix-policyd for greylisting.  Do I really want to pass it off to a separate content filter adding even more hops?

On http://www.postfix.org/docs.html I found http://www.freesoftwaremagazine.com/articles/focus_spam_postfix?page=0%2C1# which says "use the smtpd-policy.pl script that ships with Postfix to handle SPF, and Postgrey as an add-on greylisting policy server. They’re defined in my master.cf file as:
spfpolicy unix -   n    n   - -   spawn
   user=nobody argv=/usr/bin/perl
         /usr/local/libexec/postfix/smtpd-policy.pl"

But I don't find smtpd-policy.pl in the files installed with Postfix - so I assume that's poetic licence..?  And it's actually installed from postfix-policyd-spf-perl, yes?  But I notice there's also a python option - postfix-policyd-spf-python.  

So my obvious question to the list is - Can I get amavis to explicitly add a header with the SPF validity, and if not, can I do this with policyd?  And if not, and I must install postfix-policyd-spf-python or postfix-policyd-spf-perl which do you recommend and why?


Thanks.

Simon





Re: Using Postfix to check and verify SPF

Scott Kitterman-4
On 10/26/2011 10:17 AM, Simon Brereton wrote:
...
> So my obvious question to the list is - Can I get amavis to explicitly
> add a header with the SPF validity, and if not, can I do this with
> policyd?  And if not, and I must install postfix-policyd-spf-python
> or postfix-policyd-spf-perl which do you recommend and why?

There is an amavis user list that you should consult for amavis support.

postfix-policyd-spf-perl is very simple and is, IMO, not suitable for
anything other than hobby installs.  postfix-policyd-spf-python is well
documented, supports a wide variety of configurations for different uses
and is much more complete.

I'm the last one to do any work on the Perl implementation and the
developer of the Python implementation.  Unless you are severely
allergic to Python and prepared to read/modify Perl source, I'd use the
Python one.  It is available as a distribution package in many distros.

Scott K

Re: Using Postfix to check and verify SPF

Simon Brereton-2
On 26 October 2011 10:27, Scott Kitterman <[hidden email]> wrote:
> On 10/26/2011 10:17 AM, Simon Brereton wrote:
> ...
>>
>> So my obvious question to the list is - Can I get amavis to explicitly
>> add a header with the SPF validity, and if not, can I do this with
>> policyd?  And if not, and I must install postfix-policyd-spf-python
>> or postfix-policyd-spf-perl which do you recommend and why?
>
> There is an amavis user list that you should consult for amavis support.

True - but most people use it.  Googling didn't help, so it's unlikely
that it can do it - still worth asking the wise people here though.

> postfix-policyd-spf-perl is very simple and is, IMO, not suitable for
> anything other than hobby installs.  postfix-policyd-spf-python is well
> documented, supports a wide variety of configurations for different uses and
> is much more complete.
>
> I'm the last one to do any work on the Perl implementation and the developer
> of the Python implementation.  Unless you are severely allergic to Python
> and prepared to read/modify Perl source, I'd use the Python one.  It is
> available as a distribution package in many distros.

Thanks for the advice.  Curiously for a "hobby installs" package it
has more howtos and documentation on Google.  I'm not averse to
python, but I'd still like reassurance that two policy filters is the
way to go..  For my edification, where would you put it in my
restrictions?

smtpd_recipient_restrictions = reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        permit_sasl_authenticated,
        reject_sender_login_mismatch,
        check_helo_access hash:/etc/postfix/helo_checks,
        check_sender_access hash:/etc/postfix/ip_whitelist,
        check_recipient_access hash:/etc/postfix/laxdomains,
        check_sender_access hash:/etc/postfix/backscatter
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname,
        check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
    permit_mynetworks,
        check_policy_service inet:127.0.0.1:10031,
        reject_unlisted_recipient,
        reject_unauth_destination,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client blackholes.mail-abuse.org,
        reject_rbl_client tw.countries.nerd.dk,
        reject_rbl_client kr.countries.nerd.dk,
        reject_rbl_client cn.countries.nerd.dk,
        reject_rbl_client relays.mail-abuse.org,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        warn_if_reject,
                reject_unknown_client,
        warn_if_reject,
                reject_rhsbl_client dsn.rfc-ignorant.org,
        warn_if_reject,
                reject_rbl_client dnsbl.sorbs.net,
        warn_if_reject,
                reject_rbl_client dnsbl.njabl.org,
        warn_if_reject,
                reject_rbl_client dul.dnsbl.sorbs.net,
        permit


Simon

Re: Using Postfix to check and verify SPF

Scott Kitterman-4
On 10/26/2011 10:44 AM, Simon Brereton wrote:
> On 26 October 2011 10:27, Scott Kitterman<[hidden email]>  wrote:
>> On 10/26/2011 10:17 AM, Simon Brereton wrote:
>> ...
>>>
>>> So my obvious question to the list is - Can I get amavis to explicitly
>>> add a header with the SPF validity, and if not, can I do this with
>>> policyd?  And if not, and I must install postfix-policyd-spf-python
>>> or postfix-policyd-spf-perl which do you recommend and why?
...

>> postfix-policyd-spf-perl is very simple and is, IMO, not suitable for
>> anything other than hobby installs.  postfix-policyd-spf-python is well
>> documented, supports a wide variety of configurations for different uses and
>> is much more complete.
>>
>> I'm the last one to do any work on the Perl implementation and the developer
>> of the Python implementation.  Unless you are severely allergic to Python
>> and prepared to read/modify Perl source, I'd use the Python one.  It is
>> available as a distribution package in many distros.
>
> Thanks for the advice.  Curiously for a "hobby installs" package it
> has more howtos and documentation on Google.  I'm not averse to
> python, but I'd still like reassurance that two policy filters is the
> way to go..  For my edification, where would you put it in my
> restrictions?

I'm not sure I understand the rationale behind your current setup well
enough to make a specific recommendation. I think the documentation
shipped with both policy servers should give sufficient guidance.

The Perl implementation was done several years before the Python one and
was, for many years, shipped with Postfix, so it's not surprising that
it would show up that way.  If it works for you as is, it's fine, but it
is missing a lot of options supported in the new Python implementation
(grab the source and read the documentation for details).

Scott K


Re: Using Postfix to check and verify SPF

Steve Fatula-2
In reply to this post by Simon Brereton-2
So my obvious question to the list is - Can I get amavis to explicitly add a header with the SPF validity, and if not, can I do this with policyd?  And if not, and I must install postfix-policyd-spf-python or postfix-policyd-spf-perl which do you recommend and why?

Can't help you with Amavis, but, I use mailfromd. It's fast (C), and, can add headers or do most anything. We do use it to add our own SPF header. This in turn feeds dspam, and, we also greylist those not passing the SPF check (unless FAIL, where we do reject the message). So, if none of the others work out, mailfromd certainly will.
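
The behaviour asked for in this thread (add an SPF header, reject on fail) maps directly onto the Postfix policy delegation protocol that `check_policy_service` speaks. The sketch below is an added example, not code from any poster or from either policyd-spf package: it parses a policy request and answers with a 550 or a `PREPEND Received-SPF:` action. Assumptions: the SPF records and the request are constructed samples standing in for DNS and a live SMTP session, and only the `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups (assumption).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.7 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed policy request, in the name=value form Postfix sends.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=203.0.113.5\nhelo_name=mail.example.org\n"
    "sender=alice@example.org\nrecipient=bob@example.com\n\n"
)

def parse_policy_request(text):
    """Parse one request: name=value lines terminated by an empty line."""
    body = text.split("\n\n", 1)[0]
    return dict(line.partition("=")[::2] for line in body.splitlines())

def spf_result(domain, client_ip, records=SPF_RECORDS):
    """Evaluate ip4/ip6/all only; other mechanisms are skipped (simplification)."""
    terms = records.get(domain.lower(), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = QUALIFIERS.get(term[0], "pass")
        mech = term[1:] if term[0] in QUALIFIERS else term
        kind, _, net = mech.lower().partition(":")
        if kind == "all":
            return qualifier
        if kind in ("ip4", "ip6") and ip in ipaddress.ip_network(net, strict=False):
            return qualifier
    return "neutral"

def policy_action(request_text):
    """Reject on SPF fail; otherwise prepend a Received-SPF header."""
    a = parse_policy_request(request_text)
    sender, ip = a.get("sender", ""), a.get("client_address", "")
    helo = a.get("helo_name", "")
    domain = sender.rpartition("@")[2] or helo  # null sender: fall back to HELO
    result = spf_result(domain, ip)
    if result == "fail":
        return "action=550 5.7.23 SPF check failed for %s\n\n" % domain
    return ('action=PREPEND Received-SPF: %s client-ip=%s; envelope-from="%s"; helo=%s\n\n'
            % (result, ip, sender, helo))
```

A production policy server also has to follow `include`, `a`, `mx` and `redirect`, enforce the DNS lookup limit and handle temporary DNS errors, which is what the packaged policy daemons discussed above are for.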