Whitelisting secondary MX for spf check

Whitelisting secondary MX for spf check

bsd@todoo.biz
Hello,

I am using two postfix servers and quite often some misconfigured mail
servers are sending mail to the backup MX instead of the primary.
Both servers have postfix implemented using the 'classic' conf:

in main.cf

> smtpd_recipient_restrictions =
>            permit_mynetworks,
>            permit_sasl_authenticated,
>            check_recipient_access hash:/usr/local/etc/postfix/access
>            reject_unauth_destination,
>            reject_invalid_hostname,
>            reject_unknown_sender_domain,
>            # SPF implementation
>            check_policy_service unix:private/policy
>            # Greylisting implementation
>            check_policy_service inet:127.0.0.1:10023

and in master.cf :

> # SPF policy implementation /usr/ports/mail/postfix-policyd-spf
> policy  unix  -       n       n       -       -       spawn
>   user=nobody argv=/usr/local/sbin/postfix-policyd-spf
>


The problem is that I sometimes have (quite often in fact) rejected
mail because they are using spf and the mail is transferred from my
backup MX to my master server and my server is considering that second
server as the issuer.

Is there any option that I can activate in master.cf or main.cf to
avoid that… my initial reading and googling have not been very
successful.



Thanks.

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Gregober ---> PGP ID --> 0x1BA3C2FD
bsd @at@ todoo.biz
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

"Please consider your environmental responsibility before printing
this e-mail"


Re: Whitelisting secondary MX for spf check

Noel Jones-2
On 9/14/2009 12:18 PM, bsd wrote:

> Hello,
>
> I am using two postfix servers and quite often some misconfigured mail
> servers are sending mail to the backup MX instead of the primary.
> Both servers have postfix implemented using the 'classic' conf:
>
> in main.cf
>
>> smtpd_recipient_restrictions =
>> permit_mynetworks,
>> permit_sasl_authenticated,
>> check_recipient_access hash:/usr/local/etc/postfix/access
>> reject_unauth_destination,
>> reject_invalid_hostname,
>> reject_unknown_sender_domain,
>> # SPF implementation
>> check_policy_service unix:private/policy
>> # Greylisting implementation
>> check_policy_service inet:127.0.0.1:10023
>
> and in master.cf :
>
>> # SPF policy implementation /usr/ports/mail/postfix-policyd-spf
>> policy unix - n n - - spawn
>> user=nobody argv=/usr/local/sbin/postfix-policyd-spf
>>
>
>
> The problem is that I sometimes have (quite often in fact) rejected mail
> because they are using spf and the mail is transferred from my backup MX
> to my master server and my server is considering that second server as
> the issuer.

Add your secondary MX to mynetworks.

You shouldn't ever reject mail already accepted by your
secondary.  To facilitate that, your secondary must have as
strict or stricter UCE controls, and must have a current valid
recipients list.

If you can't do those things, you probably shouldn't have a
secondary.

   -- Noel Jones
Re: Whitelisting secondary MX for spf check

Victor Duchovni
On Mon, Sep 14, 2009 at 12:40:08PM -0500, Noel Jones wrote:

>> The problem is that I sometimes have (quite often in fact) rejected mail
>> because they are using spf and the mail is transferred from my backup MX
>> to my master server and my server is considering that second server as
>> the issuer.
>
> Add your secondary MX to mynetworks.

Generally, "mynetworks" also grants "relay" rights, which violates least
privilege. So I would use a separate "whitelist" that is invoked just
after "reject_unauth_destination" and before other (e.g. SPF) checks.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
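The two answers above differ on where the secondary MX gets its exemption: `permit_mynetworks` sits before `reject_unauth_destination`, so adding the backup MX to `mynetworks` also lets it relay anywhere, whereas a separate client whitelist placed after `reject_unauth_destination` and before the `check_policy_service` entries skips SPF and greylisting without granting relay. The following script is an added example, not code from the thread or from Postfix: it parses `smtpd_recipient_restrictions` and `mynetworks` from a main.cf fragment and reports which of the three situations a configuration is in. The three fragments, the `backup_mx.cidr` table path and the address 192.0.2.25 are constructed samples.

```python
"""Added lint for the backup-MX exemption discussed in this thread: reports
whether the backup MX is merely in mynetworks (which also grants relay), not
exempted at all, or exempted via check_client_access placed after
reject_unauth_destination and before the SPF/greylisting policy services."""
import ipaddress
import re

# Restrictions whose next token is a lookup-table or policy-service argument.
WITH_ARG = {"check_client_access", "check_helo_access", "check_sender_access",
            "check_recipient_access", "check_policy_service"}
BACKUP_MX_IP = "192.0.2.25"  # constructed placeholder for the secondary MX

# 1. The original poster's configuration: no exemption for the backup MX.
ORIGINAL_MAIN_CF = """\
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions =
           permit_mynetworks,
           permit_sasl_authenticated,
           check_recipient_access hash:/usr/local/etc/postfix/access
           reject_unauth_destination,
           reject_invalid_hostname,
           reject_unknown_sender_domain,
           # SPF implementation
           check_policy_service unix:private/policy
           # Greylisting implementation
           check_policy_service inet:127.0.0.1:10023
"""
# 2. Backup MX added to mynetworks: SPF is skipped, but so is relay control.
MYNETWORKS_MAIN_CF = ORIGINAL_MAIN_CF.replace(
    "mynetworks = 127.0.0.0/8", "mynetworks = 127.0.0.0/8, 192.0.2.25/32")
# 3. Separate whitelist after reject_unauth_destination: SPF/greylisting skipped, no relay.
HARDENED_MAIN_CF = """\
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access hash:/usr/local/etc/postfix/access,
    reject_unauth_destination,
    check_client_access cidr:/usr/local/etc/postfix/backup_mx.cidr,
    reject_invalid_hostname,
    reject_unknown_sender_domain,
    check_policy_service unix:private/policy,
    check_policy_service inet:127.0.0.1:10023
"""
BACKUP_MX_CIDR = "192.0.2.25/32  OK\n"  # contents of that cidr table (cidr_table(5) format)

def get_param(main_cf, name):
    """Parameter value with continuation lines (leading whitespace) joined; '#' lines dropped."""
    parts, collecting = [], False
    for line in main_cf.splitlines():
        if re.match(r"^\s*#", line):
            continue
        if re.match(rf"^{re.escape(name)}\s*=", line):
            collecting = True
            parts.append(line.split("=", 1)[1])
        elif collecting and line[:1] in (" ", "\t"):
            parts.append(line)
        elif collecting:
            break
    return " ".join(parts)

def parse_restrictions(main_cf):
    """Ordered restriction entries; Postfix accepts commas and/or whitespace as separators."""
    entries = []
    for tok in filter(None, re.split(r"[,\s]+", get_param(main_cf, "smtpd_recipient_restrictions"))):
        if entries and entries[-1] in WITH_ARG:
            entries[-1] += " " + tok  # attach the table/service argument
        else:
            entries.append(tok)
    return entries

def in_mynetworks(main_cf, ip):
    """True if ip lies inside a literal network in mynetworks (table references are skipped)."""
    addr = ipaddress.ip_address(ip)
    for net in re.split(r"[,\s]+", get_param(main_cf, "mynetworks")):
        try:
            if addr in ipaddress.ip_network(net, strict=False):
                return True
        except ValueError:  # empty token or a lookup-table reference such as cidr:/path
            continue
    return False

def audit(main_cf, backup_mx_ip=BACKUP_MX_IP):
    """Findings list; empty means the exemption follows least privilege."""
    entries = parse_restrictions(main_cf)
    first = lambda p: next((i for i, e in enumerate(entries) if e.startswith(p)), None)
    relay, exempt, policy = first("reject_unauth_destination"), first("check_client_access "), first("check_policy_service ")
    findings = []
    if in_mynetworks(main_cf, backup_mx_ip):
        findings.append("backup MX is in mynetworks: permit_mynetworks also grants relay")
    elif exempt is None:
        findings.append("backup MX not exempted: SPF/greylisting still run on relayed mail")
    else:
        if relay is None or exempt < relay:
            findings.append("whitelist not preceded by reject_unauth_destination: would permit relaying")
        if policy is not None and exempt > policy:
            findings.append("whitelist follows check_policy_service: SPF still runs first")
    return findings
```

Running `audit()` over the three fragments gives one finding for the original configuration (nothing exempts the backup MX), one for the mynetworks variant (relay rights granted along with the SPF bypass), and none for the hardened variant. The `OK` result in the cidr table ends restriction processing for that client, which is exactly why the entry must come after `reject_unauth_destination`: placed before it, the same table would turn the backup MX into a relay client.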
Re: Whitelisting secondary MX for spf check

Scott Kitterman-4
In reply to this post by bsd@todoo.biz
On Mon, 14 Sep 2009 19:18:36 +0200 bsd <[hidden email]> wrote:

>Hello,
>
>I am using two postfix servers and quite often some misconfigured mail
>servers are sending mail to the backup MX instead of the primary.
>Both servers have postfix implemented using the 'classic' conf:
>
>in main.cf
>
>> smtpd_recipient_restrictions =
>>            permit_mynetworks,
>>            permit_sasl_authenticated,
>>            check_recipient_access hash:/usr/local/etc/postfix/access
>>            reject_unauth_destination,
>>            reject_invalid_hostname,
>>            reject_unknown_sender_domain,
>>            # SPF implementation
>>            check_policy_service unix:private/policy
>>            # Greylisting implementation
>>            check_policy_service inet:127.0.0.1:10023
>
>and in master.cf :
>
>> # SPF policy implementation /usr/ports/mail/postfix-policyd-spf
>> policy  unix  -       n       n       -       -       spawn
>>   user=nobody argv=/usr/local/sbin/postfix-policyd-spf
>>
>
>
>The problem is that I sometimes have (quite often in fact) rejected
>mail because they are using spf and the mail is transferred from my
>backup MX to my master server and my server is considering that second
>server as the issuer.
>
>Is there any option that I can activate in master.cf or main.cf to
>avoid that… my initial reading and googling have not been very
>successful.
>
Not exactly the question you asked, but if you are using one of the policy servers from http://www.openspf.org/Software, both provide their own mechanism for bypassing SPF checks for specific relays (like secondary MX).

The Python implementation provides this in a proper config file.  The Perl implementation is much more primitive and you have to edit the actual executable script (patches welcome).  In either case, the documentation shipped with the packages should explain how to do it.

Scott K