policyd-spf tip

policyd-spf tip

lists@lazygranch.com
There are many "problem solving pages" on the interwebs that have wrong
information on setting up policyd-spf. The key is to make sure you use
consistent names in both main.cf and master.cf. Yeah, I know, I'm
preaching to the choir, but hopefully the next person with a set up
problem finds this message in a search.

In master.cf:
policy    unix  -       n       n       -       0       spawn
     user=nobody  argv=/usr/libexec/postfix/policyd-spf /etc/policyd-spf/policyd-spf.conf

Note you need to make sure the conf file location is correct.

In main.cf:
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  reject_rbl_client zen.spamhaus.org,
  check_policy_service unix:private/policy,
  permit

policy_time_limit = 3600

The word "policy" needs to be consistent in all three locations. For
example, this would be wrong:
  check_policy_service unix:private/policyd-spf,

Also wrong would be:
policyd_time_limit = 3600


In postfix, systemctl status postfix should indicate the policyd-spf
daemon was started:
------------
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2017-12-25 05:28:11 UTC; 16s ago
  Process: 7661 ExecStop=/usr/sbin/postfix stop (code=exited, status=0/SUCCESS)
  Process: 7681 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
  Process: 7679 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
  Process: 7677 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
 Main PID: 7755 (master)
   CGroup: /system.slice/postfix.service
           ├─7755 /usr/libexec/postfix/master -w
           ├─7756 pickup -l -t unix -u
           ├─7757 qmgr -l -t unix -u
           ├─7758 smtpd -n smtp -t inet -u -o stress=
           ├─7759 proxymap -t unix -u
           ├─7760 tlsmgr -l -t unix -u
           ├─7761 anvil -l -t unix -u
           ├─7763 trivial-rewrite -n rewrite -t unix -u
           ├─7764 spawn -z -n policy -t unix user=nobody argv=/usr/libexec/postfix/policyd-spf /etc/policyd-spf/policyd-spf.conf
           ├─7765 /usr/bin/python /usr/libexec/postfix/policyd-spf /etc/policyd-spf/policyd-spf.conf
           ├─7766 cleanup -z -t unix -u
           └─7767 virtual -t unix
-------------------------------------

And proof it is working from an email header:
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=66.163.187.148; helo=sonic316-22.consmr.mail.ne1.yahoo.com; envelope-from=[hidden email]; receiver=[hidden email]
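
Added example (not part of the original post, and not code from the Postfix or policyd-spf projects): a small Python check for the three-way name consistency described above, run against a correct main.cf and one containing both mistakes the post calls out. The sample files are constructed and the function names are hypothetical.

```python
import re

# Constructed sample files, modelled on the post; not taken from a real host.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
policy    unix  -       n       n       -       0       spawn
     user=nobody  argv=/usr/libexec/postfix/policyd-spf /etc/policyd-spf/policyd-spf.conf
"""
MAIN_CF_GOOD = """\
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_policy_service unix:private/policy,
  permit
policy_time_limit = 3600
"""
# The two mistakes the post calls out: wrong socket name, wrong *_time_limit name.
MAIN_CF_BAD = (MAIN_CF_GOOD.replace("private/policy,", "private/policyd-spf,")
               .replace("policy_time_limit", "policyd_time_limit"))

def logical_lines(text):
    """Drop comments/blank lines and join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def check_names(master_cf, main_cf):
    """Return a list of naming mismatches between master.cf and main.cf."""
    fields = [line.split() for line in logical_lines(master_cf)]
    # master.cf columns: service type private unpriv chroot wakeup maxproc command
    spawned = {f[0] for f in fields if len(f) >= 8 and f[1] == "unix" and f[7] == "spawn"}
    main = logical_lines(main_cf)
    refs = set(re.findall(r"check_policy_service\s+unix:private/([^\s,]+)", " ".join(main)))
    limits = {m.group(1) for line in main if (m := re.match(r"(\S+)_time_limit\s*=", line))}
    problems = [f"unix:private/{n} has no spawn service '{n}' in master.cf"
                for n in sorted(refs - spawned)]
    problems += [f"spawn service '{n}' is not used by any check_policy_service"
                 for n in sorted(spawned - refs)]
    problems += [f"{n}_time_limit is not set in main.cf" for n in sorted(spawned - limits)]
    return problems

if __name__ == "__main__":
    for label, cfg in (("good", MAIN_CF_GOOD), ("bad", MAIN_CF_BAD)):
        print(label, check_names(MASTER_CF, cfg) or "consistent")
```

On a live host the same function can be given the contents of the real main.cf and master.cf instead of the constructed strings.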
 

Re: policyd-spf tip

gao
I quickly checked my policyd-spf setting after reading your email. I
noticed that the policyd-spf in my system is not running as a service.

I guess you are using debian. I am using CentOS7 and I installed
pypolicyd-spf from EPEL. So is there a big advantage to running it as a
daemon service? How do I enable it as a service? Obviously yum install
doesn't take care of the service setup.

Gao


Re: policyd-spf tip

lists@lazygranch.com
I figured I would middle post, so skip down a bit.

On Mon, 25 Dec 2017 11:56:02 -0800
Gao <[hidden email]> wrote:

> I quickly checked my policyd-spf setting after read your email. I
> noticed that the policyd-spf in my system is not running as a service.
>
> I guess you are using debian. I am using CentOS7 and I installed
> pypolicyd-spf from EPEL. So is there a big advantage to running it as
> a daemon service? How do I enable it as a service? Obviously yum
> install doesn't take care of the service setup.
>
> Gao

I'm on Centos 7. This is my uname -a.
Linux servername 3.10.0-693.11.1.el7.x86_64 #1 SMP Mon Dec 4 23:52:40 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Looking at ps aux, policyd-spf is not running. In the strict sense,
that means it is not a daemon.
https://en.wikipedia.org/wiki/Daemon_(computing)
However all references to policyd and policyd-spf are as daemons.  

I'm new to Centos. I run opensuse on my desktop and had presently have
my VPS server on FreeBSD. Due to update issues, I decided to abandon
FreeBSD for Centos, since I'm more familiar with Linux than BSD these
days.




Re: policyd-spf tip

Scott Kitterman-4


On December 25, 2017 10:25:42 PM EST, "[hidden email]" <[hidden email]> wrote:

>I figured I would middle post, so skip down a bit.
>
>On Mon, 25 Dec 2017 11:56:02 -0800
>Gao <[hidden email]> wrote:
>
>> I quickly checked my policyd-spf setting after read your email. I
>> noticed that the policyd-spf in my system is not running as a service.
>>
>> I guess you are using debian. I am using CentOS7 and I installed
>> pypolicyd-spf from EPEL. So is there a big advantage to running it as
>> a daemon service? How do I enable it as a service? Obviously yum
>> install doesn't take care of the service setup.
>>
>> Gao
>
>I'm on Centos 7. This is my uname -a.
>Linux servername 3.10.0-693.11.1.el7.x86_64 #1 SMP Mon Dec 4 23:52:40
>UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>
>Looking at ps aux, policyd-spf is not running. In the strict sense,
>that means it is not a daemon.
>https://en.wikipedia.org/wiki/Daemon_(computing)
>However all references to policyd and policyd-spf are as daemons.  
>
>I'm new to Centos. I run opensuse on my desktop and had presently have
>my VPS server on FreeBSD. Due to update issues, I decided to abandon
>FreeBSD for Centos, since I'm more familiar with Linux than BSD these
>days.

Despite the name, it's not a daemon.  When I started the project, I anticipated that in its future, but later decided staying with using spawn was a good idea.  I also decided renaming wasn't worth the trouble.

Scott K