In a previously post I updated my webmail installation on a self hosted mail system to the latest release. This post will cover SPF (Sender Policy Framework) which is responsible for email authentication during the delivery of the emails.
For you own domains you should set DNS-based TXT records which described you policy and the systems(ip-addresses or ranges) which are allowed to handle e-mail traffic for your domain(s).
Postfix-SPF validation can sieve additional amount of unwanted e-mails if they are reaching your postboxes after postfix was accepted the e-mails.
But this is not the the root-solution if your postfix instance is getting too much spam and fake-mails.
SPF Integration
This integration was done on a Debian 10 with postfix version 3+
apt install postfix-policyd-spf-python
# /etc/postfix/main.cf
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
[..],
check_policy_service unix:private/policyd-spf,
[..]
# /etc/postfix/master.cf
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
Finally restart the postfix service:
systemctl restart postfix
and send yourself from another provider a couple of emails.
Tests, conclusions
You will see in your mail.log an additional line, which will tell you, if the inbound SPF-verification was successful or not.
policyd-spf: prepend Received-SPF: Pass (mailfrom) identity=mailfrom;
client-ip=209.85.166.46; helo=mail-io1-f46.google.com;
This one example shows a wrong configured system, which was trying to send a email through the server, where SPF verification was configured:
policyd-spf: prepend Received-SPF: Permerror (mailfrom)
identity=mailfrom; client-ip=167.88.2.77; helo=katrine.wirhandelnonline.com;
envelope-from=katrine@wirhandelnonline.com;
The Permerror reason tells, that the configuration is wrong on the other side.
Leave a Reply