Sender Policy Framework (SPF)
Sender Policy Framework (SPF) is an extension to the Simple Mail Transfer Protocol (SMTP). SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam. SPF is defined in Experimental RFC 4408.
SPF DNS Server Setup
The first and maybe the most important part is setting up the DNS TXT entry for SPF. Keep it simple.
- If your lone email server is going to be the only server sending your mail, then this will work nicely:
"v=spf1 mx -all"
- Or if your A record is your host record and that host is the only server to send mail:
"v=spf1 a -all"
- If you have to relay your mail through an external server:
"v=spf1 a ptr:mail.external-server.net -all"
Troubleshooting & Testing SPF's DNS records
- http://old.openspf.org/wizard.html - A setup wizard for your DNS server.
- http://old.openspf.org/faq.html#checkers
- http://old.openspf.org/why.html - Is SPF working?
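An offline check to run on a record before publishing it, as an added example that is not part of the original page or of any openspf.org tool: it parses the record, shows the result each term yields, and warns about common mistakes. The name lint_spf and the warning texts are choices made for this example, and nothing is resolved in DNS.

```python
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
DNS_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_.-]*)(?:([:=/])(.*))?$", re.I)

def lint_spf(record):
    """Parse one SPF TXT string; return (terms, warnings).

    terms is a list of (result, name, argument) tuples in evaluation order.
    Only the record text is examined (includes are not followed).
    """
    parts = record.strip().strip('"').split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    terms, warnings, lookups, seen_all = [], [], 0, False
    for part in parts[1:]:
        m = TERM_RE.match(part)
        if not m:
            raise ValueError("malformed term: %r" % part)
        qual, name, sep, arg = m.group(1) or "+", m.group(2).lower(), m.group(3), m.group(4)
        if sep == "=":                      # modifier, e.g. redirect= or exp=
            terms.append(("modifier", name, arg))
            lookups += name == "redirect"
            continue
        if name not in MECHANISMS:
            raise ValueError("unknown mechanism: %r" % name)
        if seen_all:
            warnings.append("'%s' comes after 'all' and is never evaluated" % part)
        if sep == "/":                      # a/24 or mx/24: keep the CIDR suffix
            arg = "/" + arg
        terms.append((QUALIFIERS[qual], name, arg))
        lookups += name in DNS_MECHS
        if name == "all":
            seen_all = True
            if qual == "+":
                warnings.append("'+all' authorises every host on the Internet")
        if name == "ptr":
            warnings.append("'ptr' is discouraged by the SPF RFCs: slow and unreliable")
    if lookups > 10:
        warnings.append("%d DNS-querying terms; the SPF limit is 10" % lookups)
    if not seen_all and not any(t[:2] == ("modifier", "redirect") for t in terms):
        warnings.append("no 'all' or redirect=: unmatched senders get 'neutral'")
    return terms, warnings

# The three records shown in the DNS setup section of this page
PAGE_RECORDS = ['"v=spf1 mx -all"', '"v=spf1 a -all"',
                '"v=spf1 a ptr:mail.external-server.net -all"']
if __name__ == "__main__":
    for rec in PAGE_RECORDS:
        print(rec, *lint_spf(rec), sep="\n  ")
```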
Python-Postfix-Policyd-SPF
SPF Postfix Server Setup (from RPMS)
Using the MDR Yum repo, install pypolicyd-spf by running:
yum install pypolicyd-spf
Once you have installed pypolicyd-spf, you need to set it up. In /etc/postfix/main.cf, add the following as close to the bottom of your smtpd_recipient_restrictions as you can, but above any DNSBL.
- /etc/postfix/main.cf
smtpd_recipient_restrictions =
    ...
    check_policy_service unix:private/spfcheck
# The time limit parameter is named after the master.cf service (spfcheck)
spfcheck_time_limit = 3600
And add the following to your /etc/postfix/master.cf file, somewhere near the bottom.
- /etc/postfix/master.cf
spfcheck unix - n n - - spawn user=nobody argv=/usr/bin/policyd-spf
Next, let's reload Postfix:
postfix reload
SPF Postfix Server Setup (from Source)
Today we're going to use python-postfix-policyd-spf 0.7.3 (released 2010-02-17) from launchpad.net, or from my mirror (0.7.2).
wget http://launchpad.net/pypolicyd-spf/0.7/0.7.3/+download/pypolicyd-spf-0.7.3.tar.gz
tar -xzf pypolicyd-spf-0.7.3.tar.gz
cd pypolicyd-spf-0.7.3
./setup.py build
cd build/scripts-2.5/
cp policyd-spf /usr/local/bin/policyd-spf
cd ../lib
cp policydspfsupp.py /usr/lib/python2.5/policydspfsupp.py
cd ../../
mkdir /etc/python-policyd-spf/
cp policyd-spf.conf /etc/python-policyd-spf/policyd-spf.conf
cp policyd-spf.1 /usr/share/man/man1/policyd-spf.1
cp policyd-spf.conf.5 /usr/share/man/man5/policyd-spf.conf.5
Next we need to update the main.cf file
- /etc/postfix/main.cf
As close to the bottom of your smtpd_recipient_restrictions as you can but above any DNSBL add the following.
smtpd_recipient_restrictions =
    ...
    check_policy_service unix:private/policy
policy_time_limit = 3600
Now we need to set up the master.cf file
- /etc/postfix/master.cf
Add the following to your master.cf file, somewhere near the bottom.
policy unix - n n - - spawn user=nobody argv=/usr/local/bin/policyd-spf
Next, let's reload Postfix:
postfix reload
Troubleshooting python-postfix-policyd-spf
The only two modules it needs are pydns and pyspf. Both are on SourceForge and have RPMs:
(pyspf is a separate download in the pymilter project)
SPF Postfix Server Setup using postfix-policyd-spf-perl
The first thing we need to do is install perl-Mail-SPF.noarch using yum:
yum install perl-Mail-SPF.noarch
Next you will need to download the SPF perl script from http://www.openspf.org/Software
wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.005.tar.gz
tar -xzf postfix-policyd-spf-perl-2.005.tar.gz
cd postfix-policyd-spf-perl-2.005
cp postfix-policyd-spf-perl /usr/local/bin/
Next we need to update the main.cf file /etc/postfix/main.cf
As close to the bottom of your smtpd_recipient_restrictions as you can but above any DNSBL add the following.
smtpd_recipient_restrictions =
    ...
    check_policy_service unix:private/policy
Now we need to set up the master.cf file /etc/postfix/master.cf
Add the following to your master.cf file, somewhere near the bottom.
policy unix - n n - - spawn user=nobody argv=/usr/bin/perl /usr/local/bin/postfix-policyd-spf-perl
Next, let's reload Postfix:
postfix reload