Sender Policy Framework (SPF)

From MattWiki

Sender Policy Framework (SPF) is an extension to the Simple Mail Transfer Protocol (SMTP). SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam. SPF is defined in Experimental RFC 4408.

SPF DNS Server Setup

The first and maybe the most important part is setting up the DNS TXT entry for SPF. Keep it simple.

  • If your lone email server is going to be the only server sending your mail, then this will work nicely:
"v=spf1 mx -all"
  • Or, if your A record is your host record and that host is the only server sending mail:
"v=spf1 a -all"
  • If you have to relay your mail through an external server:
"v=spf1 a ptr:mail.external-server.net -all"
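
To check records like these before publishing them, here is an added example (not part of the original page or of any SPF package): a small offline linter in Python. Its checks follow RFC 7208, the later SPF specification: the limit of 10 DNS-querying terms, the advice against publishing ptr, and the qualifier on all. The function names are hypothetical and the "+all" sample record is constructed.

```python
import re

# Terms that trigger DNS queries; RFC 7208 section 4.6.4 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9._-]*)(?:([:=/])(.*))?$", re.I)

def parse_spf(record):
    """Return [(qualifier, name, argument)] for an SPF TXT string."""
    parts = record.strip().strip('"').split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for raw in parts[1:]:
        m = TERM_RE.match(raw)
        if not m:
            raise ValueError("unparseable term: %r" % raw)
        qual, name, _sep, arg = m.groups()
        terms.append((qual or "+", name.lower(), arg or ""))
    return terms

def lint_spf(record):
    """Return a list of warning strings; an empty list means no findings."""
    terms = parse_spf(record)
    names = [name for _q, name, _a in terms]
    warnings = []
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        warnings.append("%d DNS-querying terms exceed the limit of 10 (permerror)" % lookups)
    if "ptr" in names:
        warnings.append("ptr is slow and RFC 7208 says it should not be published; "
                        "prefer ip4:, ip6:, a: or include: for the relay")
    if "all" not in names:
        if "redirect" not in names:
            warnings.append("no 'all' term: unmatched senders get neutral, not fail")
    else:
        qual = terms[names.index("all")][0]
        if qual != "-":
            warnings.append("'%sall' does not hard-fail unlisted senders" % qual)
    return warnings

if __name__ == "__main__":
    # The three records from this page, plus one constructed weak record.
    for rec in ('"v=spf1 mx -all"', '"v=spf1 a -all"',
                '"v=spf1 a ptr:mail.external-server.net -all"', "v=spf1 mx +all"):
        print(rec, "->", lint_spf(rec) or "ok")
```
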

Troubleshooting & Testing SPF's DNS records

Python-Postfix-Policyd-SPF

SPF Postfix Server Setup (from RPMS)

Using the MDR Yum repo, install pypolicyd-spf by running:

yum install pypolicyd-spf

Once you have installed pypolicyd-spf, you need to set it up. In /etc/postfix/main.cf, add the following as close to the bottom of your smtpd_recipient_restrictions as you can, but above any DNSBL checks.

  • /etc/postfix/main.cf
smtpd_recipient_restrictions =
  check_policy_service unix:private/spfcheck
# The time limit parameter takes its prefix from the master.cf service name (spfcheck)
spfcheck_time_limit = 3600

And add the following to your /etc/postfix/master.cf file, somewhere near the bottom.

  • /etc/postfix/master.cf
spfcheck     unix  -       n       n       -       -       spawn
       user=nobody argv=/usr/bin/policyd-spf

Next, let's reload Postfix:

postfix reload

SPF Postfix Server Setup (from Source)

Today we're going to use python-postfix-policyd-spf 0.7.3 (released 2010-02-17) from launchpad.net, or from my mirror (0.7.2).

wget http://launchpad.net/pypolicyd-spf/0.7/0.7.3/+download/pypolicyd-spf-0.7.3.tar.gz
tar -xzf pypolicyd-spf-0.7.3.tar.gz
cd pypolicyd-spf-0.7.3
./setup.py build
cd build/scripts-2.5/
cp policyd-spf /usr/local/bin/policyd-spf
cd ../lib
cp policydspfsupp.py /usr/lib/python2.5/policydspfsupp.py
cd ../../
mkdir /etc/python-policyd-spf/
cp policyd-spf.conf /etc/python-policyd-spf/policyd-spf.conf
cp policyd-spf.1 /usr/share/man/man1/policyd-spf.1
cp policyd-spf.conf.5 /usr/share/man/man5/policyd-spf.conf.5

Next, we need to update the main.cf file:

  • /etc/postfix/main.cf

Add the following as close to the bottom of your smtpd_recipient_restrictions as you can, but above any DNSBL checks.

smtpd_recipient_restrictions =
  check_policy_service unix:private/policy
policy_time_limit = 3600

Now we need to set up the master.cf file:

  • /etc/postfix/master.cf

Add the following to your master.cf file, somewhere near the bottom.

policy     unix  -       n       n       -       -       spawn
       user=nobody argv=/usr/local/bin/policyd-spf

Next, let's reload Postfix:

postfix reload

Troubleshooting python-postfix-policyd-spf

The only two modules it needs are pydns and pyspf. Both are on SourceForge and have RPMs:

(pyspf is a separate download in the pymilter project)

SPF Postfix Server Setup using postfix-policyd-spf-perl

The first thing we need to do is install perl-Mail-SPF.noarch using yum:

yum install perl-Mail-SPF.noarch

Next, you will need to download the SPF Perl script from http://www.openspf.org/Software

wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.005.tar.gz
tar -xzf postfix-policyd-spf-perl-2.005.tar.gz
cd postfix-policyd-spf-perl-2.005
cp postfix-policyd-spf-perl /usr/local/bin/

Next, we need to update the main.cf file, /etc/postfix/main.cf.

Add the following as close to the bottom of your smtpd_recipient_restrictions as you can, but above any DNSBL checks.

smtpd_recipient_restrictions =
  check_policy_service unix:private/policy

Now we need to set up the master.cf file, /etc/postfix/master.cf.

Add the following to your master.cf file, somewhere near the bottom.

policy     unix  -       n       n       -       -       spawn
       user=nobody argv=/usr/bin/perl /usr/local/bin/postfix-policyd-spf-perl

Next, let's reload Postfix:

postfix reload