
SPF implementation not working

  • Paul Cocker
    Message 1 of 4 , Jun 1, 2009
      I'm trying to implement SPF on our Postfix 2.3.3 installation running on
      CentOS 5.2 and have been using the "Sender address verification for all
      e-mail" article on the postfix site. We're also using a Barracuda filter
      and SPF verification hasn't been leading to false positives so we're
      happy to enable it for everything.

      I believe that the config below should do the trick:


      address_verify_map = btree:/var/lib/postfix/verify
      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/libexec/postfix
      debug_peer_level = 2
      disable_vrfy_command = yes
      html_directory = no
      inet_interfaces = all
      local_recipient_maps =
      local_transport = error:local mail delivery is disabled
      mail_owner = postfix
      mailq_path = /usr/bin/mailq.postfix
      manpage_directory = /usr/share/man
      mydestination =
      mynetworks = 100.100.100.0/24
      myorigin = domain2.co.uk
      newaliases_path = /usr/bin/newaliases.postfix
      parent_domain_matches_subdomains =
      queue_directory = /var/spool/postfix
      readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
      relay_domains = domain1.co.uk, domain2.co.uk, domain3.co.uk
      relay_recipient_maps = hash:/etc/postfix/relay_recipients
      sample_directory = /usr/share/doc/postfix-2.3.3/samples
      sendmail_path = /usr/sbin/sendmail.postfix
      setgid_group = postdrop
      smtpd_banner = $myhostname ESTMP
      smtpd_sender_restrictions = permit_mynetworks check_sender_access
          hash:/etc/postfix/sender_access reject_unknown_sender_domain
          reject_unverified_sender
      unknown_local_recipient_reject_code = 550
      virtual_alias_maps = hash:/etc/postfix/virtual


      And here is the SPF chunk from main.cf

      # Enable SPF

      smtpd_sender_restrictions =
          permit_mynetworks
          check_sender_access hash:/etc/postfix/sender_access
          reject_unknown_sender_domain
          reject_unverified_sender

      # Postfix 2.6 and later.
      #unverified_sender_reject_reason = Address verification failed

      # Note 1: Be sure to read the "Caching" section below!
      # Note 2: Avoid hash files here. Use btree instead.
      address_verify_map = btree:/var/lib/postfix/verify


      However SPF does not appear to be functioning. I have verified that the
      verify.db file is writable and indeed it has grown, and sender_access.db
      exists as specified.

      I'm not sure how to proceed. At the least I guess I need to know what a
      rejection on the grounds above would look like in the logs so I can see
      if it's isolated cases or a total failure of my configuration.

      I should note that the SPF failures I'm looking at are against our own
      domain, checks which work on our Barracuda, thus proving that the SPF
      record itself is good.

      Here is an example

      Jun 1 10:54:38 hostname postfix/smtpd[27747]: 419581F800F7:
      client=unknown[163.13.128.190]
      Jun 1 10:54:39 hostname postfix/cleanup[28028]: 419581F800F7:
      message-id=<221000364829142.CUEPWRFOXJAQFJV@[163.13.128.190]>
      Jun 1 10:54:39 hostname postfix/qmgr[26216]: 419581F800F7:
      from=<paul.cocker@...>, size=2545, nrcpt=1 (queue active)
      Jun 1 10:54:39 hostname postfix/smtp[27372]: 419581F800F7:
      to=<paul.cocker@...>,
      relay=hostname2.domain.co.uk[100.100.100.101]:25, delay=1.3,
      delays=1.3/0/0.01/0.04, dsn=5.0.0, status=bounced (host
      hostname2.domain.co.uk[100.100.100.101] said: 554 Service unavailable;
      Client host [hostname.domain2.co.uk] blocked using Barracuda Reputation;
      http://bbl.barracudacentral.com/q.cgi?ip=163.13.128.190 (in reply to end
      of DATA command))
      Jun 1 10:54:39 hostname postfix/bounce[27728]: 419581F800F7: sender
      non-delivery notification: 47E5F1F800F9
      Jun 1 10:54:39 hostname postfix/qmgr[26216]: 419581F800F7: removed


      The mail is passed from the postfix mail server to the Barracuda server
      without being rejected, despite the forged from field and invalid IP.

      Paul Cocker
      _____________________________________________________________________

      Please consider the environment, think before you print.

      TNT Post is the trading name for TNT Post UK Ltd (company number: 04417047), TNT Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897), TNT Post North Ltd (05701709), TNT Post South West Ltd (05983401), TNT Post Midlands Limited (6458167)and TNT Post London Limited (6493826). Emma's Diary and Lifecycle are trading names for Lifecycle Marketing (Mother and Baby) Ltd (02556692). All companies are registered in England and Wales; registered address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, SL7 1HY.
    • Noel Jones
      Message 2 of 4 , Jun 1, 2009
        Paul Cocker wrote:
        > I'm trying to implement SPF on our Postfix 2.3.3 installation running on
        > CentOS 5.2 and have been using the "Sender address verification for all
        > e-mail" article on the postfix site. We're also using a Barracuda filter
        > and SPF verification hasn't been leading to false positives so we're
        > happy to enable it for everything.

        The article you refer to is about sending address verification
        probes, not SPF. You have not enabled SPF in postfix. Note
        that some sites consider the address probes you have enabled a
        form of abuse - if you send too many of them, they will
        blacklist you. You might want to turn that feature back off.

        To check SPF records in postfix, you need either a milter or a
        policy service. There exists a library and patch to add SPF
        to postfix, but that software is not recommended - use a
        milter or policy service. Here's the relevant postfix
        documentation:
        http://www.postfix.org/MILTER_README.html
        http://www.postfix.org/SMTPD_POLICY_README.html

        and here is some commonly used software:
        http://sourceforge.net/projects/sid-milter/
        http://www.postfix.org/addon.html#policy
        http://www.openspf.org/Software

        -- Noel Jones

      • Paul Cocker
        Message 3 of 4 , Jun 3, 2009
          > -----Original Message-----
          > From: Noel Jones [mailto:njones@...]
          > Sent: 01 June 2009 14:30
          > To: Paul Cocker; postfix-users@...
          > Subject: [SPAM?] Re: SPF implementation not working
          > Importance: Low
          >
          > Paul Cocker wrote:
          > > I'm trying to implement SPF on our Postfix 2.3.3 installation running
          > > on CentOS 5.2 and have been using the "Sender address verification for
          > > all e-mail" article on the postfix site. We're also using a Barracuda
          > > filter and SPF verification hasn't been leading to false positives so
          > > we're happy to enable it for everything.
          >
          > The article you refer to is about sending address
          > verification probes, not SPF. You have not enabled SPF in
          > postfix. Note that some sites consider the address probes
          > you have enabled a form of abuse - if you send too many of
          > them, they will blacklist you. You might want to turn
          > that feature back off.
          >

          Ah, clearly I have become confused somewhere along the line. Thanks,
          I'll check the articles you linked.

          Would I be correct in thinking you are referring only to
          reject_unverified_sender, or do you mean the entire
          smtpd_sender_restrictions block I posted?
        • Noel Jones
          Message 4 of 4 , Jun 3, 2009
            Paul Cocker wrote:
            >> -----Original Message-----
            >> From: Noel Jones [mailto:njones@...]
            >> postfix. Note that some sites consider the address probes
            >> you have enabled a form of abuse - if you send too many of
            >> them, they will blacklist you. You might want to turn
            >> that feature back off.
            >>
            >
            > Would I be correct in thinking you are referring only to
            > reject_unverified_sender, or do you mean the entire
            > smtpd_sender_restrictions block I posted?

            I was referring specifically to reject_unverified_sender.

            -- Noel Jones
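
Added example (not part of the thread, and not code from Postfix or any of the linked projects): a sketch of the policy-service route Noel Jones points to earlier in the thread, showing the name=value request Postfix sends under SMTPD policy delegation and an SPF decision made on it. The SPF record, the sender domain (elided in the posted log) and all function names are constructed assumptions, and only the ip4, ip6 and all mechanisms are evaluated.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: real services query DNS).
SPF_RECORDS = {"domain2.co.uk": "v=spf1 ip4:100.100.100.0/24 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed request: client IP taken from the posted log, sender domain assumed.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "helo_name=forged.example\nclient_address=163.13.128.190\n"
    "sender=someone@domain2.co.uk\nrecipient=someone@domain2.co.uk\n\n"
)

def parse_policy_request(raw):
    """Read name=value attributes up to the blank line that ends a request."""
    head = raw.split("\n\n", 1)[0]
    return dict(line.partition("=")[::2] for line in head.splitlines() if line)

def spf_result(client_ip, domain):
    """Evaluate ip4/ip6/all only; any other term is reported as permerror."""
    terms = SPF_RECORDS.get(domain.lower(), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech.lower() == "all":
            return QUALIFIERS[qualifier]
        if mech.lower() not in ("ip4", "ip6"):
            return "permerror"  # a/mx/include/redirect are not implemented here
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"

def policy_action(raw):
    """Build the reply (action line plus blank line); a null sender uses HELO."""
    attrs = parse_policy_request(raw)
    sender = attrs.get("sender", "")
    domain = sender.rpartition("@")[2] if sender else attrs.get("helo_name", "")
    try:
        result = spf_result(attrs.get("client_address", ""), domain)
    except ValueError:  # unparsable address or network: do not block mail
        return "action=DUNNO\n\n"
    if result == "fail":
        return "action=REJECT SPF fail: %s not authorized for %s\n\n" % (
            attrs["client_address"], domain)
    return "action=DUNNO\n\n"
```

A production setup would use one of the maintained policy services or milters linked in the reply, which perform the DNS lookups and implement the full SPF mechanism set.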