Loading ...
Sorry, an error occurred while loading the content.

Re: SPF implementation not working

Expand Messages
  • Noel Jones
    ... The article you refer to is about sending address verification probes, not SPF. You have not enabled SPF in postfix. Note that some sites consider the
    Message 1 of 4 , Jun 1, 2009
    • 0 Attachment
      Paul Cocker wrote:
      > I'm trying to implement SPF on our Postfix 2.3.3 installation running on
      > CentOS 5.2 and have been using the "Sender address verification for all
      > e-mail" article on the postfix site. We're also using a Barracuda filter
      > and SPF verification hasn't been leading to false positives so we're
      > happy to enable it for everything.

      The article you refer to is about sending address verification
      probes, not SPF. You have not enabled SPF in postfix. Note
      that some sites consider the address probes you have enabled a
      form of abuse - if you send too many of them them, they will
      blacklist you. You might want to turn that feature back off.

      To check SPF records in postfix, you need either a milter or a
      policy service. There exists a library and patch to add SPF
      to postfix, but that software is not recommended - use a
      milter or policy service. Here's the relevant postfix
      documentation:
      http://www.postfix.org/MILTER_README.html
      http://www.postfix.org/SMTPD_POLICY_README.html

      and here are some commonly used software:
      http://sourceforge.net/projects/sid-milter/
      http://www.postfix.org/addon.html#policy
      http://www.openspf.org/Software

      -- Noel Jones

      >
      > I believe that the config below should do the trick:
      >
      >
      > address_verify_map = btree:/var/lib/postfix/verify
      > alias_database = hash:/etc/aliases
      > alias_maps = hash:/etc/aliases
      > command_directory = /usr/sbin
      > config_directory = /etc/postfix
      > daemon_directory = /usr/libexec/postfix
      > debug_peer_level = 2
      > disable_vrfy_command = yes
      > html_directory = no
      > inet_interfaces = all
      > local_recipient_maps =
      > local_transport = error:local mail delivery is disabled
      > mail_owner = postfix
      > mailq_path = /usr/bin/mailq.postfix
      > manpage_directory = /usr/share/man
      > mydestination =
      > mynetworks = 100.100.100.0/24
      > myorigin = domain2.co.uk
      > newaliases_path = /usr/bin/newaliases.postfix
      > parent_domain_matches_subdomains =
      > queue_directory = /var/spool/postfix
      > readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
      > relay_domains = domain1.co.uk, domain2.co.uk, domain3.co.uk
      > relay_recipient_maps = hash:/etc/postfix/relay_recipients
      > sample_directory = /usr/share/doc/postfix-2.3.3/samples
      > sendmail_path = /usr/sbin/sendmail.postfix
      > setgid_group = postdrop
      > smtpd_banner = $myhostname ESTMP
      > smtpd_sender_restrictions = permit_mynetworks check_sender_access
      > hash:/etc/postfix/sender_access reject_unknown_sender_domain
      > reject_unverified_sender
      > unknown_local_recipient_reject_code = 550
      > virtual_alias_maps = hash:/etc/postfix/virtual
      >
      >
      > And here is the SPF chunk from main.cf
      >
      > # Enable SPF
      >
      > smtpd_sender_restrictions =
      > permit_mynetworks
      > check_sender_access hash:/etc/postfix/sender_access
      > reject_unknown_sender_domain
      > reject_unverified_sender
      >
      > # Postfix 2.6 and later.
      > #unverified_sender_reject_reason = Address verification failed
      >
      > # Note 1: Be sure to read the "Caching" section below!
      > # Note 2: Avoid hash files here. Use btree instead.
      > address_verify_map = btree:/var/lib/postfix/verify
      >
      >
      > However SPF does not appear to be functioning. I have verified that the
      > verify.db file is writable and indeed it has grown, and sender_access.db
      > exists as specified.
      >
      > I'm not sure how to proceed. At the least I guess I need to know what a
      > rejection on the grounds above would look like in the logs so I can see
      > if it's isolated cases or a total failure of my configuration.
      >
      > I should note that the SPF failures I'm looking at are against our own
      > domain, checks which work on our Barracuda, thus proving that the SPF
      > record itself is good.
      >
      > Here is an example
      >
      > Jun 1 10:54:38 hostname postfix/smtpd[27747]: 419581F800F7:
      > client=unknown[163.13.128.190]
      > Jun 1 10:54:39 hostname postfix/cleanup[28028]: 419581F800F7:
      > message-id=<221000364829142.CUEPWRFOXJAQFJV@[163.13.128.190]>
      > Jun 1 10:54:39 hostname postfix/qmgr[26216]: 419581F800F7:
      > from=<paul.cocker@...>, size=2545, nrcpt=1 (queue active)
      > Jun 1 10:54:39 hostname postfix/smtp[27372]: 419581F800F7:
      > to=<paul.cocker@...>,
      > relay=hostname2.domain.co.uk[100.100.100.101]:25, delay=1.3,
      > delays=1.3/0/0.01/0.04, dsn=5.0.0, status=bounced (host
      > hostname2.domain.co.uk[100.100.100.101] said: 554 Service unavailable;
      > Client host [hostname.domain2.co.uk] blocked using Barracuda Reputation;
      > http://bbl.barracudacentral.com/q.cgi?ip=163.13.128.190 (in reply to end
      > of DATA command))
      > Jun 1 10:54:39 hostname postfix/bounce[27728]: 419581F800F7: sender
      > non-delivery notification: 47E5F1F800F9
      > Jun 1 10:54:39 hostname postfix/qmgr[26216]: 419581F800F7: removed
      >
      >
      > The mail is passed from the postfix mail server to the Barracuda server
      > without being rejected, despite the forged from field and invalid IP.
      >
      > Paul Cocker
      > _____________________________________________________________________
      >
      > Please consider the environment, think before you print.
      >
      > TNT Post is the trading name for TNT Post UK Ltd (company number: 04417047), TNT Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897), TNT Post North Ltd (05701709), TNT Post South West Ltd (05983401), TNT Post Midlands Limited (6458167)and TNT Post London Limited (6493826). Emma's Diary and Lifecycle are trading names for Lifecycle Marketing (Mother and Baby) Ltd (02556692). All companies are registered in England and Wales; registered address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, SL7 1HY.
    • Paul Cocker
      ... Ah, clearly I have become confused somewhere along the line. Thanks, I ll check the articles you linked. Would I be correct in thinking you are referring
      Message 2 of 4 , Jun 3, 2009
      • 0 Attachment
        > -----Original Message-----
        > From: Noel Jones [mailto:njones@...]
        > Sent: 01 June 2009 14:30
        > To: Paul Cocker; postfix-users@...
        > Subject: [SPAM?] Re: SPF implementation not working
        > Importance: Low
        >
        > Paul Cocker wrote:
        > > I'm trying to implement SPF on our Postfix 2.3.3
        > installation running
        > > on CentOS 5.2 and have been using the "Sender address
        > verification for
        > > all e-mail" article on the postfix site. We're also using a
        > Barracuda
        > > filter and SPF verification hasn't been leading to false
        > positives so
        > > we're happy to enable it for everything.
        >
        > The article you refer to is about sending address
        > verification probes, not SPF. You have not enabled SPF in
        > postfix. Note that some sites consider the address probes
        > you have enabled a form of abuse - if you send too many of
        > them them, they will blacklist you. You might want to turn
        > that feature back off.
        >

        Ah, clearly I have become confused somewhere along the line. Thanks,
        I'll check the articles you linked.

        Would I be correct in thinking you are referring only to
        reject_unverified_sender, or do you mean the entire
        smtpd_sender_restrictions block I posted?
        _____________________________________________________________________

        Please consider the environment, think before you print.

        TNT Post is the trading name for TNT Post UK Ltd (company number: 04417047), TNT Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897), TNT Post North Ltd (05701709), TNT Post South West Ltd (05983401), TNT Post Midlands Limited (6458167)and TNT Post London Limited (6493826). Emma's Diary and Lifecycle are trading names for Lifecycle Marketing (Mother and Baby) Ltd (02556692). All companies are registered in England and Wales; registered address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, SL7 1HY.
      • Noel Jones
        ... I was referring specifically to reject_unverified_sender. -- Noel Jones
        Message 3 of 4 , Jun 3, 2009
        • 0 Attachment
          Paul Cocker wrote:
          >> -----Original Message-----
          >> From: Noel Jones [mailto:njones@...]
          >> postfix. Note that some sites consider the address probes
          >> you have enabled a form of abuse - if you send too many of
          >> them them, they will blacklist you. You might want to turn
          >> that feature back off.
          >>
          >
          > Would I be correct in thinking you are referring only to
          > reject_unverified_sender, or do you mean the entire
          > smtpd_sender_restrictions block I posted?

          I was referring specifically to reject_unverified_sender.

          -- Noel Jones
        Your message has been successfully submitted and would be delivered to recipients shortly.