Debian 8/9: Postfix SPF

Discussion in 'Tips/Tricks/Mods' started by, Oct 5, 2017.

  1. ISPConfig Developer

    slightly updated version of
    debian 9, works as well on 8

    for debian.
    Note that you can handle SPF with SpamAssassin and instead of blocking the mail it can add or reduce the score.
    However some domain owners don't want to be combined with all sorts of magic pills - so respect it if they want the mail not to reach the target.

    apt-get install postfix-policyd-spf-python
    postconf -M policyd-spf/spawn="policyd-spf  unix  -       n       n       -       0       spawn user=nobody argv=/usr/bin/policyd-spf"
    postconf -e "policyd-spf_time_limit = 3600"
    Modify /etc/postfix/
    smtpd_recipient_restrictions =
        check_policy_service unix:private/policyd-spf,
    Make sure you put the check_policy_service unix entry after the reject_unauth_destination line, so you don't become an open relay to the world.
    You can use this script for that:
    # bash syntax ([[ ]]); the closing fi was missing from the original snippet
    smtpd_recipient_restrictions=`postconf -p smtpd_recipient_restrictions`
    if [[ $smtpd_recipient_restrictions != *"check_policy_service unix:private/policyd-spf,"* ]]; then
        sed -i 's/reject_unauth_destination,/reject_unauth_destination,check_policy_service unix:private\/policyd-spf,/' /etc/postfix/
    fi
    Modify /etc/postfix-policyd-spf-python/policyd-spf.conf
    Change debuglevel as you like, replace <FQDN> with the server's hostname or check the manual for all the options. If you want to accept mail and let SpamAssassin mark it as spam, set HELO_reject = false
    A good guide on this is on
    should work now, if you rekick your postfix that is

    gently inform your daemon to reload
    service postfix reload
    and watch for issues
    tail -f /var/log/
    Last edited: Jul 18, 2018
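    The ordering rule above (policy service only after reject_unauth_destination) is easy to get wrong with a blind sed. The script below is an added example, not code from the post or from ISPConfig: it checks the order on a plain restriction string, inserts the policy entry only where it is safe, and refuses to touch a misordered list. The apply_to_postfix helper and the SPF_APPLY environment variable are my own naming; postconf -h and postconf -e are standard Postfix options.

```shell
#!/bin/sh
# Added example (not from the original post): check and repair the order of
# Postfix smtpd_recipient_restrictions so the SPF policy service is only
# consulted after reject_unauth_destination has refused relaying.
# Works on plain strings, so it can be exercised without a Postfix install.

POLICY='check_policy_service unix:private/policyd-spf'

# spf_after_unauth_reject VALUE
# Return 0 only if VALUE lists $POLICY *after* reject_unauth_destination.
spf_after_unauth_reject() {
    restrictions=$1
    # Prefix before each token; if a token is absent the whole string remains.
    before_reject=${restrictions%%reject_unauth_destination*}
    before_policy=${restrictions%%"$POLICY"*}
    [ "$before_reject" != "$restrictions" ] || return 1   # no reject_unauth_destination at all
    [ "$before_policy" != "$restrictions" ] || return 1   # policy service not listed
    [ ${#before_reject} -lt ${#before_policy} ]           # shorter prefix = earlier position
}

# add_spf_policy VALUE
# Print VALUE with $POLICY inserted directly after reject_unauth_destination.
# Return 1 if there is no reject_unauth_destination to anchor on, 2 if the
# policy is already present but in the wrong place (fix that by hand rather
# than risk a second copy or an open relay).
add_spf_policy() {
    restrictions=$1
    if spf_after_unauth_reject "$restrictions"; then
        printf '%s\n' "$restrictions"
        return 0
    fi
    case $restrictions in
        *"$POLICY"*)
            return 2 ;;
        *reject_unauth_destination,*)
            printf '%s\n' "$restrictions" |
                sed "s#reject_unauth_destination,#reject_unauth_destination, ${POLICY},#" ;;
        *reject_unauth_destination*)
            # last entry, no trailing comma: append
            printf '%s, %s\n' "$restrictions" "$POLICY" ;;
        *)
            return 1 ;;
    esac
}

# apply_to_postfix
# Read the live value with postconf -h, show the proposed value, and only
# write it back (and reload) when SPF_APPLY=1 is set in the environment.
apply_to_postfix() {
    current=$(postconf -h smtpd_recipient_restrictions) || return 1
    proposed=$(add_spf_policy "$current") || {
        echo "refusing to edit: check reject_unauth_destination placement manually" >&2
        return 1
    }
    echo "proposed: smtpd_recipient_restrictions = $proposed"
    [ "${SPF_APPLY-}" = 1 ] || return 0
    postconf -e "smtpd_recipient_restrictions = $proposed" && postfix reload
}
```

    Source the file and run apply_to_postfix once to see the proposed value; run it again with SPF_APPLY=1 to write it. A list that already carries the policy entry ahead of reject_unauth_destination is reported rather than rewritten, because that is exactly the open-relay ordering the post warns about.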
  2. ISPConfig Developer


    Results are always temperror [ Debian at least, since ~2006 ]
    - if you're using a local caching nameserver your /etc/resolv.conf has 1 entry only, however an old patch to the DNS-package of python made it mandatory to have 2 nameserver-entries in the resolv.conf or else no python application using DNS/ will work!
    Either add 2nd nameserver entry in resolv.conf or ... hack it:
    and comment out the following lines [ :
    63 #        if len(fields) < 2:
    64 #            continue
    Attention, this will fail to get a valid nameserver if the first line in resolv.conf is "search domain" something

    Edit: doh, you obviously could add
    nameserver twice in your resolv.conf, not nice but nicer than hacking the
    Last edited: Oct 5, 2017
  3. Tuumke (Active Member)

    Isn't SPF done by ISPConfig / DNS? If not, I would think this is standard with the perfect server guide?
  4. ISPConfig Developer

    one part of SPF is to set your records for your domain in the DomainNameSystem, yes
    but the other part is checking the records for other domains when receiving mail.

    That either needs to be configured/weighted in SpamAssassin - which comes after the mail has been accepted and pulled through amavis/clamav - or you can block the mail right at the beginning using this like an RBL.

    I chose this over SpamAssassin not because of my resources but to respect the domain owner's wish not to accept forged mails with his name.
  5. ISPConfig Developer

    *edit* updated instructions
