Slightly updated version of https://www.howtoforge.com/postfix_spf for Debian 9; works as well on Debian 8. Note that you can handle SPF with SpamAssassin, and instead of blocking the mail it can add to or reduce the score. However, some domain owners don't want to be combined with all sorts of magic pills, so respect it if they want the mail not to reach the target.

Code:
apt-get install postfix-policyd-spf-python
postconf -M policyd-spf/unix="policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/bin/policyd-spf"
postconf -e "policyd-spf_time_limit = 3600"

Modify /etc/postfix/main.cf:

Code:
smtpd_recipient_restrictions =
    ...
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf,
    ...

Make sure you put the check_policy_service unix line after the reject_unauth_destination line, so you don't become an open relay to the world. You can use this script for that:

Code:
#!/bin/bash
# Idempotent: only insert the policy check if it is not already configured.
# [[ ... ]] is a bash feature, so the shebang has to be bash, not sh (dash on Debian).
smtpd_recipient_restrictions=$(postconf -p smtpd_recipient_restrictions)
if [[ $smtpd_recipient_restrictions != *"check_policy_service unix:private/policyd-spf"* ]]; then
    sed -i 's/reject_unauth_destination,/reject_unauth_destination, check_policy_service unix:private\/policyd-spf,/' /etc/postfix/main.cf
fi

Modify /etc/postfix-policyd-spf-python/policyd-spf.conf: change debugLevel as you like, replace <FQDN> with the server's hostname, or check the manual for all the options. If you want to accept mail and let SpamAssassin mark it as spam, set HELO_reject = False.

A good guide on this is https://www.flomain.de/2015/08/how-to-postfix-with-spf/

It should work now if you rekick your Postfix, that is, gently inform your daemon to reload:

Code:
service postfix reload

and watch for issues:

Code:
tail -f /var/log/mail.info
Troubleshooting: results are always temperror (Debian at least, since ~2006). If you're using a local caching nameserver, your /etc/resolv.conf has only one entry; however, an old patch to the Python DNS package made it mandatory to have two nameserver entries in resolv.conf, or else no Python application using DNS/Base.py will work! Either add a second nameserver entry in resolv.conf or ... hack it: edit /usr/lib/python3/dist-packages/DNS/Base.py and comment out the following lines:

Code:
63 # if len(fields) < 2:
64 # continue

Attention, this will fail to get a valid nameserver if the first line in resolv.conf is a "search domain" something.

Edit: doh, you obviously could add nameserver 127.0.0.1 twice in your resolv.conf; not nice, but nicer than hacking Base.py.
Isn't SPF done by ISPConfig / DNS? If not, I would think this is standard with the perfect server guide?
One part of SPF is to set the records for your domain in the Domain Name System, yes, but the other part is checking the records of other domains when receiving mail. That either needs to be configured/weighted in SpamAssassin, which comes after the mail has been accepted and pulled through amavis/clamav, or you can block the mail right at the beginning, using this like an RBL. I chose this over SpamAssassin not because of my resources but to respect the domain owner's wish not to accept forged mails with his name.
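To make concrete what the policy service from the first post does at RCPT time (the "other part" of SPF described in the reply above), here is an added example written for this thread; it is not the code of postfix-policyd-spf-python. It is a small SPF evaluator for the mechanisms nearly all published records use (all, ip4, ip6, a, mx, include), answered from a constructed in-memory DNS table so it runs offline, wired to the request/response format that Postfix's check_policy_service speaks. The domain names and addresses (example.org, _spf.mailhost.example, relay.example, 192.0.2.x, 198.51.100.0/24, 2001:db8::/32, 203.0.113.5) are hypothetical documentation values; the reject on a hard fail mirrors the thread's choice to refuse forged mail at SMTP time rather than score it later in SpamAssassin.

```python
"""Toy SPF evaluator behind the Postfix policy protocol (added example,
not policyd-spf itself).  DNS answers come from a constructed in-memory
table so the whole thing runs offline."""
import ipaddress

# Constructed, hypothetical zone data (documentation addresses, fake names).
FAKE_DNS = {
    ("example.org", "TXT"): ["v=spf1 mx include:_spf.mailhost.example -all"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.10"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    ("relay.example", "TXT"): ["v=spf1 a -all"],
    ("relay.example", "A"): ["192.0.2.20"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Stand-in for a DNS query, answered from FAKE_DNS."""
    return FAKE_DNS.get((name.lower().rstrip("."), rrtype), [])


def _host_matches(client, host, prefix):
    """True if any A record of host, widened to /prefix (default /32), contains client."""
    bits = int(prefix) if prefix else 32
    return any(client in ipaddress.ip_network(f"{a}/{bits}", strict=False)
               for a in lookup(host, "A"))


def check_spf(ip, domain, depth=0):
    """Evaluate domain's SPF record for the connecting client ip.

    Returns pass, fail, softfail, neutral, none or permerror.  An unknown
    mechanism, a missing include target or multiple records is a permerror.
    """
    if depth > 10:                      # RFC 7208 limits DNS-causing terms to 10
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    client = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                 # a bare mechanism means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, sep, arg = term.partition(":")
        if sep:                         # "a:host/24", "include:dom", "ip4:net"
            target, _, prefix = arg.partition("/")
        else:                           # "mx/24", "a", "all": host is the domain itself
            mech, _, prefix = mech.partition("/")
            target = domain
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):    # an IPv4 network never contains an IPv6 client
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = _host_matches(client, target, prefix)
        elif mech == "mx":
            matched = any(_host_matches(client, mx, prefix) for mx in lookup(target, "MX"))
        elif mech == "include":
            sub = check_spf(ip, target, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"     # include matches only on pass
        else:
            return "permerror"          # exists, ptr, redirect= etc. not implemented here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # nothing matched and no "all" term


def policy_action(request):
    """Answer one Postfix policy-delegation request (name=value lines, blank line
    terminator) with the "action=...\\n\\n" reply check_policy_service expects.
    Hard fail is rejected at SMTP time; everything else is accepted and tagged."""
    attrs = dict(line.split("=", 1) for line in request.splitlines() if "=" in line)
    ip = attrs.get("client_address", "")
    sender = attrs.get("sender", "")
    # Bounces carry an empty envelope sender; SPF then checks the HELO name.
    domain = sender.rsplit("@", 1)[1] if "@" in sender else attrs.get("helo_name", "")
    if not ip or not domain:
        return "action=DUNNO\n\n"
    result = check_spf(ip, domain)
    if result == "fail":
        return f"action=550 5.7.23 SPF fail: {ip} is not authorized to send for {domain}\n\n"
    return f"action=PREPEND Received-SPF: {result.capitalize()} (client {ip}, domain {domain})\n\n"


# Constructed request: a forged example.org sender from a host the record does not list.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=203.0.113.5\nhelo_name=mx.attacker.example\n"
    "sender=ceo@example.org\nrecipient=user@example.net\n\n"
)

if __name__ == "__main__":
    print(policy_action(SAMPLE_REQUEST), end="")
```

Run as a script it prints the 550 reject for the forged sample request. With the spawn line from the first post, Postfix hands exactly this kind of request to the policy daemon on stdin and reads the action back on stdout, which is why the check can refuse the message before any content filter sees it. Swapping the table lookup for real DNS queries is the part that the Debian package does for you, and also the part that the temperror troubleshooting above is about.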