Hello, I would like to be able to drop any emails that come in from domains whose SPF settings say -all. Do I do this in ISPConfig, Postfix or Amavis? So if an email comes in and that domain has an SPF record that says to drop the email if it is not from these servers, and the email is not from those servers, I want to delete the email. We get a lot of forged emails, and it's time to start dropping them. Suggestions? Thanks
You can do that with policyd: https://www.howtoforge.com/hardening-postfix-for-ispconfig-3 but I won't do that on my system as you will lose legitimate emails (emails that were forwarded but the forwarding server did not use SRS). A large German provider tried what you want to do recently and they failed and had to change their setup due to the mass complaints of their users that lost emails.
Lol, so what's the point of using it then? Is it possible to specify which domains to drop emails for then? Like, a few of our clients get lots of spam via forged headers, i.e. the from and to domain is the same but not from the proper servers.
SPF is broken by design; search for it and you will find many articles that deal with the various problems around SPF. Here is a good article from a German Postfix professional, maybe it's understandable by using Google Translate: https://www.heinlein-support.de/blog/news/gmx-de-und-web-de-haben-mail-rejects-durch-spf/ SpamAssassin takes SPF into account for score calculation and that is the way I use it. This might be possible, but I'm not using this setup so I can't tell you if policyd has this setting on a per-domain basis.
What you can do is adjust the SpamAssassin scores for SPF errors; you can find the rule names in the German article as well.
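As an added example (not from anyone in this thread), this is what adjusting those scores looks like in SpamAssassin's local configuration. The rule names SPF_FAIL, SPF_SOFTFAIL, SPF_HELO_FAIL, SPF_HELO_SOFTFAIL and SPF_PASS are SpamAssassin's own built-in tests; the file path assumes a Debian/Ubuntu layout, and the score values are assumptions you should tune against your own mail flow:

```conf
# /etc/spamassassin/local.cf  (path assumed; use your distro's site config dir)
# Added example: weight SpamAssassin's built-in SPF rules so that a hard fail
# pushes a message well towards the spam threshold without making Postfix
# reject it outright at SMTP time.

# Sender domain publishes -all and the connecting host is not authorised.
score SPF_FAIL 4.0

# Sender domain publishes ~all (softfail): suspicious, but weaker evidence.
score SPF_SOFTFAIL 2.0

# The same checks applied to the HELO/EHLO hostname.
score SPF_HELO_FAIL 2.0
score SPF_HELO_SOFTFAIL 1.0

# A small bonus for a pass so mail from properly set-up senders is not penalised.
score SPF_PASS -0.5
```

Check the file with `spamassassin --lint` before restarting amavisd so a typo does not take scanning down. Keeping SPF_FAIL below the spam threshold (required_score, 5.0 by default) is deliberate: a forwarded message whose forwarder does not rewrite the envelope sender with SRS will also hit SPF_FAIL, so it should only be classified as spam when other rules agree, which is exactly the trade-off described in the reply about the German provider.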
I get this error in the mail.log file now... warning: connect to private/policy-spf: No such file or directory
Ok, I see the article now. I didn't know there was an SPF_FAIL in SA, great, I will use that. Thanks Till
SPF is indeed broken by design, but it's up to the postmaster to define the action that the receiving mail server should trigger. If someone requests hard fails in the SPF record, your server can reject the mails. If someone sends me a mail that does not pass his SPF record, I reject the mail. It's none of my business when the sender is not able to set up his SPF record. And that was the problem with a large provider in June - they ASKED to reject their mails. BTW: they reverted this within a few days.