Feature #2343
Add SPF option to Postfix
| Status: | CLOSED | Start date: | ||
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 100% | |
| Category: | nethserver-mail-filter | |||
| Target version: | v6.5-beta3 | |||
| Resolution: | NEEDINFO: | No |
Description
Postfix could refuse mail from unauthorized sources using SPF record.
Now we use SPF checking to assign a "score" to email through SpamAssassin (see #1429).
This issue tracks email rejection using SPF records.
See https://help.ubuntu.com/community/Postfix/SPF for a quick guide.
Related issues
History
#1
Updated by Davide Principi over 7 years ago
- Description updated (diff)
- Status changed from NEW to TRIAGED
- Target version set to v6.5-beta3
- % Done changed from 0 to 20
- Estimated time set to 1.00
This feature was implemented but never tested:
# rpm -ql nethserver-mail-filter | grep spf
/etc/e-smith/templates/etc/postfix/main.cf/31spfpolicy
/etc/e-smith/templates/etc/postfix/master.cf/60spfpolicy
/usr/libexec/nethserver/postfix-policyd-spf-perl
/usr/share/doc/postfix-policyd-spf-perl-2.010
/usr/share/doc/postfix-policyd-spf-perl-2.010/CHANGES
/usr/share/doc/postfix-policyd-spf-perl-2.010/INSTALL
/usr/share/doc/postfix-policyd-spf-perl-2.010/LICENSE
/usr/share/doc/postfix-policyd-spf-perl-2.010/README
Test case
- Enable SPF checks in Postfix
smtpd:# config setprop postfix SpfStatus enabled # signal-event nethserver-mail-filter-save
- Try to receive an email from a client with invalid SPF record
#2
Updated by Davide Principi over 7 years ago
- Status changed from TRIAGED to MODIFIED
- % Done changed from 20 to 60
The implementation is there since the beginning. No modifications required. QA validation only.
#3
Updated by Davide Principi over 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
#4
Updated by Giacomo Sanchietti over 7 years ago
- Assignee set to Filippo Carletti
#5
Updated by Filippo Carletti over 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
Filippo Carletti) - % Done changed from 70 to 90
maillog after enabling SPF policy daemon:
Dec 10 14:50:42 nsrv64a2 postfix/policy-spf[15346]: Policy action=PREPEND Received-SPF: softfail (nethesis.it: Sender is not authorized by default to use 'filippo@nethesis.it' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=nsrv64a2.nethesis.lan; identity=mailfrom; envelope-from="filippo@nethesis.it"; helo=nethesis.it; client-ip=10.0.2.2
Using a sending domain that has strict sfp fail record:
Dec 10 15:02:53 nsrv64a2 postfix/policy-spf[15392]: Policy action=550 Please see http://www.openspf.net/Why?s=helo;id=workaround.org;ip=10.0.2.2;r=nsrv64a2.nethesis.lan Dec 10 15:02:53 nsrv64a2 postfix/smtpd[15387]: NOQUEUE: reject: RCPT from unknown[10.0.2.2]: 550 5.7.1 <filippo.carletti@nethesis.lan>: Recipient address rejected: Please see http://www.openspf.net/Why?s=helo;id=workaround.org;ip=10.0.2.2;r=nsrv64a2.nethesis.lan; from=<postmaster@workaround.org>
While testing, I noticed that few domains have SPF fail record (~all vs -all). See:
$ dig +short google.com txt "v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
#6
Updated by Davide Principi over 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-samba-1.4.0-1.ns6.noarch.rpm
nethserver-directory-1.3.0-1.ns6.noarch.rpm
nethserver-dnsmasq-1.1.0-1.ns6.noarch.rpm
nethserver-shorewall-1.0.3-1.ns6.noarch.rpm
nethserver-mail-server-1.5.0-1.ns6.noarch.rpm
nethserver-mail-filter-1.1.4-1.ns6.noarch.rpm
nethserver-nethgui-1.3.0-1.ns6.noarch.rpm
nethserver-base-1.5.0-1.ns6.noarch.rpm
nethserver-lib-1.4.0-1.ns6.noarch.rpm
nethserver-httpd-admin-1.1.0-1.ns6.noarch.rpm
nethserver-yum-1.2.0-1.ns6.noarch.rpm
nethserver-ntopng-1.1.0-1.ns6.noarch.rpm