Feature #2343

Add SPF option to Postfix

Added by Filippo Carletti over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done:
Target version: v6.5-beta3
Resolution:
NEEDINFO: No


Postfix could refuse mail from unauthorized sources using SPF records.

Now we use SPF checking to assign a "score" to email through SpamAssassin (see #1429).

This issue tracks email rejection using SPF records.
See https://help.ubuntu.com/community/Postfix/SPF for a quick guide.

Related issues

Related to NethServer 6 - Task #1429: Use SPF and RBL for spamassassin scoring CLOSED 09/05/2012 09/06/2012


#1 Updated by Davide Principi over 6 years ago

  • Description updated (diff)
  • Status changed from NEW to TRIAGED
  • Target version set to v6.5-beta3
  • % Done changed from 0 to 20
  • Estimated time set to 1.00

This feature was implemented but never tested:

    # rpm -ql nethserver-mail-filter | grep spf

Test case
  1. Enable SPF checks in Postfix smtpd:
       # config setprop postfix SpfStatus enabled
       # signal-event nethserver-mail-filter-save
  2. Try to receive an email from a client with invalid SPF record

#2 Updated by Davide Principi over 6 years ago

  • Status changed from TRIAGED to MODIFIED
  • % Done changed from 20 to 60

The implementation has been there since the beginning. No modifications required. QA validation only.

#3 Updated by Davide Principi over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

#4 Updated by Giacomo Sanchietti over 6 years ago

  • Assignee set to Filippo Carletti

#5 Updated by Filippo Carletti over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Filippo Carletti)
  • % Done changed from 70 to 90

maillog after enabling SPF policy daemon:

    Dec 10 14:50:42 nsrv64a2 postfix/policy-spf[15346]: Policy action=PREPEND Received-SPF: softfail (nethesis.it: Sender is not authorized by default to use 'filippo@nethesis.it' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=nsrv64a2.nethesis.lan; identity=mailfrom; envelope-from="filippo@nethesis.it"; helo=nethesis.it; client-ip=

Using a sending domain that has a strict SPF fail record:

    Dec 10 15:02:53 nsrv64a2 postfix/policy-spf[15392]: Policy action=550 Please see http://www.openspf.net/Why?s=helo;id=workaround.org;ip=;r=nsrv64a2.nethesis.lan
    Dec 10 15:02:53 nsrv64a2 postfix/smtpd[15387]: NOQUEUE: reject: RCPT from unknown[]: 550 5.7.1 <filippo.carletti@nethesis.lan>: Recipient address rejected: Please see http://www.openspf.net/Why?s=helo;id=workaround.org;ip=;r=nsrv64a2.nethesis.lan; from=<postmaster@workaround.org>

While testing, I noticed that few domains have an SPF fail record (~all vs -all). See:

    $ dig +short google.com txt
    "v=spf1 include:_spf.google.com ip4: ip4: ~all"
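
For QA of the test case above, the policy daemon's decisions can be tallied straight from maillog. The following is an added example, not part of the original comments or of nethserver-mail-filter: it parses `postfix/policy-spf` lines in the format shown in comment #5 and reports which sender domains were tagged and which were rejected. The sample log is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample modelled on the maillog format shown in comment #5.
# Host names, domains and the 192.0.2.x / 198.51.100.x addresses are placeholders.
SAMPLE_LOG = """\
Dec 10 14:50:42 mx1 postfix/policy-spf[15346]: Policy action=PREPEND Received-SPF: softfail (example.org: mechanism '~all' matched) receiver=mx1.example.lan; identity=mailfrom; envelope-from="user@example.org"; helo=example.org; client-ip=192.0.2.10
Dec 10 15:02:53 mx1 postfix/policy-spf[15392]: Policy action=550 Please see http://www.openspf.net/Why?s=helo;id=strict.example.net;ip=198.51.100.7;r=mx1.example.lan
Dec 10 15:02:53 mx1 postfix/smtpd[15387]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.7.1 <rcpt@example.lan>: Recipient address rejected
Dec 10 15:10:01 mx1 postfix/policy-spf[15401]: Policy action=PREPEND Received-SPF: pass (example.com: Sender is authorized) receiver=mx1.example.lan; identity=mailfrom; envelope-from="a@example.com"; helo=mail.example.com; client-ip=192.0.2.25
"""

POLICY = re.compile(r"postfix/policy-spf\[\d+\]: Policy action=(\S+)(?: (.*))?$")
WHY = re.compile(r"[?&]s=(\w+);id=([^;]*);ip=([^;]*)")   # fields of the "Why?" URL
FIELD = re.compile(r'\b(identity|envelope-from|helo|client-ip)=("?)([^";]*)\2')

def parse_policy_line(line):
    """Return a dict for a policy-spf decision line, or None for any other line."""
    m = POLICY.search(line)
    if not m:
        return None
    action, rest = m.group(1), m.group(2) or ""
    rec = {"action": action, "result": "", "identity": "", "domain": "", "client_ip": ""}
    if action == "PREPEND":            # mail accepted, Received-SPF header added
        f = {k: v for k, _, v in FIELD.findall(rest)}
        res = re.match(r"Received-SPF: (\w+)", rest)
        ident = f.get("identity", "")
        who = f.get("helo" if ident == "helo" else "envelope-from", "")
        rec.update(result=res.group(1) if res else "", identity=ident,
                   domain=who.rpartition("@")[2], client_ip=f.get("client-ip", ""))
    elif action.isdigit():             # SMTP reply code handed back to smtpd
        rec["result"] = "rejected" if action.startswith("5") else "deferred"
        w = WHY.search(rest)
        if w:
            rec.update(identity=w.group(1), client_ip=w.group(3),
                       domain=w.group(2).rpartition("@")[2])
    return rec

def summarize(log_text):
    """Count (action, result) pairs and list the domains whose mail was rejected."""
    recs = [r for r in map(parse_policy_line, log_text.splitlines()) if r]
    counts = Counter((r["action"], r["result"]) for r in recs)
    rejected = sorted({r["domain"] for r in recs if r["result"] == "rejected"})
    return counts, rejected

if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE_LOG)
    print(dict(counts), "rejected domains:", rejected)
```

A high share of `softfail` entries among the PREPEND lines matches the observation that most domains publish `~all`: their mail is tagged for SpamAssassin scoring rather than refused at SMTP time.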

#6 Updated by Davide Principi over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
