Feature #2343
Add SPF option to Postfix
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-mail-filter | | |
| Target version: | v6.5-beta3 | | |
| Resolution: | | NEEDINFO: | No |
Description
Postfix could refuse mail from unauthorized sources using SPF record.
Now we use SPF checking to assign a "score" to email through SpamAssassin (see #1429).
This issue tracks email rejection using SPF records.
See https://help.ubuntu.com/community/Postfix/SPF for a quick guide.
History
#1 Updated by Davide Principi over 7 years ago
- Description updated (diff)
- Status changed from NEW to TRIAGED
- Target version set to v6.5-beta3
- % Done changed from 0 to 20
- Estimated time set to 1.00
This feature was implemented but never tested:
    # rpm -ql nethserver-mail-filter | grep spf
    /etc/e-smith/templates/etc/postfix/main.cf/31spfpolicy
    /etc/e-smith/templates/etc/postfix/master.cf/60spfpolicy
    /usr/libexec/nethserver/postfix-policyd-spf-perl
    /usr/share/doc/postfix-policyd-spf-perl-2.010
    /usr/share/doc/postfix-policyd-spf-perl-2.010/CHANGES
    /usr/share/doc/postfix-policyd-spf-perl-2.010/INSTALL
    /usr/share/doc/postfix-policyd-spf-perl-2.010/LICENSE
    /usr/share/doc/postfix-policyd-spf-perl-2.010/README
Test case
- Enable SPF checks in Postfix smtpd:
    # config setprop postfix SpfStatus enabled
    # signal-event nethserver-mail-filter-save
- Try to receive an email from a client with an invalid SPF record
#2 Updated by Davide Principi over 7 years ago
- Status changed from TRIAGED to MODIFIED
- % Done changed from 20 to 60
The implementation has been there since the beginning. No modifications required. QA validation only.
#3 Updated by Davide Principi over 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
#4 Updated by Giacomo Sanchietti over 7 years ago
- Assignee set to Filippo Carletti
#5 Updated by Filippo Carletti over 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Filippo Carletti)
- % Done changed from 70 to 90
maillog after enabling SPF policy daemon:
Dec 10 14:50:42 nsrv64a2 postfix/policy-spf[15346]: Policy action=PREPEND Received-SPF: softfail (nethesis.it: Sender is not authorized by default to use 'filippo@nethesis.it' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=nsrv64a2.nethesis.lan; identity=mailfrom; envelope-from="filippo@nethesis.it"; helo=nethesis.it; client-ip=10.0.2.2
Using a sending domain that has a strict SPF fail record:
Dec 10 15:02:53 nsrv64a2 postfix/policy-spf[15392]: Policy action=550 Please see http://www.openspf.net/Why?s=helo;id=workaround.org;ip=10.0.2.2;r=nsrv64a2.nethesis.lan
Dec 10 15:02:53 nsrv64a2 postfix/smtpd[15387]: NOQUEUE: reject: RCPT from unknown[10.0.2.2]: 550 5.7.1 <filippo.carletti@nethesis.lan>: Recipient address rejected: Please see http://www.openspf.net/Why?s=helo;id=workaround.org;ip=10.0.2.2;r=nsrv64a2.nethesis.lan; from=<postmaster@workaround.org>
While testing, I noticed that few domains have an SPF fail record (~all vs -all). See:
    $ dig +short google.com txt
    "v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
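The two outcomes in the maillog above (a softfail that is accepted and tagged with a Received-SPF header, and a 550 rejection) can be tallied during QA with a small parser. This is an added example, not part of the original issue or of NethServer: the function names are hypothetical, the sample lines are the three quoted above, and labelling any action other than PREPEND or 5xx as "other" is an assumption.

```python
import re
from collections import Counter

# Sample input: the three maillog lines quoted in comment #5 above.
SAMPLE_LOG = [
    "Dec 10 14:50:42 nsrv64a2 postfix/policy-spf[15346]: Policy action=PREPEND "
    "Received-SPF: softfail (nethesis.it: Sender is not authorized by default to "
    "use 'filippo@nethesis.it' in 'mfrom' identity, however domain is not "
    "currently prepared for false failures (mechanism '~all' matched)) "
    "receiver=nsrv64a2.nethesis.lan; identity=mailfrom; "
    'envelope-from="filippo@nethesis.it"; helo=nethesis.it; client-ip=10.0.2.2',
    "Dec 10 15:02:53 nsrv64a2 postfix/policy-spf[15392]: Policy action=550 "
    "Please see http://www.openspf.net/Why?s=helo;id=workaround.org;"
    "ip=10.0.2.2;r=nsrv64a2.nethesis.lan",
    "Dec 10 15:02:53 nsrv64a2 postfix/smtpd[15387]: NOQUEUE: reject: RCPT from "
    "unknown[10.0.2.2]: 550 5.7.1 <filippo.carletti@nethesis.lan>: Recipient "
    "address rejected: Please see http://www.openspf.net/Why?s=helo;"
    "id=workaround.org;ip=10.0.2.2;r=nsrv64a2.nethesis.lan; "
    "from=<postmaster@workaround.org>",
]

POLICY_RE = re.compile(r"postfix/policy-spf\[\d+\]: Policy action=(\S+)\s*(.*)")

def parse_policy_line(line):
    """Return one policy-spf decision as a dict, or None for any other line."""
    m = POLICY_RE.search(line)
    if not m:
        return None  # e.g. the smtpd NOQUEUE line, which repeats the same URL
    action, detail = m.groups()
    if action == "PREPEND":
        # Accepted and tagged: fields are "key=value;" pairs after the comment.
        kv = dict(re.findall(r'([\w-]+)="?([^";\s]+)', detail))
        result = re.match(r"Received-SPF:\s*(\w+)", detail)
        mech = re.search(r"mechanism '([^']+)' matched", detail)
        return {"verdict": "tagged", "result": result and result.group(1),
                "mechanism": mech and mech.group(1),
                "identity": kv.get("identity"), "client_ip": kv.get("client-ip")}
    # Otherwise the details travel in the openspf.net "Why" URL query string.
    kv = dict(re.findall(r"[?;](\w+)=([^;\s]+)", detail))
    verdict = "rejected" if re.fullmatch(r"5\d\d", action) else "other"
    return {"verdict": verdict, "result": None, "mechanism": None,
            "identity": kv.get("s"), "client_ip": kv.get("ip")}

def summarize(lines):
    """Count decisions by (verdict, SPF result); non-policy lines are skipped."""
    decisions = filter(None, map(parse_policy_line, lines))
    return Counter((d["verdict"], d["result"]) for d in decisions)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A high count of ("tagged", "softfail") means those messages were accepted with only a header added, so their handling depends on the SpamAssassin score rather than on Postfix.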
#6 Updated by Davide Principi over 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-samba-1.4.0-1.ns6.noarch.rpm
nethserver-directory-1.3.0-1.ns6.noarch.rpm
nethserver-dnsmasq-1.1.0-1.ns6.noarch.rpm
nethserver-shorewall-1.0.3-1.ns6.noarch.rpm
nethserver-mail-server-1.5.0-1.ns6.noarch.rpm
nethserver-mail-filter-1.1.4-1.ns6.noarch.rpm
nethserver-nethgui-1.3.0-1.ns6.noarch.rpm
nethserver-base-1.5.0-1.ns6.noarch.rpm
nethserver-lib-1.4.0-1.ns6.noarch.rpm
nethserver-httpd-admin-1.1.0-1.ns6.noarch.rpm
nethserver-yum-1.2.0-1.ns6.noarch.rpm
nethserver-ntopng-1.1.0-1.ns6.noarch.rpm