Feature #2343

Add SPF option to Postfix

Added by Filippo Carletti about 6 years ago. Updated almost 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-mail-filter
Target version: v6.5-beta3
Resolution:
NEEDINFO: No

Description

Postfix could refuse mail from unauthorized sources using SPF records.

Now we use SPF checking to assign a "score" to email through SpamAssassin (see #1429).

This issue tracks email rejection using SPF records.
See https://help.ubuntu.com/community/Postfix/SPF for a quick guide.


Related issues

Related to NethServer 6 - Task #1429: Use SPF and RBL for spamassassin scoring CLOSED 09/05/2012 09/06/2012

History

#1 Updated by Davide Principi about 6 years ago

  • Description updated (diff)
  • Status changed from NEW to TRIAGED
  • Target version set to v6.5-beta3
  • % Done changed from 0 to 20
  • Estimated time set to 1.00

This feature was implemented but never tested:

    # rpm -ql nethserver-mail-filter | grep spf
    /etc/e-smith/templates/etc/postfix/main.cf/31spfpolicy
    /etc/e-smith/templates/etc/postfix/master.cf/60spfpolicy
    /usr/libexec/nethserver/postfix-policyd-spf-perl
    /usr/share/doc/postfix-policyd-spf-perl-2.010
    /usr/share/doc/postfix-policyd-spf-perl-2.010/CHANGES
    /usr/share/doc/postfix-policyd-spf-perl-2.010/INSTALL
    /usr/share/doc/postfix-policyd-spf-perl-2.010/LICENSE
    /usr/share/doc/postfix-policyd-spf-perl-2.010/README

Test case
  1. Enable SPF checks in Postfix smtpd:
       # config setprop postfix SpfStatus enabled
       # signal-event nethserver-mail-filter-save
    
  2. Try to receive an email from a client with an invalid SPF record

#2 Updated by Davide Principi about 6 years ago

  • Status changed from TRIAGED to MODIFIED
  • % Done changed from 20 to 60

The implementation has been there since the beginning. No modifications required. QA validation only.

#3 Updated by Davide Principi about 6 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

#4 Updated by Giacomo Sanchietti about 6 years ago

  • Assignee set to Filippo Carletti

#5 Updated by Filippo Carletti about 6 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Filippo Carletti)
  • % Done changed from 70 to 90

maillog after enabling SPF policy daemon:

Dec 10 14:50:42 nsrv64a2 postfix/policy-spf[15346]: Policy action=PREPEND Received-SPF: softfail (nethesis.it: Sender is not authorized by default to use 'filippo@nethesis.it' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=nsrv64a2.nethesis.lan; identity=mailfrom; envelope-from="filippo@nethesis.it"; helo=nethesis.it; client-ip=10.0.2.2

Using a sending domain that has a strict SPF fail record:

Dec 10 15:02:53 nsrv64a2 postfix/policy-spf[15392]: Policy action=550 Please see http://www.openspf.net/Why?s=helo;id=workaround.org;ip=10.0.2.2;r=nsrv64a2.nethesis.lan
Dec 10 15:02:53 nsrv64a2 postfix/smtpd[15387]: NOQUEUE: reject: RCPT from unknown[10.0.2.2]: 550 5.7.1 <filippo.carletti@nethesis.lan>: Recipient address rejected: Please see http://www.openspf.net/Why?s=helo;id=workaround.org;ip=10.0.2.2;r=nsrv64a2.nethesis.lan; from=<postmaster@workaround.org>

While testing, I noticed that few domains have an SPF fail record (~all vs -all). See:

$ dig +short google.com txt
"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all" 

#6 Updated by Davide Principi almost 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-samba-1.4.0-1.ns6.noarch.rpm
nethserver-directory-1.3.0-1.ns6.noarch.rpm
nethserver-dnsmasq-1.1.0-1.ns6.noarch.rpm
nethserver-shorewall-1.0.3-1.ns6.noarch.rpm
nethserver-mail-server-1.5.0-1.ns6.noarch.rpm
nethserver-mail-filter-1.1.4-1.ns6.noarch.rpm
nethserver-nethgui-1.3.0-1.ns6.noarch.rpm
nethserver-base-1.5.0-1.ns6.noarch.rpm
nethserver-lib-1.4.0-1.ns6.noarch.rpm
nethserver-httpd-admin-1.1.0-1.ns6.noarch.rpm
nethserver-yum-1.2.0-1.ns6.noarch.rpm
nethserver-ntopng-1.1.0-1.ns6.noarch.rpm
