Scott Kitterman wrote:
> man postfix-policyd-spf-perl will tell you how to set this up. It certainly
> doesn't qualify as easy, but, at least for a list of IP addresses it can be
> done. See the paragraph that starts "The policy server skips ..." in the
> synopsis.
Ah yes it does - I suppose I didn't expect this to be documented in the
synopsis... Perhaps the attached diff to the docs is of some use. Also
included is a change which makes the name of the unix socket more
meaningful (e.g. so that if you have multiple policy daemons configured
then smtpd_recipient_restrictions = ..., check_policy_service
unix:private/spfcheck, check_policy_service unix:private/whitelister.ctl
... is easier to read)...
I know you're not supposed to overload patches like that but hey, I'm
lazy ;o).
> I agree it's not as easy or functional as it should be. If you look at
> postfix-policyd-spf-python (be sure to get version 0.6 - currently in
> unstable) it has the features you are looking for in a config file installed
> in /etc.
OK. If I'd known that the Python package was stronger, then I would
have deployed it instead. Perhaps there should be a note at
http://www.openspf.org/Software to say that the Python package is more
feature-full/supported (or just a feature list). At the time I chose, I
just looked at that URL, and noted two releases (the last more recent)
for the Perl package, and only a single release for the Python
package... Of course, 0.6 came out since, by the look of it...
Regards,
Tim.
--- postfix-policyd-spf-perl-2.005/debian/postfix-policyd-spf-perl.1.orig 2008-02-29 10:32:53.000000000 +0000
+++ postfix-policyd-spf-perl-2.005/debian/postfix-policyd-spf-perl.1 2008-02-29 10:42:58.000000000 +0000
@@ -236,22 +236,30 @@
1. Add the following to /etc/postfix/master.cf:
- policy unix - n n - 0 spawn
+ spfcheck unix - n n - 0 spawn
user=nobody argv=/usr/bin/perl /usr/sbin/postfix-policyd-spf-perl
- 2. Configure the Postfix policy service in /etc/postfix/main.cf:
+ 2. Configure the Postfix spf policy service in /etc/postfix/main.cf:
smtpd_recipient_restrictions =
...
reject_unauth_destination
- check_policy_service unix:private/policy
+ check_policy_service unix:private/spfcheck
...
policy_time_limit = 3600
NOTE: Specify check_policy_service AFTER reject_unauth_destination or
else your system can become an open relay.
- 3. Restart Postfix.
+ 3. Set up machines which you expect to legitimately forward mail to this
+ server (see description in synopsis). This should typically include
+ the IP addresses which backup Mail eXchangers, and known non-SRS
+ forwarders will use to submit mail to this server (i.e. the source IPs
+ of the other servers).
+
+ 4. Restart Postfix.
+
+ 5. Verify correct backup-MX operation (if applicable).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
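Review bot: The unchanged context line `policy_time_limit = 3600` in step 2 no longer matches the renamed master.cf service. Postfix's spawn(8) takes its time limit from a parameter named after the master.cf service entry (`<service>_time_limit`), so once the entry is called `spfcheck` this line should read `spfcheck_time_limit = 3600`; as written, the documented limit is not applied to the renamed service. In the new step 3, "Set up machines which you expect to legitimately forward mail" only points back at the synopsis without naming the mechanism, so the numbered steps are not self-contained, and step 5 does not say what a correct backup-MX check looks like. The socket rename and the added steps are independent changes and would be easier to review as two patches.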