You might also want to look at bgp-spamd. With respect to dealing with SPF, the simple solution (permitting an IP if it is on the sending domain's SPF list) doesn't work too well in the general case since it appears many spammers publish SPF records.
However what I found works well, at least for some low-volume domains, is to identify the subset of domains for which I would like to honour the SPF records and automatically whitelist them. I wrote a little perl script, available as:

<ftp://ftp.gno.org/pub/tools/gen-spf-whitelist>

The script takes a set of whitelisted domains and queries the DNS to build up the matching set of whitelisted IPs. It then puts these into a file that can be loaded as a pf table. This permits pf to bypass spamd for these whitelisted domains. There is extra usage information (and a description of current limitations) in comments at the top of the script.

This does require one to reload the pf configuration; however (due to paranoia) the current version of the script doesn't do that. Instead, it mails root if something has changed that would require the configuration to be updated. Experience shows that this doesn't trip very often.

I invoke the script from daily.local as something like:

    /usr/local/sbin/gen-spf-whitelist \
        example.com \
        example.tld \
        something.else.net \
        (...)

I qualified the above by mentioning I was using it on some low-volume domains because the current mechanism probably doesn't scale well with respect to maintaining the list of domains. It could probably benefit from a couple of substantive changes:

- permit the whitelisted IPs to be updated without needing to have pf reload its rules. This implies updating the pf table directly, in a manner similar to what is used for bgp-spamd.

- be able to tie in with a client management system that permits users to request domains to be whitelisted (only SPF-publishing domains could be whitelisted this way using this mechanism).

Potential candidate domains for inclusion will be obvious.
If you 'grep GREY /var/log/daemon', the most likely potential candidates are those where you will see multiple delivery attempts from the same domain to the same recipient but where the originating IPs differ (although likely in the same net block).

Devin
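As an added illustration of the expansion step the post describes (this is not Devin's gen-spf-whitelist script, which is not reproduced here), the Python below resolves the SPF records of chosen domains into pf table entries against a constructed in-memory resolver standing in for real DNS queries; the table name spf_whitelist and the path /etc/spf_whitelist are assumptions, and pfctl -T replace is one way to do the in-place table update the first bullet asks for:

```python
import ipaddress
import re

FAKE_TXT = {  # constructed stand-in for DNS TXT answers; none of these is real
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip6:2001:db8::/32 +ip4:198.51.100.7 mx ~all",
    "loop.test": "v=spf1 include:loop.test -all",
}
MAX_LOOKUPS = 10  # RFC 7208 4.6.4: cap on DNS-querying terms per evaluation
NEEDS_DNS = re.compile(r"^(a|mx|ptr|exists)(?=[:/]|$)")

def spf_networks(domain, lookup_txt=FAKE_TXT.get):
    """Expand a domain's SPF record into (set of ip_network, skipped terms); a, mx,
    ptr and exists need more queries and are reported rather than silently dropped."""
    nets, skipped, seen, lookups = set(), [], set(), 0
    queue = [domain.lower()]
    while queue:
        name = queue.pop(0)
        if name in seen:  # include: loop, already expanded
            continue
        seen.add(name)
        record = lookup_txt(name)
        if not record or not record.startswith("v=spf1"):
            skipped.append(f"no-spf:{name}")
            continue
        for term in record.split()[1:]:
            mech = term.lstrip("+-~?").lower()  # drop the qualifier
            if mech.startswith(("ip4:", "ip6:")):
                nets.add(ipaddress.ip_network(mech[4:], strict=False))
            elif mech.startswith(("include:", "redirect=")) or NEEDS_DNS.match(mech):
                lookups += 1
                if lookups > MAX_LOOKUPS:  # oversized or hostile record: stop
                    return nets, skipped + [f"lookup-limit:{name}"]
                if mech.startswith(("include:", "redirect=")):
                    queue.append(re.split(r"[:=]", mech, maxsplit=1)[1])
                else:
                    skipped.append(f"{name}:{mech}")
            elif mech != "all":
                skipped.append(f"{name}:{mech}")
    return nets, skipped

def pf_table_lines(domains, lookup_txt=FAKE_TXT.get):
    """One pf table entry per line; in pf.conf: table <spf_whitelist> persist
    file "/etc/spf_whitelist", refreshed in place (no rules reload) by
    pfctl -t spf_whitelist -T replace -f /etc/spf_whitelist"""
    results = [spf_networks(d, lookup_txt) for d in domains]
    nets = set().union(*(n for n, _ in results))
    skipped = [s for _, ss in results for s in ss]
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address)))
    return [str(n) for n in ordered], skipped
```

Against real DNS every include: is a query that the record's owner controls, so the lookup cap and the loop check matter as much as the parsing; the skipped list tells the operator which chosen domains the table does not fully cover.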