I'm trying to implement SPF on our Postfix 2.3.3 installation running on
CentOS 5.2 and have been using the "Sender address verification for all
e-mail" article on the postfix site. We're also using a Barracuda filter
and SPF verification hasn't been leading to false positives so we're
happy to enable it for everything.

I believe that the config below should do the trick:


address_verify_map = btree:/var/lib/postfix/verify
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination =
mynetworks = 100.100.100.0/24
myorigin = domain2.co.uk
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = domain1.co.uk, domain2.co.uk, domain3.co.uk
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_sender_restrictions = permit_mynetworks
        check_sender_access hash:/etc/postfix/sender_access
        reject_unknown_sender_domain
        reject_unverified_sender
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual


And here is the SPF chunk from main.cf:

# Enable SPF

smtpd_sender_restrictions =
        permit_mynetworks
        check_sender_access hash:/etc/postfix/sender_access
        reject_unknown_sender_domain
        reject_unverified_sender

# Postfix 2.6 and later.
#unverified_sender_reject_reason = Address verification failed

# Note 1: Be sure to read the "Caching" section below!
# Note 2: Avoid hash files here. Use btree instead.
address_verify_map = btree:/var/lib/postfix/verify


However, SPF does not appear to be functioning. I have verified that the
verify.db file is writable and indeed it has grown, and sender_access.db
exists as specified.

I'm not sure how to proceed. At the least I guess I need to know what a
rejection on the grounds above would look like in the logs so I can see
if it's isolated cases or a total failure of my configuration.

I should note that the SPF failures I'm looking at are against our own
domain, checks which work on our Barracuda, thus proving that the SPF
record itself is good.

Here is an example:

Jun  1 10:54:38 hostname postfix/smtpd[27747]: 419581F800F7: client=unknown[163.13.128.190]
Jun  1 10:54:39 hostname postfix/cleanup[28028]: 419581F800F7: message-id=<221000364829142.cuepwrfoxjaq...@[163.13.128.190]>
Jun  1 10:54:39 hostname postfix/qmgr[26216]: 419581F800F7: from=<paul.coc...@tntpost.co.uk>, size=2545, nrcpt=1 (queue active)
Jun  1 10:54:39 hostname postfix/smtp[27372]: 419581F800F7: to=<paul.coc...@tntpost.co.uk>, relay=hostname2.domain.co.uk[100.100.100.101]:25, delay=1.3, delays=1.3/0/0.01/0.04, dsn=5.0.0, status=bounced (host hostname2.domain.co.uk[100.100.100.101] said: 554 Service unavailable; Client host [hostname.domain2.co.uk] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=163.13.128.190 (in reply to end of DATA command))
Jun  1 10:54:39 hostname postfix/bounce[27728]: 419581F800F7: sender non-delivery notification: 47E5F1F800F9
Jun  1 10:54:39 hostname postfix/qmgr[26216]: 419581F800F7: removed


The mail is passed from the postfix mail server to the Barracuda server
without being rejected, despite the forged from field and invalid IP.

Paul Cocker
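The post asks what a rejection on these grounds would look like in the log and whether the problem is isolated or total. As an added example (my code, not from the post or from Postfix), here is a Python triage script over a constructed log sample modelled on the excerpt above: it groups lines by queue id, collects NOQUEUE rejections (the form in which smtpd logs a sender-restriction rejection such as one from reject_unverified_sender), and flags accepted messages whose envelope sender claims one of the relay_domains while the connecting client is outside mynetworks. The sample's IPs, addresses and the exact wording of the reject line are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Values taken from the main.cf posted above.
MYNETWORKS = [ipaddress.ip_network("100.100.100.0/24")]
LOCAL_DOMAINS = {"domain1.co.uk", "domain2.co.uk", "domain3.co.uk"}  # relay_domains

# Constructed sample log modelled on the excerpt in the post (documentation IPs, made-up addresses).
SAMPLE_LOG = """\
Jun  1 10:54:38 hostname postfix/smtpd[27747]: 419581F800F7: client=unknown[192.0.2.10]
Jun  1 10:54:39 hostname postfix/qmgr[26216]: 419581F800F7: from=<someone@domain2.co.uk>, size=2545, nrcpt=1 (queue active)
Jun  1 10:54:39 hostname postfix/smtp[27372]: 419581F800F7: to=<someone@domain2.co.uk>, relay=hostname2.domain.co.uk[100.100.100.101]:25, dsn=5.0.0, status=bounced (host hostname2.domain.co.uk[100.100.100.101] said: 554 Service unavailable (in reply to end of DATA command))
Jun  1 10:55:02 hostname postfix/smtpd[27747]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.7 <bogus@example.net>: Sender address rejected: unverified address: connect to example.net[203.0.113.5]:25: Connection refused; from=<bogus@example.net> to=<user@domain1.co.uk> proto=ESMTP helo=<mail.example.net>
Jun  1 10:56:10 hostname postfix/smtpd[27750]: 5A0B11F80101: client=mta.partner.example[100.100.100.50]
Jun  1 10:56:10 hostname postfix/qmgr[26216]: 5A0B11F80101: from=<ops@domain1.co.uk>, size=900, nrcpt=1 (queue active)
"""

LINE_RE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+|NOQUEUE): (.*)$")
CLIENT_RE = re.compile(r"client=[^\s\[]*\[([0-9a-fA-F.:]+)\]")
FROM_RE = re.compile(r"from=<([^>]*)>")
STATUS_RE = re.compile(r"status=(\w+)")

def parse_log(text):
    """Return (messages keyed by queue id, list of NOQUEUE reject texts)."""
    # A restriction rejection never gets a queue id: smtpd logs it as
    # "NOQUEUE: reject: RCPT from ...: 450 4.1.7 <addr>: Sender address rejected: ...".
    msgs, rejects = defaultdict(dict), []
    for m in filter(None, map(LINE_RE.search, text.splitlines())):
        daemon, qid, rest = m.groups()
        if qid == "NOQUEUE":
            if rest.startswith("reject:"):
                rejects.append(rest)
            continue
        entry = msgs[qid]
        if c := CLIENT_RE.search(rest):
            entry["client_ip"] = c.group(1)
        if daemon == "qmgr" and (f := FROM_RE.search(rest)):
            entry["sender"] = f.group(1)  # envelope sender as accepted into the queue
        if s := STATUS_RE.search(rest):
            entry["status"] = s.group(1)
    return dict(msgs), rejects

def spoofed_local_senders(msgs):
    """Queue ids accepted from outside mynetworks whose envelope sender claims one of our domains."""
    return sorted(qid for qid, e in msgs.items()
                  if e.get("sender", "").rpartition("@")[2].lower() in LOCAL_DOMAINS
                  and "client_ip" in e
                  and not any(ipaddress.ip_address(e["client_ip"]) in n for n in MYNETWORKS))
```

Running parse_log over a real mail log instead of SAMPLE_LOG shows whether any NOQUEUE rejects are being produced at all, and spoofed_local_senders lists the accepted messages that match the pattern in the posted example.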