I'm trying to implement SPF on our Postfix 2.3.3 installation running on CentOS 5.2 and have been using the "Sender address verification for all e-mail" article on the Postfix site. We're also using a Barracuda filter, and SPF verification hasn't been leading to false positives, so we're happy to enable it for everything.
I believe that the config below should do the trick:

address_verify_map = btree:/var/lib/postfix/verify
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination =
mynetworks = 100.100.100.0/24
myorigin = domain2.co.uk
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = domain1.co.uk, domain2.co.uk, domain3.co.uk
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_sender_restrictions = permit_mynetworks check_sender_access hash:/etc/postfix/sender_access reject_unknown_sender_domain reject_unverified_sender
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

And here is the SPF chunk from main.cf:

# Enable SPF
smtpd_sender_restrictions =
    permit_mynetworks
    check_sender_access hash:/etc/postfix/sender_access
    reject_unknown_sender_domain
    reject_unverified_sender
# Postfix 2.6 and later.
#unverified_sender_reject_reason = Address verification failed
# Note 1: Be sure to read the "Caching" section below!
# Note 2: Avoid hash files here. Use btree instead.
address_verify_map = btree:/var/lib/postfix/verify

However, SPF does not appear to be functioning. I have verified that the verify.db file is writable (and indeed it has grown), and sender_access.db exists as specified. I'm not sure how to proceed.
At the least, I guess I need to know what a rejection on the grounds above would look like in the logs, so I can see if it's isolated cases or a total failure of my configuration. I should note that the SPF failures I'm looking at are against our own domain, checks which work on our Barracuda, thus proving that the SPF record itself is good. Here is an example:

Jun 1 10:54:38 hostname postfix/smtpd[27747]: 419581F800F7: client=unknown[163.13.128.190]
Jun 1 10:54:39 hostname postfix/cleanup[28028]: 419581F800F7: message-id=<221000364829142.cuepwrfoxjaq...@[163.13.128.190]>
Jun 1 10:54:39 hostname postfix/qmgr[26216]: 419581F800F7: from=<paul.coc...@tntpost.co.uk>, size=2545, nrcpt=1 (queue active)
Jun 1 10:54:39 hostname postfix/smtp[27372]: 419581F800F7: to=<paul.coc...@tntpost.co.uk>, relay=hostname2.domain.co.uk[100.100.100.101]:25, delay=1.3, delays=1.3/0/0.01/0.04, dsn=5.0.0, status=bounced (host hostname2.domain.co.uk[100.100.100.101] said: 554 Service unavailable; Client host [hostname.domain2.co.uk] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=163.13.128.190 (in reply to end of DATA command))
Jun 1 10:54:39 hostname postfix/bounce[27728]: 419581F800F7: sender non-delivery notification: 47E5F1F800F9
Jun 1 10:54:39 hostname postfix/qmgr[26216]: 419581F800F7: removed

The mail is passed from the Postfix mail server to the Barracuda server without being rejected, despite the forged From field and invalid IP.

Paul Cocker
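The question asks what a rejection by the restrictions above would look like in the log. Two facts worth knowing first: reject_unverified_sender and reject_unknown_sender_domain test whether the envelope sender address is deliverable and whether its domain resolves; they do not evaluate SPF. And because smtpd_delay_reject defaults to yes, a sender restriction is logged when the RCPT TO command arrives, as a "NOQUEUE: reject: RCPT from ..." line from postfix/smtpd, with no queue ID ever assigned. An accepted message instead gets a queue ID and a "client=" line, exactly as in the log quoted above. With Postfix 2.3's default unverified_sender_reject_code of 450, a verification failure is a temporary reject, so the same client will retry and the line will repeat. The script below, an added example and not part of the original post, parses such lines and counts them per restriction. The log lines in it are constructed for the example, with RFC 5737 documentation addresses, and are not from the poster's server; the exact wording of the reason text can differ between Postfix versions.

```python
import re
from collections import Counter

# Constructed sample log (not from the original post). The first line is the
# shape of an accepted connection; the rest are the shape of smtpd policy
# rejections: "NOQUEUE: reject: RCPT from client: code dsn <addr>: reason; ..."
SAMPLE_LOG = """\
Jun  1 10:54:38 hostname postfix/smtpd[27747]: 419581F800F7: client=unknown[163.13.128.190]
Jun  1 11:02:10 hostname postfix/smtpd[27801]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.7 <bogus@example.com>: Sender address rejected: unverified address: connect to mx.example.com[198.51.100.5]:25: Connection timed out; from=<bogus@example.com> to=<user@domain1.co.uk> proto=ESMTP helo=<mail.example.com>
Jun  1 11:03:42 hostname postfix/smtpd[27801]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 450 4.1.8 <someone@no-such-domain.invalid>: Sender address rejected: Domain not found; from=<someone@no-such-domain.invalid> to=<user@domain2.co.uk> proto=ESMTP helo=<example.invalid>
Jun  1 11:05:00 hostname postfix/smtpd[27801]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.7 <bogus@example.com>: Sender address rejected: unverified address: connect to mx.example.com[198.51.100.5]:25: Connection timed out; from=<bogus@example.com> to=<user@domain1.co.uk> proto=ESMTP helo=<mail.example.com>
Jun  1 11:06:13 hostname postfix/smtpd[27802]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 550 5.1.1 <nobody@domain3.co.uk>: Recipient address rejected: User unknown in relay recipient table; from=<x@example.org> to=<nobody@domain3.co.uk> proto=ESMTP helo=<example.org>
"""

# Fields of an smtpd policy rejection. "stage" is the SMTP command being
# answered (RCPT when smtpd_delay_reject=yes, the default); "code" is the
# SMTP reply code, "dsn" the enhanced status code, "address" the address
# the check was applied to, and "reason" the text up to the "; from=<" part.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"(?P<stage>\w+) from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <(?P<address>[^>]*)>: "
    r"(?P<reason>.*?); from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
)

# Reason prefixes Postfix logs for the restrictions in the poster's
# smtpd_sender_restrictions, mapped back to the restriction name.
REASON_TO_RESTRICTION = (
    ("Sender address rejected: unverified address", "reject_unverified_sender"),
    ("Sender address rejected: Domain not found", "reject_unknown_sender_domain"),
    ("Recipient address rejected", "recipient_check"),
)


def classify(reason):
    """Map a rejection reason string to the restriction that produced it."""
    for prefix, name in REASON_TO_RESTRICTION:
        if reason.startswith(prefix):
            return name
    return "other"


def parse_rejects(log_text):
    """Return one dict per smtpd rejection line; accepted-mail lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["restriction"] = classify(ev["reason"])
        # 4xx is a temporary reject: the sending host will retry later.
        ev["temporary"] = ev["code"].startswith("4")
        events.append(ev)
    return events


def summarize(events):
    """Count rejections per restriction, to tell isolated cases from a dead config."""
    return Counter(ev["restriction"] for ev in events)


if __name__ == "__main__":
    found = parse_rejects(SAMPLE_LOG)
    for ev in found:
        print(ev["client"], ev["code"], ev["restriction"], ev["from"], "->", ev["to"])
    print(dict(summarize(found)))
```

Run it against the real log with `parse_rejects(open("/var/log/maillog").read())`. If the summary shows no reject_unverified_sender or reject_unknown_sender_domain entries at all while the verify database keeps growing, the probes are running but no sender is failing them; `postconf -n` shows which smtpd_sender_restrictions value is actually in effect, since the parameter is defined twice in the main.cf above.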