Here's an idea.. maybe it's useful for someone, so I post it here. I'm setting up a local mail server to cache remote service's mail for faster access on the LAN. The remote server has an up-to-date SPF record that is updated whenever the sending IP ranges change. I want to limit unauthenticated mail reception to the sending servers of the remote mail system. I use the following in main.cf:
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated check_client_access cidr:$config_directory/tables/client_access_maps.cidr reject

To automatically keep the client_access_maps.cidr up-to-date I run the following as a cron-job.. perhaps every hour. The SPF record changes rarely, but obviously when it does, the mail would not be accepted on the local server without an update. On the other hand, I assume when the sending ranges change, the SPF records are updated well in advance so there is plenty of time for the local system to pick up the change.

The following is "concept"; I don't have the script ready yet, but it'll be easy to write with your favorite scripting language:

-------
1. get your remote sender's current SPF record:
   dig yourremotesender.com txt > tempfile
2. parse the result in tempfile with regex:
   /.*?ANSWER\sSECTION:.*?yourremotesender\.com*.\s+?\d+?\s+?IN\s+?TXT\s+?"v=spf1\s+?([^)]+?)\s+?.all"/ (dot matches newline)
3. explode the result
4. remove "ip4:" from the front of each segment if present
5. mogrify to format <ip> OK <ip>/cidr OK .. and save to a temp file.
6. compare the checksum of the temp file to the currently active client_access_maps.cidr; if different..
7. copy the tempfile to ../postfix/tables/client_access_maps.cidr
8. execute `postfix reload'
-------

Ville
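The eight steps above as one runnable script, an added example rather than Ville's own code: it parses a constructed dig answer (not a real domain's record), keeps both ip4: and ip6: terms, renders the postfix cidr: table and replaces the active file only when the checksum differs, so the caller knows when to run `postfix reload`. The domain, file path and sample record are assumptions.

```python
import hashlib
import ipaddress
import re
from pathlib import Path

# Constructed sample of the dig answer section (placeholder domain, documentation ranges).
SAMPLE_DIG_OUTPUT = """;; ANSWER SECTION:
yourremotesender.com.\t3600\tIN\tTXT\t"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ip6:2001:db8::/32 include:_spf.example.net -all"
"""

# Capture everything between "v=spf1" and the final "all" term (any qualifier); re.S lets '.' span lines.
SPF_RE = re.compile(r'IN\s+TXT\s+"v=spf1\s+(.*?)\s*[-~?+]?all"', re.S)


def spf_networks(dig_output):
    """Return the ip4:/ip6: networks listed in the first v=spf1 TXT record.
    include:, a, mx and redirect= mechanisms need further DNS lookups and are
    ignored here, so only explicit IP ranges end up in the access table."""
    m = SPF_RE.search(dig_output)
    if not m:
        raise ValueError("no v=spf1 record found in dig output")
    nets = []
    for term in m.group(1).split():
        if term.startswith(("ip4:", "ip6:")):
            # strict=False tolerates host bits set in a prefix, e.g. 192.0.2.5/24
            nets.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
    return nets


def cidr_map(nets):
    """Render a postfix cidr: access table, one '<net>/<len> OK' line per entry."""
    return "".join(f"{n.with_prefixlen} OK\n" for n in nets)


def update_if_changed(table_path, content):
    """Write the table only when its checksum differs from the active file.
    Returns True when the file was replaced (the caller then runs 'postfix reload')."""
    path = Path(table_path)
    new_sum = hashlib.sha256(content.encode()).hexdigest()
    if path.exists() and hashlib.sha256(path.read_bytes()).hexdigest() == new_sum:
        return False
    tmp = path.with_suffix(".tmp")
    tmp.write_text(content)
    tmp.replace(path)  # atomic rename, so postfix never reads a half-written table
    return True
```

In the cron job, replace SAMPLE_DIG_OUTPUT with the captured `dig yourremotesender.com txt` output and call `postfix reload` only when update_if_changed returns True.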