Hi,

>>> This is independent of SPF.  The rules discussed block your domain
>>> as envelope sender except for a whitelist you have specified
>>> (permit_mynetworks).
>>
>> Yes, and that was part of my concern. There are includes in our SPF
>> record for networks that we don't control. I don't want to add these
>> IPs to our $mynetworks, making them trusted for all mail. Am I
>> understanding that correctly?
>
> In that case, rather than using permit_mynetworks you should use a
> separate check_client_access that permits all the authorized IPs.
>
> Make sure to do this in smtpd_sender_restrictions so that settings
> here don't affect relay rules.

So where I previously had permit_mynetworks and a check_sender_access
check for my domain in smtpd_sender_restrictions, I should do
something like:

smtpd_sender_restrictions =
        check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf
        check_client_access hash:/etc/postfix/spf_client_checks,
        reject_unknown_sender_domain

where spf_client_checks includes all of the IP addresses in the SPF
record, including the includes? Perhaps I'm not understanding, because
that sounds like it has the potential to cause problems with keeping
up with changing IP addresses.

>> I'm also using spamassassin and amavisd-new, and would also prefer to
>> do it there. However, I believe the problem I had with doing that in
>> the past is the volume of mail that could be received at once, and not
>> being able to process it as fast as it arrives. Is that correct?
>
> That's really a separate issue.  If you're already using amavisd-new
> with SpamAssassin, enabling SPF checks there adds virtually zero
> extra overhead.

Yes, this is what I'd like to do, and I'm trying to get that working properly.

This all started with trying to get spoof protection from outside
servers sending mail to our internal users as one of our users. I'm
trying to find the best way to do this.

> If your filter isn't keeping up with the mail flow,
> then you need to use a different filtering arrangement or add more hardware.

No, I meant there is too much volume for the pre-filter
smtpd_proxy_filter method you suggested, so I can't implement the
filtering that way.

>> Maybe it could be set up as an amavisd $policy_bank to skip filtering?
>
> Yes, you could skip filtering for mail arriving from "trusted" IPs.

That would also involve keeping up with the list of all IPs in the SPF
record, correct?

Would I then not be able to use the check_sender_access to reject mail
coming as my domain from unauthorized servers?

Thank you also for the transport_map relay explanation.
Alex
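The concern raised above about "keeping up with changing IP addresses" in the SPF record is usually handled by generating the client access map from the SPF record itself rather than maintaining it by hand. The script below is an added example, not code from this thread or from Postfix: it walks an SPF record, follows `include:` terms, collects the `ip4:`/`ip6:` networks that carry a pass qualifier, and writes them out in Postfix `cidr:` table format (a real Postfix map type, chosen here instead of the `hash:` map in the thread because `hash:` tables do not match CIDR prefixes). DNS is simulated by a constructed dictionary so the script runs offline; the file name `spf_client_checks` comes from the thread, while `protected_senders` in the docstring is a hypothetical name for the `check_sender_access` map that rejects your own domain from other clients.

```python
"""
Expand an SPF record (ip4:/ip6:/include: terms) into a Postfix cidr: access map.

Intended main.cf ordering (the permit list is consulted before the reject rule,
and both live in smtpd_sender_restrictions so relay policy is untouched):

    smtpd_sender_restrictions =
        check_client_access cidr:/etc/postfix/spf_client_checks,
        check_sender_access hash:/etc/postfix/protected_senders,
        reject_unknown_sender_domain

    # /etc/postfix/protected_senders (hypothetical):
    #   example.com   REJECT Spoofed sender address

In production, replace lookup_txt() with a real resolver (e.g. dnspython's
dns.resolver.resolve(name, "TXT")), regenerate the map from cron, and reload.
"""
import ipaddress

# Constructed sample zone data standing in for DNS TXT lookups (offline demo).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.0/28 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 include:_spf2.mailer.example ~all",
    "_spf2.mailer.example": "v=spf1 ip4:203.0.113.5 -all",
    # a self-referencing record, to show that include loops are tolerated
    "loop.example": "v=spf1 include:loop.example ip4:192.0.2.99 -all",
}

MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms; also bounds runaway includes


def lookup_txt(name):
    """Return the SPF TXT record for name, or None (simulated DNS)."""
    return TXT_RECORDS.get(name)


def expand_spf(domain, _seen=None, _budget=None):
    """Return the ip_network objects that domain's SPF record passes as senders."""
    if _seen is None:
        _seen = set()
    if _budget is None:
        _budget = [MAX_LOOKUPS]
    if domain in _seen:           # include loop: already expanded, contribute nothing
        return []
    _seen.add(domain)
    record = lookup_txt(domain)
    if not record or not record.startswith("v=spf1"):
        return []
    networks = []
    for term in record.split()[1:]:
        qualifier = "+"           # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if qualifier != "+":      # fail/softfail/neutral terms never authorise a client
            continue
        if term.startswith(("ip4:", "ip6:")):
            networks.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
        elif term.startswith("include:"):
            if _budget[0] <= 0:
                raise RuntimeError("SPF lookup limit exceeded while expanding %s" % domain)
            _budget[0] -= 1
            networks.extend(expand_spf(term[len("include:"):], _seen, _budget))
        # 'a', 'mx', 'exists', 'redirect=' would need further DNS queries; not handled here
    return networks


def build_cidr_map(domain):
    """Render the expanded networks as Postfix cidr_table(5) lines with action OK."""
    nets = expand_spf(domain)
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return "\n".join("%s OK" % n for n in list(v4) + list(v6)) + "\n"


def client_allowed(networks, client_ip):
    """Mirror the lookup Postfix performs: is the connecting client inside any network?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in networks)


if __name__ == "__main__":
    print(build_cidr_map("example.com"), end="")
```

Regenerating the map on a schedule keeps it in step with the third-party `include:` networks without adding those hosts to `$mynetworks`; a client that matches gets `OK` from `check_client_access` and never reaches the `check_sender_access` reject for your domain.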
