On 05/11/2016 03:51 PM, Noel Jones wrote:
On 5/11/2016 5:18 PM, list...@tutanota.com wrote:I installed the policyd-spf milter with Postfix 3.1. It also has postscreen. I want to reject email that does not pass the SPF check. In the main.cf configuration I added smtpd_relay_restrictions = [...] reject_unauth_destination check_policy_service unix:private/policy [...] In the mail I get I alway see the headers [...] Authentication-Results: mail.example.com ... [...] so that's good. But on one recent spam that was delivered and was under investigation for the reasons I caught this [...] Authentication-Results: mail.example.com; spf=fail (SPF fail - not authorized) smtp.mailfrom=cantv.com (client-ip=213.160.81.59; helo=mail.ddd-server1.de; envelope-from=i...@cantv.com <mailto:envelope-from=i...@cantv.com>; receiver=u...@dom.tld) [...] I am wondering why the policy is checked but the email still did not get rejected? Since the configuration is in the main.cf I think its postscreen that would do it? Is that the wrong way? Or maybe I need to move it to a different section like smtpd_recipient_restrictions = [...] reject_unauth_destination check_policy_service unix:private/policy [...] What do I need to reject the email as soon as it fails the spf like that?Configure your policy service to reply with REJECT if you wish for it to reject mail that fails SPF. The rest of your configuration is fine.
I've found that legitimate mail fails SPF too often to reject. Problem is system administrators don't keep the policy up to date as the network changes, or they don't understand SPF.
I think SPF is good for spam score but shouldn't reject based on it alone.
