Thanks for all of the suggestions.

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        reject_unauth_pipelining,
        permit_mynetworks,
        reject_unauth_destination,
        check_policy_service unix:private/policyd-spf,
        reject_unknown_reverse_client_hostname,
        reject_non_fqdn_helo_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_invalid_hostname,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        check_policy_service unix:/var/spool/postfix/postgrey/socket

So far, I've made a copy of policyd-spf and modified it so that Softfail and
Neutral returned defer.

However, there really doesn't seem to be a practical difference between
defer and reject, since a retry to the deferral would just lead to a
subsequent deferral until some action is taken.

I suppose the whole thing is moot since I'm greylisting as the last
condition, so really if the spf check returns dunno (everything other than
Fail or Permerror), eventually it will either be rejected by a following
rule or greylisted by the final policy check.

Steve

-----Original Message-----
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On
Behalf Of Wietse Venema
Sent: April 5, 2019 11:20 AM
To: Postfix users <postfix-users@postfix.org>
Subject: Re: SPF and Greylisting

st...@douville.net:
> Hi,
>
> policyd-spf and postgrey are implemented and working.
>
> With exim, I was able to check the spf result and greylist upon 
> receiving a certain result. I'm using Mail_From_pass_restriction = 
> mfrom_passed_spf in policy-spf.conf.
>
> Is there any way I can defer or greylist based on an spf result of
> Softfail?

If these are plugged in with check_policy_service, then the result from the
SPF check is not limited to permit or deny, it can be the full repertoire of
smtpd_mumble_restrictions.

So the SPF check could output something like

    check_policy_service name-of-greylist-plugin

if the client needs to be greylisted, and

    dunno

if not.

        Wietse

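The approach Wietse describes, as an added example (not code from this thread, from policyd-spf or from Postfix): a policy delegate that reads Postfix policy requests and answers Softfail or Neutral with a restriction naming the greylist service, and dunno otherwise. The SPF check is passed in as a hypothetical callable `spf_lookup(ip, helo, sender)`; the socket path is the one from the main.cf above, and the result-to-action table is an assumption of this example.

```python
import sys

# Greylist service socket, copied from the main.cf in the message above.
GREYLIST = "check_policy_service unix:/var/spool/postfix/postgrey/socket"

# SPF result -> Postfix action. Assumption of this example: Fail rejects,
# Softfail and Neutral are handed to the greylist service, the rest is dunno.
ACTIONS = {
    "fail": "reject SPF check failed",
    "softfail": GREYLIST,
    "neutral": GREYLIST,
}

def parse_request(lines):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def decide(attrs, spf_lookup):
    """Return the action for one request; anything unmapped is 'dunno'."""
    if attrs.get("request") != "smtpd_access_policy":
        return "dunno"
    try:
        result = spf_lookup(attrs.get("client_address", ""),
                            attrs.get("helo_name", ""), attrs.get("sender", ""))
    except Exception:
        # Assumption: a lookup error leaves the decision to later restrictions.
        return "dunno"
    return ACTIONS.get(str(result).lower(), "dunno")

def serve(stdin, stdout, spf_lookup):
    """Answer requests until EOF: one 'action=...' line plus an empty line each."""
    while True:
        attrs = parse_request(stdin)
        if not attrs:
            return
        stdout.write("action=%s\n\n" % decide(attrs, spf_lookup))
        stdout.flush()

if __name__ == "__main__":
    # Constructed demo lookup that always says "softfail"; swap in a real check.
    serve(sys.stdin, sys.stdout, lambda ip, helo, sender: "softfail")
```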