ok spf white/blacklisting is handled in policyd-spf.conf
mine is found here
# ll | grep spf
drwxr-xr-x 2 root wheel uarch 4B Sep 14 04:24 python-policyd-spf
[14:59:30] mail18.scom.ca [root:0] /etc
# cd python-policyd-spf
[14:59:37] mail18.scom.ca [root:0] /etc/python-policyd-spf
# ll
total 14
drwxr-xr-x 2 root wheel uarch 4B Sep 14 04:24 .
drwxr-xr-x 29 root wheel uarch 120B Oct 19 07:16 ..
lrwxr-xr-x 1 root wheel - 41B Mar 30 2013 policyd-spf.conf -> /usr/home/postfix/config/policyd-spf.conf
-rw-r--r-- 1 root wheel - 3.4K Jul 8 2013 policyd-spf.conf.bak
but yours will vary (probably /usr/local/etc/postfix or /etc/postfix)
anyways find policyd-spf.conf
from there, towards the bottom is where the whitelist, skiplist etc. are
______________________________________________________________________
# Policy for deferring messages due to SPF TempError. Options are:
# TempError_Defer = True
# TempError_Defer = False
TempError_Defer = True
# Prospective SPF checking - Check to see if mail sent from the defined IP
# address would pass.
# Prospective = 192.168.0.4
# Do not check SPF for localhost addresses - add to skip addresses to
# skip SPF for internal networks if desired. Defaults are standard IPv4 and
# IPv6 localhost addresses.
skip_addresses = 127.0.0.0/8,10.220.0.0/16,40.92.0.0/14
#skip_addresses =
# Whitelist: CIDR Notation list of IP addresses not to check SPF for.
# Example (default is no whitelist):
Whitelist =
# Domain_Whitelist: List of domains whose sending IPs should be whitelisted
# from SPF.
# Example (default is no domain whitelist):
Domain_Whitelist = pipefiction.ca,hubinnovacionminera.pe
________________________________________________________________________
from here you can add in the domains, please note postfix has to be
restarted to pick up the changes.
Happy Thursday !!!
Thanks - paul
Paul Kudla
Scom.ca Internet Services <http://www.scom.ca>
On 11/3/2022 11:05 AM, Wietse Venema wrote:
Alex:
Hi,
I'm using sqlgrey for my greylisting service and having trouble with a
particular entry. I need to make sure email from this sender doesn't get
blocked, so would like to confirm that I can add something to my recipient
restrictions to bypass the SPF check for this domain.
Nov 2 18:02:30 armor policyd-spf[3053263]: 550 5.7.23 Message rejected due
to: SPF fail - not authorized. Please see
http://www.openspf.net/Why?s=mfrom;id=workday_supp...@generalatlantic.com;ip=209.177.165.161;r=
<UNKNOWN>
Nov 2 18:02:30 armor postfix-113/smtpd[3053261]: NOQUEUE: reject: RCPT
from wd1-az-mail-nat.myworkday.com[209.177.165.161]: 550 5.7.23 <
repo...@example.com>: Recipient address rejected: Message rejected due to:
SPF fail - not authorized. Please see
http://www.openspf.net/Why?s=mfrom;id=workday_supp...@generalatlantic.com;ip=209.177.165.161;r=<UNKNOWN>;
from=<workday_supp...@generalatlantic.com> to=<repo...@example.com>
proto=ESMTP helo=<wd1-az-mail-nat.myworkday.com>
This appears to indicate that generalatlantic.com is using the workday
service to send email, but the generalatlantic.com SPF record does not
include myworkday.com on the list of authorized senders.
I've added the following to my sqlgrey FQDN whitelisting entries, but
somehow it's still being rejected:
*.myworkday.com
generalatlantic.com
And the IP range to the IP whitelist:
209.177.165.0/24
Here is my smtpd_recipient_restrictions:
smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
reject_unlisted_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_unauth_destination,
With Postfix, between reject_unauth_destination and policy-spf,
insert:
check_sender_access inline:{{workday_supp...@generalatlantic.com = permit}}
or
check_client_access inline:{{myworkday.com = permit}}
to exclude such email from further restrictions.
Wietse
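Added example, not part of the original thread and not policyd-spf's own code: a Python check of which client IPs the skip_addresses and Whitelist entries in the excerpt above exempt from SPF, and how many addresses each entry covers. The "key = value" parser is a simplified assumption about the file format, Domain_Whitelist is not evaluated because it needs DNS lookups, and 40.93.1.2 is a constructed test address.

```python
import ipaddress

# Constructed sample: the SPF-exemption settings from the policyd-spf.conf excerpt above.
SAMPLE_CONF = """\
# Do not check SPF for localhost addresses
skip_addresses = 127.0.0.0/8,10.220.0.0/16,40.92.0.0/14
#skip_addresses =
Whitelist =
Domain_Whitelist = pipefiction.ca,hubinnovacionminera.pe
"""

def parse_conf(text):
    """Return {option: [values]} for 'key = value' lines, ignoring comments.
    Simplified parser (assumption), keys are lower-cased for lookup."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip().lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return opts

def spf_exemption(opts, client_ip):
    """Return (option, network) that exempts client_ip from SPF checks, or None."""
    ip = ipaddress.ip_address(client_ip)
    for option in ("skip_addresses", "whitelist"):
        for entry in opts.get(option, []):
            net = ipaddress.ip_network(entry, strict=False)
            if ip.version == net.version and ip in net:
                return option, str(net)
    return None

def exempt_sizes(opts):
    """Number of addresses each CIDR entry exempts, to spot overly broad ranges."""
    return {entry: ipaddress.ip_network(entry, strict=False).num_addresses
            for option in ("skip_addresses", "whitelist")
            for entry in opts.get(option, [])}

if __name__ == "__main__":
    opts = parse_conf(SAMPLE_CONF)
    print(spf_exemption(opts, "209.177.165.161"))  # client IP from the quoted log
    print(spf_exemption(opts, "40.93.1.2"))        # constructed address inside 40.92.0.0/14
    print(exempt_sizes(opts))
```

Every host inside a listed range skips SPF regardless of the sender domain it claims, so the per-entry address counts are worth reviewing before widening a range.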