{"id":6171,"date":"2016-08-19T08:01:01","date_gmt":"2016-08-19T00:01:01","guid":{"rendered":"http:\/\/rmohan.com\/?p=6171"},"modified":"2016-08-19T08:01:01","modified_gmt":"2016-08-19T00:01:01","slug":"postfix-implement-spf-record-checking","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6171","title":{"rendered":"Postfix Implement SPF Record Checking"},"content":{"rendered":"<p>So I\u2019ve been dealing with quite a bit of spam recently, the usual \u201cYou\u2019re due a tax rebate open XYZ.zip and fill out the form\u201d, etc. Following from my last blog post, <a href=\"http:\/\/blog.iwader.co.uk\/postfix-force-smtp-authentication\/\">Postfix Force SMTP Authentication<\/a>, I noticed I never set up my mail server to check received mail against the sender\u2019s SPF records, which I always take the time to set up on domains, so why had I not taken the time to make sure my own mail server was taking advantage of SPF?<\/p>\n<p>In this guide I\u2019ll cover configuring Postfix to check SPF records under Debian 7 Wheezy.<\/p>\n<h2>What are SPF records?<\/h2>\n<p>Sender Policy Framework (SPF) records are DNS records you apply to your domain to let other mail servers know that email originating from your mail server is legitimate and not spam.<\/p>\n<p>As with real-world snail mail, where anyone can put a return address on an envelope, the same applies to email. SPF records provide a way of saying that mail from example.com should only be accepted if it comes from this server or this cluster of servers, and that mail originating from any other source should not be accepted.<\/p>\n<h2>Installing the daemon<\/h2>\n<p>First things first: we need to install the daemon that is going to check the SPF records for us. 
This comes as a Postfix module we\u2019ll need to configure.<\/p>\n<p><code>sudo apt-get install postfix-policyd-spf-perl<\/code><\/p>\n<p>Next we need to locate the executable file. By default it is located at <code>\/usr\/sbin\/postfix-policyd-spf-perl<\/code>; on other Linux flavours it is likely located elsewhere.<\/p>\n<p>To locate the executable we can use the following commands:<\/p>\n<p><code>sudo updatedb<\/code><br \/>\n<code>locate policyd-spf<\/code><\/p>\n<p>Likely locations are <code>\/usr\/bin\/<\/code>, <code>\/usr\/sbin\/<\/code>, <code>\/usr\/local\/bin\/<\/code>, etc. (the usual locations you\u2019d find an executable at). Take note of the executable\u2019s location as we\u2019ll need it later.<\/p>\n<h2>Configuring postfix<\/h2>\n<p>Next up we need to configure Postfix to use the new daemon we\u2019ve installed. Open <code>\/etc\/postfix\/main.cf<\/code> with your favourite editor:<\/p>\n<p><code>vi \/etc\/postfix\/main.cf<\/code><\/p>\n<p>Add the following option at the bottom of the file:<\/p>\n<pre>policy-spf_time_limit = 3600s<\/pre>\n<p>This changes the timeout limit so the policy server won\u2019t time out while a message is still being processed.<\/p>\n<p>After that we need to edit <code>\/etc\/postfix\/master.cf<\/code> to configure a new service for Postfix to use.<\/p>\n<pre>policy-spf unix - n n - - spawn user=nobody argv=\/usr\/sbin\/postfix-policyd-spf-perl<\/pre>\n<p>Change the <code>argv=<\/code> option to match the location of the executable we installed previously.<\/p>\n<p>Finally we need to add the new policy service to our <code>smtpd_recipient_restrictions<\/code> option in <code>\/etc\/postfix\/main.cf<\/code>:<\/p>\n<pre>smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private\/policy-spf<\/pre>\n<blockquote><p>Note: Put the policy server after <code>reject_unauth_destination<\/code> to prevent unexpected responses from the 
policy service and to prevent your system from becoming an open relay. You should also put the policy service after you permit local senders, as we only want to check the SPF records of inbound mail from the internet, not outbound mail from you or your users.<\/p><\/blockquote>\n<p>The last thing to do is reload Postfix:<\/p>\n<p><code>sudo \/etc\/init.d\/postfix reload<\/code><\/p>\n<h2>Verifying it\u2019s working<\/h2>\n<p>The simplest way to verify you\u2019ve successfully installed and configured the SPF checking is to monitor your mail log whilst sending yourself an email from an external source such as Gmail.<\/p>\n<p><code>tail -f \/var\/log\/mail.log<\/code><\/p>\n<p>If there is a problem with the policy service or its integration with Postfix, it will be logged. Likewise, accepted mail that passes the SPF checking will also be logged.<\/p>\n<pre>May 13 18:23:51 postfix\/policy-spf[5509]: Policy action=PREPEND Received-SPF: pass (gmail.com ... _spf.google.com: Sender is authorized to use '@gmail.com' in 'mfro<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>So I\u2019ve been dealing with quite a bit of spam recently, the usual \u201cYou\u2019re due a tax rebate open XYZ.zip and fill out the form\u201d, etc. 
Following from my last blog post, Postfix Force SMTP Authentication, I noticed I never set up my mail server to check received mail against the sender\u2019s SPF records, which I [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6171"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6171"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6171\/revisions"}],"predecessor-version":[{"id":6172,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6171\/revisions\/6172"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}