Ubuntu Manpage: postfix-policyd-spf-perl - pure-Perl Postfix policy server for SPF checking

Provided by: postfix-policyd-spf-perl_2.011-2_all

NAME

       postfix-policyd-spf-perl - pure-Perl Postfix policy server for SPF checking

VERSION

       2.011

USAGE

       Usage:
           policyd-spf-perl [-v]

SYNOPSIS

postfix-policyd-spf-perl is a Postfix SMTP policy server for SPF checking. It is implemented in pure
Perl and uses the Mail::SPF CPAN module. Note that Mail::SPF is a complete re-implementation of SPF
based on the final experimental SPF RFC, RFC 4408. It shares no code with the older Mail::SPF::Query
that was the original SPF development implementation. Mail::SPF was the inspiration for the new void
lookup limit added in the standards track SPF RFC, RFC 7208. While Mail::SPF has not yet been
specifically updated for RFC 7208, there are no significant changes needed.

This version of the policy server always checks HELO before Mail From (older versions just checked HELO
if Mail From was null). It will reject mail that fails either Mail From or HELO SPF checks. It will
defer mail if there is a temporary SPF error and the message would othersise be permitted
(DEFER_IF_PERMIT). If the HELO check produces a REJECT/DEFER result, Mail From will not be checked.

If the message is not rejected or deferred, the policy server will PREPEND the appropriate SPF Received
header. If Mail From is anything other than completely empty (i.e. <>) then the Mail From result will be
used for SPF Received (e.g. Mail From None even if HELO is Pass).

The policy server skips SPF checks for connections from the localhost (127.) and instead prepends and
logs 'SPF skipped - localhost is always allowed.' If you have relays that you want to skip SPF checks
for, create a configuration file, /etc/postfix/exempt_spf_addresses and add them on one using standard
CIDR notation in a space separated list. For these addresses, 'X-Comment: SPF skipped for whitelisted
relay' is prepended and logged. IPv6 localhost is also skipped.

A configuration file, /etc/postfix/exempt_spf_domains, can be used to ignore domains that have broken SPF
configurations that would normally fail. For those domains, add the domain to the file (one per line),
and restart postfix so that the policy server can reload its configuration. The policy server will
ignore the domain going forward.

If defined, the configuration files described above need to have permissions to allow the policy server
to read the files.

Error conditions within the policy server (that don't result in a crash) or from Mail::SPF will return
DUNNO.

DESCRIPTION

       Logging is sent to syslogd.

       Each time a Postfix SMTP server process is started it connects to the policy service socket  and  Postfix
       runs  one  instance of this Perls script.  By default, a Postfix SMTP server process terminates after 100
       seconds of idle time, or after serving 100 clients.  Thus, the cost  of  starting  this  Perl  script  is
       smoothed over time.

       The  default  policy_time_limit  is  1000  seconds.   This may be too short for some SMTP transactions to
       complete.  As recommended in SMTPD_POLICY_README, this should be extended to 3600 seconds.  To do so, set
       "policy_time_limit = 3600" in /etc/postfix/main.cf.

TESTING THE POLICY DAEMON

       Testing the policy daemon

       To test the policy daemon by hand, execute:

           % /usr/sbin/postfix-policyd-spf-perl

       Each query is a bunch of attributes.  Order does not matter, and the server uses only a few  of  all  the
       attributes shown below:

           request=smtpd_access_policy
           protocol_state=RCPT
           protocol_name=SMTP
           helo_name=some.domain.tld
           queue_id=
           instance=71b0.45e2f5f1.d4da1.0
           sender=foo@bar.tld
           recipient=bar@foo.tld
           client_address=1.2.3.4
           client_name=another.domain.tld
           [empty line]

       The policy daemon will answer in the same style, with an attribute list followed by a empty line:

           action=550 Please see http://www.openspf.org/Why?id=foo@bar.tld&ip=1.2.3.4&
                  receiver=bar@foo.tld
           [empty line]

       To test HELO checking sender should be empty:

           sender=
           ... More attributes...
           [empty line]

       If you want more detail in the system logs change $VERBOSE to 1.

POSTFIX INTEGRATION

        1. Add the following to /etc/postfix/master.cf:

               spfcheck  unix  -       n       n       -       0       spawn
                   user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl

        2. Configure the Postfix SPF policy service in /etc/postfix/main.cf:

               smtpd_recipient_restrictions =
                   ...
                   reject_unauth_destination
                   check_policy_service unix:private/spfcheck
                   ...
               spfcheck_time_limit = 3600

           NOTE:  Specify check_policy_service AFTER reject_unauth_destination or
           else your system can become an open relay.

        3. Set up machines which you expect to legitimately forward mail to this
           server (see description in synopsis).  This should typically include
           the IP addresses which backup Mail eXchangers, and known non-SRS
           forwarders will use to submit mail to this server (i.e. the source IPs
           of the other servers).

        4. Restart Postfix.

        5. Verify correct backup MX operation (if applicable).

AUTHORS

       This  version  of policyd-spf-perl was written by Meng Weng Wong <mengwong+spf@pobox.com> and updated for
       libmail-spf-perl by Scott Kitterman <scott@kitterman.com> and Julian Mehnle <julian@mehnle.net>.

       This man-page was written by Scott Kitterman <scott@kitterman.com>.

                                                   2012-01-19                        postfix-policyd-spf-perl(1)