Implementing SPF checks in Postfix

Sender Policy Framework (SPF), as defined in RFC 4408, is an e-mail validation system designed to prevent e-mail spam by addressing a common vulnerability, source address spoofing. SPF allows administrators to specify which hosts are allowed to send e-mail from a given domain by creating a specific DNS SPF record in the public DNS. Mail exchangers then use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain’s administrators.

It’s assumed that you have already installed Postfix and MailScanner. If not, check these tutorials:

Installing Postfix with MySql backend and SASL for SMTP authentication
Installing and configuring MailScanner for virus and spam filtering (Postfix, ClamAV, SpamAssassin, Razor)

1. Install the Postfix policy engine

apt-get install postfix-policyd-spf-perl


2. Add the policy check to smtpd_recipient_restrictions (pico /etc/postfix/main.cf)

smtpd_recipient_restrictions = [...], check_policy_service unix:private/policy


Make sure you don’t remove other restrictions, just add it to the end of the line.

3. Add the policy engine to the Postfix master.cf (pico /etc/postfix/master.cf)

policy unix - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/sbin/postfix-policyd-spf-perl


4. Reload Postfix configuration

postfix reload


5. Check if this is working

telnet yourserver 25
HELO gmail.com
MAIL FROM: <user*@gmail.com>
RCPT TO: <user*@domain.com>
DATA
test
.


Replace user*@domain.com with a e-mail address hosted on your Postfix mailserver and user*@gmail.com with a valid Gmail e-mail address.

Look at /var/log/mail.log and you should see that the MailScanner score has been increased by SPF related rules:

Message 62ACA1813C.AFC5A from 192.168.1.4 ([email protected]) to domain.com is spam, SpamAssassin (score=7.394, required 6, MISSING_SUBJECT 1.28, SPF_HELO_NEUTRAL 2.00, SPF_NEUTRAL 1.21, TVD_SPACE_RATIO 2.90)