Man Linux: Main Page and Category List

NAME

       postfix-policyd-spf-perl - pure-Perl Postfix policy server for SPF
       checking

VERSION

       2.007

USAGE

       Usage:
           policyd-spf-perl [-v]

OTHER DOCUMENTATION

       This documentation assumes you have read Postfix’s README_FILES/
       SMTPD_POLICY_README.

SYNOPSIS

       postfix-policyd-spf-perl is a Postfix SMTP policy server for SPF
       checking.  It is implemented in pure Perl and uses the Mail::SPF CPAN
       module.  Note that Mail::SPF is a complete re-implementation of SPF
       based on the final SPF RFC, RFC 4408.  It shares no code with the older
       Mail::SPF::Query that was the original SPF development implementation.

       This version of the policy server always checks HELO before Mail From
       (older versions just checked HELO if Mail From was null).  It will
       reject mail that fails either Mail From or HELO SPF checks.  It will
       defer mail if there is a temporary SPF error and the message would
       othersise be permitted (DEFER_IF_PERMIT).  If the HELO check produces a
       REJECT/DEFER result, Mail From will not be checked.

       If the message is not rejected or deferred, the policy server will
       PREPEND the appropriate SPF Received header.  If Mail From is anything
       other than completely empty (i.e. <>) then the Mail From result will be
       used for SPF Received (e.g.  Mail From None even if HELO is Pass).

       The policy server skips SPF checks for connections from the localhost
       (127.) and instead prepends and logs ’SPF skipped - localhost is always
       allowed.’  If you have relays that you want to skip SPF checks for, you
       can add them to relay_addresses on line 78 using standard CIDR notation
       in a space separated list.  For these addresses, ’X-Comment: SPF
       skipped for whitelisted relay’ is prepended and logged.

       Error conditions within the policy server (that don’t result in a
       crash) or from Mail::SPF will return DUNNO.

DESCRIPTION

       Logging is sent to syslogd.

       Each time a Postfix SMTP server process is started it connects to the
       policy service socket and Postfix runs one instance of this Perls
       script.  By default, a Postfix SMTP server process terminates after 100
       seconds of idle time, or after serving 100 clients.  Thus, the cost of
       starting this Perl script is smoothed over time.

       The default policy_time_limit is 1000 seconds.  This may be too short
       for some SMTP transactions to complete.  As recommended in
       SMTPD_POLICY_README, this should be extended to 3600 seconds.  To do
       so, set "policy_time_limit = 3600" in /etc/postfix/main.cf.

TESTING THE POLICY DAEMON

       Testing the policy daemon

       To test the policy daemon by hand, execute:

           % /usr/sbin/postfix-policyd-spf-perl

       Each query is a bunch of attributes.  Order does not matter, and the
       server uses only a few of all the attributes shown below:

           request=smtpd_access_policy
           protocol_state=RCPT
           protocol_name=SMTP
           helo_name=some.domain.tld
           queue_id=
           instance=71b0.45e2f5f1.d4da1.0
           sender=foo@bar.tld
           recipient=bar@foo.tld
           client_address=1.2.3.4
           client_name=another.domain.tld
           [empty line]

       The policy daemon will answer in the same style, with an attribute list
       followed by a empty line:

           action=550 Please see
       http://www.openspf.org/Why?id=foo@bar.tld&ip=1.2.3.4&
                  receiver=bar@foo.tld
           [empty line]

       To test HELO checking sender should be empty:

           sender=
           ... More attributes...
           [empty line]

       If you want more detail in the system logs change $VERBOSE to 1.

POSTFIX INTEGRATION

        1. Add the following to /etc/postfix/master.cf:

               spfcheck  unix  -       n       n       -       0       spawn
                   user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl

        2. Configure the Postfix SPF policy service in /etc/postfix/main.cf:

               smtpd_recipient_restrictions =
                   ...
                   reject_unauth_destination
                   check_policy_service unix:private/spfcheck
                   ...
               policy_time_limit = 3600

           NOTE:  Specify check_policy_service AFTER reject_unauth_destination
       or
           else your system can become an open relay.

        3. Set up machines which you expect to legitimately forward mail to
       this
           server (see description in synopsis).  This should typically
       include
           the IP addresses which backup Mail eXchangers, and known non-SRS
           forwarders will use to submit mail to this server (i.e. the source
       IPs
           of the other servers).

        4. Restart Postfix.

        5. Verify correct backup MX operation (if applicable).

SEE ALSO

       libmail-spf-perl, <http://www.openspf.org>

AUTHORS

       This version of policyd-spf-perl was written by Meng Weng Wong
       <mengwong+spf@pobox.com> and updated for libmail-spf-perl by Scott
       Kitterman <scott@kitterman.com> and Julian Mehnle <julian@mehnle.net>.

       This man-page was written by Scott Kitterman <scott@kitterman.com>.

                                  2008-07-25       postfix-policyd-spf-perl(1)