Postfix SPF support
-------------------------------------------------------------------------------

SPF patch for libspf2 >= 1.2.0 by Nigel Kukard, partly based on work by
Dean Strik's and Jef Poskanzer's spfmilter.

Fixes and enhancements by Martin Matuska

Patch site: http://www.vx.sk/postfix-spf/
License: Secure Mailer License (Postfix License)

ChangeLog

    01.02.2011, Martin Matuska
      - updated for Postfix 2.8.0
    22.09.2010, Martin Matuska
      - updated for Postfix 2.7.1
      - fixed IPv6 support
    01.10.2010, Martin Matuska
      - added permit_spf_valid_sender
      - changed build to use -DHAS_SPF
    02.10.2010, Martin Matuska
      - fixed SPF patch version output
      - updated SPF_README
    05.10.2010, Martin Matuska
      - fixed spf_explanation, spf_local_policy and spf_global_whitelist

About this document

    This document describes how to configure Postfix to use SPF ("Sender
    Policy Framework") validation. It does not describe the function or
    design of SPF itself. Refer to one or more of the websites listed at
    the end of this text for more information.

    The actual SPF validation is offloaded to a special library called
    libspf2. It is therefore necessary that you install libspf2 on your
    system. You can find libspf2 either in your usual package repository
    or at http://www.libspf2.org/.

Building Postfix with SPF support

    To build Postfix with SPF support, first we need to generate the
    make(1) files with the necessary definitions. This is done by invoking
    the command "make makefiles" in the Postfix top-level directory and
    with arguments as shown next.

  * If the libspf2 include files are in directory /usr/include/spf2 and
    the libspf2 library (e.g. libspf2.so) is in directory /usr/lib:

        % make tidy # if you have left-over files from a previous build
        % make makefiles CCARGS="-DHAS_SPF -DHAVE_NS_TYPE" AUXLIBS="-lspf2"
        % make

  * If the libspf2 include files are in directory
    /usr/local/include/spf2 and the libspf2 library (e.g. libspf2.so) is
    in directory /usr/local/lib:

        % make tidy # if you have left-over files from a previous build
        % make makefiles CCARGS="-I/usr/local/include -DHAS_SPF -DHAVE_NS_TYPE" \
            AUXLIBS="-L/usr/local/lib -lspf2"
        % make

    If you need to apply other customizations (such as Berkeley DB
    databases, MySQL, PostgreSQL, LDAP or SASL), see the respective
    Postfix README documents, and combine their "make makefiles"
    instructions with the instructions above:

        % make tidy # if you have left-over files from a previous build
        % make makefiles CCARGS="-DHAS_SPF -DHAVE_NS_TYPE \
            (other -D or -I options)" \
            AUXLIBS="-lspf2 \
            (other -l options for libraries in /usr/lib) \
            (-L/path/name + -l options for other libraries)"

    The -DHAVE_NS_TYPE flag in all examples above is only needed if your
    system complains about ns_type conflicting.

    To complete the build process, see the Postfix INSTALL instructions.

SPF sender restrictions

    Postfix SPF support introduces two additional sender restrictions:

    reject_spf_invalid_sender
        Reject the request when the sender credentials are evaluated by
        SPF as invalid.

    permit_spf_valid_sender
        Permit the request when the sender credentials are evaluated by
        SPF as valid.

    Example:

    /usr/local/etc/postfix/main.cf:
        smtpd_sender_restrictions =
            ...
            reject_spf_invalid_sender
            ...

SPF received header

    Postfix will by default add a mail header, Received-SPF:, to any mail
    passing the SPF validation. This information can be useful for the
    recipient of the message. You can disable this behaviour by setting
    'spf_received_header = no'.

    /usr/local/etc/postfix/main.cf:
        spf_received_header = no

Action on SPF reject

    By default, if using the sender restriction
    "reject_spf_invalid_sender", Postfix will reject mail with invalid
    sender credentials. You can however choose to prevent this from
    happening, and let the mail pass, by setting 'spf_mark_only = yes'.
    The Received-SPF: header (if enabled, see above) will show that the
    mail failed the test.

    /usr/local/etc/postfix/main.cf:
        spf_mark_only = yes

SPF reject code

    You can set the numerical SMTP response code when rejecting mails due
    to SPF rule violations by changing the value of the 'spf_reject_code'
    variable (default: 550).

    /usr/local/etc/postfix/main.cf:
        spf_reject_code = 550

SPF explanation string

    If a site does provide SPF DNS records yet no explanation, a generic
    explanation will be used, with a URL to visit for more information.
    You can override this generic explanation by setting the
    "spf_explanation" configuration option. See the SPF reference sites
    for information about the format used.

    /usr/local/etc/postfix/main.cf:
        spf_explanation = "%{h} [%{i}] is not allowed to send mail for %{s}"

SPF global whitelist

    There exists a global SPF whitelist on trusted-forwarder.org. You can
    enable use of this global whitelist by setting the variable
    'spf_global_whitelist = yes'.

    /usr/local/etc/postfix/main.cf:
        spf_global_whitelist = yes

SPF local policy

    It is also possible to set a local policy using the spf_local_policy
    setting. Currently the format is not documented here.

-------------------------------------------------------------------------------

Downloads and information with regard to this patch can be found at
http://www.vx.sk/postfix-spf/

Links:

    http://www.linuxrulz.org/nkukard/postfix/ - Updates by Kukard
    http://www.ipnet6.org/postfix/spf/        - Original patch home
    http://spf.pobox.com/                     - SPF background
    http://www.libspf2.org/                   - LibSPF2 site
    http://www.trusted-forwarder.org/         - Global whitelist
    http://www.postfix.org/                   - Postfix home page
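
Added example (not part of the patch, Postfix or libspf2): the
spf_explanation value shown above uses SPF macros, whose syntax is defined
in RFC 7208 section 7. The Python code below expands them as that
specification describes, generalized beyond %{h}, %{i} and %{s} to the other
common macro letters and transformers; the function name expand_spf_macros
and all sample addresses are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import quote

# Macro grammar per RFC 7208 section 7.1: %{<letter><digits><r><delimiters>}
# plus the literals %%, %_ and %-.
_MACRO = re.compile(r"%(?:\{([A-Za-z])(\d*)(r?)([.\-+,/_=]*)\}|([%_-]))")
_LITERALS = {"%": "%", "_": " ", "-": "%20"}


def expand_spf_macros(template, sender, client_ip, helo):
    """Expand SPF macros in an explanation string (hypothetical helper)."""
    local, _, domain = sender.rpartition("@")
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 6:
        # %{i} for IPv6 is the dot-separated nibble form.
        ip_text = ".".join(ip.exploded.replace(":", ""))
    else:
        ip_text = str(ip)
    values = {
        "s": sender, "l": local, "o": domain,
        "d": domain,  # assumption: no include/redirect changed the domain
        "i": ip_text, "h": helo,
        "v": "ip6" if ip.version == 6 else "in-addr",
    }

    def substitute(match):
        if match.group(5):
            return _LITERALS[match.group(5)]
        letter, digits, reverse, delimiters = match.group(1, 2, 3, 4)
        if letter.lower() not in values:
            raise ValueError("unsupported macro letter: " + letter)
        splitter = "[" + re.escape(delimiters or ".") + "]"
        parts = re.split(splitter, values[letter.lower()])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]  # keep the right-most N labels
        expanded = ".".join(parts)
        # An upper-case macro letter requests URL escaping of the result.
        return quote(expanded, safe="") if letter.isupper() else expanded

    return _MACRO.sub(substitute, template)


# Constructed sample values (documentation address ranges and domains).
TEMPLATE = "%{h} [%{i}] is not allowed to send mail for %{s}"
print(expand_spf_macros(TEMPLATE, "alice@example.org", "192.0.2.25",
                        "mx.example.net"))
```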