Thanks Tom, I have been looking at testing SPF, and I'm sure this will help a lot!

Bill

----- Original Message -----
From: "Tom Baker|Netsmith Inc" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 17, 2003 8:00 AM
Subject: [IMGate] Re: SPF

> how will SPF records reduce reject of legit?

For anyone curious, this did work as I planned, though it wasn't as easy to set up as it should be. (I'll explain at the bottom for anyone else who wants to play with it.)

My testbed worked perfectly, whitelisting at whatever point in my smtpd restrictions I wanted anything that "passed SPF", and DUNNO (skipping, as it was not there) for anyone not configured for SPF. Anything with SPF configured and sending from an invalid server would result in a reject.

I loaded it on my production machine; turns out an smtpd policy is pretty taxing on a heavily loaded server. For my mail volume I'll have to upgrade my hardware (it's only a 733/512MB passing 120k+ and doing 400k+ rejects a day) before I can do this in production.

If anyone else has higher hardware or lower volume and wants to play with it, here's what I had to do...

# First, the system version of perl for FreeBSD 4.x is still ver 5.005_03
# and the required Mail::SPF::Query requires 5.6 to build.
cd /usr/ports/lang/perl5.8
make
make test
make install
rehash
use.perl port

# the spf policy is a perl script; download/extract/install Mail::SPF::Query
# http://spf.pobox.com/downloads.html
cd Mail-SPF-Query-1.9.5
perl Makefile.PL
# you will get errors that 3 prerequisites don't exist,
# but only 1 of them is documented in the readme.
# you need Net::DNS, Net::CIDR::Lite, and URI::Escape

# install Net-DNS from the FreeBSD ports
cd /usr/ports/net/p5-Net-DNS
make install

# download Net::CIDR::Lite from cpan
# http://search.cpan.org/~dougw/Net-CIDR-Lite-0.15/
cd Net-CIDR-Lite-0.15
perl Makefile.PL
make
make test
make install

# download URI from cpan (includes URI::Escape)
# http://search.cpan.org/~gaas/URI-1.28/
cd URI-1.28
perl Makefile.PL
make
make test
make install

# now you should be able to install Mail::SPF::Query
cd Mail-SPF-Query-1.9.5
perl Makefile.PL
make
make test
make install

# get the policy script from http://spf.pobox.com/downloads.html
cd /etc/postfix
fetch http://spf.pobox.com/postfix-policyd-1.0.txt
mv postfix-policyd-1.0.txt spf.pl

# edit spf.pl
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#! This is where I had a problem: no documentation
#! that I found told me to do this,
#! but it didn't work until I did.

# line 19
my @HANDLERS = (
    "testing",
    "sender_permitted_from",
    # "greylisting",
);
# the above line in the perl script tells spf.pl to call
# sub testing() first; if it finds a reject, stop,
# if not, try sender_permitted_from() (the actual call).
# comment out the testing line above (like greylisting is commented out)

# we also need to fix something in the -----main---- section
# line 191
my $action = "OK";
my %responses;
foreach my $handler (@HANDLERS) {
    no strict 'refs';
    my $response = $handler->(attr=>\%attr);
    syslog(debug=> "handler %s: %s", $handler, $response);
    if ($response !~ /^(ok|dunno)/i) {
        syslog(info=> "handler %s: %s is decisive.", $handler, $response);
        $action = $response;
        last;
    }
}
# $action is what is returned to postfix.
# as the script is written, if SPF does not reject, the message is just whitelisted!
# (the very first $action="OK";)
# change the default action to DUNNO
# line 191
my $action = "DUNNO SPF-No action taken";

# I also tweaked the following line to allow my choice based on spf pass/fail/unknown
# line 197
if ($response !~ /^(ok|dunno)/i) {
# changed to
if ($response =~ /^(ok|dunno|reject)/i) {
# the original code means only keep the action set in sender_permitted_from()
# if the action was reject. If the action was OK or DUNNO, ignore it and move on.
# I changed it to say if the response starts with any OK/DUNNO/REJECT ... then
# keep the action and stop trying other handlers.

# last change to the spf policy..
# original code in section " plugin: SPF "
# line 227
if ($result eq "pass") {
    return "DUNNO";
} elsif ($result eq "fail") {
    return "REJECT " . ($smtp_comment || $header_comment);
} elsif ($result eq "error") {
    return "DUNNO";
} else {
    return "DUNNO";
}
# original code says if SPF is not set up, then DUNNO.
# if SPF errors then DUNNO
# if SPF is set up & pass then DUNNO
# if SPF is set up & fail (unauth server) then REJECT
# change the actions as you like.
# I chose not to reject on anything, but log what would have happened,
# and to whitelist if pass (this is pretty far down my restrictions).
# my new snippet:
if ($result eq "pass") {
    return "OK";
} elsif ($result eq "fail") {
    return "DUNNO SPF-REJECT_WARNING: " . ($smtp_comment || $header_comment);
} elsif ($result eq "error") {
    return "DUNNO SPF-ERROR";
} else {
    return "DUNNO SPF-UNKNOWN";
}

# now activating the policy in postfix
# add to your master.cf:
policy  unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/perl /etc/postfix/spf.pl

# edit /etc/main.cf
smtpd_recipient_restrictions =
    ....
    check_policy_service unix:private/policy,
    ....

# reload postfix
postfix reload

# watch events in maillog
tail -f /var/log/maillog | egrep -i spf

Don't forget to check your CPU usage; mine was too high on my production server.
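The handler loop and the SPF result mapping Tom walks through above boil down to a small state machine, and the point about the default `$action = "OK"` is easiest to see by running both versions side by side. The following is an added example and is not the spf.pl script from spf.pobox.com nor anything from the IMGate list: it models the shipped handler loop and the tweaked one in Python, parses a Postfix policy request in the `name=value` / blank-line format the policy protocol uses, and replaces the real DNS-based SPF check with a constructed lookup table (`CONSTRUCTED_SPF_TABLE`) so it runs offline. All function names, the sample request, and the table contents are assumptions for illustration.

```python
import re

# Constructed SPF results keyed by (sender domain, client IP). In the real
# policy script this answer comes from a DNS-based SPF query, not a table.
CONSTRUCTED_SPF_TABLE = {
    ("example.com", "192.0.2.10"): "pass",
    ("example.com", "198.51.100.7"): "fail",
    ("nospf.example", "203.0.113.5"): "none",    # domain publishes no SPF record
    ("broken.example", "203.0.113.9"): "error",  # DNS lookup failed
}

# Constructed Postfix policy request (what smtpd writes to the policy service).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=203.0.113.5\n"
    "client_name=mail.nospf.example\n"
    "sender=user@nospf.example\n"
    "recipient=bill@example.org\n"
    "\n"
)


def parse_policy_request(raw):
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attr = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attr[name] = value
    return attr


def spf_result(attr, table=CONSTRUCTED_SPF_TABLE):
    """Stand-in for the SPF query: look up (sender domain, client IP)."""
    domain = attr.get("sender", "").rpartition("@")[2].lower()
    return table.get((domain, attr.get("client_address", "")), "none")


def spf_handler_original(attr):
    """SPF plugin as shipped: only 'fail' is decisive, everything else is DUNNO."""
    result = spf_result(attr)
    if result == "fail":
        return "REJECT SPF fail for " + attr.get("client_address", "")
    return "DUNNO"


def spf_handler_tweaked(attr):
    """Tom's variant: whitelist on pass, log (not reject) on fail."""
    result = spf_result(attr)
    if result == "pass":
        return "OK"
    if result == "fail":
        return "DUNNO SPF-REJECT_WARNING: " + attr.get("client_address", "")
    if result == "error":
        return "DUNNO SPF-ERROR"
    return "DUNNO SPF-UNKNOWN"


def run_chain_original(attr, handlers):
    """Handler loop as shipped: default OK; only a non-OK/DUNNO response wins.
    If every handler says DUNNO the default OK is returned, i.e. whitelisted."""
    action = "OK"
    for handler in handlers:
        response = handler(attr)
        if not re.match(r"(ok|dunno)", response, re.I):
            action = response
            break
    return action


def run_chain_tweaked(attr, handlers):
    """Tom's loop: default DUNNO; the first OK/DUNNO/REJECT response is decisive."""
    action = "DUNNO SPF-No action taken"
    for handler in handlers:
        response = handler(attr)
        if re.match(r"(ok|dunno|reject)", response, re.I):
            action = response
            break
    return action


def policy_response(raw_request, chain, handlers):
    """Full exchange: request text in, 'action=...' plus blank line out."""
    attr = parse_policy_request(raw_request)
    return "action=" + chain(attr, handlers) + "\n\n"


if __name__ == "__main__":
    # A sender with no SPF record: the shipped loop whitelists it (OK),
    # the tweaked loop leaves the decision to later restrictions (DUNNO).
    print(policy_response(SAMPLE_REQUEST, run_chain_original, [spf_handler_original]))
    print(policy_response(SAMPLE_REQUEST, run_chain_tweaked, [spf_handler_tweaked]))
```

A real policy daemon spawned from master.cf reads requests of this shape on stdin in a loop and writes each `action=` reply to stdout; the table lookup here is where the SPF library call would sit. The contrast worth keeping in mind is the no-SPF sender: under the shipped loop the fall-through default is `OK`, which Postfix treats as permit at that point in `smtpd_recipient_restrictions`, so every restriction listed after `check_policy_service` is skipped for senders who simply have no SPF record.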
