On January 18, 2015 6:36:51 AM EST, "li...@rhsoft.net" <li...@rhsoft.net> wrote:
>
>
>On 18.01.2015 at 12:28, SW wrote:
>> On 18.01.2015 at 12:01, SW wrote:
>>> I have an SPF record created in DNS for my domain. In my main.cf config
>>> file for Postfix I have the following SPF settings:
>>>
>>> spf_received_header = yes
>>> spf_mark_only = no
>>>
>>> smtpd_recipient_restrictions = peject_spf_invalid_sender,
>>>     permit_spf_valid_sender,
>>>
>>> smtpd_sender_restrictions = reject_spf_invalid_sender,
>>>     permit_spf_valid_sender
>>>
>>>
>>> Is the above config correct to reject received emails that are NOT being
>>> delivered from the specified IP addresses in SPF?
>>
>> a) postfix doesn't support SPF out of the box
>> there are policy daemons for that task
>> b) hence all the spf_ params are fantasy
>> c) SPF of your own domain is not relevant for yourself
>> to receive mails, to prevent forged mails just add
>> your domains in an access table with a reject and place
>> "permit_mynetworks" and "permit_sasl_authenticated" in
>> front of that restriction
>>
>> When I ran make config (on FreeBSD) to install the Postfix port I selected
>> the SPF support option. I assumed that would allow me to do SPF checking
>> with the options I mentioned? Although, I just noticed that when I ran make
>> config now it says:
>>
>> SPF - SPF support (via libspf2 1.2.x)
>
>that's an unofficial patch i guess and would have been a good idea to
>mention your environment in the initial post
>
>> Is this the policy you were referring to? I do have libspf2 installed
>> currently.
>
>i referred to a *policy daemon*
>http://www.postfix.org/SMTPD_POLICY_README.html
>
>https://www.google.at/search?q=spf+policyd
>
>> If I check the mail headers I can see the SPF:
>>
>> Received-SPF: pass (mail.domain.com: domain of anotherdomain.net designates
>> xxx.xxx.xxx.xxx as permitted sender)
>>
>> Does this mean SPF is working correctly?
>
>looks so but that's likely the wrong mailing list because these options
>are *not* part of a stock postfix
>
>https://www.google.at/search?q=postfix+reject_spf_invalid_sender

Early in the SPF project, there were some unofficial Postfix patches developed that integrated SPF checking directly into Postfix. This was before the Postfix policy service was introduced in Postfix 2.1. They have not been recommended by the SPF project since shortly after 2.1 was released.

Libspf2 1.2 is similarly ancient (2.10 is the current version). Versions older than approximately 2.8 suffer from some serious security issues and are not suitable for use.

Regardless of whether your setup is functional, it's not one you want. As already mentioned, use a policy server to check SPF. There are (IIRC) multiple choices available in Ports.

Scott K
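
Added example, not part of the thread and not code from Postfix or the SPF project: a minimal handler for the policy delegation protocol described in SMTPD_POLICY_README, applied to the own-domain forgery check from point (c) above. It is not an SPF evaluator. LOCAL_DOMAINS, MYNETWORKS, the sample request and all function names are assumptions made for illustration.

```python
import io
import ipaddress

# Assumed values for illustration: the domain to protect and the trusted networks.
LOCAL_DOMAINS = {"example.com"}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

# Constructed sample request: name=value lines, ended by an empty line.
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "client_address=203.0.113.9\nsender=ceo@example.com\nsasl_username=\n\n")

def read_request(stream):
    """Read one request; return its attributes, or None at EOF."""
    attrs = {}
    for line in stream:
        line = line.rstrip("\r\n")
        if not line:
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return None  # EOF before the terminating empty line: discard

def decide(attrs):
    """Return an access(5) action: reject our own domain from untrusted clients."""
    if attrs.get("request") != "smtpd_access_policy" or attrs.get("sasl_username"):
        return "DUNNO"  # unknown request type, or client authenticated via SASL
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
        if any(client in net for net in MYNETWORKS):
            return "DUNNO"  # trusted network, same role as permit_mynetworks
    except ValueError:
        pass  # unparsable address: treat the client as untrusted
    domain = attrs.get("sender", "").rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "REJECT sender domain not accepted from this client"
    return "DUNNO"  # no opinion; later restrictions decide

def serve(stream_in, stream_out):
    """Answer requests until EOF; each reply is action=... plus an empty line."""
    while (attrs := read_request(stream_in)) is not None:
        stream_out.write("action=%s\n\n" % decide(attrs))
        stream_out.flush()

def answer(text):
    """Run serve() over request text and return the raw reply text."""
    out = io.StringIO()
    serve(io.StringIO(text), out)
    return out.getvalue()
```

Postfix reaches a service like this through check_policy_service in the smtpd restrictions; for the SPF check itself, use one of the existing policy daemons rather than this sketch.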