Postfix SPF check
From iRedMail
Summary
Using the Python version of the SPF Policy Server for Postfix (pypolicyd-spf), Postfix can check the SPF of incoming messages and immediately reject or pass them (if desired). This article describes how to set this up.
Notes
- There is also a Perl version of the software, but it is not recommended because it does not scale well and should only be used on small-scale servers.
- This tutorial was written for a CentOS-based system. Please adapt it to fit your distro and configuration.
- It is assumed that the reader has good knowledge of the technologies used here.
Installation
- Download the latest version of pypolicyd-spf from the project's home page.
- Unpack it and install it by using the instructions in the README file.
Configuration
Set up your /etc/python-policyd-spf/policyd-spf.conf to fit your needs.
To begin with, make sure you set the following (it is changed to 1 in the final notes, once you are happy with the configuration):
| File: /etc/python-policyd-spf/policyd-spf.conf |
defaultSeedOnly = 0 |
For example, a reasonably good configuration for fighting spam (without losing legitimate messages) would contain:
| File: /etc/python-policyd-spf/policyd-spf.conf |
HELO_reject = Fail
Mail_From_reject = Fail
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0//104,::1//128 |
The meaning of each parameter is explained in the README file and in the man page (man 5 policyd-spf.conf).
Enable SPF check in Postfix
Edit your master.cf file and add at the end:
| File: /etc/postfix/master.cf |
# SPF check
spfpolicy  unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/python /usr/bin/policyd-spf
|
Edit your main.cf file and add the following line in smtpd_recipient_restrictions, towards the end, but before the main policyd service (usually running on port 10031):
| File: /etc/postfix/main.cf |
smtpd_recipient_restrictions = ... check_policy_service unix:private/spfpolicy, ... |
Restart postfix:
| Terminal: |
/etc/init.d/postfix restart |
Final notes
- Verify the effect of your changes by checking the maillog.
- When you are happy with a set of config parameters for pypolicyd-spf, be sure to enable actual SPF enforcement:
| File: /etc/python-policyd-spf/policyd-spf.conf |
defaultSeedOnly = 1 |
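
Besides reading the maillog, the policy server can be exercised by hand before enforcement is switched on. The following is an added example, not part of the original article or of pypolicyd-spf: a Python 3 helper that feeds one Postfix policy-delegation request to the command from the master.cf entry above and classifies the reply. The helper names (build_request, parse_reply, query), the instance value, and the addresses and domains are assumptions constructed for illustration.

```python
import subprocess

# Command copied from the master.cf entry on this page.
POLICYD_ARGV = ["/usr/bin/python", "/usr/bin/policyd-spf"]

def build_request(client_ip, helo, sender, recipient):
    """Serialise the name=value attributes Postfix sends at RCPT TO."""
    attrs = [
        ("request", "smtpd_access_policy"),
        ("protocol_state", "RCPT"),
        ("protocol_name", "SMTP"),
        ("instance", "manual-test-1"),  # constructed value
        ("client_address", client_ip),
        ("helo_name", helo),
        ("sender", sender),
        ("recipient", recipient),
    ]
    for name, value in attrs:
        # A line break inside a value would smuggle in extra attributes.
        if "\n" in value or "\r" in value:
            raise ValueError("line break in attribute %r" % name)
    # One attribute per line; an empty line terminates the request.
    return "".join("%s=%s\n" % pair for pair in attrs) + "\n"

def parse_reply(reply):
    """Return (verdict, action); verdict is 'reject', 'defer' or 'accept'."""
    for line in reply.splitlines():
        if line.startswith("action="):
            action = line[len("action="):].strip()
            verb = action.split(None, 1)[0].lower() if action else ""
            if verb == "reject" or verb.startswith("5"):
                return "reject", action
            if verb.startswith("defer") or verb.startswith("4"):
                return "defer", action
            # dunno, prepend, ok, ...: this service does not block the mail.
            return "accept", action
    raise ValueError("no action= line in policy reply")

def query(client_ip, helo, sender, recipient, argv=POLICYD_ARGV):
    """Run the policy server once on stdin/stdout and parse its answer."""
    request = build_request(client_ip, helo, sender, recipient)
    proc = subprocess.run(argv, input=request, capture_output=True,
                          text=True, timeout=30, check=True)
    return parse_reply(proc.stdout)

if __name__ == "__main__":
    # Constructed sample values (documentation address range and domains).
    print(query("192.0.2.10", "mail.example.org",
                "alice@example.org", "bob@example.net"))
```

Run it with a sender domain whose SPF record you know and compare the returned action with the corresponding maillog entry.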
