
SPF records: QUEUE only PASS; NOQUEUE NONE


We're running a mail processing service for external customers. As a means of preventing spammers from relaying through our first hop (CentOS 6.6, Postfix 2.11.3), I want to check for the presence of an SPF record. I'm able to accomplish that with pypolicyd-spf (https://launchpad.net/pypolicyd-spf/).

The issue is that pypolicyd-spf will not reject mail from messages with MAIL FROM domains that don't have an SPF record. That is, if a spammer attempts to relay from a domain that doesn't have an SPF record, pypolicyd-spf shows:

    Jan 6 22:38:54 DVR01 postfix/smtpd[31777]: connect from 118-160-214-49.dynamic.hinet.net[118.160.214.49]
    Jan 6 22:38:55 DVR01 policyd-spf[31781]: None; identity=helo; client-ip=118.160.214.49; helo=144.202.242.201; [email protected]; [email protected]
    Jan 6 22:38:55 DVR01 policyd-spf[31781]: None; identity=mailfrom; client-ip=118.160.214.49; helo=144.202.242.201; [email protected]; [email protected]
    Jan 6 22:38:55 DVR01 postfix/smtpd[31777]: 89B191C03D0: client=118-160-214-49.dynamic.hinet.net[118.160.214.49]
    Jan 6 22:39:00 DVR01 postfix/cleanup[31782]: 89B191C03D0: message-id=
    Jan 6 22:39:00 DVR01 postfix/qmgr[31775]: 89B191C03D0: from=, size=7053, nrcpt=19 (queue active)
    Jan 6 22:39:00 DVR01 postfix/smtp[31783]: 89B191C03D0: to=, relay=RLY01.DEV.MS.LOCAL[192.168.111.117]:25, delay=5.9, delays=5.9/0/0.02/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 52C4D1C04DB)

For reference, an SPF FAIL looks like this:

    Jan 7 17:18:22 DVR01 postfix/smtpd[45867]: connect from unknown[221.5.48.181]
    Jan 7 17:18:22 DVR01 policyd-spf[45870]: None; identity=helo; client-ip=221.5.48.181; helo=cgtisxj; [email protected]; [email protected]
    Jan 7 17:18:22 DVR01 policyd-spf[45870]: Fail; identity=mailfrom; client-ip=221.5.48.181; helo=cgtisxj; [email protected]; [email protected]
    Jan 7 17:18:22 DVR01 postfix/smtpd[45867]: NOQUEUE: reject: RCPT from unknown[221.5.48.181]: 550 5.7.1 : Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;[email protected];ip=221.5.48.181;[email protected]; from= to= proto=ESMTP helo=

Effectively, I want to reject the NONE result.

Normally, this would be a bad idea; not everyone has implemented SPF records for their domains. But we're going to require it of our customers so we don't care to receive mail from domains that don't have SPF records.

So, the question: using at least some of what I have in place (I'd rather stick with CentOS and Postfix), how can I accept only "Pass; identity=mailfrom"?

Thanks, Nathan
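The rule asked for above (queue only on Pass for identity=mailfrom, treat None like Fail), written as a minimal Postfix policy-delegation service in Python; this is an added example, not the asker's configuration and not pypolicyd-spf's code. The SPF evaluation is passed in as a callable (a stand-in for a real SPF library such as pyspf) so the example runs offline; the sample request, its sender address and the reply texts are constructed, and the TempError branch adds the deferral a practitioner would want so transient DNS failures do not turn into permanent rejects.

```python
"""Postfix policy-delegation handler: accept only SPF "Pass" for the
MAIL FROM identity, reject "None" (no SPF record) like "Fail", and
defer on transient DNS errors.  Added example, not pypolicyd-spf."""
from typing import Callable, Dict

# (client_ip, sender, helo_name) -> SPF result string, e.g. "Pass", "None"
SpfChecker = Callable[[str, str, str], str]

# Constructed sample request, shaped like the connection in the first log
# excerpt above (client 118.160.214.49, HELO 144.202.242.201); the sender
# and recipient addresses are made up.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=118.160.214.49\n"
    "helo_name=144.202.242.201\n"
    "sender=user@example.net\n"
    "recipient=customer@example.com\n"
    "\n"
)


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse the name=value lines Postfix sends; an empty line ends the request."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def decide(attrs: Dict[str, str], spf_check: SpfChecker) -> str:
    """Map the SPF result for identity=mailfrom to a Postfix access action."""
    if attrs.get("request") != "smtpd_access_policy":
        return "dunno"                       # not an SMTP access query
    sender = attrs.get("sender", "")
    if sender == "":                         # null sender (bounces) has no mailfrom identity
        return "dunno"                       # leave it to the remaining smtpd restrictions
    result = spf_check(attrs.get("client_address", ""), sender, attrs.get("helo_name", ""))
    if result == "Pass":
        return "dunno"                       # accepted here; later restrictions still apply
    if result == "TempError":
        return "defer_if_permit 450 4.7.1 SPF lookup failed temporarily, try again later"
    # None (no SPF record), Fail, SoftFail, Neutral and PermError are all rejected.
    domain = sender.partition("@")[2] or sender
    return f"reject 550 5.7.1 SPF Pass required for {domain}; result was {result}"


def handle(raw: str, spf_check: SpfChecker) -> str:
    """Whole request in, whole reply out, in the wire format Postfix expects."""
    return f"action={decide(parse_policy_request(raw), spf_check)}\n\n"


if __name__ == "__main__":
    # Show the decision for each SPF outcome using a fake checker.
    for fake in ("Pass", "None", "Fail", "TempError"):
        print(fake, "->", handle(SAMPLE_REQUEST, lambda ip, s, h, r=fake: r).strip())
```

Wired in with a `check_policy_service` entry under `smtpd_recipient_restrictions` (as a `spawn` service in master.cf or a socket listener), it decides only the mailfrom identity; anything Postfix already rejected earlier in the restriction list never reaches it.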


Solution

  • Can you just use DMARC? It can be configured to be SPF only, and the alignment requirement will take care of your 'identity=mailfrom' desire. Here's a Postfix implementation of the DMARC standard - http://www.trusteddomain.org/opendmarc/ .

    If you can require that your customers have SPF, can't you also require them to have DMARC?