mirror of
https://github.com/internetstandards/toolbox-wiki.git
synced 2024-11-24 20:11:36 +01:00
Updated SPF how to (markdown)
This commit is contained in:
parent
c040afce2a
commit
20131c40f3
@ -6,11 +6,11 @@
|
|||||||
- [Outbound e-mail traffic (DNS records)](#outbound-e-mail-traffic--dns-records-)
|
- [Outbound e-mail traffic (DNS records)](#outbound-e-mail-traffic--dns-records-)
|
||||||
- [Inbound e-mail traffic](#inbound-e-mail-traffic)
|
- [Inbound e-mail traffic](#inbound-e-mail-traffic)
|
||||||
* [Implementing SPF in Postfix with SpamAssassin](#implementing-spf-in-postfix-with-spamassassin)
|
* [Implementing SPF in Postfix with SpamAssassin](#implementing-spf-in-postfix-with-spamassassin)
|
||||||
* [Configuring Postfix](#configuring-postfix)
|
+ [Configuring Postfix](#configuring-postfix)
|
||||||
+ [Postfix configuration for Python SPF policy agent](#postfix-configuration-for-python-spf-policy-agent)
|
- [Postfix configuration for Python SPF policy agent](#postfix-configuration-for-python-spf-policy-agent)
|
||||||
+ [Postfix configuration for SpamAssassin](#postfix-configuration-for-spamassassin)
|
- [Postfix configuration for SpamAssassin](#postfix-configuration-for-spamassassin)
|
||||||
* [Configuring Python SPF policy agent](#configuring-python-spf-policy-agent)
|
+ [Configuring Python SPF policy agent](#configuring-python-spf-policy-agent)
|
||||||
* [Configuring SpamAssassin](#configuring-spamassassin)
|
+ [Configuring SpamAssassin](#configuring-spamassassin)
|
||||||
|
|
||||||
# Introduction
|
# Introduction
|
||||||
This how to is created by the Dutch Internet Standards Platform (the organization behind [internet.nl](https://internet.nl)) and is meant to provide practical information and guidance on implementing SPF.
|
This how to is created by the Dutch Internet Standards Platform (the organization behind [internet.nl](https://internet.nl)) and is meant to provide practical information and guidance on implementing SPF.
|
||||||
@ -51,7 +51,7 @@ Ideally incoming e-mail is processed by making a **single decision** based on a
|
|||||||
* Mail server is operational
|
* Mail server is operational
|
||||||
* Software packages are already installed
|
* Software packages are already installed
|
||||||
|
|
||||||
## Configuring Postfix
|
### Configuring Postfix
|
||||||
The [Postfix SMTP server](http://www.postfix.org/smtpd.8.html) seems to be processing e-mails in a sequential order by means of so-called [access restriction lists](http://www.postfix.org/SMTPD_ACCESS_README.html#lists). For each stage of the SMTP conversation Postfix can apply a specific set of restrictions. As repeatedly stated in the [main.cf man page](http://www.postfix.org/postconf.5.html) “Restrictions are applied in the order as specified; the first restriction that matches wins”. This should be taken into consideration when configuring your Postfix implementation.
|
The [Postfix SMTP server](http://www.postfix.org/smtpd.8.html) seems to be processing e-mails in a sequential order by means of so-called [access restriction lists](http://www.postfix.org/SMTPD_ACCESS_README.html#lists). For each stage of the SMTP conversation Postfix can apply a specific set of restrictions. As repeatedly stated in the [main.cf man page](http://www.postfix.org/postconf.5.html) “Restrictions are applied in the order as specified; the first restriction that matches wins”. This should be taken into consideration when configuring your Postfix implementation.
|
||||||
|
|
||||||
The follow table provides a schematic overview of an SMTP conversation and relates specific stages to Postfix' access restriction lists.
|
The follow table provides a schematic overview of an SMTP conversation and relates specific stages to Postfix' access restriction lists.
|
||||||
@ -79,7 +79,7 @@ The follow table provides a schematic overview of an SMTP conversation and relat
|
|||||||
| 221 2.0.0 Bye | | |
|
| 221 2.0.0 Bye | | |
|
||||||
| Connection closed by foreign host. | | |
|
| Connection closed by foreign host. | | |
|
||||||
|
|
||||||
### Postfix configuration for Python SPF policy agent
|
#### Postfix configuration for Python SPF policy agent
|
||||||
The implementation described in this how to uses an external application to perform SPF checking: Python SPF policy agent (postfix-policyd-spf-python). In order for Postfix to be able to use this application, the following needs to be added to **/etc/postfix/master.cf**:
|
The implementation described in this how to uses an external application to perform SPF checking: Python SPF policy agent (postfix-policyd-spf-python). In order for Postfix to be able to use this application, the following needs to be added to **/etc/postfix/master.cf**:
|
||||||
|
|
||||||
`policy-spf unix - n n - - spawn user=nobody argv=/usr/bin/policyd-spf`
|
`policy-spf unix - n n - - spawn user=nobody argv=/usr/bin/policyd-spf`
|
||||||
@ -100,7 +100,7 @@ Now also add the following to **/etc/postfix/main.cf**, outside of any section.
|
|||||||
|
|
||||||
`policy-spf_time_limit = 3600s`
|
`policy-spf_time_limit = 3600s`
|
||||||
|
|
||||||
### Postfix configuration for SpamAssassin
|
#### Postfix configuration for SpamAssassin
|
||||||
Because this implementation uses SpamAssassin for post-SMTP spam filtering, the following needs to be added to /etc/postfix/master.cf:
|
Because this implementation uses SpamAssassin for post-SMTP spam filtering, the following needs to be added to /etc/postfix/master.cf:
|
||||||
|
|
||||||
```
|
```
|
||||||
@ -111,7 +111,7 @@ Finally, add the following to **/etc/postfix/main.cf** outside of any section to
|
|||||||
|
|
||||||
`spamassassin_destination_recipient_limit = 1`
|
`spamassassin_destination_recipient_limit = 1`
|
||||||
|
|
||||||
## Configuring Python SPF policy agent
|
### Configuring Python SPF policy agent
|
||||||
The next step is to tell the Python SPF policy agent how to behave when checking SPF records. This behavior is determined by adding [configuration parameters](https://manpages.debian.org/stretch/postfix-policyd-spf-python/policyd-spf.conf.5.en.html) to **/etc/postfix-policyd-spf-python/policyd-spf.conf**.
|
The next step is to tell the Python SPF policy agent how to behave when checking SPF records. This behavior is determined by adding [configuration parameters](https://manpages.debian.org/stretch/postfix-policyd-spf-python/policyd-spf.conf.5.en.html) to **/etc/postfix-policyd-spf-python/policyd-spf.conf**.
|
||||||
|
|
||||||
The default configuration of the Python SPF policy agent provides a binary "block" or "don't block" functionality. However, the implementation described in this how to uses SpamAssassin as a post-SMTP spam filter. This means that Postfix should not reject e-mails coming from e-mail servers that are not listed in the SPF record. Instead an SPF header is appended to the e-mail. The information in the header is used by SpamAssassin to weigh whether an incoming e-mail should be considered spam. This specific setup requires the following non-default configuration parameters in **/etc/postfix-policyd-spf-python/policyd-spf.conf**:
|
The default configuration of the Python SPF policy agent provides a binary "block" or "don't block" functionality. However, the implementation described in this how to uses SpamAssassin as a post-SMTP spam filter. This means that Postfix should not reject e-mails coming from e-mail servers that are not listed in the SPF record. Instead an SPF header is appended to the e-mail. The information in the header is used by SpamAssassin to weigh whether an incoming e-mail should be considered spam. This specific setup requires the following non-default configuration parameters in **/etc/postfix-policyd-spf-python/policyd-spf.conf**:
|
||||||
@ -121,7 +121,7 @@ HELO_reject = False
|
|||||||
Mail_From_reject = False
|
Mail_From_reject = False
|
||||||
```
|
```
|
||||||
|
|
||||||
## Configuring SpamAssassin
|
### Configuring SpamAssassin
|
||||||
SpamAssassin uses a scoring mechanism in order to determine if an e-mail should be considered spam. By default SpamAssassin considers an e-mail to be spam if the score at least "5". An e-mail starts with a score of 0 and points are added based on the [tests](https://spamassassin.apache.org/old/tests_3_3_x.html) performed. The tests performed can be configured by adding specific [configuration parameters](https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html) in **/etc/spamassassin/local.cf**.
|
SpamAssassin uses a scoring mechanism in order to determine if an e-mail should be considered spam. By default SpamAssassin considers an e-mail to be spam if the score at least "5". An e-mail starts with a score of 0 and points are added based on the [tests](https://spamassassin.apache.org/old/tests_3_3_x.html) performed. The tests performed can be configured by adding specific [configuration parameters](https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html) in **/etc/spamassassin/local.cf**.
|
||||||
|
|
||||||
Now here's the tricky part. The points added to the score of an incoming e-mail based on the results of a specific test, is at its core a custom job. Many variables can be taken into consideration when scoring an e-mail (which is considered the strength of a post-SMTP spam filter) and the detailed scoring depends on a domain owner's specific wishes. For the sake of this how to, the SPF scoring will be based on the assumption that the domain owner wants to consider an e-mail to be spam if the sending e-mail server's IP-address or host is not in the domain's SPF record.
|
Now here's the tricky part. The points added to the score of an incoming e-mail based on the results of a specific test, is at its core a custom job. Many variables can be taken into consideration when scoring an e-mail (which is considered the strength of a post-SMTP spam filter) and the detailed scoring depends on a domain owner's specific wishes. For the sake of this how to, the SPF scoring will be based on the assumption that the domain owner wants to consider an e-mail to be spam if the sending e-mail server's IP-address or host is not in the domain's SPF record.
|
||||||
|
Loading…
Reference in New Issue
Block a user