Git/email-toolbox-wiki
1
0
Fork 0
mirror of https://github.com/internetstandards/toolbox-wiki.git synced 2025-11-04 07:45:28 +01:00
Code Issues Packages Projects Releases Wiki Activity

Updated SPF how to (markdown)

Browse Source
This commit is contained in:
Dennis Baaten
2019-06-05 22:11:03 +02:00
parent c040afce2a
commit 20131c40f3
1 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
SPF-how-to.md
View File

@@ -6,11 +6,11 @@
- [Outbound e-mail traffic (DNS records)](#outbound-e-mail-traffic--dns-records-) - [Outbound e-mail traffic (DNS records)](#outbound-e-mail-traffic--dns-records-)
- [Inbound e-mail traffic](#inbound-e-mail-traffic) - [Inbound e-mail traffic](#inbound-e-mail-traffic)
* [Implementing SPF in Postfix with SpamAssassin](#implementing-spf-in-postfix-with-spamassassin) * [Implementing SPF in Postfix with SpamAssassin](#implementing-spf-in-postfix-with-spamassassin)
* [Configuring Postfix](#configuring-postfix) + [Configuring Postfix](#configuring-postfix)
+ [Postfix configuration for Python SPF policy agent](#postfix-configuration-for-python-spf-policy-agent) - [Postfix configuration for Python SPF policy agent](#postfix-configuration-for-python-spf-policy-agent)
+ [Postfix configuration for SpamAssassin](#postfix-configuration-for-spamassassin) - [Postfix configuration for SpamAssassin](#postfix-configuration-for-spamassassin)
* [Configuring Python SPF policy agent](#configuring-python-spf-policy-agent) + [Configuring Python SPF policy agent](#configuring-python-spf-policy-agent)
* [Configuring SpamAssassin](#configuring-spamassassin) + [Configuring SpamAssassin](#configuring-spamassassin)
# Introduction # Introduction
This how to is created by the Dutch Internet Standards Platform (the organization behind [internet.nl](https://internet.nl)) and is meant to provide practical information and guidance on implementing SPF. This how to is created by the Dutch Internet Standards Platform (the organization behind [internet.nl](https://internet.nl)) and is meant to provide practical information and guidance on implementing SPF.
@@ -51,7 +51,7 @@ Ideally incoming e-mail is processed by making a **single decision** based on a
* Mail server is operational * Mail server is operational
* Software packages are already installed * Software packages are already installed
## Configuring Postfix ### Configuring Postfix
The [Postfix SMTP server](http://www.postfix.org/smtpd.8.html) seems to be processing e-mails in a sequential order by means of so-called [access restriction lists](http://www.postfix.org/SMTPD_ACCESS_README.html#lists). For each stage of the SMTP conversation Postfix can apply a specific set of restrictions. As repeatedly stated in the [main.cf man page](http://www.postfix.org/postconf.5.html) “Restrictions are applied in the order as specified; the first restriction that matches wins”. This should be taken into consideration when configuring your Postfix implementation. The [Postfix SMTP server](http://www.postfix.org/smtpd.8.html) seems to be processing e-mails in a sequential order by means of so-called [access restriction lists](http://www.postfix.org/SMTPD_ACCESS_README.html#lists). For each stage of the SMTP conversation Postfix can apply a specific set of restrictions. As repeatedly stated in the [main.cf man page](http://www.postfix.org/postconf.5.html) “Restrictions are applied in the order as specified; the first restriction that matches wins”. This should be taken into consideration when configuring your Postfix implementation.
The follow table provides a schematic overview of an SMTP conversation and relates specific stages to Postfix' access restriction lists. The follow table provides a schematic overview of an SMTP conversation and relates specific stages to Postfix' access restriction lists.
@@ -79,7 +79,7 @@ The follow table provides a schematic overview of an SMTP conversation and relat
| 221 2.0.0 Bye | | | | 221 2.0.0 Bye | | |
| Connection closed by foreign host. | | | | Connection closed by foreign host. | | |
### Postfix configuration for Python SPF policy agent #### Postfix configuration for Python SPF policy agent
The implementation described in this how to uses an external application to perform SPF checking: Python SPF policy agent (postfix-policyd-spf-python). In order for Postfix to be able to use this application, the following needs to be added to **/etc/postfix/master.cf**: The implementation described in this how to uses an external application to perform SPF checking: Python SPF policy agent (postfix-policyd-spf-python). In order for Postfix to be able to use this application, the following needs to be added to **/etc/postfix/master.cf**:
`policy-spf unix - n n - - spawn user=nobody argv=/usr/bin/policyd-spf` `policy-spf unix - n n - - spawn user=nobody argv=/usr/bin/policyd-spf`
@@ -100,7 +100,7 @@ Now also add the following to **/etc/postfix/main.cf**, outside of any section.
`policy-spf_time_limit = 3600s` `policy-spf_time_limit = 3600s`
### Postfix configuration for SpamAssassin #### Postfix configuration for SpamAssassin
Because this implementation uses SpamAssassin for post-SMTP spam filtering, the following needs to be added to /etc/postfix/master.cf: Because this implementation uses SpamAssassin for post-SMTP spam filtering, the following needs to be added to /etc/postfix/master.cf:
``` ```
@@ -111,7 +111,7 @@ Finally, add the following to **/etc/postfix/main.cf** outside of any section to
`spamassassin_destination_recipient_limit = 1` `spamassassin_destination_recipient_limit = 1`
## Configuring Python SPF policy agent ### Configuring Python SPF policy agent
The next step is to tell the Python SPF policy agent how to behave when checking SPF records. This behavior is determined by adding [configuration parameters](https://manpages.debian.org/stretch/postfix-policyd-spf-python/policyd-spf.conf.5.en.html) to **/etc/postfix-policyd-spf-python/policyd-spf.conf**. The next step is to tell the Python SPF policy agent how to behave when checking SPF records. This behavior is determined by adding [configuration parameters](https://manpages.debian.org/stretch/postfix-policyd-spf-python/policyd-spf.conf.5.en.html) to **/etc/postfix-policyd-spf-python/policyd-spf.conf**.
The default configuration of the Python SPF policy agent provides a binary "block" or "don't block" functionality. However, the implementation described in this how to uses SpamAssassin as a post-SMTP spam filter. This means that Postfix should not reject e-mails coming from e-mail servers that are not listed in the SPF record. Instead an SPF header is appended to the e-mail. The information in the header is used by SpamAssassin to weigh whether an incoming e-mail should be considered spam. This specific setup requires the following non-default configuration parameters in **/etc/postfix-policyd-spf-python/policyd-spf.conf**: The default configuration of the Python SPF policy agent provides a binary "block" or "don't block" functionality. However, the implementation described in this how to uses SpamAssassin as a post-SMTP spam filter. This means that Postfix should not reject e-mails coming from e-mail servers that are not listed in the SPF record. Instead an SPF header is appended to the e-mail. The information in the header is used by SpamAssassin to weigh whether an incoming e-mail should be considered spam. This specific setup requires the following non-default configuration parameters in **/etc/postfix-policyd-spf-python/policyd-spf.conf**:
@@ -121,7 +121,7 @@ HELO_reject = False
Mail_From_reject = False Mail_From_reject = False
``` ```
## Configuring SpamAssassin ### Configuring SpamAssassin
SpamAssassin uses a scoring mechanism in order to determine if an e-mail should be considered spam. By default SpamAssassin considers an e-mail to be spam if the score at least "5". An e-mail starts with a score of 0 and points are added based on the [tests](https://spamassassin.apache.org/old/tests_3_3_x.html) performed. The tests performed can be configured by adding specific [configuration parameters](https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html) in **/etc/spamassassin/local.cf**. SpamAssassin uses a scoring mechanism in order to determine if an e-mail should be considered spam. By default SpamAssassin considers an e-mail to be spam if the score at least "5". An e-mail starts with a score of 0 and points are added based on the [tests](https://spamassassin.apache.org/old/tests_3_3_x.html) performed. The tests performed can be configured by adding specific [configuration parameters](https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html) in **/etc/spamassassin/local.cf**.
Now here's the tricky part. The points added to the score of an incoming e-mail based on the results of a specific test, is at its core a custom job. Many variables can be taken into consideration when scoring an e-mail (which is considered the strength of a post-SMTP spam filter) and the detailed scoring depends on a domain owner's specific wishes. For the sake of this how to, the SPF scoring will be based on the assumption that the domain owner wants to consider an e-mail to be spam if the sending e-mail server's IP-address or host is not in the domain's SPF record. Now here's the tricky part. The points added to the score of an incoming e-mail based on the results of a specific test, is at its core a custom job. Many variables can be taken into consideration when scoring an e-mail (which is considered the strength of a post-SMTP spam filter) and the detailed scoring depends on a domain owner's specific wishes. For the sake of this how to, the SPF scoring will be based on the assumption that the domain owner wants to consider an e-mail to be spam if the sending e-mail server's IP-address or host is not in the domain's SPF record.