spfquery.pyspf(1) General Commands Manual spfquery.pyspf(1)NAME
spfquery.pyspf - pure-Python spfquery script
VERSION
2.0.4
DESCRIPTION
The spfquery script is a Python reimplementination of Wayne Schlitt's spfquery command line tool.
USAGE
The spfquery script is called with a number of possible options. Options can either use standard '-' prefix or be PERL style long options,
'--'. Supported options are:
"--file" or "-file" {filename}: Read the query (or queries) from the designated
file. If {filename} is '0', then query inputs are read from STDIN.
"--ip" or "-ip" {address}: Client IP address to use for SPF check.
"--sender" or "-sender" {Mail From address}: Envelope sender from which mail was
received.
"--helo" or "-helo" {client hostname}: HELO/EHLO name used by SMTP client.
"--local" or "-local" {local policy SPF string}: Additional SPF mechanisms to be
checked on the basis of local policy. Note that local policy matches are
not strictly SPF results. Local policy processing is not defined in RFC
4408. Result may vary among SPF implementations.
"--rcpt-to" or "rcpt-to" {rcpt-to address - if available}: Receipt to address is
not used for actual SPF processing, but if available it can be useful for
logging, spf-received header construction, and providing useful rejection
messages when messages are rejected due to SPF.
"--default-explanation" or "-default-explanation" {explanation string}: Default
Fail explanation string to be used.
"--sanitize" or "-sanitize" and "--debug" or "-debug": These options are no-op
in the Python implementation, but are valid inputs to provide compatibliity
with input files developed to work with the original PERL and C spfquery
implementations.
EXAMPLE
spfquery --sender scott@example.com --ip 192.0.2.0 [other options ...]
SEE ALSO
RFC 4408, <http://www.openspf.org>
AUTHORS
This version of spfquery was written by Stuart Gathman <stuart@bmsi.com>.
This man-page was created by Scott Kitterman <scott@kitterman.com>.
2007-01-16 spfquery.pyspf(1)
Check Out this Related Man Page
policy-spf(1) General Commands Manual policy-spf(1)NAME
python-policyd-spf - pure-Python Postfix policy daemon for SPF checking
VERSION
1.0
USAGE
NOTE: Depending on the packaging and distribution, the exact path to the executable may vary.
$ policyd-spf (Start using installed config file)
$ policyd-spf -h (Display usage message)
$ policyd-spf /etc/postfix-policyd-spf-python/policyd-spf.conf
(Config file name to use)
Configuration options are described in the sample configuration file installed in /usr/share/doc/postfix-policyd-spf-python (policyd-
spf.conf.commented) and in policyd-spf.conf(5). The provided setup.py installs an uncommented configuration file in /etc/postfix-policyd-
spf-python/.
Additionally, whitelisting certain IP addresses or IP addresses used by listed domains from SPF checks is supported. Skipping SPF checks
for local submission or trusted relays is also provided. The sample configuration file and policyd-spf.conf(5) shows the format to use.
OTHER DOCUMENTATION
This documentation assumes you have read Postfix's README_FILES/ SMTPD_POLICY_README and are generally familiar with Sender Policy Frame-
work (SPF). See RFC 4408 for details.
See man 5 policyd-spf.conf for configuration file information.
man 5 policyd-spf.peruser provides documentation on setting up and using different configuration options on a per user (mail reciepient)
basis.
SYNOPSIS
python-policyd-spf is a Postfix SMTPd policy daemon for SPF checking. It is implemented in pure Python and uses the pyspf module. The SPF
web site is http://www.openspf.org/. The Postfix configuration must be changed to check SPF.
DESCRIPTION
Logging is sent to syslogd.
Each time a Postfix SMTP server process is started it connects to the policy service socket and Postfix runs one instance of this Python
script. By default, a Postfix SMTP server process terminates after 100 seconds of idle time, or after serving 100 clients. Thus, the cost
of starting this Python script is smoothed over time
The default policy_time_limit is 1000 seconds. This may be too short for some SMTP transactions to complete. As recommended in SMTPD_POL-
ICY_README, this should be extended to 3600 seconds. To do so, set "policy_time_limit = 3600" in /etc/postfix/main.cf.
Messages that get a Fail SPF result will be rejected. Messages that get a Permerror are, by default, treated as if they had no SPF record.
Messages that get a Temperror result are, by default, treated as if they had no SPF record, but can (and probably should) be deferred if
otherwise permitted. Messages that get other SPF results (Pass, None, Neutral, Softfail) will have the SPF Received header prepended.
Note: Spamasassisn 3.2 and follow will use this header for spam scoring so there is no need to configure a separate SPF check in these Spa-
massassin versions. See Spamassassin documentation for details.
Default Mail From rejection/deferal criteria are, by design, conservative. Default HELO check actions are to reject mail with other than
Pass/None. HELO records are much simpler than Mail From records and rejecting based on HELO checking does not present a false positive
risk. These settings are a matter of local policy and should be adjusted to meet the requirements of site administrators. See policyd-
spf.conf(5) for configuration file details.
LOGGING
Policyd-spf will log messages to syslog about it's activities. The "debugLevel" value in "policyd-spf.conf" can be increased to get addi-
tional information to be logged. When set to a value of "0", only test results (SPF hits/misses) are logged. Results will be returned to
Postfix and logged as a warning by Postfix also. For logging by this policy server, look for "policyd-spf" in your mail log files.
TESTING THE POLICY DAEMON
Testing the policy daemon
To test the policy daemon by hand, execute:
policyd-spf
Each query is a bunch of attributes. Order does not matter, and the daemon uses only a few of all the attributes shown below:
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=some.domain.tld
queue_id=8045F2AB23
instance=12345.6789
sender=foo@bar.tld
recipient=bar@foo.tld
client_address=1.2.3.4
client_name=another.domain.tld
[empty line]
The policy daemon will answer in the same style, with an attribute list followed by a empty line:
action=dunno
[empty line]
POSTFIX INTEGRATION
1. Add the following to /etc/postfix/master.cf:
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
NOTE: Check the path to both the installed Python interpreter and
policyd-spf. These vary from system to system. To use non-default
settings, you must also add the config file (see above and
policyd-spf.conf(5) for details).
2. Configure the Postfix policy service in /etc/postfix/main.cf:
smtpd_recipient_restrictions =
...
reject_unauth_destination
check_policy_service unix:private/policyd-spf
...
policyd-spf_time_limit = 3600
NOTE: Specify check_policy_service AFTER reject_unauth_destination or
else your system can become an open relay.
3. Reload Postfix.
SEE ALSO policyd-spf.conf(5), policyd-spf.peruser(5), python-spf, <http://www.openspf.org>, RFC 4408
AUTHORS
This version of python-policyd-spf was written by Copyright (C) 2007-2012 Scott Kitterman <scott@kitterman.com>. It is derived from Tum-
greyspf, written by Sean Reifschneider, tummy.com, ltd <jafo@tummy.com>. Portions of the documentation were written by Meng Weng Wong
<mengwong@pobox.com>.
This man-page was created by Scott Kitterman <scott@kitterman.com>.
2012-03-17 policy-spf(1)