POSTFIX-ADD-POLICY(8) System Manager's Manual POSTFIX-ADD-POLICY(8)NAME
postfix-add-policy - add policy service to Postfix master.cf
SYNOPSIS
postfix-add-policy [policy name...] [username...] [argv...]
DESCRIPTION
The postfix-add-policy(8) command adds an smtp policy server named policy name running using username and called as argv to etc/post-
fix/master.cf to facilitate integration of SMTP policy servers such as postgrey or postfix-policyd-spf-perl. The configuration is based on
the Postfix SMTPD_POLICY_README. Adminstrators should verify it is appropriate for their requirements.
The original file is copied prior to modification and left in /etc/postfix to make it possible to revert changes easily.
Available in the Debian package for Postfix version 2.5.3 and later.
DIAGNOSTICS
If the given policy name already appears in the master.cf, a message will be printed to standard out and master.cf will not be modified.
ENVIRONMENT
MAIL_CONFIG
Directory with Postfix configuration files.
The postfix-add-policy(8) command should use this, but it currently doesn't. It is hard coded to /etc/postfix. This should be
changed.
CONFIGURATION PARAMETERS
None
FILES
/etc/postfix/master.cf
SEE ALSO postconf(5), Postfix configuration
LICENSE
This software is licensed under the MIT open source license.
AUTHOR(S)
Scott Kitterman
<scott@kitterman.com>
POSTFIX-ADD-POLICY(8)
Check Out this Related Man Page
postfix-policyd-spf-perl(1) General Commands Manual postfix-policyd-spf-perl(1)NAME
postfix-policyd-spf-perl - pure-Perl Postfix policy server for SPF checking
VERSION
2.008
USAGE
Usage:
policyd-spf-perl [-v]
OTHER DOCUMENTATION
This documentation assumes you have read Postfix's README_FILES/ SMTPD_POLICY_README.
SYNOPSIS
postfix-policyd-spf-perl is a Postfix SMTP policy server for SPF checking. It is implemented in pure Perl and uses the Mail::SPF CPAN mod-
ule. Note that Mail::SPF is a complete re-implementation of SPF based on the final SPF RFC, RFC 4408. It shares no code with the older
Mail::SPF::Query that was the original SPF development implementation.
This version of the policy server always checks HELO before Mail From (older versions just checked HELO if Mail From was null). It will
reject mail that fails either Mail From or HELO SPF checks. It will defer mail if there is a temporary SPF error and the message would
othersise be permitted (DEFER_IF_PERMIT). If the HELO check produces a REJECT/DEFER result, Mail From will not be checked.
If the message is not rejected or deferred, the policy server will PREPEND the appropriate SPF Received header. If Mail From is anything
other than completely empty (i.e. <>) then the Mail From result will be used for SPF Received (e.g. Mail From None even if HELO is Pass).
The policy server skips SPF checks for connections from the localhost (127.) and instead prepends and logs 'SPF skipped - localhost is
always allowed.' If you have relays that you want to skip SPF checks for, you can add them to relay_addresses on line 78 using standard
CIDR notation in a space separated list. For these addresses, 'X-Comment: SPF skipped for whitelisted relay' is prepended and logged.
Error conditions within the policy server (that don't result in a crash) or from Mail::SPF will return DUNNO.
DESCRIPTION
Logging is sent to syslogd.
Each time a Postfix SMTP server process is started it connects to the policy service socket and Postfix runs one instance of this Perls
script. By default, a Postfix SMTP server process terminates after 100 seconds of idle time, or after serving 100 clients. Thus, the cost
of starting this Perl script is smoothed over time.
The default policy_time_limit is 1000 seconds. This may be too short for some SMTP transactions to complete. As recommended in SMTPD_POL-
ICY_README, this should be extended to 3600 seconds. To do so, set "policy_time_limit = 3600" in /etc/postfix/main.cf.
TESTING THE POLICY DAEMON
Testing the policy daemon
To test the policy daemon by hand, execute:
% /usr/sbin/postfix-policyd-spf-perl
Each query is a bunch of attributes. Order does not matter, and the server uses only a few of all the attributes shown below:
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=some.domain.tld
queue_id=
instance=71b0.45e2f5f1.d4da1.0
sender=foo@bar.tld
recipient=bar@foo.tld
client_address=1.2.3.4
client_name=another.domain.tld
[empty line]
The policy daemon will answer in the same style, with an attribute list followed by a empty line:
action=550 Please see http://www.openspf.org/Why?id=foo@bar.tld&ip=1.2.3.4&
receiver=bar@foo.tld
[empty line]
To test HELO checking sender should be empty:
sender=
... More attributes...
[empty line]
If you want more detail in the system logs change $VERBOSE to 1.
POSTFIX INTEGRATION
1. Add the following to /etc/postfix/master.cf:
spfcheck unix - n n - 0 spawn
user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
2. Configure the Postfix SPF policy service in /etc/postfix/main.cf:
smtpd_recipient_restrictions =
...
reject_unauth_destination
check_policy_service unix:private/spfcheck
...
spfcheck_time_limit = 3600
NOTE: Specify check_policy_service AFTER reject_unauth_destination or
else your system can become an open relay.
3. Set up machines which you expect to legitimately forward mail to this
server (see description in synopsis). This should typically include
the IP addresses which backup Mail eXchangers, and known non-SRS
forwarders will use to submit mail to this server (i.e. the source IPs
of the other servers).
4. Restart Postfix.
5. Verify correct backup MX operation (if applicable).
SEE ALSO
libmail-spf-perl, <http://www.openspf.org>
AUTHORS
This version of policyd-spf-perl was written by Meng Weng Wong <mengwong+spf@pobox.com> and updated for libmail-spf-perl by Scott Kitterman
<scott@kitterman.com> and Julian Mehnle <julian@mehnle.net>.
This man-page was written by Scott Kitterman <scott@kitterman.com>.
2012-01-19 postfix-policyd-spf-perl(1)