From: Noel Jones on 15 Mar 2010 13:38

On 3/15/2010 12:18 PM, Security Admin (NetSec) wrote:
> Running Postfix as a mail gateway, version 2.6.5 and am finally getting
> around to implementing SPF in Postfix. I thought the TXT record in DNS
> would suffice which is how I have been running it.
>
> Found this how-to link http://www.howtoforge.com/postfix_spf
>
> Is this the proper way or is another recommended?

Enabling SPF for your domain only requires adding a DNS TXT record, no modifications to postfix are required.

If you want to check/verify SPF of incoming mail with postfix, you should use a policy service or a milter. Either of the openspf.org policy services should work well, as does the sendmail-spf-milter.

At a quick glance the howtoforge instructions look reasonable. Warning: following a how-to is no substitute for reading the official documentation.

Unless you're planning on rejecting all mail that fails SPF (which will likely reject some legit mail), you might find it more useful to use a scoring method such as SpamAssassin that looks at SPF and other factors before deciding if mail is good or not.

-- Noel Jones

From: Wietse Venema on 15 Mar 2010 13:41

Security Admin (NetSec):
> Running Postfix as a mail gateway, version 2.6.5 and am finally
> getting around to implementing SPF in Postfix. I thought the
> TXT record in DNS would suffice which is how I have been running
> it.
>
> Found this how-to link http://www.howtoforge.com/postfix_spf
>
> Is this the proper way or is another recommended?

Postfix implements DKIM, SPF and other authentication technologies via plugins only.

For SPF, you can use a policy plugin, or a Milter plugin. The Postfix 2.6 and later Milter interface also supports sender address replacement which is needed for SRS.

Wietse

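Added example, not part of the replies above and not code from Postfix or openspf.org: a policy service of the kind both replies mention, speaking Postfix's policy delegation protocol and, by default, prepending a Received-SPF header for a scoring filter instead of rejecting. The SPF evaluator is a constructed lookup table standing in for real DNS evaluation, and all function names, addresses and the sample request are assumptions made for illustration.

```python
import io

# Constructed stand-in for a real SPF evaluator (which would query DNS).
SAMPLE_SPF_RESULTS = {("192.0.2.10", "example.com"): "pass",
                      ("203.0.113.7", "example.com"): "fail"}

# Constructed request in the name=value format smtpd sends to a policy service.
SAMPLE_REQUEST = ("request=smtpd_access_policy\n"
                  "protocol_state=RCPT\n"
                  "client_address=203.0.113.7\n"
                  "sender=alice@example.com\n"
                  "recipient=bob@example.net\n"
                  "\n")

def sample_lookup(ip, domain):
    return SAMPLE_SPF_RESULTS.get((ip, domain), "none")

def read_request(stream):
    """Return one request as a dict, or None at EOF (requests end with an empty line)."""
    attrs = {}
    for line in stream:
        line = line.rstrip("\r\n")
        if not line:
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return None  # stream closed before a complete request arrived

def decide(attrs, spf_lookup, reject_on_fail=False):
    """Map an SPF result to a Postfix access(5) action."""
    sender = attrs.get("sender", "")
    if attrs.get("request") != "smtpd_access_policy" or "@" not in sender:
        return "DUNNO"  # unknown request or null sender: no opinion
    client = attrs.get("client_address", "")
    result = spf_lookup(client, sender.rpartition("@")[2].lower())
    if result == "fail" and reject_on_fail:
        return "REJECT SPF check failed for " + sender
    # Default: record the result so a scoring filter can weigh it later.
    return "PREPEND Received-SPF: %s client-ip=%s; envelope-from=%s" % (result, client, sender)

def serve(instream, outstream, spf_lookup, **opts):
    """Answer each request with 'action=...' followed by an empty line."""
    while (attrs := read_request(instream)) is not None:
        outstream.write("action=%s\n\n" % decide(attrs, spf_lookup, **opts))
        outstream.flush()

def run_sample(**opts):
    out = io.StringIO()
    serve(io.StringIO(SAMPLE_REQUEST), out, sample_lookup, **opts)
    return out.getvalue()
```

Postfix would start such a script through spawn(8) in master.cf and consult it with check_policy_service in smtpd_recipient_restrictions.
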
From: Erik Logtenberg on 15 Mar 2010 15:12

On 03/15/2010 06:18 PM, Security Admin (NetSec) wrote:
> Running Postfix as a mail gateway, version 2.6.5 and am finally getting
> around to implementing SPF in Postfix. I thought the TXT record in DNS
> would suffice which is how I have been running it.

Please note that according to RFC4408 (SPF), section 3.1.1 (DNS Resource Record Types) the preferred DNS RR is "SPF" (code 99), not "TXT". The TXT record is only meant for temporary use for the time period when there are still nameservers operational that don't support the SPF RR yet.

> An SPF-compliant domain name SHOULD have SPF records of both RR
> types. A compliant domain name MUST have a record of at least one
> type. If a domain has records of both types, they MUST have
> identical content. For example, instead of publishing just one
> record as in Section 3.1 above, it is better to publish:
>
> example.com. IN TXT "v=spf1 +mx a:colo.example.com/28 -all"
> example.com. IN SPF "v=spf1 +mx a:colo.example.com/28 -all"

Given the current state of things, I would recommend using both. Make sure they contain exactly the same information though.