From: Noel Jones (njones@megan.vbhcs.org)
Date: Mon Jun 01 2009 - 08:29:48 CDT
Paul Cocker wrote:
> I'm trying to implement SPF on our Postfix 2.3.3 installation running on
> CentOS 5.2 and have been using the "Sender address verification for all
> e-mail" article on the postfix site. We're also using a Barracuda filter
> and SPF verification hasn't been leading to false positives so we're
> happy to enable it for everything.
The article you refer to is about sending address verification
probes, not SPF. You have not enabled SPF in postfix. Note
that some sites consider the address probes you have enabled a
form of abuse - if you send too many of them, they will
blacklist you. You might want to turn that feature back off.
To check SPF records in postfix, you need either a milter or a
policy service. There exists a library and patch to add SPF
to postfix, but that software is not recommended - use a
milter or policy service. Here's the relevant postfix
documentation:
http://www.postfix.org/MILTER_README.html
http://www.postfix.org/SMTPD_POLICY_README.html
and here is some commonly used software:
http://sourceforge.net/projects/sid-milter/
http://www.postfix.org/addon.html#policy
http://www.openspf.org/Software
-- Noel Jones
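Noel's point is that reject_unverified_sender only probes whether the sender mailbox exists, while an SPF check has to run in a milter or a policy service hooked in with check_policy_service. As an added illustration, not code from this thread or from any of the linked projects, here is a minimal Python policy-service responder in the SMTPD_POLICY_README request/response format with a toy SPF evaluator that understands only ip4:, ip6: and all mechanisms against an inline constructed record (a real service queries DNS; the domain, addresses and record below are assumptions).

```python
import ipaddress

# Constructed SPF record for the example domain; a real policy service
# queries DNS for the sender domain's TXT record instead.
SPF_RECORDS = {"example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_policy_request(raw):
    """Parse the name=value lines smtpd sends; an empty line ends the request."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def evaluate_spf(client_ip, domain):
    """Toy SPF evaluation: only ip4:, ip6: and all mechanisms are understood."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
    return "neutral"  # RFC 7208: no match and no 'all' term

def policy_response(raw_request):
    """Turn the SPF result into an action Postfix accepts from a policy server."""
    req = parse_policy_request(raw_request)
    sender = req.get("sender", "")
    # Null sender (bounces): RFC 7208 says to check the HELO identity instead.
    domain = sender.rpartition("@")[2] or req.get("helo_name", "")
    result = evaluate_spf(req["client_address"], domain)
    if result == "fail":
        return "action=550 5.7.1 SPF check failed for " + sender + "\n\n"
    return "action=PREPEND Received-SPF: " + result + " (client " + req["client_address"] + ")\n\n"

if __name__ == "__main__":
    # Constructed request in the format check_policy_service would deliver.
    sample = ("request=smtpd_access_policy\nprotocol_state=RCPT\nclient_address=203.0.113.5\n"
              "sender=user@example.com\nrecipient=postmaster@example.net\nhelo_name=mx.example.com\n\n")
    print(policy_response(sample), end="")
```

Run as a script it prints the reply for a constructed RCPT-stage request: a hard SPF failure is rejected, anything else is accepted with a Received-SPF header prepended so the outcome is visible in the mail log and headers.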
>
> I believe that the config below should do the trick:
>
>
> address_verify_map = btree:/var/lib/postfix/verify
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> disable_vrfy_command = yes
> html_directory = no
> inet_interfaces = all
> local_recipient_maps =
> local_transport = error:local mail delivery is disabled
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> mydestination =
> mynetworks = 100.100.100.0/24
> myorigin = domain2.co.uk
> newaliases_path = /usr/bin/newaliases.postfix
> parent_domain_matches_subdomains =
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> relay_domains = domain1.co.uk, domain2.co.uk, domain3.co.uk
> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_banner = $myhostname ESMTP
> smtpd_sender_restrictions = permit_mynetworks check_sender_access hash:/etc/postfix/sender_access reject_unknown_sender_domain reject_unverified_sender
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/virtual
>
>
> And here is the SPF chunk from main.cf
>
> # Enable SPF
>
> smtpd_sender_restrictions =
>     permit_mynetworks
>     check_sender_access hash:/etc/postfix/sender_access
>     reject_unknown_sender_domain
>     reject_unverified_sender
>
> # Postfix 2.6 and later.
> #unverified_sender_reject_reason = Address verification failed
>
> # Note 1: Be sure to read the "Caching" section below!
> # Note 2: Avoid hash files here. Use btree instead.
> address_verify_map = btree:/var/lib/postfix/verify
>
>
> However SPF does not appear to be functioning. I have verified that the
> verify.db file is writable and indeed it has grown, and sender_access.db
> exists as specified.
>
> I'm not sure how to proceed. At the least I guess I need to know what a
> rejection on the grounds above would look like in the logs so I can see
> if it's isolated cases or a total failure of my configuration.
>
> I should note that the SPF failures I'm looking at are against our own
> domain, checks which work on our Barracuda, thus proving that the SPF
> record itself is good.
>
> Here is an example
>
> Jun 1 10:54:38 hostname postfix/smtpd[27747]: 419581F800F7:
> client=unknown[163.13.128.190]
> Jun 1 10:54:39 hostname postfix/cleanup[28028]: 419581F800F7:
> message-id=<221000364829142.CUEPWRFOXJAQFJV@[163.13.128.190]>
> Jun 1 10:54:39 hostname postfix/qmgr[26216]: 419581F800F7:
> from=<paul.cocker@tntpost.co.uk>, size=2545, nrcpt=1 (queue active)
> Jun 1 10:54:39 hostname postfix/smtp[27372]: 419581F800F7:
> to=<paul.cocker@tntpost.co.uk>,
> relay=hostname2.domain.co.uk[100.100.100.101]:25, delay=1.3,
> delays=1.3/0/0.01/0.04, dsn=5.0.0, status=bounced (host
> hostname2.domain.co.uk[100.100.100.101] said: 554 Service unavailable;
> Client host [hostname.domain2.co.uk] blocked using Barracuda Reputation;
> http://bbl.barracudacentral.com/q.cgi?ip=163.13.128.190 (in reply to end
> of DATA command))
> Jun 1 10:54:39 hostname postfix/bounce[27728]: 419581F800F7: sender
> non-delivery notification: 47E5F1F800F9
> Jun 1 10:54:39 hostname postfix/qmgr[26216]: 419581F800F7: removed
>
>
> The mail is passed from the postfix mail server to the Barracuda server
> without being rejected, despite the forged from field and invalid IP.
>
> Paul Cocker