
Mailing List Archive: SPF: Help

postfix-policyd-spf-perl with postfix help?

 

 



roj at mvb

Jun 9, 2008, 4:09 AM

Post #1 of 12 (3638 views)
postfix-policyd-spf-perl with postfix help?

Hello,

I am using postfix-policyd-spf-perl-2.005 with postfix-2.2 and
perl-5.8.5 on RHEL4, configured as described in this guide:
http://www.howtoforge.com/postfix_spf and restarted the postfix service.

However, if I try to send mail through the mailserver with a fake
sender-address (e.g. a @hotmail.com or something) which has SPF records,
fake mails are not getting denied.

If I do "perl /usr/lib/postfix/postfix-policyd-spf-perl" and then type
in the fake info, it denies like:

action=PREPEND Received-SPF: softfail (hotmail.com: Sender is not
authorized by default to use 'hotmail.com' in 'helo' identity, however
domain is not currently prepared for false failures (mechanism '~all'
matched)) receiver=my.server.com; identity=helo; helo=hotmail.com;
client-ip=<the-IP-address>

I don't see any errors or such in the logs, but it seems like postfix is
not using this mechanism for validation for some reason.

Can anyone help me get this working?

Best regards,
jack


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


scott at kitterman

Jun 9, 2008, 4:26 AM

Post #2 of 12 (3504 views)
Re: postfix-policyd-spf-perl with postfix help?

On Monday 09 June 2008 07:09, Ronni Jensen wrote:
> Hello,
>
> I am using postfix-policyd-spf-perl-2.005 with postfix-2.2 and
> perl-5.8.5 on RHEL4, configured as described in this guide:
> http://www.howtoforge.com/postfix_spf and restarted the postfix service.
>
> However, if I try to send mail through the mailserver with a fake
> sender-address (e.g. a @hotmail.com or something) which has SPF records,
> fake mails are not getting denied.
>
> If I do "perl /usr/lib/postfix/postfix-policyd-spf-perl" and then type
> in the fake info, it denies like:
>
> action=PREPEND Received-SPF: softfail (hotmail.com: Sender is not
> authorized by default to use 'hotmail.com' in 'helo' identity, however
> domain is not currently prepared for false failures (mechanism '~all'
> matched)) receiver=my.server.com; identity=helo; helo=hotmail.com;
> client-ip=<the-IP-address>
>
> I don't see any errors or such in the logs, but it seems like postfix is
> not using this mechanism for validation for some reason.
>
> Can anyone help me get this working?
>
This is correct behavior. Hotmail does not publish a record that would
allow for SPF-based rejection. Try it with a domain (such as mine if you
want) that has an SPF record ending in -all and see what result you get then.

Scott K
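
The manual test in the first post speaks Postfix's policy delegation protocol: name=value attributes ended by an empty line, answered by a single action= line. The following is an added example, not part of the original posts (the addresses passed to the request builder and the 550 reply are constructed); it builds such a request and classifies the reply, showing that PREPEND only adds a header and does not reject the mail.

```python
import re

def build_policy_request(client_address, helo_name, sender, recipient):
    """Attributes Postfix sends for one RCPT TO, terminated by an empty line."""
    attrs = [
        ("request", "smtpd_access_policy"),
        ("protocol_state", "RCPT"),
        ("protocol_name", "SMTP"),
        ("client_address", client_address),
        ("helo_name", helo_name),
        ("sender", sender),
        ("recipient", recipient),
    ]
    return "".join(f"{name}={value}\n" for name, value in attrs) + "\n"

def parse_policy_reply(text):
    """Return (verb, rest) from an 'action=...' reply, unfolding wrapped lines."""
    unfolded = " ".join(line.strip() for line in text.strip().splitlines())
    match = re.match(r"action=(\S+)\s*(.*)", unfolded)
    if match is None:
        raise ValueError("not a policy reply: %r" % text)
    return match.group(1), match.group(2)

def effect_of(verb):
    """Map an access action verb to what it does to the SMTP transaction."""
    verb = verb.upper()
    if verb == "REJECT" or re.fullmatch(r"5\d\d", verb):
        return "reject"        # permanent rejection
    if verb.startswith("DEFER") or re.fullmatch(r"4\d\d", verb):
        return "defer"         # temporary failure (DEFER_IF_* are conditional)
    if verb == "OK":
        return "permit"
    if verb in ("PREPEND", "DUNNO", "WARN"):
        return "continue"      # no verdict; the next restriction is evaluated
    return "other"

# Reply quoted in the first post (softfail for a '~all' record), as wrapped there.
REPLY_FROM_THREAD = (
    "action=PREPEND Received-SPF: softfail (hotmail.com: Sender is not\n"
    "authorized by default to use 'hotmail.com' in 'helo' identity, however\n"
    "domain is not currently prepared for false failures (mechanism '~all'\n"
    "matched)) receiver=my.server.com; identity=helo; helo=hotmail.com;\n"
    "client-ip=<the-IP-address>\n\n"
)
# Constructed sample of a rejecting reply; not output captured from any tool.
CONSTRUCTED_REJECT_REPLY = "action=550 SPF fail (constructed sample text)\n\n"

if __name__ == "__main__":
    # Constructed request values (documentation IP range and example domain).
    print(build_policy_request("192.0.2.25", "hotmail.com",
                               "someone@hotmail.com", "user@example.org"), end="")
    for reply in (REPLY_FROM_THREAD, CONSTRUCTED_REJECT_REPLY):
        verb, _ = parse_policy_reply(reply)
        print(verb, "->", effect_of(verb))
```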


roj at mvb

Jun 9, 2008, 4:48 AM

Post #3 of 12 (3516 views)
SV: postfix-policyd-spf-perl with postfix help?

Ah, of course, Scott..

Anyway, tried with your domain, postfix says:

Jun 9 13:40:49 postfix/smtpd[5780]: 92535200201:
client=unknown[<my-ip>]
Jun 9 13:40:55 postfix/cleanup[13604]: 92535200201:
message-id=<20080609114049.92535200201 [at] my>
Jun 9 13:40:55 postfix/qmgr[28644]: 92535200201:
from=<test [at] kitterman>, size=347, nrcpt=1 (queue active)
Jun 9 13:40:56 postfix/smtp[13645]: 92535200201:
to=<my [at] address-at-gmail>,
relay=gmail-smtp-in.l.google.com[209.85.135.114], delay=15, status=sent
(250 2.0.0 OK)
Jun 9 13:40:56 postfix/qmgr[28644]: 92535200201: removed

This test mail also arrived fine :/

Any ideas?

Best regards,
jack


scott at kitterman

Jun 9, 2008, 5:46 AM

Post #4 of 12 (3500 views)
Re: SV: postfix-policyd-spf-perl with postfix help?

On Monday 09 June 2008 07:48, Ronni Jensen wrote:
> Ah, of course, Scott..
>
> Anyway, tried with your domain, postfix says:
>
> Jun 9 13:40:49 postfix/smtpd[5780]: 92535200201:
> client=unknown[<my-ip>]
> Jun 9 13:40:55 postfix/cleanup[13604]: 92535200201:
> message-id=<20080609114049.92535200201 [at] my>
> Jun 9 13:40:55 postfix/qmgr[28644]: 92535200201:
> from=<test [at] kitterman>, size=347, nrcpt=1 (queue active)
> Jun 9 13:40:56 postfix/smtp[13645]: 92535200201:
> to=<my [at] address-at-gmail>,
> relay=gmail-smtp-in.l.google.com[209.85.135.114], delay=15, status=sent
> (250 2.0.0 OK)
> Jun 9 13:40:56 postfix/qmgr[28644]: 92535200201: removed
>
> This test mail also arrived fine :/
>
> Any ideas?

Please attach the output of postconf -n and let me have a look at that.

Scott K


roj at mvb

Jun 9, 2008, 11:02 PM

Post #5 of 12 (3476 views)
SV: SV: postfix-policyd-spf-perl with postfix help?

This is the restrictions part:

---------- [SNIP] ----
smtpd_sender_restrictions = reject_unknown_sender_domain,
    reject_non_fqdn_sender

smtpd_client_restrictions = hash:/etc/postfix/access,
    permit_mynetworks,
    reject_unknown_client,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    permit

permit_mx_backup_networks = $mynetworks

smtpd_recipient_restrictions = check_recipient_access regexp:/etc/postfix/reject,
    permit_mynetworks,
    permit_mx_backup,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unauth_destination,
    check_policy_service unix:private/policy,
    reject
--------- [/SNIP] --------

That's the relevant part, right? You see any problems there?

/jack



scott at kitterman

Jun 10, 2008, 11:53 AM

Post #6 of 12 (3466 views)
Re: SV: SV: postfix-policyd-spf-perl with postfix help?

On Tuesday 10 June 2008 02:02, Ronni Jensen wrote:
> This is the restrictions part:
>
> ---------- [SNIP] ----
> smtpd_sender_restrictions = reject_unknown_sender_domain,
> reject_non_fqdn_sender
>
> smtpd_client_restrictions = hash:/etc/postfix/access,
> permit_mynetworks,
> reject_unknown_client,
> reject_rbl_client sbl-xbl.spamhaus.org,
> reject_rbl_client bl.spamcop.net,
> permit
>
> permit_mx_backup_networks = $mynetworks
>
> smtpd_recipient_restrictions = check_recipient_access
> regexp:/etc/postfix/reject,
> permit_mynetworks,

At this point you've permitted mail from within your network to be sent.

> permit_mx_backup,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> reject_non_fqdn_sender,
> reject_unknown_sender_domain,
> reject_unauth_destination,
> check_policy_service unix:private/policy,

This is where the policy server enters into it, so it never gets called for
outbound mail. This is what you want.

> reject
> --------- [/SNIP] --------
>
> That's the relevant part, right? You see any problems there?
>
> /jack

It looks like you have everything set up correctly. You need to see if it's
working on inbound mail, not outbound.

Scott K


roj at mvb

Jun 11, 2008, 4:35 AM

Post #7 of 12 (3463 views)
SV: SV: SV: postfix-policyd-spf-perl with postfix help?

Would it be more right to move the policy server up before
"permit_mx_backup"?

permit_mx_backup is to ensure that customers/domains within my network
are permitted MX backup.. but SPF policy should be checked before MX
backup is actually allowed on inbound mail, shouldn't it? Otherwise,
inbound mail that actually should have been denied due to policies is
granted MX backup without SPF check first.

/jack


scott at kitterman

Jun 11, 2008, 4:57 AM

Post #8 of 12 (3484 views)
Re: SV: SV: SV: postfix-policyd-spf-perl with postfix help?

On Wednesday 11 June 2008 07:35, Ronni Jensen wrote:
> Would it be more right to move the policy server up before
> "permit_mx_backup"?
>
> permit_mx_backup is to ensure that customers/domains within my network
> are permitted MX backup.. but SPF policy should be checked before MX
> backup is actually allowed on inbound mail, shouldn't it? Otherwise,
> inbound mail that actually should have been denied due to policies is
> granted MX backup without SPF check first.

I assume that is the list of secondary MX servers that should be allowed to
relay to this box. No. You don't want to check SPF on mail that's relayed
from your secondary MX.

SPF checks have to happen at the border between your network and the senders'.
In the case of a secondary MX, it's on the secondary MX. Any relayed
messages you check for SPF will show as coming from the relay and not from a
correct IP address for that domain.

Scott K


roj at mvb

Jun 11, 2008, 5:21 AM

Post #9 of 12 (3469 views)
SV: SV: SV: SV: postfix-policyd-spf-perl with postfix help?

Hi Scott,

The real problem that this SPF thing spawns from is that spammers try to
relay through my SMTP servers (which also serve mx-backup for servers
within our network).

While spammers use fake sender e-mail addresses and try to send mail to
recipients that are not within $mynetworks, they get denied and a bounce
message is sent back to that fake sender-address. Because this is often
yahoo.com, hotmail.com and similar sender-addresses, my SMTP servers risk
being blacklisted due to user complaints (the "victims" of fake
sender-addresses) at these domains.

This is the issue I actually am trying to eliminate in the most
efficient way..

/jack


scott at kitterman

Jun 11, 2008, 5:58 AM

Post #10 of 12 (3467 views)
Re: SV: SV: SV: SV: postfix-policyd-spf-perl with postfix help?

On Wednesday 11 June 2008 08:21, Ronni Jensen wrote:
> Hi Scott,
>
> The real problem that this SPF thing spawns from is that spammers try to
> relay through my SMTP servers (which also serve mx-backup for servers
> within our network).
>
> While spammers use fake sender e-mail addresses and try to send mail to
> recipients that are not within $mynetworks, they get denied and a bounce
> message is sent back to that fake sender-address. Because this is often
> yahoo.com, hotmail.com and similar sender-addresses, my SMTP servers risk
> being blacklisted due to user complaints (the "victims" of fake
> sender-addresses) at these domains.
>
> This is the issue I actually am trying to eliminate in the most
> efficient way..

Then you need to check SPF and do full recipient validation on those servers.

Scott K


roj at mvb

Jun 11, 2008, 6:18 AM

Post #11 of 12 (3471 views)
SV: SV: SV: SV: SV: postfix-policyd-spf-perl with postfix help?

So if I move the policy server on top of smtpd_recipient_restrictions
clause before "permit_mynetworks", both inbound and outbound mail will
be SPF checked..

Would that do the trick or cause other problems?

/jack


scott at kitterman

Jun 11, 2008, 6:38 AM

Post #12 of 12 (3465 views)
Re: SV: SV: SV: SV: SV: postfix-policyd-spf-perl with postfix help?

On Wednesday 11 June 2008 09:18, Ronni Jensen wrote:
> So if I move the policy server on top of smtpd_recipient_restrictions
> clause before "permit_mynetworks", both inbound and outbound mail will
> be SPF checked..
>
> Would that do the trick or cause other problems?

You need to check it on each server after permit_mynetworks.

If you check it on outbound mail, it'll check SPF based on each workstation's
IP. This is not what you want.

Scott K
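
Posts #2, #8 and #12 all turn on the same point: SPF judges the IP address of the connecting client, so the result depends on where in the path the check runs and on how the record ends. The following is an added example, not code from the thread or from postfix-policyd-spf-perl: a minimal evaluator covering only the ip4, ip6 and all mechanisms (no DNS lookups, include, a or mx), run over constructed records and documentation-range addresses, with rejection only on fail as described in the thread.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate a small SPF subset (ip4, ip6, all) against the connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # a bare mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                    # always matches, ends evaluation
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError("mechanism outside this subset: " + term)
        network = ipaddress.ip_network(arg, strict=False)
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched

def smtp_decision(result):
    """Reject only on 'fail', as described in the thread; softfail is accepted."""
    return "reject" if result == "fail" else "accept"

# Constructed records and addresses (assumptions for illustration only).
SOFT_RECORD = "v=spf1 ip4:192.0.2.0/24 ~all"     # sender domain, soft policy
STRICT_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"   # same domain, strict policy
OWN_RECORD = "v=spf1 ip4:198.51.100.1 -all"      # receiver's own domain
SENDER_MTA = "192.0.2.10"      # the sender domain's real outbound server
FORGER = "203.0.113.50"        # host forging the sender domain
SECONDARY_MX = "198.51.100.7"  # backup MX relaying to the primary
WORKSTATION = "10.0.0.23"      # internal client submitting outbound mail

def thread_scenarios():
    """Return {scenario: (spf_result, smtp_decision)} for the cases discussed."""
    cases = {
        "forged sender, record ends in ~all": (SOFT_RECORD, FORGER),
        "forged sender, record ends in -all": (STRICT_RECORD, FORGER),
        "genuine mail checked at the border": (STRICT_RECORD, SENDER_MTA),
        "genuine mail rechecked after secondary MX": (STRICT_RECORD, SECONDARY_MX),
        "outbound mail checked against workstation IP": (OWN_RECORD, WORKSTATION),
    }
    outcome = {}
    for label, (record, client_ip) in cases.items():
        result = check_spf(record, client_ip)
        outcome[label] = (result, smtp_decision(result))
    return outcome

if __name__ == "__main__":
    for label, (result, decision) in thread_scenarios().items():
        print(f"{label:46s} {result:9s} {decision}")
```

The last two rows are the failure modes warned about in the thread: genuine mail fails once the connecting IP is a relay or an internal workstation rather than the sender domain's own server.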

