Gentoo Linux: SPF Filtering for Postfix

Sender Policy Framework (SPF) is a method of preventing domain-name spoofing in email, for domains that bother to correctly set up an SPF record in their DNS.  Frequently, SPF filtering is listed as a way of preventing SPAM.  However, these days it really does very little to reduce SPAM - it simply makes it more difficult for a spammer to spoof a domain (making their SPAM appear to come from that domain).  Most spammers will simply send their SPAM either from a compromised computer in a domain, or spoof a domain that lacks a functional SPF setup.

Although SPF filtering will contribute very little to reducing SPAM on your mail server, you should still configure SPF filtering.  This will help prevent spoofing of domains which have valid SPF records and give your users some assurance that mail received from those domains is legitimate.  The setup is very straightforward as you will see below.

As a clarification, this article describes how to filter mail from other domains that have been configured for SPF (in their DNS records).  Even if your domain is not configured for SPF, you can still use this setup on your mail server.  This article does not describe how to configure your domain for SPF - it describes how to filter mail received from domains that have already been configured for SPF.  (But, if you have not already configured SPF for your domains, you should! - see the Wikipedia article)

There are several implementations of SPF filtering, in various languages, some already included in Gentoo.  My preference was to use the Perl implementation from the SPF homepage at http://www.openspf.org.

Installation is straightforward, with two possible options:

  • you can install the script by hand, using the simple steps shown below.
  • you can install the script using my ebuild.

Manual installation

Download the tar file from the downloads page.  You should now have a tar file:

postfix-policyd-spf-perl-<version>.tar.gz

where <version> is the version number of the file (2.010 at the time of this writing).

Extract the tarfile:

cd /tmp
tar xvpfz postfix-policyd-spf-perl-<version>.tar.gz

Copy the script into place:

cd postfix-policyd-spf-perl-<version>
cp postfix-policyd-spf-perl /usr/local/sbin/spfpolicy

(you can now remove the extracted tar file).

Create a new 'spfpolicy' unprivileged user for the daemon to run as:

useradd -M -r -d /dev/null -s /sbin/nologin spfpolicy

Package installation

If you would prefer to have spfpolicy installed as a package, you can use my ebuild which performs all of the above steps.  If you choose to use the ebuild, install it into your portage overlay directory in the standard way:

mkdir -p $PORTDIR_OVERLAY/mail-filter/spfpolicy
cp spfpolicy-<version>.ebuild $PORTDIR_OVERLAY/mail-filter/spfpolicy
cd $PORTDIR_OVERLAY/mail-filter/spfpolicy
ebuild spfpolicy-<version>.ebuild digest
emerge spfpolicy

where PORTDIR_OVERLAY has the same value as in your /etc/make.conf (or /etc/portage/make.conf if using the newer layout).

Configuration

Once the program is installed and the new user created, activate the policy in your Postfix configuration.

Update master.cf to provide the new policy service:

spfpolicy unix  -       n       n       -       0       spawn
  user=spfpolicy argv=/usr/sbin/spfpolicy

The above shows the location the ebuild installed the script to.  If you installed by hand, change the path to wherever you installed the script (/usr/local/sbin/spfpolicy in my example).

Update main.cf to use the new policy:

smtpd_recipient_restrictions =
  ...
  reject_unauth_destination,
  check_policy_service unix:private/spfpolicy,

Reload postfix:

/etc/init.d/postfix reload

If everything has gone well, you should now see lines like the following in your log file (/var/log/main.info):

Sep  5 12:55:31 your.hostname postfix/policy-spf[12127]: Policy action=PREPEND
Received-SPF: none (some.domain: No applicable sender policy available)
receiver=your.hostname; identity=mailfrom; envelope-from="from@some.domain";
helo=smtp.some.domain; client-ip=1.2.3.4
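To make clear what is passing over the private/spfpolicy socket, here is an added example (my own, not the postfix-policyd-spf-perl script) of the Postfix policy-delegation exchange the master.cf "spawn" entry and check_policy_service rely on: Postfix writes one block of name=value attributes per recipient, and the daemon answers with an action line such as the PREPEND Received-SPF seen in the log above.  The SPF lookup itself needs DNS, so it is replaced by a constructed table; the reject/defer/prepend mapping is my assumption about a reasonable policy, not something the script's documentation on this page states.

```python
"""Minimal Postfix policy-delegation server (added example, not the
postfix-policyd-spf-perl code): "name=value" lines in, "action=..." out."""
import sys
# Constructed stand-in for the DNS-based SPF check: client IP -> (result, why).
FAKE_SPF = {
    "1.2.3.4": ("none", "some.domain: No applicable sender policy available"),
    "10.9.8.7": ("fail", "some.domain: 10.9.8.7 is not a permitted sender"),
}

def fake_lookup(client_ip, sender, helo):
    return FAKE_SPF.get(client_ip, ("temperror", "SPF lookup failed"))

def parse_request(text):
    # One attribute block per RCPT; skip malformed lines, stop at the blank line.
    req = {}
    for line in text.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            req[name] = value
    return req

def policy_action(req, lookup, receiver):
    """Assumed policy: reject on fail, defer on temperror, otherwise prepend
    a Received-SPF header shaped like the log line on the page."""
    sender, helo, ip = (req.get(k, "") for k in
                        ("sender", "helo_name", "client_address"))
    result, why = lookup(ip, sender, helo)
    if result == "fail":
        return "REJECT " + why
    if result == "temperror":
        return "DEFER_IF_PERMIT " + why
    return ('PREPEND Received-SPF: %s (%s) receiver=%s; identity=mailfrom; '
            'envelope-from="%s"; helo=%s; client-ip=%s'
            % (result, why, receiver, sender, helo, ip))

def handle(text, lookup=fake_lookup, receiver="your.hostname"):
    # Whole request text in, whole reply text out (reply ends with a blank line).
    return "action=%s\n\n" % policy_action(parse_request(text), lookup, receiver)

def serve(inp=sys.stdin, out=sys.stdout):
    # Under the master.cf "spawn" entry, stdin/stdout are the policy socket.
    buf = []
    for line in inp:
        buf.append(line)
        if line == "\n":
            out.write(handle("".join(buf))); out.flush(); buf = []

if __name__ == "__main__":
    serve()
```

Note that a policy daemon of this kind never touches the message body; it decides purely on the envelope attributes Postfix hands it, which is why it belongs in smtpd_recipient_restrictions after reject_unauth_destination.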

You are now SPF filtering your incoming mail!