Last updated: 2024-06-11
Introduction
Each time a Postfix SMTP server process is started it connects to the policy service socket and
Postfix runs one instance of this Python script.
By default, a Postfix SMTP server process terminates after 100 seconds of idle time,
or after serving 100 clients. Thus, the cost of starting this
Python script is smoothed over time.
Contents
- Install
- Postfix Settings
- Logs
Install
CentOS 6
yum install pypolicyd-spf # epel
Configuration File
/etc/python-policyd-spf/policyd-spf.conf
Program Location
/usr/libexec/postfix/policyd-spf
Help
- man policyd-spf
- man policyd-spf.conf
Ubuntu 20.04
apt install postfix-policyd-spf-python
Configuration File
/etc/postfix-policyd-spf-python/policyd-spf.conf
Settings (policyd-spf.conf)
# CentOS 7
/etc/python-policyd-spf/policyd-spf.conf
# My Settings
HELO_reject = No_Check
Mail_From_reject = Fail
# TestOnly = 0 turns on test-only mode (headers are added, nothing is rejected);
# the default, 1, enforces rejection. See man policyd-spf.conf
TestOnly = 0
PermError_reject = False
TempError_Defer = False

# local address
# An "x-header" is prepended indicating SPF checks were skipped
skip_addresses = 127.0.0.0/8,192.168.0.0/16

# trusted relays(mx server)
# An x-header is prepended indicating the IP was whitelisted
Whitelist = x.x.x.x,y.y.y.y

# 0, then the policy server logs errors only.
# 1, just basic policy results and errors generated through the policy server
# ...
# 4, logs the complete data set received by Postfix via the policy interface
debugLevel = 0
Explanation
HELO_reject
No_Check - Never check HELO
Mail_From_reject
Fail (default) - Reject on Mail From Fail
PermError_reject
False - Treat PermError the same as no SPF record at all
TempError_Defer
False - Treat TempError the same as no SPF record at all
When debugLevel is not 0, the log contains:
... policyd-spf[8543]: Starting
... policyd-spf[8543]: Read line: "request=smtpd_access_policy"
... policyd-spf[8543]: Read line: "protocol_state=RCPT"
... policyd-spf[8543]: Read line: "protocol_name=SMTP"
... policyd-spf[8543]: Read line: "client_address=R.R.R.R"
Postfix Settings
/etc/postfix/master.cf
# CentOS
# policyd-spf
policyd-spf  unix  -       n       n       -       0       spawn
  user=nobody argv=/usr/libexec/postfix/policyd-spf
# Debian
# policyd-spf
policyd-spf  unix  -       n       n       -       0       spawn
  user=policyd-spf argv=/usr/bin/policyd-spf
/etc/postfix/main.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_inet_interfaces,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/rbl_override_whitelist,
    check_policy_service unix:private/policyd-spf,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,

# timeout of checking a SPF record
policyd-spf_time_limit = 60
postfix reload
Checking
ls -l /var/spool/postfix/private/policyd-spf
srw-rw-rw- 1 postfix postfix 0 Jun 11 17:55 /var/spool/postfix/private/policyd-spf
Logs
# log of a rejection
... postfix/smtpd[27956]: NOQUEUE: reject: RCPT from ssss.ctinets.com[s.s.s.s]: 550 5.7.1 <postmaster@mydomain>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=sender@domain;ip=s.s.s.s;r=postmas... from=<sender@domain> to=<postmaster@mydomain> proto=ESMTP helo=<[192.168.88.150]>
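Added example (not part of the original notes, and not code from policyd-spf or Postfix): a small Python parser that pulls SPF rejects in the format above out of a mail log and counts them per client IP and per envelope sender domain. The sample lines are constructed with documentation addresses; the names SAMPLE_LOG, spf_rejects and summarize are hypothetical. The "Why?" URL in the reject text contains ";" characters, so the parser anchors on the trailing from=<...> to=<...> fields instead of splitting on ";".

```python
import re
from collections import Counter

# Constructed sample lines in the format of the reject log above
# (documentation addresses and example domains, not real traffic).
SAMPLE_LOG = """\
Jun 11 18:01:02 mx postfix/smtpd[27956]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.7.1 <postmaster@example.org>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=a@example.com;ip=203.0.113.7;r=postmaster@example.org; from=<a@example.com> to=<postmaster@example.org> proto=ESMTP helo=<[192.168.88.150]>
Jun 11 18:01:09 mx postfix/smtpd[27956]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.7.1 <info@example.org>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=b@example.com;ip=203.0.113.7;r=info@example.org; from=<b@example.com> to=<info@example.org> proto=ESMTP helo=<[192.168.88.150]>
Jun 11 18:02:30 mx postfix/smtpd[27960]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 554 5.7.1 Service unavailable; Client host [198.51.100.9] blocked using zen.spamhaus.org; from=<c@example.net> to=<info@example.org> proto=ESMTP helo=<mail.example.net>
Jun 11 18:03:00 mx postfix/smtpd[27961]: connect from mail.example.net[198.51.100.9]
"""

# Fields of a Postfix smtpd "NOQUEUE: reject" line. The greedy text group
# backtracks to the last " from=<", so ";" inside the URL is harmless.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ "
    r"(?P<text>.*) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>.*)>$"
)
# Reject text as it appears in the log line on this page.
SPF_MARKER = "Message rejected due to: SPF"


def spf_rejects(log_text):
    """Yield one dict per SPF reject; RBL rejects and other lines are skipped."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and SPF_MARKER in m.group("text"):
            yield m.groupdict()


def summarize(log_text):
    """Count SPF rejects per client IP and per envelope sender domain."""
    by_ip, by_domain = Counter(), Counter()
    for rec in spf_rejects(log_text):
        by_ip[rec["ip"]] += 1
        by_domain[rec["sender"].rpartition("@")[2].lower()] += 1
    return by_ip, by_domain


if __name__ == "__main__":
    ips, domains = summarize(SAMPLE_LOG)
    for ip, n in ips.most_common():
        print(f"{n:5d}  {ip}")
    for dom, n in domains.most_common():
        print(f"{n:5d}  {dom}")
```

To run it against a real log, pass the contents of the mail log file to summarize() instead of SAMPLE_LOG.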