6

I have configured my Postfix to reject email sent from hosts without a PTR record and hostnames that don't have an A record. I found there are legitimate mail servers with valid SPF records which don't have an A record for their hostname. As a result, the legitimate emails were rejected.

Is there a way to configure Postfix to accept email with a valid SPF record even if there's no A record for the hostname or there's no PTR record for the IP address?

kubanczyk
LinuxBabe
  • You mean is there a way to remove the configuration you already put in? – 84104 May 25 '18 at 02:53
  • @84104 I mean I want postfix to first check SPF record, if SPF pass, accept email, don't check PTR or A record. If no SPF record, then check PTR record and A record. If no PTR record or A record, reject the email. – LinuxBabe May 25 '18 at 03:40
  • SPF alone is not a panacea when it comes to filtering out spam. It helps to protect against address spoofing, but not spam. – VL-80 May 25 '18 at 13:44

2 Answers

8

This could be possible if `check_policy_service` responded `permit` (from access(5) other actions) instead of neutral accept action `OK` vs. reject action `reject`. That would need modification to the SPF policy service `policyd-spf.conf`. Although I have never actually tried this, based on the manpage it seems that the Pass condition for both HELO and MAIL FROM allows using ANY action defined in access(5). Resulting configuration parameters in `policyd-spf.conf`:

HELO_pass_restriction = permit
Mail_From_pass_restriction = permit

Now, the order of the restrictions starts to matter as SPF policy service answers:

  • reject on SPF Fail
  • permit on SPF Pass
  • neutral OK on all other conditions including errors, Softfail, Neutral and no SPF.

Then, the Postfix main.cf can have all your restrictions in this kind of order:

smtpd_recipient_restrictions =
    permit_mynetworks,

    [checks done regardless of SPF],

    check_policy_service unix:private/policy-spf,

    [checks done only if SPF didn't either Pass or Fail],

    permit

Both permit and reject are first matches mentioned in smtpd_recipient_restrictions

Restrictions are applied in the order as specified; the first restriction that matches wins

while the neutral response from any restriction causes moving to the next one.

Esa Jokinen
  • I've never tried this because my preferred order wouldn't make sense with direct `permit` on SPF `Pass`. My order: 1) Generic tests. 2) Local access lists. 3) SPF 4) hand picked RBLs, widest first. This way I can limit unnecessary RBL checks. – Esa Jokinen May 25 '18 at 08:45
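
The ordering this answer describes can be checked with a small model. This is an added example, not part of the original answer and not Postfix or policyd-spf code; `require_ptr`, `require_a` and the sample clients are constructed stand-ins for whatever PTR and A-record restrictions the real list contains.

```python
# Added model of "first match wins" evaluation; not Postfix or policyd-spf code.
PERMIT, REJECT, NEUTRAL = "permit", "reject", "neutral"

def spf_policy(pass_action):
    """Stand-in for the SPF policy service as the answer describes it:
    Fail -> reject, Pass -> pass_action, anything else -> neutral."""
    def check(client):
        if client["spf"] == "Fail":
            return REJECT
        if client["spf"] == "Pass":
            return pass_action
        return NEUTRAL  # Softfail, Neutral, None, errors
    return check

def require_ptr(client):
    # Hypothetical stand-in for a "reject if no PTR record" restriction.
    return NEUTRAL if client["has_ptr"] else REJECT

def require_a(client):
    # Hypothetical stand-in for a "reject if hostname has no A record" restriction.
    return NEUTRAL if client["has_a"] else REJECT

def evaluate(restrictions, client):
    """Walk the list in order; the first non-neutral answer decides."""
    for restriction in restrictions:
        verdict = restriction(client)
        if verdict != NEUTRAL:
            return verdict
    return PERMIT  # the trailing "permit" that closes the list

# Constructed sample clients (not real hosts).
SAMPLES = {
    "spf_pass_no_dns":  {"spf": "Pass", "has_ptr": False, "has_a": False},
    "no_spf_no_ptr":    {"spf": "None", "has_ptr": False, "has_a": True},
    "no_spf_good_dns":  {"spf": "None", "has_ptr": True,  "has_a": True},
    "spf_fail_good_dns": {"spf": "Fail", "has_ptr": True,  "has_a": True},
}

def verdicts(pass_action):
    chain = [spf_policy(pass_action), require_ptr, require_a]
    return {name: evaluate(chain, c) for name, c in SAMPLES.items()}

if __name__ == "__main__":
    for label, action in (("Pass -> neutral", NEUTRAL), ("Pass -> permit", PERMIT)):
        print(label, verdicts(action))
```

Only the `spf_pass_no_dns` verdict changes between the two runs. With `permit` on Pass, every later restriction is skipped for any sender domain that publishes a matching SPF record, which is the limitation the comment under the question points out.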
4

Quote from the Postfix documentation:

Restrictions are applied in the order as specified; the first restriction that matches wins

So no, it's not possible. If only one of the restrictions matches, it results in the mail being rejected; the order doesn't matter.

Gerald Schneider
  • That's with `policyd-spf` default configuration: you can't do this with Postfix configuration alone. However, see from my answer how this might be possible by modifying `policyd-spf.conf`. – Esa Jokinen May 25 '18 at 08:23