postfix-mta: Milter for SPF?

Question

Is it possible to use a milter under postfix to implement SPF?

It seems to me that this would not be possible, because of the way that postfix manages milters.

According do the postfix docs, the milter goes here in the message-processing chain:

Network => postfix smptd process => MILTER => postfix smtpd process => etc.

Given that the milter gets its message from the postfix smtpd, the milter will see its initial connection coming from postfix's IP address. This would mean that the milter has no knowledge of the original sender's IP address.

SPF needs the sender's IP, so it seems like it would be impossible to perform a proper SPF validation from within a postfix milter.

This seems to be exactly what is happening when I install a test milter into my postfix server.

Am I correct about this, or has anyone been able to implement SPF via a postfix milter?

Thanks in advance.

For SPF verification, you don't need milter, a policy service is enough and trivial to setup. — AnrDaemon, Feb 22 '19 at 20:05

score 0 · Answer 1 · answered Apr 27 '16 at 18:39

0

Sendmail/Postfix executes callback provided by given milter during incoming SMTP session. Postfix may reject some SMTP command based on results of the callbacks.

Postfix before-queue Milter support

Postfix implements support for the Sendmail version 8 Milter (mail filter) protocol. This protocol is used by applications that run outside the MTA to inspect SMTP events (CONNECT, DISCONNECT), SMTP commands (HELO, MAIL FROM, etc.) as well as mail content (headers and body). All this happens before mail is queued.

https://en.wikipedia.org/wiki/Milter

answered Apr 27 '16 at 18:39

AnFi

10,493
3
23
47

Yes, this is all part of the postfix Milter documentation, which I read before posting my original query. The question has to do specifically with whether the sender's IP address is available to a Miilter running under postfix. The IP address that postfix supplies to the Milter is the address of the postfix prequeue SMTPD process which passes the message to the Milter, not that of the original sender. The original sender's IP address is needed for proper SPF processing. If I could get the sender's IP address into the Milter, this would be enough information for the Milter to implement SPF. – HippoMan Apr 28 '16 at 12:08
See {client_addr} -> http://www.postfix.org/MILTER_README.html . It contains IP address of the remote end of SMTP TCP connection served by MTA/postfix/sendmail. Anyway there are milter based implementations of SPF checks -> http://www.openspf.org/Software – AnFi Apr 28 '16 at 13:26

HippoMan · Accepted Answer · 2016-04-28T16:57:42.067

OK. I understand the issue better now. Apparently, the milter implementation I'm using is not properly setting {client_addr}. I will assume that my issue is that of the underlying milter implementation that I'm using (a recent version of pymilter).

Also, I figured out that I can work around this issue as follows: postfix puts the client's hostname and IP address into the topmost "Received" header that it sets before sending the message to the milter. I can therefore parse this first "Received" header in the milter to get the client address that I need for SPF.

postfix-mta: Milter for SPF?

2 Answers2