Postfix SPF readme ------------------- SPF patch by Dean Strik, partly based on Shevek's spfmilter code. Official site: http://www.ipnet6.org/postfix/spf/ License: Secure Mailer License (Postfix License) ---- This document describes how to configure Postfix to use SPF ("Sender Policy Framework") validation. It does not describe the function or design of SPF itself. Refer to one or more of the websites listed at the end of this text for more information. The actual SPF validation is offloaded to a special library called libspf2. It is therefore necessary that you install libspf2 on your system. You can find libspf2 either in your usual package repository or at http://www.libspf2.org/. To build Postfix, after installing libspf2, use something like: % make tidy % make makefiles CCARGS="-I/usr/local/include" \ AUXLIBS="-L/usr/local/lib -lspf2" % make The pathnames here are the default pathnames used by libspf2's installation procedure, which is not documented here. SPF sender validation is implemented using a standard Postfix restriction, called "reject_spf_invalid_sender". This means that you can put this restriction in e.g. your smtpd_recipient_restrictions. For more information on how to do this, consult your Postfix documentation. Postfix will by default add a mail header, Received-SPF:, to any mail passing the SPF validation. This information can be useful for the recipient of the message. You can disable this behaviour by setting 'spf_received_header = no'. By default, Postfix will reject mail with invalid sender credentials. You can however choose to prevent this from happening, and let the mail pass, by setting 'spf_mark_only = yes'. The Received-SPF: header (if enabled, see above) will show that the mail failed the test. You can set the numerical SMTP response code when rejecting mails due to SPF rule violations by changing the value of the 'spf_reject_code' variable (default: 550). If a site does provide SPF DNS records yet no explanation, a generic explanation will be used, with a URL to visit for more information. You can override this generic explanation by setting the spf_explanation setting, e.g.: spf_explanation = ""%{h} [%{i}] is not allowed to send mail for %{s}" See the SPF reference sites for information about the format used. It is also possible to set a local policy using the spf_local_policy setting. Currently the format is not documented here. There exists a global SPF whitelist on trusted-forwarder.org. You can enable use of this global whitelist by setting the variable 'spf_global_whitelist = yes'. ---- Bugs/problems/reports: the author of this patch, Dean Strik, can be contacted at . Site address: downloads and information with regard to this patch can be found at http://www.ipnet6.org/postfix/spf/ Links: http://www.ipnet6.org/postfix/spf/ - Patch home page http://spf.pobox.com/ - SPF background http://www.libspf2.org/ - LibSPF2 site http://www.trusted-forwarder.org/ - Global whitelist [Dean Strik , 5 Jul 2004]