Even though spammers may not have got round to forging mail from my domain yet, I'm publishing an SPF TXT record in DNS:
# dig txt ipv6.kutukupret.com +short
"v=spf1 ip6:2001:470:19:13c::2 -all"
I don't even know who is going to validate my SPF record anyway.
But for curiosity's sake, I'm continuing to set up SPF on my IPv6 Postfix SMTP server. First I need to publish the SPF TXT record:
ipv6.kutukupret.com. 86400 IN SPF "v=spf1 ip6:2001:470:19:13c::2 -all"
For the checker I'm using postfix-policyd-spf-perl, which can be downloaded from http://www.openspf.org/Software. The following Perl version and packages are required to run postfix-policyd-spf-perl:
- Perl 5.6
- NetAddr-IP 4
- Mail-SPF (not Mail-SPF-Query)
- perl-Net-DNS >= 0.65
- perl-Net-IP >= 1.25
Test the postfix-policyd-spf-perl script first, to make sure it works with IPv6 addresses. The request is fed on stdin in the Postfix policy-delegation format (one attribute per line, terminated by an empty line):
# ./postfix-policyd-spf-perl
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=mx.ipv6.kutukupret.com
queue_id=
instance=71b0.45e2f5f1.d4da1.0
sender=henet@ipv6.kutukupret.com
recipient=hari.h@ipv6.kutukupret.com
client_address=2001:470:19:13c::2
client_name=another.domain.tld

action=PREPEND Received-SPF: pass (ipv6.kutukupret.com: 2001:470:19:13c::2 is authorized to use 'henet@ipv6.kutukupret.com' in 'mfrom' identity (mechanism 'ip6:2001:470:19:13C::2' matched)) receiver=unknown; identity=mailfrom; envelope-from="henet@ipv6.kutukupret.com"; helo=mx.ipv6.kutukupret.com; client-ip="2001:470:19:13c::2"
As we can see, when the message comes from my own IP (the client_address published in DNS), the check passes. Now do it again with a different client_address:
# ./postfix-policyd-spf-perl
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=mx.ipv6.kutukupret.com
queue_id=
instance=71b0.45e2f5f1.d4da1.0
sender=henet@ipv6.kutukupret.com
recipient=hari.h@ipv6.kutukupret.com
client_address=2001:4860:c004::68
client_name=another.domain.tld

action=550 Please see http://www.openspf.org/Why?s=mfrom;id=henet%40ipv6.kutukupret.com;ip=2001%3A4860%3Ac004%3A%3A68;r=unknown
Rejected! 2001:4860:c004::68 is not me.
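To show what the policy daemon is doing in the two tests above, here is an added Python example (not the page's or the postfix-policyd-spf-perl project's code) that parses a Postfix policy request and evaluates the ip4/ip6/all mechanisms against an inline copy of the record instead of querying DNS. The SPF_RECORDS table and REQUEST_FROM_MY_HOST text are constructed from the values shown on this page.

```python
import ipaddress
# Constructed DNS stand-in: the page's record; domains missing here have no policy (cf. netbsd.org).
SPF_RECORDS = {"ipv6.kutukupret.com": "v=spf1 ip6:2001:470:19:13c::2 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed request in Postfix policy-delegation format: key=value lines
# terminated by an empty line (same attributes as the manual test above).
REQUEST_FROM_MY_HOST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "sender=henet@ipv6.kutukupret.com\nrecipient=hari.h@ipv6.kutukupret.com\n"
    "client_address=2001:470:19:13c::2\nclient_name=another.domain.tld\n\n"
)

def parse_policy_request(raw):
    """Split one policy request into an attribute dict; stop at the empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs

def check_spf(record, client_ip):
    """Evaluate ip4/ip6/all mechanisms (all this page's record uses) left to right."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        mech, _, arg = term.partition(":")
        # bare ip6:addr means /128; an ip4 network never contains an IPv6 client
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no "all" term

def policy_action(raw_request):
    """Return the action line the policy service hands back to smtpd."""
    attrs = parse_policy_request(raw_request)
    domain, ip = attrs["sender"].rpartition("@")[2].lower(), attrs["client_address"]
    record = SPF_RECORDS.get(domain)
    if record is None:
        return f"PREPEND Received-SPF: none ({domain}: No applicable sender policy available)"
    result = check_spf(record, ip)
    if result == "fail":
        return f"550 SPF check failed: {ip} is not authorized to use {attrs['sender']}"
    return f"PREPEND Received-SPF: {result} ({domain}: client-ip {ip})"
```

Swapping the client_address for 2001:4860:c004::68 reproduces the 550 from the second test, and a sender at a domain with no entry yields the "none" result seen in the log further down.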
Installing
1. Copy postfix-policyd-spf-perl to /usr/local/bin/policyd-spf-perl
2. Add the following to /etc/postfix/master.cf:
policy unix - n n - 0 spawn
  user=nobody argv=/usr/local/lib/policyd-spf-perl
(The continuation line must start with whitespace, and the argv path must point at wherever you copied the script in step 1.)
3. Configure the Postfix policy service in /etc/postfix/main.cf:
smtpd_recipient_restrictions =
...
reject_unauth_destination
check_policy_service unix:private/policy
...
NOTES: Specify check_policy_service AFTER reject_unauth_destination or else your system can become an open relay. The user 'nobody' is used in this example. This is appropriate if you do not have any other services running as nobody. If you do, create a dedicated user for this service and use it instead.
4. Add "policy_time_limit = 3600" to main.cf
5. Restart Postfix.
Example SPF log:
Aug 8 15:31:19 fire sqlgrey: perf: spent 0s cleaning: from_awl (0) domain_awl (0) connect (0)
Aug 8 15:31:19 fire sqlgrey: grey: domain awl match: updating 4f8(2001:4f8:3:7:2e0:81ff:fe52:9ab6), netbsd.org
Aug 8 15:31:20 fire postfix/policy-spf[25069]: : SPF none (No applicable sender policy available): Envelope-from: bounces-netbsd-users-owner-hari.h=ipv6.kutukupret.com@NetBSD.org
Aug 8 15:31:20 fire postfix/policy-spf[25069]: handler sender_policy_framework: is decisive.
Aug 8 15:31:20 fire postfix/policy-spf[25069]: : Policy action=PREPEND Received-SPF: none (netbsd.org: No applicable sender policy available) receiver=unknown; identity=mailfrom; envelope-from="bounces-netbsd-users-owner-hari.h=ipv6.kutukupret.com@NetBSD.org"; helo=mail.netbsd.org; client-ip="2001:4f8:3:7:2e0:81ff:fe52:9ab6"
netbsd.org does not publish an SPF record, so the result is "none" and the message is accepted with a Received-SPF header prepended.
This helped me to accomplish my project with ease
As an alternative, you can link libspf2 to postfix directly:
http://blog.vx.sk/archives/10-SPF-patch-for-Postfix-271.html
I've visited your blog, it seems interesting, haven't tested it yet though.
I'll try it when I get some spare time..
You should be using the DNS SPF RR-type, not a TXT record.
RFC 4408: The use of TXT was meant as a transitional device until SPF gained its own record type assignment, which happened back in 2006 when the IANA acted on the request. This is 2010: No SPF records should be using TXT RR-types (unless also represented by an SPF RR-type), and even then, the TXT record is deprecated.
Thanks for your comment, I guess you're right about that.