Even though spammers may not have thought to do the email forgery yet, I’m publishing SPF txt record in dns.
# dig txt ipv6.kutukupret.com +short "v=spf1 ip6:2001:470:19:13c::2 -all"
I don’t even know whose gonna validate my spf record anyway 😀 But for the sake of my curiousity, i’m continue developing SPF on my ipv6 postfix smtp. first i need to publish spf txt record
ipv6.kutukupret.com. 86400 IN SPF "v=spf1 ip6:2001:470:19:13c::2 -all"
for the scanner, i’m using postfix-policyd-spf-perl, can be download at http://www.openspf.org/Software The following Perl version and packages are required for running postfix-policyd-spf-perl: Perl 5.6 NetAddr-IP 4 Mail-SPF (not Mail-SPF-Query) perl-Net-DNS >= 0.65 perl-Net-IP >= 1.25 Test the postfix-policyd-spf-perl script, just make sure it works with ipv6 address.
# ./postfix-policyd-spf-perl request=smtpd_access_policy protocol_state=RCPT protocol_name=SMTP helo_name=mx.ipv6.kutukupret.com queue_id= instance=71b0.45e2f5f1.d4da1.0 sender=henet@ipv6.kutukupret.com recipient=hari.h@ipv6.kutukupret.com client_address=2001:470:19:13c::2 client_name=another.domain.tld action=PREPEND Received-SPF: pass (ipv6.kutukupret.com: 2001:470:19:13c::2 is authorized to use 'henet@ipv6.kutukupret.com' in 'mfrom' identity (mechanism 'ip6:2001:470:19:13C::2' matched)) receiver=unknown; identity=mailfrom; envelope-from="henet@ipv6.kutukupret.com"; helo=mx.ipv6.kutukupret.com; client-ip="2001:470:19:13c::2"
as we can see, if i sent from my ip/client_address which published in dns, it’ll passed do it again with different ip/client_address
# ./postfix-policyd-spf-perl request=smtpd_access_policy protocol_state=RCPT protocol_name=SMTP helo_name=mx.ipv6.kutukupret.com queue_id= instance=71b0.45e2f5f1.d4da1.0 sender=henet@ipv6.kutukupret.com recipient=hari.h@ipv6.kutukupret.com client_address=2001:4860:c004::68 client_name=another.domain.tld action=550 Please see http://www.openspf.org/Why?s=mfrom;id=henet%40ipv6.kutukupret.com;ip=2001%3A4860%3Ac004%3A%3A68;r=unknown
rejected!!, 2001:4860:c004::68 is not me.
Installing
1. Copy postfix-policyd-spf-perl to /usr/local/bin/policyd-spf-perl
2. Add the following to /etc/postfix/master.cf:
policy unix - n n - 0 spawn user=nobody argv=/usr/local/lib/policyd-spf-perl
3. Configure the Postfix policy service in /etc/postfix/main.cf:
smtpd_recipient_restrictions = ... reject_unauth_destination check_policy_service unix:private/policy ...
NOTES: Specify check_policy_service AFTER reject_unauth_destination or else your system can become an open relay. The user ‘nobody’ is used in this example. This is appropriate if you do not have any other services running as nobody. If you do, create a dedicated user for this service and use it instead.
4. Add “policy_time_limit = 3600” to main.cf
5. Restart Postfix. example spf log
Aug 8 15:31:19 fire sqlgrey: perf: spent 0s cleaning: from_awl (0) domain_awl (0) connect (0) Aug 8 15:31:19 fire sqlgrey: grey: domain awl match: updating 4f8(2001:4f8:3:7:2e0:81ff:fe52:9ab6), netbsd.org Aug 8 15:31:20 fire postfix/policy-spf[25069]: : SPF none (No applicable sender policy available): Envelope-from: bounces-netbsd-users-owner-hari.h=ipv6.kutukupret.com@NetBSD.org Aug 8 15:31:20 fire postfix/policy-spf[25069]: handler sender_policy_framework: is decisive. Aug 8 15:31:20 fire postfix/policy-spf[25069]: : Policy action=PREPEND Received-SPF: none (netbsd.org: No applicable sender policy available) receiver=unknown; identity=mailfrom; envelope-from="bounces-netbsd-users-owner-hari.h=ipv6.kutukupret.com@NetBSD.org"; helo=mail.netbsd.org; client-ip="2001:4f8:3:7:2e0:81ff:fe52:9ab6"
netbsd.org not publishing spf record.
This helped me to accomplish my project with ease 😛
As an alternative, you can link libspf2 to postfix directly:
http://blog.vx.sk/archives/10-SPF-patch-for-Postfix-271.html
i’ve visit your blog, seems interesting, not testing it yet though.
i’l try it when i got spare time.. 🙂
You should be using the DNS SPF RR-type, not a TXT record.
RFC 4408: The use of TXT was meant as a transitional device until SPF gained its own record type assignment, which happened back in 2006 when the IANA acted on the request. This is 2010: No SPF records should be using TXT RR-types (unless also represented by an SPF RR-type), and even then, the TXT record is deprecated.
thanks for your comment, i guess you’re right about that.