Wayne Werner asked:
I’m running postfix 3.1 and I just got some email from 18.104.22.168 that said it came from gmail. A quick lookup shows that unless Google has been sold to ChinaNet, that’s probably a lie.
Most of the spam that I get comes from a mismatched IP and domain name – is there a way to configure postfix to say something like, “Only accept email from gmail/yahoo/outlook/hotmail addresses if it comes from these IP addresses”?
I’ve read the postfix docs time and time again, but I don’t recall seeing that as a possibility.
The installation will vary a bit depending on your Linux distribution, but in general you’ll do what’s in Ubuntu’s tutorial:
In /etc/postfix/main.cf you will need to add the following line (it doesn’t matter where, usually they get added to the end.
policy-spf_time_limit = 3600s
This changed the ups the policy time limit so the policy server won’t time out while a message is still being processed.
Add this section to /etc/postfix/master.cf for the Python script
policy-spf unix - n n - - spawn user=nobody argv=/usr/bin/policyd-spf
or for the Perl script
policy-spf unix – n n – – spawn
Finally, you need to add the policy service to your smtpd_recipient_restrictions in file /etc/postfix/main.cf:
smtpd_recipient_restrictions = ... permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy-spf ...
Note: Put the policy service after reject_unauth_destination to prevent unexpected responses from the policy service from making your system an open relay (this is recommended for all policy services). Moreover, put the policy service after you permit local senders. You only want SPF to check inbound mail from the internet, not outbound mail from your users.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.