Is it possible to require certain domains to come from certain IPs in postfix?

Wayne Werner asked:

I’m running postfix 3.1 and I just got some email from 183.8.202.206 that said it came from gmail. A quick lookup shows that unless Google has been sold to ChinaNet, that’s probably a lie.

Most of the spam that I get comes from a mismatched IP and domain name – is there a way to configure postfix to say something like, “Only accept email from gmail/yahoo/outlook/hotmail addresses if it comes from these IP addresses”?

I’ve read the postfix docs time and time again, but I don’t recall seeing that as a possibility.

My answer:


This is the problem that SPF solves, and you can integrate it into Postfix with one of two SPF validating daemons for Postfix. The Python version is probably the best choice.

The installation will vary a bit depending on your Linux distribution, but in general you’ll do what’s in Ubuntu’s tutorial:

In /etc/postfix/main.cf you will need to add the following line (it doesn’t matter where; usually they get added to the end).

policy-spf_time_limit = 3600s

This ups the policy time limit so the policy server won’t time out while a message is still being processed.

Add this section to /etc/postfix/master.cf for the Python script

policy-spf  unix  -       n       n       -       -       spawn
     user=nobody argv=/usr/bin/policyd-spf

or for the Perl script

policy-spf  unix  -       n       n       -       -       spawn
     user=nobody argv=/usr/sbin/postfix-policyd-spf-perl

Finally, you need to add the policy service to your smtpd_recipient_restrictions in file /etc/postfix/main.cf:

smtpd_recipient_restrictions =
     ...
     permit_sasl_authenticated
     permit_mynetworks
     reject_unauth_destination
     check_policy_service unix:private/policy-spf
     ...

Note: Put the policy service after reject_unauth_destination to prevent unexpected responses from the policy service from making your system an open relay (this is recommended for all policy services). Moreover, put the policy service after you permit local senders. You only want SPF to check inbound mail from the internet, not outbound mail from your users.
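A condensed model of what the policy daemon does behind check_policy_service, as an added example that is not part of the original answer nor the code of policyd-spf: it parses one Postfix policy-delegation request, evaluates the sender domain against an SPF record, and returns the action line Postfix expects. The SPF records are constructed stand-ins for DNS TXT lookups (the gmail.com entry is not Google's real record), and only ip4 and all mechanisms are handled.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (offline example).
# A real policy daemon resolves these via DNS; the gmail.com entry is a stand-in.
SPF_RECORDS = {
    "gmail.com": "v=spf1 ip4:209.85.128.0/17 ip4:74.125.0.0/16 ~all",
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(ip, domain):
    """Minimal SPF evaluation: ip4 mechanisms and the 'all' mechanism only."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no (valid) SPF record published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            # IPv6 clients never match an ip4 network (ipaddress handles the mismatch)
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # include/a/mx need DNS and are skipped in this offline example
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no 'all' terminator


def parse_policy_request(raw):
    """Parse a Postfix policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def policy_action(raw_request):
    """Return the policy reply Postfix expects: reject on SPF fail, else record the result."""
    attrs = parse_policy_request(raw_request)
    domain = attrs.get("sender", "").rpartition("@")[2].lower()
    result = evaluate_spf(attrs.get("client_address", "0.0.0.0"), domain)
    if result == "fail":
        return f"action=REJECT SPF fail for {domain}\n\n"
    return f"action=PREPEND Received-SPF: {result}\n\n"
```

Because the reply is only consulted after reject_unauth_destination and the permit_* rules, a daemon bug that answered PREPEND for everything would still not turn the server into an open relay.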


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.