Home / server / Questions / 963228
Accepted
davidgo
Asked: 2019-04-16 22:24:06 +0800 CST

How to build a whitelist of domains we ignore SPF check for in Postfix

  • 772

My question would seem to be the opposite of How to setup postfix to check SPF record only for domains that i want to check -

How would I go about modifying my Postfix server so that it checks SPF for incoming emails by default, but allows me to retain a whitelist of domains that can bypass the check?

My main.conf file includes a stanza :

smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10031,
                permit_mynetworks, 
                permit_sasl_authenticated,
                reject_unauth_destination,
                check_policy_service unix:private/spfpolicy

(10031 is policyd, btw)

My master.conf file includes a stanza :

spfpolicy       unix    -       n       n       -       -       spawn
        user=nobody argv=/usr/bin/perl /usr/sbin/postfix-policyd-spf-perl
postfix

1 Answers

  1. Best Answer

    I'm using this method.

    I have a list with white-listed and black-listed domains:

    /etc/postfix/sender_checks

    example.com REJECT Spam detected
example.org REJECT Spam detected
example.net OK

    This file has to be hashed when it is changed.

    postmap /etc/postfix/sender_checks

    The hash map is referenced with check_sender_access in the smtpd_recipient_restrictions directive:

    smtpd_recipient_restrictions =
  reject_invalid_hostname
  reject_unknown_recipient_domain
  reject_unauth_pipelining
  reject_non_fqdn_sender
  reject_unknown_sender_domain
  reject_non_fqdn_recipient
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
  check_sender_access hash:/etc/postfix/sender_checks
  reject_rbl_client ix.dnsbl.manitu.net,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client b.barracudacentral.org,
  reject_rbl_client dnsbl-1.uceprotect.net,
  check_policy_service unix:private/policy-spf,
  check_recipient_access hash:/etc/postfix/custom_replies

    You can move the check_sender_access check further to the front if you need to.

    • 2