submission: Prospective SPF checking.

Cf. http://www.openspf.org/Best_Practices/Outbound .

2 files changed, 20 insertions, 0 deletions

diff --git a/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2 b/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2
new file mode 100644
index 0000000..2cc1074
--- /dev/null
+++ b/roles/MSA/templates/etc/postfix-policyd-spf-python/policyd-spf.conf.j2
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+debugLevel = 1
+TestOnly = 1
+
+HELO_reject = Softfail
+Mail_From_reject = Softfail
+
+PermError_reject = False
+TempError_Defer = False
+
+# We're just trying to keep our outgoing IPs clean of SPF violations,
+# not seeking 100% accurate reports.  While it's possible that the
+# message is routed through a different IP (eg, IPv4 vs v6), giving a
+# potentially inaccurate prospective report, it's quite unlikely in
+# practice.
+Prospective = {{ lookup('pipe', 'dig outgoing.fripost.org A +short | sort | head -n1') }}
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index a48a327..65a0339 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -33,40 +33,41 @@ multi_instance_enable = yes
 mydestination        =
 local_transport      = error:5.1.1 Mailbox unavailable
 alias_maps           =
 alias_database       =
 local_recipient_maps =
 
 message_size_limit  = 67108864
 recipient_delimiter = +
 
 # Forward everything to our internal outgoing proxy
 relayhost     = [{{ postfix_instance.out.addr | ipaddr }}]:{{ postfix_instance.out.port }}
 relay_domains =
 
 
 # Don't rewrite remote headers
 local_header_rewrite_clients     =
 # Avoid splitting the envelope and scanning messages multiple times
 smtp_destination_recipient_limit = 1000
 # Tolerate occasional high latency
 smtp_data_done_timeout           = 1200s
+policyd-spf_time_limit           = $ipc_timeout
 
 # Anonymize the (authenticated) sender; pass the mail to the antivirus
 header_checks  = pcre:$config_directory/anonymize_sender.pcre
 #content_filter = amavisfeed:unix:public/amavisfeed-antivirus
 
 
 # TLS
 smtp_tls_security_level         = none
 smtpd_tls_security_level        = encrypt
 smtpd_tls_ciphers               = high
 smtpd_tls_protocols             = !SSLv2, !SSLv3
 smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtpd_tls_cert_file             = $config_directory/ssl/smtp.fripost.org.pem
 smtpd_tls_key_file              = $config_directory/ssl/smtp.fripost.org.key
 smtpd_tls_dh1024_param_file     = /etc/ssl/dhparams.pem
 smtpd_tls_session_cache_database=
 smtpd_tls_received_header       = yes
 
 # SASL
 smtpd_sasl_auth_enable          = yes
@@ -90,33 +91,34 @@ address_verify_relayhost             =
 address_verify_sender_ttl            = 8069m
 address_verify_negative_refresh_time = 5m
 unverified_recipient_defer_code      = 250
 unverified_recipient_reject_code     = 550
 address_verify_map                   = lmdb:$data_directory/verify_cache
 address_verify_default_transport     = smtp_verify
 
 smtpd_client_restrictions =
     permit_sasl_authenticated
     reject
 
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
     reject_invalid_helo_hostname
 
 smtpd_sender_login_maps   = socketmap:unix:private/sender-login:sender_login
 smtpd_sender_restrictions =
     reject_non_fqdn_sender
     reject_unknown_sender_domain
     check_sender_access lmdb:$config_directory/check_sender_access
+    check_policy_service unix:private/policyd-spf
     reject_known_sender_login_mismatch
 
 smtpd_relay_restrictions =
     reject_non_fqdn_recipient
     reject_unknown_recipient_domain
     reject_unverified_recipient
     permit_sasl_authenticated
     reject
 
 smtpd_data_restrictions =
     reject_unauth_pipelining
 
 # vim: set filetype=pfmain :