Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- centos:mail_c6:mta_10 [18.03.2014 13:19. ] – [SRS - Sender Rewriting Scheme] django
+++ centos:mail_c6:mta_10 [22.07.2019 15:07. ] (aktuell) – Externe Bearbeitung 127.0.0.1
@@ Zeile 1: / Zeile 1: @@
 ====== SPF - Sender Policy Framework ======
 {{:centos:mail_c6:spf-logo-medium.png?nolink |SPF Logo}}
-Mit Hilfe von SPF((**S**ender **P**olicy **F**rameworks)) kann definiert werden, welche Mailserver für welche Domains eMails verschickt werden (können), oder nicht, oder anders ausgedrückt, soll das Fälschen von Absender-Angaben mit Hilfe von SPF erschwert werden. Genauer gesagt schreibt das SPF fest, welcher MTA((**M**ail **T**ransport **A**gent)) abgehend für den Versandt von e-Mails einer Domain zugelassen ist. Wichtige Hinweise zu SPF findet man bei Bedarf im **[[https://www.ietf.org/rfc/rfc4408.txt|RFC 4408]]** oder auch auf der Webseite von **[[http://www.openspf.org|openspf.org]]**.
+Mit Hilfe von SPF((**S**ender **P**olicy **F**rameworks)) kann definiert werden, welche Mailserver für welche Domains eMails verschickt werden (können), oder nicht, oder anders ausgedrückt, soll das Fälschen von Absender-Angaben mit Hilfe von SPF erschwert werden. Genauer gesagt schreibt das SPF fest, welcher MTA((**M**ail **T**ransport **A**gent)) abgehend für den Versandt von e-Mails einer Domain zugelassen ist. Wichtige Hinweise zu SPF findet man bei Bedarf in der überarbeiteten Version **[[https://www.ietf.org/rfc/rfc6652.txt|RFC 6652]]**((RFC 6652 aktualisiert [[https://www.ietf.org/rfc/rfc4408.txt|RFC 4408]])) oder auch auf der Webseite von **[[http://www.openspf.org|openspf.org]]**.
 Mit SPF soll hauptsächlich Absenderadressfälschungen verhindert werden, nicht jedoch direkt Spam zu bekämpfen. Dieses here Ziel wirft bei genauerer Betrachtung viele Fragen auf und erzeugt bei manchen Mailserver-Betreibern nicht gerade viel Begeisterungsstürme. Probleme tauchen mit unter bei Mailumleitungen, Mailinglisten und/oder WebFormularen auf. Auch wird bei sehr konservativen SPF-Definition die Möglichkeit verhindert, eMails mit eigener Absender-eMail-Adresse über einen dritten Rechner zu versenden. Es wäre also nur möglich eMails auch über den Mail-Server zu versenden, auf dem auch das Postfach liegt! Speziell auch Beim Versand über ein z.B. WebFormular, oder eine Web-Grußkarte über einen Drittanbieter wäre dann **kein Versand** mehr möglich!
@@ Zeile 55: / Zeile 55: @@
   * **include** Einbinden einer weiteren SPF-Abfrage.
-In der Regel wird man bei der Definition folgenden Festlegung treffen: //**eMails werden normalerweise immer von den IP-Adressen des zuständigen Mailserver versandt, können aber auch von anderen Servern verschickt werden.**// Als SPF-Record ergibt das dann "//**v=spf1 ip4:217.91.103.190/32 mx ?all**//" im Falle des Mailservers **mx01.nausch.org** mit der IP-Adresse: **217.91.103.190**
+In der Regel wird man bei der Definition folgenden Festlegung treffen: //**eMails werden normalerweise immer von den IP-Adressen des zuständigen Mailserver versandt, können aber auch von anderen Servern verschickt werden.**// Als SPF-Record ergibt das dann "//**v=spf1 mx ?all**//" im Falle des Mailservers **mx01.nausch.org**.
 Wir tragen also bei unserem zuständigen DNS entsprechend die richtigen Daten ein.
-   nausch.org                              IN      TXT     "v=spf1 ip4:217.91.103.190/32 mx ?all"
+   nausch.org                              IN      TXT     "v=spf1 mx ?all"
 Über die URL [[http://www.kitterman.com/spf/validate.html|SPF Record Testing Tools]] kann man online bei Bedarf testen, ob der SPF-Eintrag soweit richtig ist.
 ===== SPF-Bewertung bei der Mailannahme =====
-Neben der Befragung von [[centos:mail_c6:mta_3?&#access-dateien|Black-/White-Listen]], dem Nutzen von  [[centos:mail_c6:spam_1| Greylisting]] oder [[centos:mail_c6:spam_2|policyd-weight]], können wir **SPF** bei der Bewertung von eingehenden Sendungen heranziehen. Wir greifen bei der SPF-Bewertung auf den Postfix Poliyd-Daemon **pypolicyd-spf** einem Python-Script zurück. Wir finden diesen Daemon im [[centos:epel6|EPEL-Repository]].
+Neben der Befragung von [[centos:mail_c6:mta_3?&#access-dateien|Black-/White-Listen]], dem Nutzen von  [[centos:mail_c6:spam_1| Greylisting]] oder [[centos:mail_c6:spam_2|policyd-weight]], können wir auch **SPF** bei der Bewertung von eingehenden Sendungen heranziehen.
-==== Installation ====
+<WRAP round tip> \\ Auf den ersten Blick erscheint der Postfix Poliyd-Daemon **pypolicyd-spf** aus dem [[centos:epel6|EPEL-Repository]] eine leicht zu installierende und vielversprechende Möglichkeit zu sein. Betrachtet man **SPF** alleine, stimmt dies auch.
-Das RPM-Paket aus dem EPEL-Repository installieren wir am einfachsten mittels **yum**.
-   # yum install pypolicyd-spf
-Was uns das Paket alles mitbringt, zeigt uns wie immer der Aufruf von **rpm -qil <paketname>**
+Möchte man aber hingegen später **[[centos:mail_c6:mta_13|DMARC]]** bei der Bewertung von **[[centos:mail_c6:mta_10|SPF]] __und__ [[centos:mail_c6:mta_9|DKIM]]** einsetzen, so weicht man besser auf den SPF-Milter **smf-spf**.
-   # rpm -qil pypolicyd-spf
-<code>Name        : pypolicyd-spf                Relocations: (not relocatable)
-Version     : 1.2                               Vendor: Fedora Project
-Release     : 3.el6                         Build Date: Mon 12 Aug 2013 04:54:00 AM CEST
-Install Date: Sun 16 Mar 2014 10:33:12 AM CET      Build Host: buildvm-05.phx2.fedoraproject.org
-Group       : Unspecified                   Source RPM: pypolicyd-spf-1.2-3.el6.src.rpm
-Size        : 102907                           License: ASL 2.0
-Signature   : RSA/8, Wed 14 Aug 2013 05:28:11 PM CEST, Key ID 3b49df2a0608b895
-Packager    : Fedora Project
-URL         : https://launchpad.net/pypolicyd-spf
-Summary     : SPF Policy Server for Postfix (Python implementation)
-Description :
-pypolicyd-spf is a Postfix policy engine for Sender Policy Framework (SPF)
-checking. It is implemented in pure Python and uses the python-spf (pyspf)
-module.
-This SPF policy server implementation provides flexible options for different
+</WRAP>
-receiver policies and sender whitelisting to enable it to support a very wide
-range of requirements.
-/etc/python-policyd-spf
-/etc/python-policyd-spf/policyd-spf.conf
-/usr/lib/python2.6/site-packages/policydspfsupp.py
-/usr/lib/python2.6/site-packages/policydspfsupp.pyc
-/usr/lib/python2.6/site-packages/policydspfsupp.pyo
-/usr/lib/python2.6/site-packages/policydspfuser.py
-/usr/lib/python2.6/site-packages/policydspfuser.pyc
-/usr/lib/python2.6/site-packages/policydspfuser.pyo
-/usr/lib/python2.6/site-packages/pypolicyd_spf-1.2-py2.6.egg-info
-/usr/libexec/postfix/policyd-spf
-/usr/share/doc/pypolicyd-spf-1.2
-/usr/share/doc/pypolicyd-spf-1.2/CHANGES
-/usr/share/doc/pypolicyd-spf-1.2/COPYING
-/usr/share/doc/pypolicyd-spf-1.2/README
-/usr/share/doc/pypolicyd-spf-1.2/README.per_user_whitelisting
-/usr/share/doc/pypolicyd-spf-1.2/policyd-spf.conf.commented
-/usr/share/man/man1/policyd-spf.1.gz
-/usr/share/man/man5/policyd-spf.conf.5.gz
-/usr/share/man/man5/policyd-spf.peruser.5.gz
-</code>
-==== Hinweise zur Konfiguration ====
+==== Installation ====
-Hilfreiche Hinweise zur nötigen Konfiguration finden wir reichlich bei dem gut Dokumentiertem Projekt. Erste Anlaufstelle ist hierbei die Datei **README**.
+Als laden wir uns das aktuelle RPM auf unseren Server.
-   # less /usr/share/doc/pypolicyd-spf-1.2/README
+   # cd /usr/local/src/packages
-<code>Python Postfix Policy for SPF (python-policy-spf) 1.2
-Python based policy daemon for Postfix SPF checking
-Tumgreyspf source
- Copyright © 2004-2005, Sean Reifschneider, tummy.com, ltd.
- <jafo@tummy.com>
-python-policyd-spf changes
- Copyright © 2007-2012 Scott Kitterman <scott@kitterman.com>
-<https://launchpad.net/pypolicyd-spf>
-Documentation inputs:
- Copyright © 2004-2005, Sean Reifschneider, tummy.com, ltd.
- <jafo@tummy.com>
--2004 Meng Weng Wong <mengwong@pobox.com> from postfix-policyd-spf-perl
- Copyright © 2007-2013 Scott Kitterman <scott@kitterman.com>
-   Licensed under the Apache License, Version 2.0 (the "License");
+   # wget http://repository.nausch.org/public/x86_64/smf-spf-2.0.4-1.el6.x86_64.rpm
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-       http://www.apache.org/licenses/LICENSE-2.0
+Dann installieren wir das Paket.
+   # yum localinstall smf-spf-2.0.4-1.el6.x86_64.rpm
-   Unless required by applicable law or agreed to in writing, software
+Altenativ können wir das Paket natürlich auch direkt von [[http://repository.nausch.org/public/|Djangos Repository]] aus installieren.
-   distributed under the License is distributed on an "AS IS" BASIS,
+   # yum localinstall http://repository.nausch.org/public/x86_64/smf-spf-2.0.4-1.el6.x86_64.rpm
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-=================
+Ein Update des Paketes geht entsprechend der Installation.
+   # yum localupdate http://repository.nausch.org/public/x86_64/smf-spf-2.0.4-1.el6.x86_64.rpm
-This is python-policyd-spf, an external policy checker for the postfix mail
+Was uns das Paket alles mitbringt, zeigt uns wie immer der Aufruf von **rpm -qil <paketname>**
-server.  It will use pyspf to check SPF records to determine if email should
+   # rpm -qil smf-spf
-be rejected by your server.
+<code>Name        : smf-spf                      Relocations: (not relocatable)
+Version     : 2.0.4                             Vendor: django
-To install from the tar.gz (if this software has been packaged for your
+Release     : 1.el6                         Build Date: Tue 01 Apr 2014 10:39:14 PM CEST
-distribution, the packaged version is recommended and should be installed
+Install Date: Tue 01 Apr 2014 10:41:43 PM CEST      Build Host: vml010039.intra.nausch.org
-using your normal distribution packaging tools):
+Group       : System Environment/Daemons    Source RPM: smf-spf-2.0.4-1.el6.src.rpm
+Size        : 50591                            License: GPLv2+
-.  Extract the package from the tarball (tar -xvvzf ...)
+Signature   : (none)
-.  Enter the package directory (cd ...)
+Packager    : Django <django@nausch.org>
-.  python setup.py build
+URL         : http://smfs.sourceforge.net/smf-spf.html
-.  As root python setup.py install
+Summary     : Mail filter for Sender Policy Framework verification
+Description :
-It requires Python (python2.6, python2.7, or python3.2+), the pyspf
+smf-spf is a lightweight, fast and reliable Sendmail milter that implements the
-(python-spf) library version 2.0 or higher, and (for Python versions before
+Sender Policy Framework technology with the help of the libspf2 library. It
-python3.3, the ipaddr module - for python3.3 and later the built-in ipaddress
+checks SPF records to make sure that e-mail messages are authorized by the
-module is used).  If pyspf not available through your packaging system, it can
+domain that it is coming from. It's an alternative for the spfmilter,
-be downloaded from:
+spf-milter, and milter-spiff milters.
+/etc/mail/smfs
-http://sourceforge.net/projects/pymilter/
+/etc/mail/smfs/smf-spf.conf
+/etc/rc.d/init.d/smf-spf
-If ipaddr not available through your packaging system, it can be downloaded
+/usr/sbin/smf-spf
-from:
+/usr/share/doc/smf-spf-2.0.4
+/usr/share/doc/smf-spf-2.0.4/COPYING
-http://code.google.com/p/ipaddr-py/downloads/list
+/usr/share/doc/smf-spf-2.0.4/ChangeLog
+/usr/share/doc/smf-spf-2.0.4/README.md
-To use the optional RFC 5451 Authentication-Results header, the authres module
+/var/run/smfs
-is also needed.  It can be downloaded from pypi or from:
+/var/run/smfs/smf-spf.sock
-https://launchpad.net/authentication-results-python
-Nothing is configured by default, so this will not interact with Postfix until
-it has been set up.
-See man 1 policyd-spf for information on setting up and using this policy
-server.
-See man 5 policyd-spf.conf for configuration file information.
 </code>
-=== policyd-spf ===
+==== Konfiguration ====
-      # man policyd-spf
+Die Konfiguration des **smf-spf**-Daemons gestaltet sich vergleichsweise einfach und erfolgt lediglich mit Hilfe Der Datei //**/etc/mail/smfs/smf-spf.conf**//. In der Default-Konfiguration wird der Daemon über einen UNIX-Datei-Socket angesprochen. Diesen Parameter **Socket** weisen wir einem localen Port zu, über den wir später von Postfix aus, den SPF-Milter ansprechen wollen.
-<code>policy-spf(1)                                                    policy-spf(1)
-NAME
+Mit unserem Editor der Wahl, z.B. **vim** bearbeiten wir diese Konfigurationsdatei.
-       python-policyd-spf - pure-Python Postfix policy daemon for SPF checking
+   # vim /etc/mail/smfs/smf-spf.conf
-VERSION
+<file bash /etc/mail/smfs/smf-spf.conf># /etc/mail/smfs/smf-spf.conf
-.1.1
+#
+# smf-spf configuration file v2.0.2 (it's read at start)
+#
-USAGE
+# Whitelist by a sender IP address
-       NOTE: Depending on the packaging and distribution, the exact path to the executable may vary.
+#
+# The syntax is an IP address followed by a slash
+# and a CIDR netmask (if the netmask is omitted, /32 is assumed)
+#
+WhitelistIP	127.0.0.0/8
+WhitelistIP	10.0.0.0/8
+# Django : 2014-02-26
+# nicht benutzte (private) Netzbereiche entfernt
+# WhitelistIP	172.16.0.0/12
+# WhitelistIP	192.168.0.0/16
-       $ policyd-spf (Start using installed config file)
+# Whitelist by a sender PTR record (reverse DNS record)
+#
+# Performs a case insensitive substring match
+#
+#WhitelistPTR	.friendlydomain.tld
+#WhitelistPTR	friendlyhost.friendlydomain.tld
-       $ policyd-spf -h (Display usage message)
+# Whitelist by an envelope sender e-Mail address
+#
+# Performs a case insensitive substring match
+#
+#WhitelistFrom	friend@
+#WhitelistFrom	@friendlydomain.tld
+#WhitelistFrom	friend@friendlydomain.tld
-       $ policyd-spf /etc/policyd-spf/policyd-spf.conf (Config file name to use)
+# Whitelist by an envelope recipient e-Mail address
+#
+# Performs a case insensitive substring match
+#
+#WhitelistTo	postmaster@
+#WhitelistTo	@yourspamloverdomain.tld
+#WhitelistTo	spamlover@yourdomain.tld
-       Configuration options are described in the sample configuration file provided with the pack-
+# Refuse e-Mail messages at SPF Fail results (RFC-4408)
-       age (policyd-spf.conf.commented) and in policyd-spf.conf(5).  The provided setup.py installs
+#
-       an uncommented configuration file in /etc/policyd-spf/.
+# Default: on
+#
+#RefuseFail	on	# (on|off)
+#RefuseFail	off
-       Additionally, whitelisting certain IP addresses or IP addresses used by listed domains from
-       SPF checks is supported.  Skipping SPF checks for local submission or trusted relays is also
-       provided.  The sample configuration file and policyd-spf.conf(5) shows the format to use.
-OTHER DOCUMENTATION
+# Subject tagging of e-Mail messages at SPF SoftFail
-       This documentation assumes you have read Postfix’s README_FILES/ SMTPD_POLICY_README and are
+# and Fail (if RefuseFail set to off) results
-       generally familiar with Sender Policy Framework (SPF).  See RFC 4408 for details.
+#
+# Default: on
+#
+#TagSubject	on	# (on|off)
-       See man 5 policyd-spf.conf for configuration file information.
+# Subject tagging string
+#
+# Default: [SPF:fail]
+#
+#Tag		[SPF:fail]
-       man 5 policyd-spf.peruser provides documentation on setting up and using different configura-
+# Build a standard Received-SPF: header
-       tion options on a per user (mail reciepient) basis.
+#
+# Default: on
+#
+#AddHeader	on	# (on|off)
-SYNOPSIS
+# Quarantine of e-Mail messages at SPF SoftFail
-       python-policyd-spf is a Postfix SMTPd policy daemon for SPF checking.  It is implemented in
+# and Fail (if RefuseFail set to off) results
-       pure Python and uses the pyspf module.  The SPF web site is http://www.openspf.org/.  The
+#
-       Postfix configuration must be changed to check SPF.
+# Default: off
+#
+#Quarantine	off	# (on|off)
-DESCRIPTION
+# Quarantine mailbox
-       Logging is sent to syslogd.
+#
+# Default: postmaster
+#
+#QuarantineBox	postmaster
+#QuarantineBox	spambox@yourdomain.tld
-       Each time a Postfix SMTP server process is started it connects to the policy service socket
+# In-memory cache engine TTL settings
-       and Postfix runs one instance of this Python script.  By default, a Postfix SMTP server pro-
+#
-       cess terminates after 100 seconds of idle time, or after serving 100 clients.  Thus, the cost
+# The time is given in seconds, except if a unit is given:
-       of starting this Python script is smoothed over time
+# m for minutes, h for hours, and d for days
+# Specify zero to disable caching
+#
+# Default: 1h
+#
+#TTL		1h
-       The default policy_time_limit is 1000 seconds.  This may be too short for some SMTP transac-
+# Run as a selected user (smf-spf must be started by root)
-       tions to complete.  As recommended in SMTPD_POLICY_README, this should be extended to 3600
+#
-       seconds.  To do so, set "policy_time_limit = 3600" in /etc/postfix/main.cf.
+# Default: smfs
+#
+#User		smfs
-       Messages that get a Fail SPF result will be rejected.  Messages that get a Permerror are, by
+# Socket used to communicate with Sendmail daemon
-       default, treated as if they had no SPF record.  Messages that get a Temperror result are, by
+#
-       default, treated as if they had no SPF record, but can (and probably should) be deferred if
+# Default: unix:/var/run/smfs/smf-spf.sock
-       otherwise permitted.  Messages that get other SPF results (Pass, None, Neutral, Softfail)
+#
-       will have the SPF Received header prepended.  Note: Spamasassisn 3.2 and follow will use this
+#Socket		unix:/var/run/smfs/smf-spf.sock
-       header for spam scoring so there is no need to configure a separate SPF check in these Spa-
+# Django : 2014-03-25
-       massassin versions.  See Spamassassin documentation for details.
+Socket inet:10010@127.0.0.1
-       Default Mail From rejection/deferal criteria are, by design, conservative.  Default HELO
+# Facility for logging via Syslog daemon
-       check actions are to reject mail with other than Pass/None. HELO records are much simpler
+#
-       than Mail From records and rejecting based on HELO checking does not present a false positive
+# Default: mail
-       risk.  These settings are a matter of local policy and should be adjusted to meet the
+#
-       requirements of site administrators.  See policyd-spf.conf(5) for configuration file details.
+#Syslog		mail	# (daemon|mail|local0...local7)
-LOGGING
-       Policyd-spf will log messages to syslog about it’s activities.  The "debugLevel" value in
-       "policyd-spf.conf" can be increased to get additional information to be logged.  When set to
-       a value of "0", only test results (SPF hits/misses) are logged.  Results will be returned to
-       Postfix and logged as a warning by Postfix also.  For logging by this policy server, look for
-       "policyd-spf" in your mail log files.
-TESTING THE POLICY DAEMON
+</file>
-       Testing the policy daemon
-       To test the policy daemon by hand, execute:
+In der Konfigurationsdatei **main.cf** unseres Postfix-Mailserver tragen wir nun noch am Ende nachfolgende Zeilen ein.
+   # vim /etc/postfix/main.cf
+<file bash /etc/postfix/main.cf>...
-           policyd-spf
-       Each query is a bunch of attributes.  Order does not matter, and the daemon uses only a few
-       of all the attributes shown below:
-           request=smtpd_access_policy
-           protocol_state=RCPT
-           protocol_name=SMTP
-           helo_name=some.domain.tld
-           queue_id=8045F2AB23
-           instance=12345.6789
-           sender=foo@bar.tld
-           recipient=bar@foo.tld
-           client_address=1.2.3.4
-           client_name=another.domain.tld
-           [empty line]
-       The policy daemon will answer in the same style, with an attribute list followed by a empty
-       line:
-           action=dunno
-           [empty line]
-POSTFIX INTEGRATION
-. Add the following to /etc/postfix/master.cf:
-               policyd-spf  unix  -       n       n       -       0       spawn
-                   user=nobody argv=/usr/bin/policyd-spf
-           NOTE: Check the path to both the installed Python interpreter and
-                 policyd-spf.  These vary from system to system.  To use non-default
-                 settings, you must also add the config file (see above and
-                 policyd-spf.conf(5) for details).  If you run other services with
-                 user nobody, create a dedicated user for this policy server and use
-                 that instead.
-. Configure the Postfix policy service in /etc/postfix/main.cf:
-               smtpd_recipient_restrictions =
-                   ...
-                   reject_unauth_destination
-                   check_policy_service unix:private/policyd-spf
-                   ...
-               policyd-spf_time_limit = 3600
-           NOTE:  Specify check_policy_service AFTER reject_unauth_destination or
-                  else your system can become an open relay.
-. Reload Postfix.
-SEE ALSO
-       policyd-spf.conf(5), policyd-spf.peruser(5), python-spf, <http://www.openspf.org>, RFC 4408
-AUTHORS
-       This version of python-policyd-spf was written by Copyright © 2007-2012 Scott Kitterman
-       <scott@kitterman.com>.  It is derived from Tumgreyspf, written by Sean Reifschneider,
-       tummy.com, ltd <jafo@tummy.com>. Portions of the documentation were written by Meng Weng Wong
-       <mengwong@pobox.com>.
-       This man-page was created by Scott Kitterman <scott@kitterman.com>.
--03-17                     policy-spf(1)
-</code>
-=== policyd-spf.conf ===
-   # man 5 policyd-spf.conf
-<code>policy-spf.conf(5)                                          policy-spf.conf(5)
-NAME
-       python-policyd-spf - pure-Python Postfix policy daemon for SPF checking
-VERSION
-.1.1
-USAGE
-       Usage:
-         policyd-spf [/etc/policyd-spf/policyd-spf.conf]
-OTHER DOCUMENTATION
-       This documentation assumes you have read Postfix’s README_FILES/ SMTPD_POLICY_README and are
-       generally familiar with Sender Policy Framework (SPF).  See RFC 4408 for details.
-       man 1 policyd-spf provides general operation documentation for this package.
-       man 5 policyd-spf.peruser provides documentation on setting up and using different configura-
-       tion options on a per user (mail reciepient) basis.
-SYNOPSIS
-       python-policyd-spf operates with a default installed configuration file and set of default
-       configuration options that are used if the configuration file cannot be found.  These options
-       can be changed by changing the installed configuration files or through giving a path to an
-       alternate configuration file.
-DESCRIPTION
-       Configuration options are described here and in the configuration file provided with the
-       package.  The provided setup.py installs this configuration file in /etc/policyd-spf/.
-       Additionally, whitelisting certain IP addresses from SPF checks is supported.  This man page
-       and the sample configuration file show the format to use.  These options can be adjusted on a
-       per user (mail recipient) basis.  Details on per user settings can be found in policyd-
-       spf.peruser(5).
-OPTIONS
-LOGGING
-       "debugLevel" controls the amount of information logged by the policy server.
-       The default, 1, logs no debugging messages, just basic SPF results and errors generated
-       through the policy server.  This value can be increased up to 5 (values higher than 5 will
-       not cause an error, but will not log any additional information).
-       debug level 2 adds a log message if no client address (IP address from which the connection
-       was made), Mail From addresss, or HELO/EHLO name is received by the policy server, and logs
-       SPF results for each Mail From and HELO check.
-       debug level 3 generates a log message each time the policy server starts and each time it
-       exits, as well as logging a copy of the exact header returned to Postfix to be prepended into
-       the message.  Each time the policy server starts, debug level 3 also logs the configuration
-       information used by the policy server.
-       debug level 4 logs the complete data set received by Postfix via the policy interface and
-       when the end of the entry is read.
-       debug level 5 is used to debug config file processing and can only be set in code and not via
-       the config file.
-       If debug level is 0, then the policy server logs errors only.
-       Default:
-       debugLevel = 1
-TEST OPERATION
-       The policy server can operate in a test only mode. This allows you to see the potential
-       impact of SPF checking in your mail logs without rejecting mail.  Headers are prepended in
-       messages, but message delivery is not affected. This mode is not enabled by default.  To
-       enable it, set defaultSeedOnly = 0.
-       Default:
-       defaultSeedOnly = 1
-HELO/EHLO CHECKING
-       HELO check rejection policy options are:
-       SPF_Not_Pass (default) - Reject if result not Pass, None, or Temperror (alternatively put,
-       reject if the SPF result is Fail, Softfail, Neutral, PermError). Unlike Mail From checking,
-       there are no standard e-mail use cases where a HELO check should not Pass if there is an SPF
-       record for the HELO name (transparent forwarding, for example, is not an issue). Technically
-       this option is not fully RFC 4408 compliant since the SPF check for the Mail From identity is
-       mandatory and Neutral and None results must be treated the same.  HELO/EHLO is known first in
-       the SMTP dialogue and there is no practical reason to waste resources on Mail From checks if
-       the HELO check will already cause the message to be rejected. These deviations should not
-       cause interoperability problems when used for HELO.
-       Softfail - Reject on HELO Softfail or Fail.  Technically this option is not fully RFC 4408
-       compliant since the Mail From identity is mandatory, but HELO/ EHLO is known first in the
-       SMTP dialogue and there is no practical reason to waste resources on Mail From checks if the
-       HELO check will already cause the message to be rejected.
-       Fail - Reject only on HELO Fail.  Technically this option is not fully RFC 4408 compliant
-       since the Mail From identity is mandatory, but HELO/EHLO is known first in the SMTP dialogue
-       and there is no practical reason to waste resources on Mail From checks if the HELO check
-       will already cause the message to be rejected.
-       Null - Only reject HELO Fail for Null sender (SPF Classic).  This is the approach used by the
-       pre-RFC 4408 reference implementation and many of the pre- RFC specifications.  Use of at
-       least this option (SPF_Not_Pass or Fail) are preferred) is highly recommended.
-       False - Never reject on HELO, append header only. This is useful for post-SMTP spam filters
-       such as SpamAssassin.
-       No_Check - Never check HELO.  This is only recommended if you are calling the policy server
-       twice (once for HELO checks and once for Mail From) with two different configuration files.
-       This approach is useful to get both the HELO and Mail From headers prepended to a message.
-       Default:
-       HELO_reject = SPF_Not_Pass
-HELO/EHLO PASS RESTRICTION
-       HELO Pass Restriction allows integration with other Postfix access controls by provding a
-       user supplied name of a postfix access restriction to be applied to a message when the HELO
-       checking result is Pass.  The indicated restriction must be an action as defined for a Post-
-       fix SMTP server access table access(5) and explained in the Postfix RESTRICTION CLASS README.
-       The README.per_user_whitelisting file provided with this distribution provides examples.
-       Note: A helo pass restriction will be the returned result even if the mail from result would
-       cause the message to be rejected.
-       Example:
-       HELO_pass_restriction = helo_passed_spf
-       Default:
-       None
-Mail From CHECKING
-       Mail From rejection policy options are:
-       SPF_Not_Pass - Reject if result not Pass/None/Tempfail. This option is not RFC 4408 compliant
-       since the mail with an SPF Neutral result is treated differently than mail with no SPF record
-       and Softfail results are not supposed to cause mail rejection.  Global use of this option is
-       not recommended. Use per-domain if needed (per-domain usage described below).
-       Softfail - Reject on HELO Softfail or Fail.  Technically this option is not fully RFC 4408
-       compliant since Softfail results are not supposed to cause mail rejection.  Global use of
-       this option is not recommended. Use per-domain if needed (per-domain usage described below).
-       Fail (default) - Reject on Mail From Fail.
-       False - Never reject on Mail From, append header only.  This is useful for post-SMTP spam
-       filters such as SpamAssassin.
-       No_Check - Never check Mail From/Return Path.  This is only recommended if you are calling
-       the policy server twice (once for HELO checks and once for Mail From) with two different con-
-       figuration files.  This approach is useful to get both the HELO and Mail From headers
-       prepended to a message.  It could also be used to do HELO checking only (because HELO check-
-       ing has a lower false positive risk than Mail From checking), but this approach would not be
-       fully RFC 4408 compliant since the Mail From identity is mandatory.
-       Default:
-       Mail_From_reject = Fail
-Mail From PASS RESTRICTION
-       Mail From Pass Restriction allows integration with other Postfix access contlols by provding
-       a user supplied name of a postfix access restriction to be applied to a message when the HELO
-       checking result is Pass.  The indicated restriction must be an action as defined for a Post-
-       fix SMTP server access table access(5) and explained in the Postfix RESTRICTION CLASS README.
-       Note: A mail from pass restriction will be the returned result even if the helo result would
-       cause the message to be rejected.
-       Example:
-       mail_from_pass_restriction = mfrom_passed_spf
-       Default:
-       None
-Limit Rejections To Domains That Send No Mail
-       No_Mail - Only reject when SPF indicates the host/domain sends no mail. This option will only
-       cause mail to be rejected if the HELO/Mail From record is "v=spf1 -all".  This option is use-
-       ful for rejecting mail in situations where the tolerance for rejecting wanted mail is very
-       low. It operates on both HELO and Mail From identities if set.
-       Default:
-       No_Mail = False
-Domain Specific Receiver Policy
-       Using this option, a list of domains can be defined for special processing when messages do
-       not Pass SPF.  This can be useful for commonly spoofed domains that are not yet publishing
-       SPF records with -all.  Specifically, if mail from a domain in this list has a Neutral/Soft-
-       fail result, it will be rejected (as if it had a Fail result).  This option is not supported
-       by RFC 4408, but if needed, it is better to do it on a per-domain basis rather than globally.
-       Example:
-       Reject_Not_Pass_Domains = aol.com,hotmail.com
-       Default:
-       None
-Permanent Error Processing
-       Policy for rejecting due to SPF PermError options are:
-       True - Reject the message if the SPF result (for HELO or Mail From) is PermError.  This has a
-       higher short-term false positive risk, but does result in senders getting feedback that they
-       have a problem with their SPF record.
-       False - Treat PermError the same as no SPF record at all.  This is consistet with the pre-RFC
-       usage (the pre-RFC name for this error was "Unknown").
-       This is a global option that affects both HELO and Mail From scopes when checks for that
-       scope are enabled. The only per scope setting that can over-ride this is
-       Mail_From/HELO_reject = False/
-       Default:
-       PermError_reject = False
-Temporary Error Processing
-       Policy for deferring messages due to SPF TempError options are:
-       True - Defer the message if the SPF result (for HELO or Mail From) is TempError.  This is the
-       traditional usage and has proven useful in reducing acceptance of unwanted messages.  Some-
-       times spam senders do not retry.  Sometimes by the time a message is retried the sending IP
-       has made it onto a DNS RBL and can then be rejected.  This is not the default because it is
-       possible for some DNS errors that are classified as "Temporary" per RFC 4408 to be permanent
-       in the sense that they require operator intervention to correct.
-       This is a global option that affects both HELO and Mail From scopes when checks for that
-       scope are enabled. The only per scope setting that can over-ride this is
-       Mail_From/HELO_reject = False/
-       False - Treat TempError the same as no SPF record at all.  This is the default to minimize
-       false positive risk.
-       Default:
-       TempError_Defer = False
-Prospective SPF Check
-       Prospective SPF checking - Check to see if mail sent from the defined IP address would pass.
-       This is useful for outbound MTAs to avoid sending mail that would Fail SPF checks when
-       received.  Disable HELO checking when using this option.  It’s only potentially useful for
-       Mail From checking. SPF Received headers are not added when this option is used.
-       Prospective = 192.168.0.4
-       Default:
-       None
-LOCAL SPF BYPASS LIST
-       Do not check SPF for localhost addresses - add to skip addresses to skip SPF for internal
-       networks if desired. Defaults are standard IPv4 and IPv6 localhost addresses. This can also
-       be used, to allow mail from local clients submitting mail to an MTA also acting as a Mail
-       Submission Agent (MSA) to be skipped.  An x-header is prepended indicating SPF checks were
-       skipped due to a local address.  This is a trace header only.  Note the lack of spaces in the
-       list.
-       Default:
-       skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
-SPF IP WHITELIST
-       A comma separated CIDR Notation list of IP addresses to skip SPF checks for.  Use this list
-       to whitelist trusted relays (such as a secondary MX and trusted forwarders).  An x-header is
-       prepended indicating the IP was whitelisted against SPF checks.  This is a trace header only.
-       Note the lack of spaces in the list.
-       Example:
-       Whitelist = 192.168.0.0/31,192.168.1.0/30
-       Default:
-       None
-SPF DOMAIN WHITELIST
-       Domain_Whitelist: List of domains whose sending IPs should be whitelisted from SPF checks.
-       Use this to list trusted forwarders by domain name.  Client IP addresses are tested against
-       SPF records published by the listed domains.  This is useful for large forwarders with com-
-       plex outbound infrastructures and SPF records.  This option is less scalable than the SPF IP
-       Whitelist.  An x-header is prepended indicating the IP was whitelisted against SPF checks.
-       This is a trace header only.  This option does nothing if the domain does not have an SPF
-       record.  In this case use the SPF IP Whitelist described above or Domain_Whitelist_PTR
-       (below). Note the lack of spaces in the list.
-       Example:
-       Domain_Whitelist = pobox.com,trustedforwarder.org
-       Default:
-       None
-PTR DOMAIN WHITELIST
-       Domain_Whitelist_PTR: List of domains (and subdomains)  whose sending IPs should be
-       whitelisted from SPF checks based on PTR match of the domain. Use this to list trusted for-
-       warders by domain name if they do not publish SPF records.  Client IP addresses PTR names are
-       tested to see if they match the listed domains.  This is useful for large forwarders with
-       complex outbound infrastructures, but no SPF records and predictable host naming. Matching is
-       done using the same rules as the SPF PTR mechanism as described in RFC 4408.  List the parent
-       domain and all subdomains will match. This option is less scalable than the SPF IP Whitelist.
-       An x-header is prepended indicating the IP was whitelisted against SPF checks.  This is a
-       trace header only.  This option does nothing if the host does not have a PTR record record.
-       In this case use the SPF IP Whitelist described above. Note the lack of spaces in the list.
-       Example:
-       Domain_Whitelist_PTR = yahoo.com,yahoogroups.com
-       Default:
-       None
-RESULTS HEADER
-       The standard method for documenting SPF results in a message (for consumption by downstream
-       processes) is the Received-SPF header defined in RFC 4408. This is the default header to use.
-       Results can also be documented in the Authentication-Results header defined by RFC 5451. The
-       default is Received-SPF (SPF), but inclusion of Authentication-Results (AR) headers as an
-       alternative to Received-SPF can be specified.
-       If there is a requirement to prepend both Received-SPF and Authentication- Results headers,
-       then it must be done by processing the message with more than one instance of the policy
-       server using different configuration files with different Header_Type settings.
-       Examples:
-       Header_Type = SPF or Header_Type = AR
-       Default:
-       SPF
-Authentications Results Authentication Identifier
-       Every Authentication-Results header field has an authentication identifier field (’Auth-
-       serv_Id’). This is similar in syntax to a fully-qualified domain name. See policyd-spf.conf.5
-       and RFC 5451 paragraph 2.3 for details.  Default is None.  Authserv-Id must be provided if
-       Header_Type ’AR’ is used.
-       The authentication identifier field provides a unique identifier that refers to the authenti-
-       cating service within a given administrative domain. The identifier MUST be unique to that
-       domain.  This identifier is intended to be machine-readable and not necessarily meaningful to
-       users.
-       Example:
-       Authserv_Id = mx.example.com
-SEE ALSO
-       man 1 policyd-spf, man 5 policyd-spf.peruser, python-spf, <http://www.openspf.net>, RFC 4408,
-       RFC 5451
-AUTHORS
-       This version of pypolicyd-spf was written by Copyright © 2007-2012, Scott Kitterman
-       <scott@kitterman.com>.  It is derived from Tumgreyspf, written by Sean Reifschneider,
-       tummy.com, ltd <jafo@tummy.com>. Portions of the documentation were written by Meng Weng Wong
-       <mengwong@pobox.com>.
-       This man-page was created by Scott Kitterman <scott@kitterman.com>.
--03-17                policy-spf.conf(5)
-</code>
-=== policyd-spf.peruser ===
-   # man 5 policyd-spf.peruser
-<code>policy-spf.peruser(5)                                    policy-spf.peruser(5)
-NAME
-       python-policyd-spf - pure-Python Postfix policy daemon for SPF checking
-VERSION
-.0
-USAGE
-       Usage:
-         policyd-spf [/etc/policyd-spf/policyd-spf.conf]
-OTHER DOCUMENTATION
-       This documentation assumes you have read Postfix’s README_FILES/ SMTPD_POLICY_README and are
-       generally familiar with Sender Policy Framework (SPF).  See RFC 4408 for details.
-       man 1 policyd-spf provides general operation documentation for this package.
-       See man 5 policyd-spf.conf for configuration file information.
-SYNOPSIS
-       python-policyd-spf operates with a default installed configuration file and set of default
-       configuration options that are used if the configuration file cannot be found.  These options
-       can be changed by changing the installed configuration files or through giving a path to an
-       alternate configuration file.
-       Additionally, different configurations can be provided on a per user basis.  This man page
-       describes setup and user of per user (mail recipient) configurations.  Currently these con-
-       figurations can either be stored in a text file or a Berkeley DB (libdb) datase.  If there is
-       sufficient interest, other data storage methods may be supported in the future.
-DESCRIPTION
-       Use of per-user configuration is defined in the application configuration file with the set-
-       ting "Per_User".  The value of the setting gives the type and location of the per-user con-
-       figuration information.  Currently supported types are text and bsddb.  User is defined an
-       email address of a recipient of the message.
-       All options available at the application level (See man 5 policyd-spf.conf) can be adjusted
-       on a per-user basis.  Per-user checks can only be done as part of smtpd_recipient_restric-
-       tions.  Per-user actions are not possible at other stages of the SMTP dialogue.  The user is
-       not yet known for smtpd_client_restrictions, smtpd_helo_restrictions, or
-       smtpd_sender_restrictions.  If used during smtpd_data_restrictions or
-       smtpd_end_of_data_restrictions, the entire message will be available only if the message was
-       only to a single recipient.  If per-user configurations are used when recipient information
-       is not available, warnings will be logged and the per-user information will be ignored.
-       In addition to specifying individual users, regular expression matching is also available,
-       but may have performance implications since the entire user table has to be traversed for
-       each message recipient.
-OPTIONS
-Text Per-User Configuration File
-       The text file option is useful for testing and when only a small number of users require per-
-       user configurations.  It is specified in the main configuration file:
-       "Per_User = text,/etc/pypolicyd-spf/userconf"
-       Lines beginning with "#" are treated as comments and ignored.  The location of the file is
-       determined by the system administrator. No default file is provided in or installed by the
-       package.
-       The configuration of the file is a comma separated combination of user and configuration
-       information, with one line per user’s configuration information (NOTE: due to man page for-
-       mating requirements, these lines are wrapped - in the config file, it must be one line per
-       user):
-       postmaster@example.com,Mail_From_reject=No_Check|PermEr-
-       ror_reject=False|HELO_reject=SPF_Not_Pass|defaultSeedOnly=1|debu-
-       gLevel=5|skip_addresses=127.0.0.0/8,::ffff:127.0.0.0//104,::1//128|TempError_Defer=False
-       strict@example.com,PermError_rejec=True|HELO_reject=SPF_Not_Pass|TempError_Defer=True
-       It is not necessary to specify all configuration parameters for each user, only those that
-       are different than the overall configuration need to be specified.
-       If the specified per user configuration file is missing, an error is logged and the global
-       configuration is used instead.
-SEE ALSO
-       man 1 policyd-spf, man 5 policyd-spf.conf, python-spf, <http://www.openspf.org>, RFC 4408
-AUTHORS
-       This version of pypolicyd-spf was written by Copyright © 2007-2011, Scott Kitterman
-       <scott@kitterman.com>.  It is derived from Tumgreyspf, written by Sean Reifschneider,
-       tummy.com, ltd <jafo@tummy.com>.
-       This man-page was created by Scott Kitterman <scott@kitterman.com>.
--03-17             policy-spf.peruser(5)
-</code>
-==== Konfiguration ====
-Im RPM-Paket wird zwar eine Konfigurationsdatei schon an die richtige Stelle //**/etc/python-policyd-spf**// kopiert, aber die Vorgabedatei kommentierte Musterdatei **policyd-spf.conf.commented** im Verzeichnis //**/usr/share/doc/pypolicyd-spf-1.2/**// enthält doch wesentliche Hinweise und Tips.
-Wir kopieren uns also daher diese Musterdatei an die richtige Stelle im Verzeichnis //**/etc/**//.
-   # cp /usr/share/doc/pypolicyd-spf-1.2/policyd-spf.conf.commented /etc/python-policyd-spf/policyd-spf.conf -y
-Anschließende bearbeiten wir diese Datei mit unserem Editor der Wahl. Als wichtigen ersten Schrittsetzen wir die Option //**defaultSeedOnly**// auf den wert **0**. Somit ist schon mal sichergestellt, dass wir bis zum endgültigen Produktivbetrieb die Annahme von Mails fälschlicher weise ablehnen. Fernen Passen wir noch den Loglevel und die Angaben zum eigenen Netzwerk/IP-Adressbereich an.
-   # vim /etc/python-policyd-spf/policyd-spf.conf
-<file bash /etc/python-policyd-spf/policyd-spf.conf>#  Amount of debugging information logged.  0 logs no debugging messages
-#  5 includes all debug messages.
 # Django : 2014-03-16
-# default: debugLevel = 1
+# SPF-Check via SMF-SPF-Milter einbinden.
-debugLevel = 1debugLevel = 5
+smtpd_milters = inet:127.0.0.1:10010
-#  If set to 0, no messages are rejected by SPF.  This allows you to see the
+...
-#  potential impact of SPF checking in your mail logs without rejecting mail.
+</file>
-# Django : 2014-03-16
-# default: defaultSeedOnly = 1
-defaultSeedOnly = 0
-#  HELO check rejection policy. Options are:
+==== Programmstart ====
-#  HELO_reject = SPF_Not_Pass (default) - Reject if result not Pass/None/Tempfail.
+=== erster manueller Start ===
-#  HELO_reject = Softfail - Reject if result Softfail and Fail
+Nun können wir das erste mal den Daemon anstarten.
-#  HELO_reject = Fail - Reject on HELO Fail
+   # service smf-spf start
-#  HELO_reject = Null - Only reject HELO Fail for Null sender (SPF Classic)
-#  HELO_reject = False - Never reject/defer on HELO, append header only.
-#  HELO_reject = No_Check - Never check HELO.
-HELO_reject = SPF_Not_Pass
-#  HELO pass restriction policy.
+  Starting smf-spf:                                          [  OK  ]
-#  HELO_pass_restriction = helo_passed_spf - Apply the given restriction when
-#    the HELO checking result is Pass.  The given restriction must be an
-#    action as defined for a Postfix SMTP server access table access(5).
-#HELO_pass_restriction
-#  Mail From rejection policy.  Options are:
+In der Prozessliste finden wir nun unseren Prozess smf-spf, der mit den Rechten des Users smf läuft:
-#  Mail_From_reject = SPF_Not_Pass - Reject if result not Pass/None/Tempfail.
+   # ps auxw | grep smf-spf
-#  Mail_From_reject = Softfail - Reject if result Softfail and Fail
-#  Mail_From_reject = Fail - Reject on Mail From Fail (default)
-#  Mail_From_reject = False - Never reject/defer on Mail From, append header only
-#  Mail_From_reject = No_Check - Never check Mail From/Return Path.
-Mail_From_reject = Fail
-#  Reject only from domains that send no mail. Options are:
+  smfs     28462  0.0  0.1 179240   948 ?        Ssl  14:43   0:00 smf-spf
-#  No_Mail = False - Normal SPF record processing (default)
-#  No_Mail = True - Only reject for "v=spf1 -all" records
-#  Mail From pass restriction policy.
+Mittels lsof können wir nun noch überprüfen, welcher Port von Daemon verwendet wird.
-#  Mail_From_pass_restriction = mfrom_passed_spf - Apply the given
+   # lsof -i :10010
-#    restriction when the Mail From checking result is Pass.  The given
-#    restriction must be an action as defined for a Postfix SMTP server
-#    access table access(5).
-#Mail_From_pass_restriction
-#  Reject mail for Netural/Softfail results for these domains.
+  COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
-#  Recevier policy option to reject mail from certain domains when SPF is not
+  smf-spf 28462 smfs    4u  IPv4 2597844      0t0  TCP localhost:rxapi (LISTEN)
-#  Pass/None even if their SPF record does not produce a Fail result.  This
-#  Option does not change the effect of PermError_reject or TempError_Defer
-#  Reject_Not_Pass_Domains = aol.com,hotmail.com
-#  Policy for rejecting due to SPF PermError.  Options are:
+=== automatisches Starten des Dienste beim Systemstart  ===
-#  PermError_reject = True
+Damit der smf-spf-Daemon automatisch bei jedem Systemstart startet, denn ohne laufenden **smf-spf-daemon** verweigert nun unser **postfix** die Annahme der Nachrichten, kann die Einrichtung des Start-Scripte über folgenden Befehle erreicht werden:
-#  PermError_reject = False
+   # chkconfig smf-spf on
-PermError_reject = False
-#  Policy for deferring messages due to SPF TempError.  Options are:
+Die Überprüfungung ob der Dienst (Daemon) smf-spfwirklich bei jedem Systemstart automatisch mit gestartet wird, kann durch folgenden Befehle erreicht werden:
-#  TempError_Defer = True
+   # chkconfig --list | grep smf-spf*
-#  TempError_Defer = False
-TempError_Defer = False
-#  Prospective SPF checking - Check to see if mail sent from the defined IP
+  smf-spf        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
-#  address would pass.
-#  Prospective = 192.168.0.4
-#  Do not check SPF for localhost addresses - add to skip addresses to
+Wichtig sind jeweils die Schalter **on** bei den Runleveln - **2 3 4 5**.
-#  skip SPF for internal networks if desired. Defaults are standard IPv4 and
-#  IPv6 localhost addresses.
-# Django : 2014-03-16
-# default: skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
-skip_addresses = 127.0.0.1/32,10.0.0.0/24,10.0.10.0/28
-#  Whitelist: CIDR Notation list of IP addresses not to check SPF for.
+Anschließend starten wir unseren Postfix-Mailserver einmal durch, damit unsere zuvor eingetragene Konfigurationsänderung aktiv werden kann.
-#  Example (default is no whitelist):
+   # service postfix condrestart
-#  Whitelist = 192.168.0.0/31,192.168.1.12
-#  Domain_Whitelist: List of domains whose sending IPs (defined by passing
+  Shutting down postfix:                                     [  OK  ]
-#  their SPF check should be whitelisted from SPF.
+  Starting postfix:                                          [  OK  ]
-#  Example (default is no domain whitelist):
-#  Domain_Whitelist = pobox.com,trustedforwarder.org
-# Domain_Whitelist_PTR: List of domains to whitelist against SPF checks base
-# on PTR match.
-# Example (default is no PTR whitelist)
-# Domain_Whitelist_PTR = yahoo.com
-# Type of header to insert to document SPF result. Can be RFC 4408
-# Received-SPF (SPF) or RFC 5451 Authentication Results (AR). It cannot be
-# both.
-# Examples: (default is Received-SPF):
-# Header_Type = AR
-# Header_Type = SPF
-# Every Authentication-Results header field has an authentication identifier
-# field ('Authserv_Id'). This is similar in syntax to a fully-qualified domain
-# name. See policyd-spf.conf.5 and RFC 5451 paragraph 2.3 for details.
-# Default is None.  Authserv-Id must be provided if Header_Type 'AR' is used.
-# Authserv_Id = mx.example.com
-</file>
-In der Konfigurationsdatei **master.cf** unseres Postfix-Mailserver tragen wir nun nachfolgende Zeilen ein.
-   #
-<file bash /etc/postfix/master.cf>...
-# Django : 2014-03-16
-# SPF-Check
-policy     unix  -       n       n       -       -       spawn
-        user=nobody argv=/usr/libexec/postfix/policyd-spf
-#
-...
-</file>
-In der Konfigurationsdatei **main.cf** unseres Postfix-Mailserver ergänzen wir nun noch unsere **smtpd_recipient_restrictions** und tragen von den **//RBL-Checks//** noch ein.
-   # vim /etc/postfix/main.cf
-<file bash /etc/postfix/main.cf>...
-# Django : 2014-03-16
-# SPF Check
-        check_policy_service unix:private/policy,
-# policy_time_limit = 3600,
-...
-</file>
-Anschließend starten wir unseren Postfix-Mailserver einmal durch, damit unsere Konfigurationsänderungen aktiv werden.
 ==== Tests und Logging ====
-Zum Testen schicken wir uns von einem fremden Mailserver aus, der einen gültigen SPF-Record vorweisen kann eine eMail an unseren Mailserver und beobachten unser Maillog. Beim gesetzten **Loglevel 5** wird entsprechend ausfürlich berichtet.
+Zum Testen schicken wir uns von einem fremden Mailserver aus, der einen gültigen SPF-Record vorweisen kann eine eMail an unseren Mailserver und beobachten unser Maillog.
    # less /var/log/maillog
-<code>Mar 16 12:17:01 vml000080 policyd-spf[12354]: Starting
+  Mar 26 14:27:32 vml000080 smf-spf[26416]: SPF pass: 200.46.208.138, lists.horde.org, lists.horde.org, <horde-bounces@lists.horde.org>
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "request=smtpd_access_policy"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "protocol_state=RCPT"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "protocol_name=ESMTP"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "client_address=80.241.60.212"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "client_name=mx1.mailbox.org"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "reverse_client_name=mx1.mailbox.org"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "helo_name=mx1.mailbox.org"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "sender=n3rd@mailbox.org"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "recipient=django@nausch.org"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "recipient_count=0"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "queue_id="
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "instance=2fef.5325882d.9ad5b.0"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "size=2054"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "etrn_domain="
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "stress="
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "sasl_method="
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "sasl_username="
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "sasl_sender="
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "ccert_subject="
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "ccert_issuer="
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "ccert_fingerprint="
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "encryption_protocol=TLSv1.2"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "encryption_cipher=AECDH-AES256-SHA"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: "encryption_keysize=256"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Read line: ""
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Found the end of entry
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Config: {'Mail_From_reject': 'Fail', 'PermError_reject': 'False',, 'HELO_reject': 'SPF_Not_Pass', 'Header_Type': 'SPF', 'defaultSeedOnly': 0, 'debugLevel': 5, 'skip_addresses': '127.0.0.1/32,10.0.0.0/24', 'TempError_Defer': 'False'}
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Cached data for this instance: []
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: spfcheck: pyspf result: "['None', '', 'helo']"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: None; identity=helo; client-ip=80.241.60.212; helo=mx1.mailbox.org; envelope-from=n3rd@mailbox.org; receiver=django@nausch.org
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: spfcheck: pyspf result: "['Pass', 'sender SPF authorized', 'mailfrom']"
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Pass; identity=mailfrom; client-ip=80.241.60.212; helo=mx1.mailbox.org; envelope-from=n3rd@mailbox.org; receiver=django@nausch.org
-Mar 16 12:17:01 vml000080 policyd-spf[12354]: Action: prepend: Text: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=80.241.60.212; helo=mx1.mailbox.org; envelope-from=n3rd@mailbox.org; receiver=django@nausch.org
-</code>
-Im Mailheader der empfangenen eMail findet sich dann auch ein entsprechender Eintrag:
+Damit nicht bei jeder Anfrage, der SPF-Record beim DNS abgerufen werden muss, cacht der Daemon auch entsprechend den SPF-Record. Wir sehen dann bei der Nutzung dieser gecachten Daten im maillog.
-  Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=80.241.60.212; helo=mx1.mailbox.org; envelope-from=n3rd@mailbox.org; receiver=django@nausch.org
+  Mar 26 14:40:18 vml000080 smf-spf[26416]: SPF none (cached): 72.26.200.202, mail.centos.org, mail.centos.org, <centos-bounces@centos.org>
-Bei einem produktiven System wird man meist mit dem **Loglevel=1** ausreichende Informationen vorfinden.
+Natürlich wird ein Fehler beim Überprüfen des SPF-records auch im maillog vermerkt.
-<code>Mar 16 13:19:05 vml000080 policyd-spf[14906]: Config: {'Mail_From_reject': 'Fail', 'PermError_reject': 'False', 'HELO_reject': 'SPF_Not_Pass', 'Header_Type': 'SPF', 'defaultSeedOnly': 0, 'debugLevel': 3, 'skip_addresses': '127.0.0.1/32,10.0.0.0/24', 'TempError_Defer': 'False'}
+  Dec 15 14:39:49 vml000080 smf-spf[1501]: SPF fail: ip=88.217.171.167, fqdn=mx1.tachtler.net, helo=mx1.tachtler.net, from=<newsletter@aktuell.erwinmueller.de>
-Mar 16 13:19:05 vml000080 policyd-spf[14906]: spfcheck: pyspf result: "['None', '', 'helo']"
-Mar 16 13:19:05 vml000080 policyd-spf[14906]: None; identity=helo; client-ip=80.241.60.212; helo=mx1.mailbox.org; envelope-from=n3rd@mailbox.org; receiver=django@nausch.org
-Mar 16 13:19:05 vml000080 policyd-spf[14906]: spfcheck: pyspf result: "['Pass', 'sender SPF authorized', 'mailfrom']"
-Mar 16 13:19:05 vml000080 policyd-spf[14906]: Pass; identity=mailfrom; client-ip=80.241.60.212; helo=mx1.mailbox.org; envelope-from=n3rd@mailbox.org; receiver=django@nausch.org
-Mar 16 13:19:05 vml000080 policyd-spf[14906]: Action: prepend: Text: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=80.241.60.212; helo=mx1.mailbox.org; envelope-from=n3rd@mailbox.org; receiver=django@nausch.org
-</code>
+Im Mailheader der empfangenen eMail findet sich dann auch die entsprechenden Einträge:
+  Authentication-Results: mx01.nausch.org; spf=fail smtp.mailfrom=<newsletter@aktuell.erwinmueller.de> smtp.helo=mx1.tachtler.net
 ===== SRS - Sender Rewriting Scheme =====
-Zu Beginn dieses Artikels wurde bereits darauf hingewiesen, dass mit unter Probleme bei Mailumleitungen und/oder WebFormularen auftauchen können. Mit **SRS**((**S**ender **R**ewriting **S**cheme)) kann ein Mailserver die eMail-Adresse im Envelop umschreiben und anpassen. Eine genauere Beschreibung zu SRS ist im Kapitel **[[centos:mail_c6:mta_14|SRS - Sender Rewriting Scheme]] zu finden.
+Zu Beginn dieses Artikels wurde bereits darauf hingewiesen, dass mit unter Probleme bei Mailumleitungen und/oder WebFormularen auftauchen können. Mit **SRS**((**S**ender **R**ewriting **S**cheme)) kann ein Mailserver die eMail-Adresse im Envelop umschreiben und anpassen. Eine genauere Beschreibung zu SRS ist im Kapitel **[[centos:mail_c6:mta_14|SRS - Sender Rewriting Scheme]]** zu finden.
+====== Links ======
+  * **[[[[centos:mail_c6:mta_14|Weiter zum Kapitel >>SRS - Sender Rewriting Scheme unter CentOS 6<<]]**
+  * **[[centos:mail_c6:start|Zurück zum Kapitel >>Mailserverinstallation unter CentOS 6<<]]**
+  * **[[wiki:start|Zurück zu >>Projekte und Themenkapitel<<]]**
+  * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**
-FIXME //... coming soon...// FIXME