PerlStalker’s SysAdmin Notes

Notes from the life of a systems administrator

Courier and SPF

Originally posted at [2005-02-23 Wed 15:01]

SPF is a protocol that tries to provide some defense against domain spoofing. You can turn on SPF checks in courier-mta by adding various options to the bofh configuration file.

You might want to begin by reading the SPF RFC and the Courier SPF docs.

1 Possible Keywords (descriptions from the RFC):

“none” A result of None means that no records were published by the domain. The checking software cannot ascertain if the client host is authorized or not.
“neutral” A Neutral result MUST be treated exactly like a None result.
“pass” A Pass result means that the client is authorized to inject mail with the given “Mail From” identity. Further policy checks, such as reputation, or black and/or white listing, can now proceed with confidence based on the “Mail From” identity.
“fail” A Fail result is an explicit statement that the client is not authorized to use the domain in the “Mail From” identity. The checking software can choose to mark the mail based on this, or to reject the mail outright.
“softfail” A SoftFail result should be treated as somewhere between a Fail and a Neutral. This value is used by domains as an intermediate state during roll-out of publishing records. The domain believes the host isn’t authorized but isn’t willing to make that strong of a statement. Receiving software SHOULD NOT reject the message based on this result, but MAY subject the message to closer scrutiny.
“error” indicates an error during lookup; an MTA SHOULD reject the message using a transient failure code, such as 450.
“unknown” indicates incomplete processing: an MTA MUST proceed as if a domain did not publish SPF data.

2 Courier Specific keywords:

“off” SPF verification disabled (default);
“all” Turns all checks into informational mode (no mail is rejected); the status is put into the ‘Received-SPF:’ header.
“mailfromok” Skip ‘From:’ check if MAILFROM passes. BOFHSPFFROM only.

Courier will only accept mail whose SPF result is one of the specified keywords and will reject all others. Always include pass,none in the keyword list for each check.

3 The SPF Checks

3.1 Verify ‘HELO’ domain.

Recommended: pass,none,softfail,neutral,unknown

opt BOFHSPFHELO=pass,none,softfail,neutral,unknown,error
#opt BOFHSPFHELO=all

3.2 Verify return address from ‘MAIL FROM’ command

#opt BOFHSPFMAILFROM=pass,none,softfail,neutral,unknown
opt BOFHSPFMAILFROM=all

3.3 Verify ‘From:’ header

One should not reject on BOFHSPFFROM failure. From the courier site:

A conservative policy should not reject failed SPF checks from the From: header, because it can be counterproductive in some situations. This is because when a sender from a domain with a published SPF policy sends a message to a mailing list, the message goes through the mailing list processor’s IP address, and it will fail the SPF check unless the domain SPF explicitly authorizes the mailing list processor’s IP address.

#opt BOFHSPFFROM=pass,none,softfail,neutral,unknown,mailfromok
opt BOFHSPFFROM=all
#opt BOFHSPFFROM=off

3.4 Other Options

Which keywords (results) cause a permanent error (rather than a temp error)

Recommended: fail,softfail (default)

opt BOFHSPFHARDERROR=fail,softfail

Turn off SPF checks for hosts with RELAYCLIENT set

opt BOFHSPFTRUSTME=1

Disables the custom reject messages that the domain publishes in DNS. Note: not setting this option (letting the domain-supplied messages through) has some security implications.

opt BOFHSPFNOVERBOSE=1
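As an added illustration (my own code, not Courier’s and not part of the original post), here is a small model of how the keyword lists above turn an SPF result into an SMTP decision. The bofh text is constructed from the options discussed on this page, and the semantics (listed results accepted, others rejected, hard vs. temp error, TRUSTME, mailfromok) are assumed from the descriptions above rather than taken from Courier’s source.

```python
# Model of the bofh SPF keyword lists described above. Assumed semantics,
# not Courier's implementation.
TEMP_ERROR = 450  # transient code for results not in BOFHSPFHARDERROR
PERM_ERROR = 550  # permanent code for results in BOFHSPFHARDERROR

# Constructed bofh fragment using the strict (non-"all") lists from the post.
SAMPLE_BOFH = """
opt BOFHSPFHELO=pass,none,softfail,neutral,unknown,error
#opt BOFHSPFHELO=all
opt BOFHSPFMAILFROM=pass,none,softfail,neutral,unknown
opt BOFHSPFFROM=pass,none,softfail,neutral,unknown,mailfromok
opt BOFHSPFHARDERROR=fail,softfail
opt BOFHSPFTRUSTME=1
opt BOFHSPFNOVERBOSE=1
"""


def parse_bofh(text):
    """Collect 'opt NAME=value' lines into a dict, skipping '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("opt "):
            name, _, value = line[4:].partition("=")
            opts[name.strip()] = value.strip()
    return opts


def spf_decision(opts, check, result, relayclient=False, mailfrom_result=None):
    """Decide one check (BOFHSPFHELO, BOFHSPFMAILFROM or BOFHSPFFROM).

    Returns 'skip', 'info', 'accept', or an SMTP reject code.
    """
    # BOFHSPFTRUSTME=1: hosts with RELAYCLIENT set bypass SPF entirely.
    if relayclient and opts.get("BOFHSPFTRUSTME") == "1":
        return "skip"
    accepted = opts.get(check, "off")  # "off" is Courier's default
    if accepted == "off":
        return "skip"
    if accepted == "all":
        return "info"  # only a Received-SPF: header, nothing rejected
    keywords = set(accepted.split(","))
    # mailfromok: the From: header check is skipped when MAIL FROM passed.
    if check == "BOFHSPFFROM" and "mailfromok" in keywords and mailfrom_result == "pass":
        return "skip"
    if result in keywords:
        return "accept"
    hard = set(opts.get("BOFHSPFHARDERROR", "fail,softfail").split(","))
    return PERM_ERROR if result in hard else TEMP_ERROR
```

Note that with “error” listed for BOFHSPFHELO (as in the post’s active line) a DNS lookup error on the HELO check is accepted, while the same result on MAIL FROM, which does not list it, gets the 450 transient rejection the RFC text above recommends.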
