SPF :: Qmail & SpamAssassins

Justec · February 12, 2006, 1:32am

I wanted to create one thread with all the SPF stuff b/c I was getting confused.

SPF :: www.openspf.org
SPF is a way of checking the MX record IP is vaild to be the sender on an email for a particular domain. There is 2 parts to SPF…

Step 1
One is publishing your SPF records on your DNS. This allows other server running SPF module to check that if they get an email from someone@yourdomain.com that it is really someone sending from you mail server and not a spammer just using your address. You can learn how to setup the DNS TXT records on the SPF website and they also have a nice wizard that can help you http://www.openspf.org/wizard.html. If you haven’t already you should definately setup you DNS SPF records so keep people from sending email based on your domain.

Related Threads:
How to setup TXT records with Iworx
http://interworx.com/forums/showthread.php?t=460&highlight=spf

Step 2
The second part of SPF is running the module on your mail server so you can check that the mail your receive from someone@outsidedomain.com are really that person at outsidedomain.com.

So far I understand there are 2 ways to implement SPF which is similar to how you can block emails via SA(SpamAssassin) at SMTP level and LOCAL DELIVERY level.

Method 1 - SpamAssassin Integration:
You can have SA scan the emails using SPF plugin to increase the “spam points”. This would be a good method to have and maybe the more flexable of the two. This one seems pretty easy to implement and I dont see it affecting Iworx at all.

From the other thread Paul mentions that this can be installed by:
You can try installing the missing perl module through cpan like this:
perl -MCPAN -e “install Mail::SPF”

I haven’t tested this, but seems easy enough. I did start to try it, but that command wanted to create a directory in my /root folder to setup the CPAN stuff and I didn’t want to install something to just compile one thing, but maybe its the best way, not sure.

The other way to do it is manually. I found these instructions on how to install Mail::SPF::Query:

wget http://spf.pobox.com/Mail-SPF-Query-1.997.tar.gz
tar xvzf Mail-SPF-Query-1.997.tar.gz
cd Mail-SPF-Query-1.997
perl Makefile.PL
make
make test
make install

That also seems pretty easy to do without using the cpan stuff.

Related Threads:
SPF & SpamAssassin Info
http://interworx.com/forums/showthread.php?t=1095
SPF & SpamAssassin Error
http://interworx.com/forums/showthread.php?t=1037

Method 2 - Qmail (SMTP level) Integration
I am not sure if patching Qmail with SPF could cause any problems with Iworx, so I wouldn’t try this until someone from Iworx replies to this thread
The other method is using Qmail itself to block at SMTP level. You can patch Qmail to make it understand SPF and block emails before ever downloading them to your server or wasting CPU time scanning them with SA.

From OpenSPF downloads page http://www.openspf.org/downloads.html it gives you the options for Qmail patching.

http://www.libspf.org/
http://www.libspf2.org/
http://www.saout.de/misc/spf/

The last link is an implementation of the libspf (I think its on libspf2, not sure though) for Qmail in a patch form. The process on that page to apply the patch seems pretty painless, but again I think I would wait for someone from Iworx to comment before proceding.

I don’t see any reason why you couldn’t setup both methods, but at this point I dont see why you would need to setup the SA method if you have Qmail doing the checks at SMTP level.

Please share your thoughts on this!

system · February 20, 2006, 10:51pm

Can explain what make spf exactly, in simple words?

i apreciate so much : )

Justec · February 27, 2006, 10:39pm

You can get all the info you need from the website, but in simple terms it basically is a way of checking wether the @domain.com part of the email is coming from a valid server.

Example:
Your domain is domain.com. You only have one server that sends email with that @domain.com. This server has the IP x.x.x.x. You send me an email from user@domain.com using SMTP server x.x.x.x. When my server gets this message it will check your DNS info for a special TXT record that says the only server that should be sending an email with @domain.com is x.x.x.x. My server then knows that it got the email from a valid server.

Now… same example, but instead of you sending me an email some spammer sends me an email from user@domain.com using SMTP server y.y.y.y. Again my server would check the DNS records for domain.com and it would tell my server that only x.x.x.x should be sending email with @domain.com. At this point my server knows this is a fake email and can drop it silently, mark it as spam, etc.

Hope this helps!

Also this is a good bump, maybe someone from Iworx can comment? I am really interested in getting this setup. It seems like this idea has been around for a few years, but is finally starting to get some traction and therefore i think its worth looking into espcially if its easy to implement. Just want to get some opinions on what i have in my first post before proceeding.

I do have a test box that will be up until March 10 so I could give it a try on that and see what happens

system · February 27, 2006, 10:49pm

Yeah !!
Absolutly great tool !!
I hoppe Interworx repply soon.
Justec I think its good idea if you open ticket directly with interworx,and then back here for confirm and put HOW TO INSTALL : )

Justec · April 26, 2007, 1:44pm

Bump of an old post

Any comments on this? I never implemented this with qmail, would be cool if this could maybe make it into 3.0 if it works and doesn’t add complexity. I think doing it at the Qmail level is a lot better than SA.

IWorx-Paul · April 26, 2007, 2:02pm

Hi Justin,

the qmail we provide is actually already patched to do some SPF checking. The configuration for this is not yet enabled in NodeWorx, and we haven’t done any significant testing with it so far, but if you’d like to check it out, feel free.

The first thing you can play with is the spfbehavior control file. From the docs:

/var/qmail/control/spfbehavior
Use this to turn on SPF checking. The default value is 0 (off).
You can specify a value between 0 and 6:

0: Never do SPF lookups, don’t create Received-SPF headers
1: Only create Received-SPF headers, never block
2: Use temporary errors when you have DNS lookup problems
3: Reject mails when SPF resolves to fail (deny)
4: Reject mails when SPF resolves to softfail
5: Reject mails when SPF resolves to neutral
6: Reject mails when SPF does not resolve to pass
Values bigger than 3 are strongly discouraged, you probably want to go with 2 or 3.
Important: This setting can be overridden using the environment variable SPFBEHAVIOR, e.g. from tcpserver rules.

For more configuration options, check out the patch website: qmail SPF (Sender Policy Framework) patch

Justec · April 26, 2007, 9:36pm

Cool, I will def. check this out. Thanks for the update!

Ok, I see the file is set to 1 now and that explains the stuff I saw in my mail headers when I was testing scanmail on my exchange server.

Received-SPF: pass (justechnology.com: SPF record at _spf.google.com designates 209.85.132.247 as permitted sender)

So 3 should only block message that have a valid SPF record that does not match, if someone hasn’t implemented the SPF record it will not block it.