Also manage Reject_Not_Pass_Domains.

2021-12-05 16:35:33 +01:00 · 2021-12-05 16:35:33 +01:00 · 8936990a19
parent 5193048476
commit 8936990a19
2 changed files with 8 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -93,10 +93,14 @@ postfix_spf_policy_helo_reject: 'SPF_Not_Pass'
 #  Mail_From_reject = Fail - Reject on Mail From Fail (default)
 #  Mail_From_reject = False - Never reject/defer on Mail From, append header only
 #  Mail_From_reject = No_Check - Never check Mail From/Return Path.
+#  * It is recommended to keep the default value, and manage specific cases setting
+#  postfix_spf_policy_reject_not_pass_domains
 postfix_spf_policy_mail_from_reject: 'Fail'
 # CIDR notation, 192.168.0.0/31,192.168.1.12
 postfix_spf_policy_whitelist: ''
 postfix_spf_policy_domain_whitelist: ''
+# Using this option, a list of domains can be defined for special processing when messages do not Pass SPF.  This can be useful for commonly spoofed domains that are not yet publishing SPF records with -all.  Specifically, if mail from a domain in this list has a Neutral/Softfail result, it will be rejected (as if it had a Fail result).  If needed, it is better to do it on a per-domain basis rather than globally. es: 'gmail.com,aol.com,hotmail.com'
+postfix_spf_policy_reject_not_pass_domains: ''
 postfix_spf_policy_lookup_time: 20
 postfix_spf_policy_void_limit: 2

--- a/templates/policyd-spf.conf.j2
+++ b/templates/policyd-spf.conf.j2
@ -16,5 +16,9 @@ Whitelist = {{ postfix_spf_policy_whitelist }}
 {% if postfix_spf_policy_domain_whitelist != '' %}
 Domain_Whitelist = {{ postfix_spf_policy_domain_whitelist }}
 {% endif %}
+{% if postfix_spf_policy_reject_not_pass_domains != '' %}
+Reject_Not_Pass_Domains = {{ postfix_spf_policy_reject_not_pass_domains }}
+{% endif %}
+
 Lookup_Time = {{ postfix_spf_policy_lookup_time }}
 Void_Limit = {{ postfix_spf_policy_void_limit }}