diff --git a/defaults/main.yml b/defaults/main.yml
index ca9a798..a51cbdc 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -93,10 +93,14 @@ postfix_spf_policy_helo_reject: 'SPF_Not_Pass'
 # Mail_From_reject = Fail - Reject on Mail From Fail (default)
 # Mail_From_reject = False - Never reject/defer on Mail From, append header only
 # Mail_From_reject = No_Check - Never check Mail From/Return Path.
+# * It is recommended to keep the default value, and manage specific cases setting
+# postfix_spf_policy_reject_not_pass_domains
 postfix_spf_policy_mail_from_reject: 'Fail'
 # CIDR notation, 192.168.0.0/31,192.168.1.12
 postfix_spf_policy_whitelist: ''
 postfix_spf_policy_domain_whitelist: ''
+# Using this option, a list of domains can be defined for special processing when messages do not Pass SPF. This can be useful for commonly spoofed domains that are not yet publishing SPF records with -all. Specifically, if mail from a domain in this list has a Neutral/Softfail result, it will be rejected (as if it had a Fail result). If needed, it is better to do it on a per-domain basis rather than globally. es: 'gmail.com,aol.com,hotmail.com'
+postfix_spf_policy_reject_not_pass_domains: ''
 postfix_spf_policy_lookup_time: 20
 postfix_spf_policy_void_limit: 2
diff --git a/templates/policyd-spf.conf.j2 b/templates/policyd-spf.conf.j2
index dbe123b..bdcbde0 100644
--- a/templates/policyd-spf.conf.j2
+++ b/templates/policyd-spf.conf.j2
@@ -16,5 +16,9 @@ Whitelist = {{ postfix_spf_policy_whitelist }}
 {% if postfix_spf_policy_domain_whitelist != '' %}
 Domain_Whitelist = {{ postfix_spf_policy_domain_whitelist }}
 {% endif %}
+{% if postfix_spf_policy_reject_not_pass_domains != '' %}
+Reject_Not_Pass_Domains = {{ postfix_spf_policy_reject_not_pass_domains }}
+{% endif %}
+
 Lookup_Time = {{ postfix_spf_policy_lookup_time }}
 Void_Limit = {{ postfix_spf_policy_void_limit }}
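Review bot: The description added above `postfix_spf_policy_reject_not_pass_domains` is one very long comment line and ends with `es: 'gmail.com,aol.com,hotmail.com'`, which reads as a typo for `e.g.:`; wrap it across several `# ` lines like the neighbouring comments and state the expected value format the way the `# CIDR notation, ...` line does, for example `# Comma-separated list of domains, no spaces, e.g. 'gmail.com,aol.com,hotmail.com'`. The two-line `# *` recommendation inserted among the Mail_From_reject values leaves the second line as a bare variable name; one sentence such as `# Keep the default and handle specific senders via postfix_spf_policy_reject_not_pass_domains instead` would read more clearly. Since the comment says listed domains are rejected on Neutral/Softfail as if they had failed, it is worth stating explicitly that this option tightens policy for those domains, so an operator does not mistake it for a whitelist next to the two whitelist keys it sits under. The hunk header counts one more context line than is visible here, so a blank line may have been lost in the paste.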
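Review bot: The bare `+` line after the new `{% endif %}` inserts a blank line before `Lookup_Time`, which the existing Domain_Whitelist block does not have; either drop it or separate every optional block the same way so the rendered policyd-spf.conf stays uniform. The guard `{% if postfix_spf_policy_reject_not_pass_domains != '' %}` mirrors the Domain_Whitelist block and only suppresses the directive for the empty default, which matches the role's pattern. As with the other directives, the value is interpolated verbatim, so any whitespace or newline supplied in inventory lands in the config file unchanged; if that is a concern it applies to Whitelist and Domain_Whitelist as well and would be better fixed consistently rather than only here.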