From 8936990a19bd138218149c00b3148e25a9d716ac Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Sun, 5 Dec 2021 16:35:33 +0100
Subject: [PATCH] Also manage Reject_Not_Pass_Domains.
---
 defaults/main.yml | 4 ++++
 templates/policyd-spf.conf.j2 | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index ca9a798..a51cbdc 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -93,10 +93,14 @@ postfix_spf_policy_helo_reject: 'SPF_Not_Pass'
 # Mail_From_reject = Fail - Reject on Mail From Fail (default)
 # Mail_From_reject = False - Never reject/defer on Mail From, append header only
 # Mail_From_reject = No_Check - Never check Mail From/Return Path.
+# * It is recommended to keep the default value, and manage specific cases setting
+# postfix_spf_policy_reject_not_pass_domains
 postfix_spf_policy_mail_from_reject: 'Fail'
 # CIDR notation, 192.168.0.0/31,192.168.1.12
 postfix_spf_policy_whitelist: ''
 postfix_spf_policy_domain_whitelist: ''
+# Using this option, a list of domains can be defined for special processing when messages do not Pass SPF. This can be useful for commonly spoofed domains that are not yet publishing SPF records with -all. Specifically, if mail from a domain in this list has a Neutral/Softfail result, it will be rejected (as if it had a Fail result). If needed, it is better to do it on a per-domain basis rather than globally. es: 'gmail.com,aol.com,hotmail.com'
+postfix_spf_policy_reject_not_pass_domains: ''
 postfix_spf_policy_lookup_time: 20
 postfix_spf_policy_void_limit: 2
diff --git a/templates/policyd-spf.conf.j2 b/templates/policyd-spf.conf.j2
index dbe123b..bdcbde0 100644
--- a/templates/policyd-spf.conf.j2
+++ b/templates/policyd-spf.conf.j2
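Review bot: The comment added above `postfix_spf_policy_reject_not_pass_domains` in defaults/main.yml never states the value's format, and its trailing `es: 'gmail.com,aol.com,hotmail.com'` reads like a stray key rather than an example. I would wrap the comment at the width the neighbouring comments use and end it with `# Comma-separated string, e.g. 'gmail.com,aol.com,hotmail.com'`. One more line is worth adding for operators: mail from a listed domain that is relayed by a forwarder which keeps the original envelope sender can come back Softfail/Neutral and will then be rejected, so the list should hold only domains where that loss is acceptable.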
@@ -16,5 +16,9 @@ Whitelist = {{ postfix_spf_policy_whitelist }}
 {% if postfix_spf_policy_domain_whitelist != '' %}
 Domain_Whitelist = {{ postfix_spf_policy_domain_whitelist }}
 {% endif %}
+{% if postfix_spf_policy_reject_not_pass_domains != '' %}
+Reject_Not_Pass_Domains = {{ postfix_spf_policy_reject_not_pass_domains }}
+{% endif %}
+
 Lookup_Time = {{ postfix_spf_policy_lookup_time }}
 Void_Limit = {{ postfix_spf_policy_void_limit }}
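Review bot: The `!= ''` guard on the new `Reject_Not_Pass_Domains` block only recognises the empty-string default, so a value supplied as a YAML list, or left null in inventory, passes the test and is rendered verbatim. The resulting line would likely not match any sender domain, meaning the stricter Softfail/Neutral handling silently does not apply to the domains the operator meant to protect. A truthiness test plus a join accepts both shapes: `{% if postfix_spf_policy_reject_not_pass_domains %}` and `Reject_Not_Pass_Domains = {{ [postfix_spf_policy_reject_not_pass_domains] | flatten | join(',') }}`. The `Domain_Whitelist` block in the context lines above uses the same comparison and has the same limitation.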