PureMessage for UNIX: Enabling SPF in PureMessage

  • Article ID: 37093
  • Updated: 05 Jun 2012

RFC 4408 describes SPF as a protocol that domain owners can employ to authorize hosts to use their domain name in the "MAIL FROM" or "HELO" identity. Compliant domain holders publish Sender Policy Framework (SPF) records specifying which hosts are permitted to use their names. Compliant mail receivers use the published SPF records to test the authorization of sending Mail Transfer Agents (MTAs) using a given "HELO" or "MAIL FROM" identity during a mail transaction.

The Sophos Anti-Spam Engine supports SPF lookups.

Requirements

In order to enable SPF support in PureMessage for UNIX, you must have correctly configured your internal hosts and trusted relays.

Note: Enabling SPF checks will cause at least one extra DNS request per message processed.

Enabling the SPF Plugin

The following instructions assume PureMessage is installed in /opt/pmx. If it is not, adjust the paths to match your installation directory.

By default, SPF support is disabled. To enable it:

1. Edit the file /opt/pmx/etc/spam.d/spf.conf so that it is similar to the following:

<plugin spf>
skip_spf_checks = 0
</plugin>

2. Save the file, then restart your milters:

$ pmx-milter restart

Your message log should indicate that the SPF rules have fired. For example:

2007-04-05T15:29:42 q=46157856_23536_2_1 f=example@badhost.com t=<you@yourdomain.com> h=SPF_FAIL h=... Size=1112 fur=1.2.3.4 vs p=0.076 r=localhost tm=0.33 a=a/eom

2007-04-05T15:31:07 q=461578A9_23536_3_1 f=example@goodhost.com t=<you@yourdomain.com> h=SPF_PASS h=... Size=1110 i fur=9.8.7.6 vs p=0.076 r=localhost tm=2.21 a=a/eom
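
To confirm after the restart that the SPF rules are firing, the message log can be tallied by SPF result. The following Python script is an added example, not Sophos code: it assumes the key=value layout of the sample entries above (f= as the sender, q= as the message identifier, every entry starting with a timestamp), and its sample log is constructed.

```python
import re
from collections import Counter, defaultdict

# Rule names exposed by the SPF plugin, as listed in this article.
SPF_RULES = {"SPF_" + r for r in "NONE NEUTRAL PASS FAIL SOFTFAIL ERROR UNKNOWN".split()}
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\s")  # assumed entry prefix
FIELD = re.compile(r"(\w+)=(\S+)")  # key=value tokens, as in the sample entries

# Constructed sample: the first entry is wrapped to exercise re-joining, the third has no SPF hit.
SAMPLE_LOG = """\
2007-04-05T15:29:42 q=46157856_23536_2_1 f=example@badhost.com
t=<you@yourdomain.com> h=SPF_FAIL h=... Size=1112 fur=1.2.3.4 vs p=0.076 r=localhost
tm=0.33 a=a/eom
2007-04-05T15:31:07 q=461578A9_23536_3_1 f=example@goodhost.com t=<you@yourdomain.com> h=SPF_PASS Size=1110 p=0.076 r=localhost tm=2.21 a=a/eom
2007-04-05T15:32:10 q=461578B0_23536_4_1 f=news@nospf.example t=<you@yourdomain.com> Size=900 p=0.010 r=localhost tm=0.20 a=a/eom
"""

def entries(text):
    """Yield one string per log entry, re-joining wrapped continuation lines."""
    current = None
    for line in filter(str.strip, text.splitlines()):
        if ENTRY_START.match(line):
            if current is not None:
                yield current
            current = line.strip()
        elif current is not None:
            current += " " + line.strip()
    if current is not None:
        yield current

def spf_summary(text):
    """Return (hits per rule, sender domains per rule, q= values with no SPF hit)."""
    counts, domains, missing = Counter(), defaultdict(set), []
    for entry in entries(text):
        fields = FIELD.findall(entry)
        hits = [v for k, v in fields if k == "h" and v in SPF_RULES]
        sender = next((v for k, v in fields if k == "f"), "")
        if not hits:
            missing.append(next((v for k, v in fields if k == "q"), "?"))
        for rule in hits:
            counts[rule] += 1
            domains[rule].add(sender.strip("<>").rpartition("@")[2].lower())
    return counts, domains, missing

if __name__ == "__main__":
    counts, domains, missing = spf_summary(SAMPLE_LOG)
    print(dict(counts), sorted(domains["SPF_FAIL"]), "no SPF hit:", missing)
```

If every entry written after the restart ends up in the no-SPF-hit list, the plugin is not firing and spf.conf should be rechecked.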

Disabling the SPF Plugin

To disable SPF support:

1. Edit the file /opt/pmx/etc/spam.d/spf.conf so that it is similar to the following:

<plugin spf>
skip_spf_checks = 1
</plugin>

2. Save the file, and then restart your milters:

$ pmx-milter restart

Rule Names

The following rules are exposed by the SPF plugin. Descriptions are taken from RFC 4408 <http://www.openspf.org/RFC_4408#op-result>.

SPF_NONE

A result of "None" means that no records were published by the domain or that no checkable sender domain could be determined from the given identity. The checking software cannot ascertain whether the client host is authorized.

SPF_NEUTRAL

The domain owner has explicitly stated that he cannot or does not want to assert whether the IP address is authorized. A "Neutral" result must be treated exactly like a "None" result (the distinction exists only for informational purposes). Treating "Neutral" more harshly than "None" would discourage domain owners from testing the use of SPF records.

SPF_PASS

A "Pass" result means that the client is authorized to inject mail with the given identity. The domain can now, in the sense of reputation, be considered responsible for sending the message. Further policy checks can now proceed with confidence in the legitimate use of the identity.

SPF_FAIL

A "Fail" result is an explicit statement that the client is not authorized to use the domain in the given identity. The checking software can choose to mark the mail based on this or to reject the mail outright.

SPF_SOFTFAIL

A "SoftFail" result should be treated as somewhere between a "Fail" and a "Neutral". The domain determines the host is not authorized but is not willing to make that strong of a statement. Receiving software should not reject the message based solely on this result, but may subject the message to closer scrutiny than normal.

SPF_ERROR

An error occurred while performing the SPF lookup.

SPF_UNKNOWN

The SPF lookup returned an unrecognized result.

Weighting the Rules

Although you can adjust rule weights on the Anti-Spam Rules page of the Policy tab in the PureMessage Manager, it is recommended that you keep a weight of zero for all SPF settings and use the Spam rule hit test in the policy instead. Place this test after the Spam probability rule. You can also configure appropriate actions; for example, you could quarantine the message and log it with a keyword.

See Also

RFC 4408 <http://www.openspf.org/RFC_4408>

The OpenSPF web site <http://www.openspf.org/>

 
If you need more information or guidance, then please contact technical support.
