Postfix: How to accept email with valid SPF but unresolvable hostname

Tags: email, email-server, postfix, spam, spf

I have configured my Postfix to reject email sent from hosts without a PTR record and from hostnames that don't have an A record. I found there are legitimate mail servers with valid SPF records which don't have an A record for their hostname. As a result, the legitimate emails were rejected.

Is there a way to configure Postfix to accept email with a valid SPF record even if there's no A record for the hostname or there's no PTR record for the IP address?

Best Answer

This could be possible if check_policy_service responded permit (from access(5) other actions) instead of neutral accept action OK vs. reject action reject. That would need modification to the SPF policy service policyd-spf.conf. Although I have never actually tried this, based on the manpage it seems that the Pass condition for both HELO and MAIL FROM allows using ANY action defined in access(5). Resulting configuration parameters in policyd-spf.conf:

HELO_pass_restriction = permit
Mail_From_pass_restriction = permit

Now, the order of the restrictions starts to matter as SPF policy service answers:

  • reject on SPF Fail
  • permit on SPF Pass
  • neutral OK on all other conditions including errors, Softfail, Neutral and no SPF.

Then, the Postfix main.cf can have all your restrictions in this kind of order:

smtpd_recipient_restrictions =
    permit_mynetworks,

    [checks done regardless of SPF],

    check_policy_service unix:private/policy-spf,

    [checks done only if SPF didn't either Pass or Fail],

    permit

Both permit and reject are first matches mentioned in smtpd_recipient_restrictions:

"Restrictions are applied in the order as specified; the first restriction that matches wins"

while the neutral response from any restriction causes moving to the next one.
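The ordering described in this answer can be checked with a small model of first-match-wins evaluation. This is an added example, not part of the original answer and not Postfix code: the Client fields and sample clients are constructed, and the use of reject_unknown_reverse_client_hostname and reject_unknown_helo_hostname for the PTR and A-record checks is an assumption about the asker's setup. It also shows why reject_unauth_destination belongs in the "checks done regardless of SPF" group: a permit from the policy service skips everything listed after it.

```python
# Simplified model of Postfix restriction evaluation (illustrative only).
from dataclasses import dataclass

@dataclass
class Client:                      # constructed sample input, not a Postfix type
    spf: str                       # "Pass", "Fail", "Softfail", "None", ...
    has_ptr: bool                  # client IP has a PTR record
    helo_resolves: bool            # HELO hostname has an A record
    rcpt_local: bool = True        # recipient domain is one we accept mail for

def policy_spf(c):
    # As configured in the answer: reject on Fail, permit on Pass, else neutral.
    return {"Fail": "reject", "Pass": "permit"}.get(c.spf, "neutral")

def neutral_if(ok):
    return "neutral" if ok else "reject"

UNAUTH = ("reject_unauth_destination", lambda c: neutral_if(c.rcpt_local))
SPF = ("check_policy_service", policy_spf)
PTR = ("reject_unknown_reverse_client_hostname", lambda c: neutral_if(c.has_ptr))
HELO = ("reject_unknown_helo_hostname", lambda c: neutral_if(c.helo_resolves))
FINAL = ("permit", lambda c: "permit")

# Order from the answer: unconditional checks, SPF policy, fallback checks.
ORDERED = [UNAUTH, SPF, PTR, HELO, FINAL]
# Policy service first: an SPF Pass now also skips the relay check.
MISORDERED = [SPF, UNAUTH, PTR, HELO, FINAL]

def evaluate(client, restrictions=ORDERED):
    """Return (decision, deciding restriction); neutral results fall through."""
    for name, check in restrictions:
        result = check(client)
        if result in ("permit", "reject"):
            return result, name
    return "permit", "(end of list)"

if __name__ == "__main__":
    samples = {
        "SPF Pass, no PTR, no A": Client("Pass", False, False),
        "SPF Fail, clean DNS": Client("Fail", True, True),
        "no SPF, no PTR": Client("None", False, True),
        "SPF Pass, relay attempt": Client("Pass", True, True, rcpt_local=False),
    }
    for label, client in samples.items():
        print(f"{label:26} ordered={evaluate(client)} "
              f"misordered={evaluate(client, MISORDERED)}")
```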