I have configured my Postfix to reject email sent from hosts without a PTR record and hostnames that don't have an A record. I found there are legitimate mail servers with valid SPF records which don't have an A record for their hostname. As a result, the legitimate emails were rejected.
Is there a way to configure Postfix to accept email with a valid SPF record even if there's no A record for the hostname or there's no PTR record for the IP address?
Best Answer
This could be possible if check_policy_service responded permit (from access(5) other actions) instead of neutral accept action OK vs. reject action reject. That would need modification to the SPF policy service policyd-spf.conf. Although I have never actually tried this, based on the manpage it seems that the Pass condition for both HELO and MAIL FROM allows using ANY action defined in access(5). Resulting configuration parameters in policyd-spf.conf:

Now, the order of the restrictions starts to matter as SPF policy service answers:
reject on SPF Fail
permit on SPF Pass
OK on all other conditions including errors, Softfail, Neutral and no SPF.

Then, the Postfix main.cf can have all your restrictions in this kind of order:

Both permit and reject are first matches mentioned in smtpd_recipient_restrictions while the neutral response from any restriction causes moving to the next one.
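
The ordering rule from this answer, as an added example that is not part of the original post and is not Postfix or policyd-spf code: a simplified Python model of first-match evaluation, assuming the three-way SPF mapping the answer describes. The check names other than reject_unauth_destination, the list names and the sample clients are hypothetical.

```python
# Added example: simplified model of first-match restriction evaluation.
# Not Postfix or policyd-spf code; check names other than
# reject_unauth_destination, and all sample clients, are hypothetical.
PERMIT, REJECT, NEUTRAL = "permit", "reject", "neutral"

def spf_policy(c):
    # Mapping described in the answer: Fail rejects, Pass permits,
    # every other SPF result gives no decision.
    return {"Fail": REJECT, "Pass": PERMIT}.get(c["spf"], NEUTRAL)

def reject_no_ptr(c):               # stands in for the PTR check
    return NEUTRAL if c["has_ptr"] else REJECT

def reject_no_helo_a(c):            # stands in for the A-record check
    return NEUTRAL if c["helo_has_a"] else REJECT

def reject_unauth_destination(c):   # relay protection
    return NEUTRAL if c["rcpt_is_local"] else REJECT

def evaluate(restrictions, c):
    """Return (verdict, deciding check); the first non-neutral answer wins."""
    for check in restrictions:
        verdict = check(c)
        if verdict != NEUTRAL:
            return verdict, check.__name__
    return PERMIT, "end_of_list"    # nothing objected, mail is accepted

# SPF answer consulted before the DNS checks, after relay protection.
SPF_BEFORE_DNS = [reject_unauth_destination, spf_policy,
                  reject_no_ptr, reject_no_helo_a]
# DNS checks first: an SPF Pass can no longer rescue the message.
DNS_BEFORE_SPF = [reject_unauth_destination, reject_no_ptr,
                  reject_no_helo_a, spf_policy]
# Misordered: permit on SPF Pass skips relay protection as well.
SPF_BEFORE_RELAY_CHECK = [spf_policy, reject_unauth_destination,
                          reject_no_ptr, reject_no_helo_a]

# Constructed sample clients.
LEGIT_NO_PTR = dict(spf="Pass", has_ptr=False, helo_has_a=False, rcpt_is_local=True)
SOFTFAIL_NO_PTR = dict(spf="Softfail", has_ptr=False, helo_has_a=True, rcpt_is_local=True)
PASS_TO_FOREIGN_RCPT = dict(spf="Pass", has_ptr=True, helo_has_a=True, rcpt_is_local=False)

if __name__ == "__main__":
    for name, order in [("SPF_BEFORE_DNS", SPF_BEFORE_DNS),
                        ("DNS_BEFORE_SPF", DNS_BEFORE_SPF),
                        ("SPF_BEFORE_RELAY_CHECK", SPF_BEFORE_RELAY_CHECK)]:
        for c in (LEGIT_NO_PTR, SOFTFAIL_NO_PTR, PASS_TO_FOREIGN_RCPT):
            print(name, c["spf"], evaluate(order, c))
```

Because a permit ends the list just as a reject does, the model keeps the SPF policy check after relay protection and before the PTR and A-record checks.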