
IMSVA 9.x SPF SOP

This document provides instructions for configuring Sender Policy Framework (SPF) checking on an IMSVA 9 email server using Postfix. It describes how to enable or disable SPF, the Postfix configuration required, and options in the SPF policy script configuration file.

Uploaded by

niharsuri31

IMSVA 9 Sender Policy Framework

Configuration Guide

1. Introduction

SPF (Sender Policy Framework) is an open standard that helps resist sender address forgery. Organizations that want to adopt SPF must publish DNS records for the hosts that are used in “MAIL FROM” and “HELO” identities, so that recipients can query these records to determine whether a host is authorized to send email messages for the domain. The complete specifications of SPF are documented in RFC 4408. For a simple introduction, visit http://www.openspf.org/Introduction.

This document guides you on how to integrate SPF checking for IMSVA 8.2. This solution makes use of the Postfix SMTP access policy delegation mechanism. A script does the SPF checking and reports specific actions to Postfix. Postfix then takes the appropriate action. For further details, visit http://www.postfix.org/SMTPD_POLICY_README.html.

2. Enable/Disable

To Enable SPF
1. Modify your Postfix settings to inject SPF checking into the Postfix email message flow.

Postfix has two main configuration files: master.cf and main.cf. The master.cf configuration file defines how a client program connects to a service, and what daemon program runs when a service is requested. The Postfix main.cf configuration file specifies a subset of all the parameters that control the operation of the Postfix mail system.

In /opt/trend/imss/postfix/etc/postfix/master.cf, remove the comments for the following so that the SPF script will be launched by Postfix when needed.

    SPFPolicyd unix - n n - 0 spawn
      user=imss argv=/opt/trend/imss/postfix/etc/postfix/SPFPolicyd/SPFPolicyd.py

In /opt/trend/imss/postfix/etc/postfix/main.cf, remove the comments for “smtpd_sender_restrictions” to let Postfix perform an SPF check after receiving a “MAIL FROM” command.

    smtpd_sender_restrictions =
      check_policy_service unix:private/SPFPolicyd

NOTE: IMSVA 9.0 already specifies a value for smtpd_sender_restrictions by default, so you only need to add the SPF policy service to the existing value, as follows.

    smtpd_sender_restrictions =
      check_policy_service inet:127.0.0.1:999, check_policy_service unix:private/SPFPolicyd

By default, Postfix stops the SPF check process after 1000 seconds. This is too short for a policy daemon that may need to run for as long as the SMTP server process that talks to it. To extend the time for the SPF check process, remove the comments for the following in main.cf.

    SPFPolicyd_time_limit = 3600

2. Restart the Postfix service, to make all the modifications take effect, using the following command:

    # postfix restart

The logs of the SPF check script are written to /var/log/maillog, with a leading “SPFPolicyd” in
front of each line in the log.

To verify that SPF checking works, send an email message that can pass an IMSVA scan. If the
message contains “Received-SPF” in the header, the SPF check script is working correctly.

To Disable SPF
To disable SPF checking, insert comments for the entries added in the previous section to
master.cf and main.cf. Then restart the Postfix service.

3. Configuration

The file config.ini, under the same folder as the script, is the main configuration file. The format for the file is as follows:

    # Comments…
    [section1]
    Key1 = value1

    [section2]
    Key2 = value1, value2

3.1. Basic Configuration

The table below describes detailed uses of all keys in config.ini.

NOTE: Possible values are separated by pipes “|”. Underlined values are default values. For
parameters that can have multiple values, use a comma or space to separate them. For example:
example.com, example2.com.

Each entry below gives the Section, Parameter, Value and Description.

Section: globals

Parameter: block_res
Value: <text> | 550 Service unavailable; SPF check unsuccessful and transaction closed due to the organization's policy.
Description: The SMTP response code if email messages are blocked. Both the response code “550” and message can be customized. The response code can be any valid 3 digits starting with 5. Do not forget the blank space between the response code and the message.

Parameter: check_helo
Value: yes | no
Description: Specifies if the HELO/EHLO identity needs to do a SPF check. The HELO/EHLO identity will be checked if the MAILFROM identity is empty or invalid.

Parameter: enforce_domain
Value: <comma or space separated list of domains>
Description: Specifies an enforcement list of domains. Email messages from these domains will have the actions defined in the “enforce_actions” section applied to them. You can add domains that are frequently forged by spammers and apply stricter actions, to better protect your mail system.

Parameter: enforce_ip
Value: <comma or space separated list of IPs>
Description: Specifies an enforcement list of IP addresses. The usage is similar to “enforce_domain”. Currently only IPv4 is supported. You can use the specific format <x.x.x.x> to exactly match an IP address, or the subnet mask pattern <x.x.x.x>/<subnet mask length> to match a series of IP addresses.

Parameter: log_level
Value: 0|1|2|3|4
Description: Defines the log level. There are 5 log levels.
    0: no log > no log will be generated.
    1: normal > provides basic information for administration and maintenance.
    2: detailed > detailed information, including original SPF check results.
    3: diagnostic > all information of level 1 and 2 logs, plus configurations in use.
    4: debug > most detailed, only recommended when troubleshooting.

Parameter: pass
Value: bypass | tempblock | block
Description: SPF queries can return 7 kinds of results: pass, neutral, softfail, fail, none, temperror and permerror. The parameters with the same names define the corresponding actions. The available actions are: bypass, tempblock and block.
    Bypass: means the SPF check is not performed.
    Tempblock: returns a 4XX SMTP response to temporarily block the mail.
    Block: returns a 5XX response to block the mail.
    Pass: means the host is allowed to send messages for this domain.

Parameter: neutral
Value: bypass | tempblock | block
Description: Neutral means the validity of this host is not specified.

Parameter: softfail
Value: bypass | tempblock | block
Description: Softfail means the host is not allowed to send messages but is in transition.

Parameter: fail
Value: bypass | tempblock | block
Description: Fail means the host is not allowed to send messages.

Parameter: none
Value: bypass | tempblock | block
Description: None means the domain does not have an SPF record or the SPF record does not have a result.

Parameter: temperror
Value: bypass | tempblock | block
Description: Temperror means a temporary error has occurred. For example: network connections lost.

Parameter: permerror
Value: bypass | tempblock | block
Description: Permerror means a permanent error has occurred. For example: SPF record invalid format.

Parameter: prepend_header
Value: yes | no
Description: Specify whether to insert a “Received-SPF” header in your messages. Trend Micro recommends adding this header for further administration or analysis of messages.

Parameter: tempblock_res
Value: <text> | 451 Service temporarily unavailable; SPF check unsuccessful and transaction closed due to the organization's policy.
Description: The SMTP response code if temporarily blocking the messages. Both the response code “451” and message can be customized. The response code can be any valid 3 digits starting with 4. Do not forget the blank space between the response code and message.

Parameter: white_domain
Value: <comma or space separated list of domains>
Description: Specify an approved list of domains. Messages from these domains will bypass the SPF check. You can add trusted domains to this list.

Parameter: white_ip
Value: <comma or space separated list of IPs> | 127.0.0.1
Description: Specify an approved list of IP addresses. Messages from these addresses will bypass the SPF check. You can add trusted IP addresses to this list.

Section: enforce_actions

Parameter: pass
Value: bypass | tempblock | block
Description: Parameters under the “enforce_actions” section define the actions for domains and IP addresses in the enforcement list. Follows the same behavior as global actions.

Parameter: neutral
Value: bypass | tempblock | block
Description: Same as above.

Parameter: softfail
Value: bypass | tempblock | block
Description: Same as above.

Parameter: fail
Value: bypass | tempblock | block
Description: Same as above.

Parameter: none
Value: bypass | tempblock | block
Description: Same as above.

Parameter: temperror
Value: bypass | tempblock | block
Description: Same as above.

Parameter: permerror
Value: bypass | tempblock | block
Description: Same as above.
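
How the parameters above map onto the Postfix policy delegation exchange, as an added example (this is not the shipped SPFPolicyd.py). The request and settings are constructed samples, and answering bypass with PREPEND or DUNNO is an assumption about how such a script would reply.

```python
# Constructed request, in the name=value form Postfix sends to a policy service.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=MAIL\n"
                  "client_address=203.0.113.5\nhelo_name=mail.example.com\nsender=\n\n")
# Constructed settings using the [globals] keys and default texts described above.
SETTINGS = {
    "check_helo": "yes", "prepend_header": "yes",
    "block_res": "550 Service unavailable; SPF check unsuccessful and transaction closed due to the organization's policy.",
    "tempblock_res": "451 Service temporarily unavailable; SPF check unsuccessful and transaction closed due to the organization's policy.",
}
HEADER_RESULT = {"pass": "Pass", "fail": "Fail", "softfail": "SoftFail", "neutral": "Neutral",
                 "none": "None", "temperror": "TempError", "permerror": "PermError"}

def parse_request(raw):
    """Parse one request: name=value lines terminated by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def identity(attrs, settings):
    """Return (kind, domain): MAIL FROM domain, or HELO when the sender is empty or invalid."""
    local, at, domain = attrs.get("sender", "").rpartition("@")
    if at and local and domain:
        return "mailfrom", domain.lower()
    if settings["check_helo"] == "yes" and attrs.get("helo_name"):
        return "helo", attrs["helo_name"].lower()
    return None, None

def build_reply(action, spf_result, attrs, settings):
    """Translate a configured action into a Postfix policy reply."""
    if action == "block":
        return "action=" + settings["block_res"] + "\n\n"
    if action == "tempblock":
        return "action=" + settings["tempblock_res"] + "\n\n"
    if settings["prepend_header"] == "yes":
        # Assumption: bypass still records the result so a later policy can match on it.
        return ("action=PREPEND Received-SPF: %s client-ip=%s;\n\n"
                % (HEADER_RESULT[spf_result], attrs["client_address"]))
    # Assumption: DUNNO lets the remaining Postfix restrictions decide.
    return "action=DUNNO\n\n"
```

The reply text after `action=` for block and tempblock is exactly the block_res or tempblock_res value, which is why the blank space between the code and the message matters.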

3.2. Configure Domain-Specific Actions

Sometimes you may want to apply specific actions to some domains. For example, the domain example.com has a published SPF record and never sends messages using hosts not in the SPF record. So you want to block messages if they do not come from the hosts in the SPF record. You can add a section in config.ini to block those messages.

    [<domain>.com]
    none=block

Now if the SPF query result is none, the message will be blocked. Actions for other query results are kept the same as the global actions. You can also override actions for other query results if needed.

Wildcards are supported. For example, you can use “*.example.com” to define actions for example.com and all its sub-domains. The SPF check automatically searches for the best matched domains. If the sender is “postmaster@example.com”, the SPF check will first look for “[example.com]”; if this section does not exist, it will look for “[*.example.com]” next.

The priority of this section is lower than that of the approved list and the enforcement list.
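
The lookup order described above, as an added example (not the shipped SPFPolicyd.py) that resolves the action for one message from a constructed config.ini. Checking the approved list before the enforcement list, walking up sub-domain labels for wildcard sections, and falling back to bypass when a key is missing are assumptions; the guide only states that both lists outrank domain sections.

```python
import configparser
import ipaddress

# Constructed sample config.ini; section and key names follow this guide.
SAMPLE = """
[globals]
white_ip = 127.0.0.1, 192.0.2.0/24
enforce_domain = bank.example
enforce_ip = 198.51.100.7
softfail = bypass
fail = block
none = bypass
[enforce_actions]
softfail = block
none = tempblock
[*.example.com]
none = block
"""

def load(text=SAMPLE):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg

def _items(section, key):
    # Lists may be separated by commas or spaces.
    return section.get(key, "").replace(",", " ").split()

def _ip_listed(ip, entries):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def _candidate_sections(domain):
    # Exact section first, then wildcard sections from most to least specific.
    yield domain
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        yield "*." + ".".join(labels[i:])

def resolve_action(cfg, domain, client_ip, result):
    g, domain = cfg["globals"], domain.lower()
    if _ip_listed(client_ip, _items(g, "white_ip")) or domain in _items(g, "white_domain"):
        return "bypass"          # approved list: no SPF action applied
    if _ip_listed(client_ip, _items(g, "enforce_ip")) or domain in _items(g, "enforce_domain"):
        return cfg["enforce_actions"].get(result, g.get(result, "bypass"))
    for name in _candidate_sections(domain):
        if cfg.has_section(name) and result in cfg[name]:
            return cfg[name][result]
    # Assumption: a result with no configured action falls back to bypass.
    return g.get(result, "bypass")
```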

3.3. Using SPF with Cloud Pre-Filter

If you are using Cloud Pre-Filter, a little more configuration is needed. Cloud Pre-Filter actually
works as a proxy, so messages passed from Cloud Pre-Filter may not pass an SPF check. You have
to add the IP addresses of Cloud Pre-Filter to the approved list. If you enabled Cloud Pre-Filter,
open the file “/opt/trend/imss/postfix/etc/postfix/NRSAllowAccessList”, and add the IP addresses
in this file to “white_ip”, so messages from Cloud Pre-Filter will not be subjected to an SPF check.
There may be many IP addresses for Cloud Pre-Filter, so you can make use of the subnet format
(<IP address>/<subnet mask length>) to save time.

How to create a policy to Quarantine/tag SPF checking fail mail

If you do not want Postfix to reject messages that fail the SPF check, you can create a policy to tag or quarantine them.
1. Open the file /opt/trend/imss/postfix/etc/postfix/SPFPolicyd/config.ini
2. Change the action for fail/softfail to bypass:

    fail=bypass
    softfail=bypass

Comment: When the action is set to bypass, Postfix does not reject the message; it inserts the SPF check result in the message header, so you can create a policy to catch the failed messages.

3. On the IMSVA UI, create a policy:
- On “Policy > Policy List”, create a policy.
- On “Scanning Conditions”, set as follows:
- Create an SPF fail keyword:
- SPFFail keyword
There are two kinds of fail: 1. SoftFail; 2. Fail. Create the keyword you want.
- Follow the policy creation wizard. Set the preferred action (“Tag subject”, Quarantine ….)

Others:
1. In some environments, DNS may have performance issues. If you encounter this issue, you can set smtpd_policy_service_timeout to 600 (or higher) to make sure the query does not time out.
- In main.cf, set smtpd_policy_service_timeout=600s
- postfix reload
