Postfix SPF readme
-------------------

SPF patch by Dean Strik, partly based on Jef Poskanzer's spfmilter
Official site:    http://www.ipnet6.org/postfix/spf/
License:          Secure Mailer License (Postfix License)

----

This document describes how to configure Postfix to use SPF ("Sender
Policy Framework") validation. It does not describe the function or
design of SPF itself. Refer to one or more of the websites listed at
the end of this text for more information.

The actual SPF validation is offloaded to a special library called
libspf2. It is therefore necessary that you install libspf2 on your
system. You can find libspf2 either in your usual package repository or
at http://www.libspf2.org/.

To build Postfix, after installing libspf2, use something like:

    % make tidy
    % make makefiles CCARGS="-I/usr/local/include" \
        AUXLIBS="-L/usr/local/lib -lspf2"
    % make

The pathnames here are the default pathnames used by libspf2's
installation procedure, which is not documented here.

SPF sender validation is implemented as a standard Postfix
restriction called "reject_spf_invalid_sender". You can therefore
place it in a restriction list such as smtpd_recipient_restrictions.
For more information on how to do this, consult your Postfix
documentation.

By default, Postfix adds a mail header, Received-SPF:, to any mail
that goes through SPF validation and is accepted. This information can
be useful for the recipient of the message. You can disable this
behaviour by setting 'spf_received_header = no'.

By default, Postfix will reject mail with invalid sender credentials.
You can however choose to prevent this from happening, and let the mail
pass, by setting 'spf_mark_only = yes'. The Received-SPF: header
(if enabled, see above) will show that the mail failed the test.
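
An added example, not part of the patch or of the original readme: with
'spf_mark_only = yes' you can measure what enforcement would reject by
tallying the Received-SPF: results in delivered mail. It assumes the header
follows the RFC 7208 layout (result keyword first, envelope-from= key), that
the topmost header is the one added by your own server, and that only a
'fail' result is rejected; the sample messages are constructed.

```python
import email
import re
from collections import Counter

# Constructed sample messages, not real mail. Header layout assumed to follow
# RFC 7208 section 9.1: result keyword first, then comment and key=value pairs.
SAMPLES = [
    "Received-SPF: pass (mx.example.net: 192.0.2.10 is permitted)"
    " client-ip=192.0.2.10; envelope-from=alice@example.org;\n\nbody\n",
    # Folded header, as a long header line is usually wrapped.
    "Received-SPF: fail (mx.example.net: 198.51.100.7 is not permitted)\n"
    "\tclient-ip=198.51.100.7; envelope-from=bob@example.com;\n\nbody\n",
    "Received-SPF: softfail (mx.example.net: transitioning)"
    " client-ip=203.0.113.5; envelope-from=dave@example.net;\n\nbody\n",
    "Subject: no SPF header at all\n\nbody\n",
    # A lower header claims 'pass'; only the topmost one is trusted (assumption).
    "Received-SPF: fail (mx.example.net: 198.51.100.9 is not permitted)"
    ' client-ip=198.51.100.9; envelope-from="carol@example.com";\n'
    "Received-SPF: pass (forged by sender)\n\nbody\n",
]

def top_spf_header(raw_message):
    """Value of the topmost Received-SPF header, or None if there is none."""
    values = email.message_from_string(raw_message).get_all("Received-SPF")
    return values[0] if values else None

def spf_result(raw_message):
    """SPF result keyword ('pass', 'fail', ...), 'absent' or 'malformed'."""
    value = top_spf_header(raw_message)
    if value is None:
        return "absent"
    tokens = value.split()
    return tokens[0].lower() if tokens else "malformed"

def tally(raw_messages):
    """Count messages per SPF result."""
    return Counter(spf_result(m) for m in raw_messages)

def would_be_rejected(raw_messages):
    """Envelope senders of 'fail' mail (assumed to be what enforcement rejects)."""
    senders = []
    for m in raw_messages:
        if spf_result(m) == "fail":
            found = re.search(r'envelope-from="?([^";\s]+)', top_spf_header(m))
            senders.append(found.group(1) if found else "unknown")
    return sorted(senders)

if __name__ == "__main__":
    print(dict(tally(SAMPLES)), would_be_rejected(SAMPLES))
```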

You can set the numerical SMTP response code used when rejecting mail
due to SPF rule violations by changing the value of the
'spf_reject_code' variable (default: 550).

If a site provides SPF DNS records but no explanation, a generic
explanation will be used, with a URL to visit for more information.
You can override this generic explanation with the spf_explanation
setting, e.g.:

    spf_explanation = "%{h} [%{i}] is not allowed to send mail for %{s}"

See the SPF reference sites for information about the format used.

It is also possible to set a local policy using the spf_local_policy
setting. Currently the format is not documented here.

There exists a global SPF whitelist on trusted-forwarder.org. You can
enable use of this global whitelist by setting the variable
'spf_global_whitelist = yes'.

----

Bugs/problems/reports: the author of this patch, Dean Strik, can be
contacted at <dean@ipnet6.org>. If reporting a problem, please send
the output of
    postconf -d spf_patch_version spf_libspf2_version
with your report.

Site address: downloads and information with regard to this patch can
be found at http://www.ipnet6.org/postfix/spf/

Links:
	http://www.ipnet6.org/postfix/spf/	- Patch home page
	http://spf.pobox.com/			- SPF background
	http://www.libspf2.org/			- LibSPF2 site
	http://www.trusted-forwarder.org/	- Global whitelist
	http://www.postfix.org/			- Postfix home page

[Dean Strik <dean@ipnet6.org>, 5 Jul 2004]
