feat(spf): conduct spf check for inbound smtp

NOTE: currently a failed SPF check does not block the message.
currently set to add header for testing purposes.

MR !6

dockerfile

@@ -74,7 +74,9 @@ RUN apt update && DEBIAN_FRONTEND=noninteractive apt -y --no-install-recommends
       libio-lockedfile-perl \
         # DKIM
       opendkim=2.11.0~beta2-4 \
-      opendkim-tools=2.11.0~beta2-4
+      opendkim-tools=2.11.0~beta2-4 \
+        # SPF
+      postfix-policyd-spf-python=2.9.2-1
 
 
 # Cleanup, remove cron jobs not required
@@ -187,7 +189,9 @@ RUN postconf -e "maillog_file=/var/log/postfix.log" \
   && postconf -e "smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
   && postconf -e "smtp_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
   && postconf -e "smtpd_tls_mandatory_ciphers=high" \
-  && postconf -e "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1"
+  && postconf -e "smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
+     # SPF postfix Settings
+  && postconf -e "policyd-spf_time_limit=3600"
     
 EXPOSE 25 587 993 4190
 

include/etc/postfix-policyd-spf-python/policyd-spf.conf

@@ -0,0 +1,16 @@
+#  For a fully commented sample config file see policyd-spf.conf.commented
+# or https://manpages.debian.org/testing/postfix-policyd-spf-python/policyd-spf.conf.5.en.html
+
+debugLevel = 1 
+TestOnly = 1
+
+# Don't bounce mail (False). to bounce mail set to False
+HELO_reject = False
+Mail_From_reject = False
+
+PermError_reject = False
+TempError_Defer = False
+
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
+
+

include/etc/postfix/master.cf

@@ -14,7 +14,7 @@ smtp      inet  n       -       y       -       1       postscreen
 smtpd     pass  -       -       y       -       -       smtpd
   -o syslog_name=postfix/inbound
   -o smtpd_tls_security_level=may
-  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_destination,permit_auth_destination,reject
+  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unknown_sender_domain,reject_unauth_destination,check_policy_service,unix:private/policyd-spf,permit_auth_destination,reject
 
 #dnsblog   unix  -       -       y       -       0       dnsblog
 #tlsproxy  unix  -       -       y       -       0       tlsproxy
@@ -63,6 +63,8 @@ amavis unix -      -       n     -       2  smtp
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
   -o content_filter=
 
+policyd-spf unix -     n       n       -       2       spawn
+  user=policyd-spf argv=/usr/bin/policyd-spf
 
 #spamassassin unix -     n       n       -       -       pipe 
 #  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

test/docker-compose.yml

@@ -83,7 +83,7 @@ services:
     restart: unless-stopped
     cpus: 2
     mem_limit: 512MB
-    hostname: mail.nofusscomputing.com
+    hostname: test.example.org
     volumes:
       - mail_store:/srv/mail:rw
       - mail_ssl:/certs