feat(spf): conduct spf check for inbound smtp

NOTE: currently a failed SPF check does not block the message.
currently set to add header for testing purposes.

MR !6

include/etc/postfix-policyd-spf-python/policyd-spf.conf

@@ -0,0 +1,16 @@
+#  For a fully commented sample config file see policyd-spf.conf.commented
+# or https://manpages.debian.org/testing/postfix-policyd-spf-python/policyd-spf.conf.5.en.html
+
+debugLevel = 1 
+TestOnly = 1
+
+# Don't bounce mail (False). to bounce mail set to False
+HELO_reject = False
+Mail_From_reject = False
+
+PermError_reject = False
+TempError_Defer = False
+
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
+
+

include/etc/postfix/master.cf

@@ -14,7 +14,7 @@ smtp      inet  n       -       y       -       1       postscreen
 smtpd     pass  -       -       y       -       -       smtpd
   -o syslog_name=postfix/inbound
   -o smtpd_tls_security_level=may
-  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_destination,permit_auth_destination,reject
+  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unknown_sender_domain,reject_unauth_destination,check_policy_service,unix:private/policyd-spf,permit_auth_destination,reject
 
 #dnsblog   unix  -       -       y       -       0       dnsblog
 #tlsproxy  unix  -       -       y       -       0       tlsproxy
@@ -63,6 +63,8 @@ amavis unix -      -       n     -       2  smtp
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
   -o content_filter=
 
+policyd-spf unix -     n       n       -       2       spawn
+  user=policyd-spf argv=/usr/bin/policyd-spf
 
 #spamassassin unix -     n       n       -       -       pipe 
 #  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}