Tag Archives: spam

turn on spf filtering with postfix and centos 7

After running my new server for a while, I was noticing an unusually-high level of bogus email arriving in my inbox – mail that was being spoofed to look like it was coming from myself (to myself).

After a great deal of research, I learned there is a component of the DNS specification that allows for TEXT or SPF records. Sender Policy Framework was developed to help mail servers identify whether or not messages are being sent by authorized servers for their representative domains.

While there is a huge amount of stuff that could be added into a SPF record, what I am using for my domains is:

"v=spf1 mx -all"

Note: some DNS providers (like Digital Ocean) will make you use a TEXT record instead of a dedicated SPF record (which my registrar / DNS provider Pairnic supports).

If they require it be via TEXT record, it’ll look something like this: TXT @ "v=spf1 a include:_spf.google.com ~all"

Starting with this old how-to I found for CentOS 6, I added the policy daemon for Postfix (though it’s now in Python and not Perl) thusly:

yum install pypolicyd-spf

(I already had the EPEL yum repository installed – to get it setup, follow their directions, found here.)

Then I edited the master.cf config file for Postfix, adding the following at the bottom:

policy unix - n n - 0 spawn user=nobody argv=/bin/python /usr/libexec/postfix/policyd-spf

Note: those are actually tabs in my config file – but spaces work, too.

When you’re done with your edits and record additions, restart Postfix:

systemctl restart postfix

Then you’ll see messages like this in your /var/log/maillog file:

Apr 23 18:58:59 khopesh postfix/smtpd[18199]: NOQUEUE: reject: RCPT from unknown[]: 550 5.7.1 <warren@datente.com>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=warren@datente.com;ip=;r=warren@datente.com; from=<warren@datente.com> to=<warren@datente.com> proto=ESMTP helo=<[]>

And if you follow the directive to go visit the “Why” page on OpenSPF, you’ll see something like this explanation:

Why did SPF cause my mail to be rejected?

What is SPF?

SPF is an extension to Internet e-mail. It prevents unauthorized people from forging your e-mail address (see the introduction). But for it to work, your own or your e-mail service provider’s setup may need to be adjusted. Otherwise, the system may mistake you for an unauthorized sender.

Note that there is no central institution that enforces SPF. If a message of yours gets blocked due to SPF, this is because (1) your domain has declared an SPF policy that forbids you to send through the mail server through which you sent the message, and (2) the recipient’s mail server detected this and blocked the message.

warren@datente.com rejected a message that claimed an envelope sender address of warren@datente.com. warren@datente.com received a message from that claimed an envelope sender address of warren@datente.com.

However, the domain datente.com has declared using SPF that it does not send mail through That is why the message was rejected.

group admin in the era of facebook

Along the difficulties of initially building a good group/community, comes the hassles of managing said [virtual] community – especially on the book of the face.

I am a coadmin on the Ontario & Western Railways Historical Society Inc Facebook group. My friend Peter is a coadmin of the Linux Mint group.

Something both of us have noticed is the ridiculous spam problem Facebook groups have developed over the past 1-2 years. It’s not a new problem, of course – Stack Overflow has had problems since very early on, too: they printed A Theory of Moderation to outline the issues they were seeing, and how they planned to handle it.

The real problem at the root of all the spam lies, though, not in technology, but in people.

Even with active community self-regulation, moderators occasionally need to intervene. Moderators are human exception handlers, there to deal with those (hopefully rare) exceptional conditions that should not normally happen, but when they do, they can bring your entire community to a screaming halt – if you don’t have human exception handling in place.

Spam doesn’t arise on its own – it’s all developed by people. Until the people problem of spam can be addressed, it will continue. Sadly, technology, in and of itself, cannot deal with the people problem.

So instead we have human admins and moderators whose [typically volunteer] job is to ensure that the communit[y|ies] keeps to a general standard, as defined by the community itself. By assuming technology could be made that would fix the problem, we’re asking the wrong question: human behavior needs to be addressed and improved; while technology is wonderful and can aid in the process, it is no panacea.

Encouragements for moderation teams can come in the form of gamification (the SO model), community accolade, or just the individual admin’s personal satisfaction.

The drawback is that this task can become so overwhelming at times and in places that it those tasked with caring for the community, when the community itself won’t do anything about the problem(s), give up because they adopt the view that it’s everyone’s problem, and presume that since it is everyone’s problem, it’s not “theirs”.

What are the solutions to these issues? I can think of a few – but many remain yet unanswered:

  1. the community must encourage the admins
    • if the community isn’t doing something to make their admins feel appreciated, the admins will, eventually, leave
  2. better tech
    • it’s not possible to solve all problems with technology, but there are certainly many areas that can be improved in this regard
  3. community engagement and education
    • seasoned community members and admins alike need to take the time to “mentor” new community members to make sure they stick to the guidelines of that community
    • community members need to be proactive in assisting the moderators when inappropriate items are posted, or conversation degrades below the stands of the group
  4. a willingness to say “no”
    • admins and the general community needs to be willing to tell some people they are not welcome
    • this should [almost] never be in a hateful, grudge-bearing manner, but it must be done to ensure the integrity of the community in the long-term
  5. a willingness to morph
    • the flip side of (4) is that the community needs to be willing on a regular basis:
      • review its own guidelines
      • change / modify rules
      • find new admins
      • welcome new members who aren’t yet versed in the ways of the group ( related to (3) above)

I am sure there are many many more items that can be added to this list. But this is the starting point for every successfully-maintained community I’ve ever seen.

What others would you add, or what would you change?