Best ways to implement SPF for incoming mails

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
Post Reply
robertitox
Posts: 20
Joined: Sun May 06, 2018 10:48 pm

Best ways to implement SPF for incoming mails

Post by robertitox »

Dear, I have Zimbra 8.6 and I want to implement SPF for incoming mails.

I've just tried with SPF through cbpolicy but it doesn't work for me.

Is there any way to implement SPF for incoming mails without cbpolicyd? Maybe with any perl script downloable as RPM package or what is the easiest option ???

My goal is to reject ilegitime incoming mails from Internet, including mails from @mydomain to @mydomain.

Special thanks in advance.

Greetings !!!
User avatar
pup_seba
Outstanding Member
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain
Contact:

Re: Best ways to implement SPF for incoming mails

Post by pup_seba »

Hi,

I understand your struggle :) most of the docs I've seen for Zimbra talk about how to configure your own DNS SPF records, but they do not explain (or at least I did not see them) for you to make sure you are verifying the SPF records of people sending mail to you.

Maybe there is some easier way...most likely something at a postfix level itself, but I'm not aware of it. So my suggestion would be to use spamassassin filters. If you want to see the SPF filters, you could just:
grep -iR spf /opt/zimbra/data/spamassassin/.

That will return all the scores related to SPF filters. My guess is that you should modify the score for this filter "SPF_FAIL". To modify the scores, follow this guide: https://wiki.zimbra.com/wiki/Anti-spam_Strategies

Basically, you need to create the file /opt/zimbra/data/spamassassin/localrules/sauser.cf

Then, just edit that file and add this to modify the default score for that particular rule:
score SPF_FAIL 10

Then, restart your amavis with "zmamavisctl restart" to apply changes.

Now, everytime a mail sent to you, fail the spf check, your spamassassin will add 10 points to it, which will render that mail spam, (default spam tag score is 6,6).

Again, this is my approach on how to handle SPF checks...maybe there are better ways to do it (using postfix would be better imho), but this is the one I could think or find for Zimbra. I'll keep an eye on this thread just in case someone wants to share a better way to do this.
robertitox
Posts: 20
Joined: Sun May 06, 2018 10:48 pm

Re: Best ways to implement SPF for incoming mails

Post by robertitox »

Dear all, thank yu for yor advice.

Sebastan Greco, special thansk for you....now I will follow what yuo say.

Best regards !!!
Post Reply