Just a quick ‘n’ simple howto on installing SPF tests in postfix on ubuntu:
- Get the policy plugin and perl modules
sudo apt-get install postfix-policyd-spf-perl libmail-spf-perl libversion-perl libnetaddr-ip-perl
- sudo vim /etc/postfix/master.cf and insert the following at the bottom
policy unix - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/sbin/postfix-policyd-spf-perl
- sudo vim /etc/postfix/main.cf and insert “heck_policy_service unix:private/policy,” somewhere after the reject_unauth_destination or you’ll become a open-relay for anyon with a valid spf (think +). Mine looks like this:
smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:/var/lib/pop-before-smtp/hosts, reject_unauth_destination, check_helo_access regexp:/etc/postfix/helo_checks, check_policy_service unix:private/policy, permit
- Then simply sudo /etc/init.d/postfix restart (and check your mail log in case you made a typo!)
That’s it!
Here is a citezns bank phish soft failing in the log:
Sep 8 08:45:51 localhost postfix/policy-spf[31433]: : Policy action=PREPEND Received-SPF: softfail (citizensbank.com: Sender is not authorized by default to use 'clientcare.refUD44983558.gps@citizensbank.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=localhost.localdomain; identity=mfrom; envelope-from="clientcare.refUD44983558.gps@citizensbank.com"; helo=190.Red-88-27-224.staticIP.rima-tde.net; client-ip=88.27.224.190
Now how can I convince the banks to use -all records?? 
/*
*/
