This is the solution part of "I ran into trouble with SPF, so I tested it".

■Solution
Looking at the header_checks man page, it turns out that conditions can be scoped with if ... endif, so I changed the rule to look only at the result of the SPF check done by the final delivery host. Postfix tests the patterns between if and endif against a header line only when that line also matches the if pattern, so the softfail line that an upstream relay added (receiver=example3) is never compared against the REJECT rule.
※The final delivery host is "example2" in the "test diagram" of the linked post.

(1) Edit Postfix header_checks

[root@example2 ~]# vi /etc/postfix/header_checks
if /^Received-SPF:.* receiver=example2;/
/^Received-SPF: softfail/ REJECT
endif
※Match on "receiver=example2;" so that only the Received-SPF header attached by the final destination "example2" (the receiver= value the policy daemon reports in its log) is inspected. A remote sender can still put its own "Received-SPF: softfail ... receiver=example2;" line into a message and get itself rejected, but it cannot make the softfail from example2's own check disappear: the policy daemon prepends that header at SMTP time regardless of what the message already carries.

(2) Reload Postfix
[root@example2 ~]# service postfix reload
Reloading postfix:                                         [  OK  ]

(3)maillog
Jul  1 23:51:35 example2 postfix/policy-spf[3879]: : SPF pass (Mechanism 'ip4:192.168.0.72' matched): Envelope-from: root@example4.com
Jul  1 23:51:35 example2 postfix/policy-spf[3879]: handler sender_policy_framework: is decisive.
Jul  1 23:51:35 example2 postfix/policy-spf[3879]: : Policy action=PREPEND Received-SPF: pass (example4.com: 192.168.0.72 is authorized to use 'root@example4.com' in 'mfrom' identity (mechanism 'ip4:192.168.0.72' matched)) receiver=example2; identity=mailfrom; envelope-from="root@example4.com"; helo=mail.example3.com; client-ip=192.168.0.72
Jul  1 23:51:35 example2 postfix/smtpd[3875]: 853C0167059: client=example3.com[192.168.0.72]
Jul  1 23:51:35 example2 postfix/cleanup[3880]: 853C0167059: message-id=<20110701145135.6E311AF7FB@mail.example4.com>
Jul  1 23:51:35 example2 postfix/smtpd[3875]: disconnect from example3.com[192.168.0.72]
Jul  1 23:51:35 example2 postfix/qmgr[3872]: 853C0167059: from=<root@example4.com>, size=1407, nrcpt=1 (queue active)
Jul  1 23:51:35 example2 postfix/local[3885]: 853C0167059: to=<root@example2.com>, relay=local, delay=0.02, delays=0.01/0.01/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Jul  1 23:51:35 example2 postfix/qmgr[3872]: 853C0167059: removed

Yep, it was received.

(4) Headers of the received mail
Return-Path: <root@example4.com>
X-Original-To: root@example2.com
Delivered-To: root@example2.com
Received-SPF: pass (example4.com: 192.168.0.72 is authorized to use 'root@example4.com' in 'mfrom' identity (mechanism 'ip4:192.168.0.72' matched)) receiver=example2; identity=mailfrom; envelope-from="root@example4.com"; helo=mail.example3.com; client-ip=192.168.0.72
Received: from mail.example3.com (example3.com [192.168.0.72])
        by mail.example2.com (Postfix) with ESMTP id 853C0167059
        for <root@example2.com>; Fri,  1 Jul 2011 23:51:35 +0900 (JST)
Received: by mail.example3.com (Postfix)
        id 700136CB32E; Fri,  1 Jul 2011 23:51:35 +0900 (JST)
Delivered-To: root@example3.com
Received-SPF: softfail (example4.com: Sender is not authorized by default to use 'root@example4.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=example3; identity=mailfrom; envelope-from="root@example4.com"; helo=mail.example4.com; client-ip=192.168.0.73
Received: from mail.example4.com (example4.com [192.168.0.73])
        by mail.example3.com (Postfix) with ESMTP id 6EB226CB32A
        for <root@example3.com>; Fri,  1 Jul 2011 23:51:35 +0900 (JST)
Received: by mail.example4.com (Postfix, from userid 0)
        id 6E311AF7FB; Fri,  1 Jul 2011 23:51:35 +0900 (JST)

The softfail attached at the previous hop is still there, but example2's own check says pass, so the mail is accepted.
# It would be accepted even without a pass line, by the way :D The rule only rejects when example2's own header says softfail.

(5) Make example2's own check return softfail
Jul  1 23:50:30 example2 postfix/smtpd[3875]: connect from example3.com[192.168.0.72]
Jul  1 23:50:30 example2 postfix/policy-spf[3879]: : SPF softfail (Mechanism '~all' matched): Envelope-from: root@example4.com
Jul  1 23:50:30 example2 postfix/policy-spf[3879]: handler sender_policy_framework: is decisive.
Jul  1 23:50:30 example2 postfix/policy-spf[3879]: : Policy action=PREPEND Received-SPF: softfail (example4.com: Sender is not authorized by default to use 'root@example4.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched)) receiver=example2; identity=mailfrom; envelope-from="root@example4.com"; helo=mail.example3.com; client-ip=192.168.0.72
Jul  1 23:50:30 example2 postfix/smtpd[3875]: 589D8167059: client=example3.com[192.168.0.72]
Jul  1 23:50:30 example2 postfix/cleanup[3880]: 589D8167059: reject: header Received-SPF: softfail (example4.com: Sender is not authorized by default to use 'root@example4.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanis from example3.com[192.168.0.72]; from=<root@example4.com> to=<root@example2.com> proto=ESMTP helo=<mail.example3.com>: 5.7.1 message content rejected
Jul  1 23:50:30 example2 postfix/smtpd[3875]: disconnect from example3.com[192.168.0.72]

In the maillog above it is REJECTed properly: the policy daemon prepended a softfail header with receiver=example2; and cleanup(8) rejected the message with "5.7.1 message content rejected".
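To see why the if/endif guard matters, here is an added example (my own Python, not the post's configuration or Postfix code) that emulates how cleanup(8) applies a header_checks table to a message: it unfolds continuation lines into logical headers, tries each rule in order with case-insensitive matching, and treats an if block as "only test the inner pattern on lines that also match the outer one". The sample headers are constructed, abbreviated from the ones in steps (4) and (5). It shows the unguarded rule /^Received-SPF: softfail/ REJECT rejecting the legitimately relayed mail because of example3's softfail header, while the guarded version accepts that mail and still rejects the one where example2's own check produced softfail.

```python
import re

# Constructed sample headers, abbreviated from those shown in steps (4) and (5).
SPF_PASS_AT_EXAMPLE2 = (
    "Received-SPF: pass (example4.com: 192.168.0.72 is authorized to use "
    "'root@example4.com' in 'mfrom' identity (mechanism 'ip4:192.168.0.72' matched)) "
    "receiver=example2; identity=mailfrom; envelope-from=\"root@example4.com\"; "
    "helo=mail.example3.com; client-ip=192.168.0.72"
)
SPF_SOFTFAIL_AT_EXAMPLE2 = (
    "Received-SPF: softfail (example4.com: Sender is not authorized by default to use "
    "'root@example4.com' in 'mfrom' identity (mechanism '~all' matched)) "
    "receiver=example2; identity=mailfrom; envelope-from=\"root@example4.com\"; "
    "helo=mail.example3.com; client-ip=192.168.0.72"
)
# The header the intermediate relay example3 added one hop earlier.
SPF_SOFTFAIL_AT_EXAMPLE3 = SPF_SOFTFAIL_AT_EXAMPLE2.replace(
    "receiver=example2;", "receiver=example3;").replace(
    "helo=mail.example3.com; client-ip=192.168.0.72",
    "helo=mail.example4.com; client-ip=192.168.0.73")


def message(spf_header_from_example2):
    """Build the header block example2's cleanup(8) would see, with the
    Received-SPF line its own policy daemon prepended at the top."""
    return "\n".join([
        "Return-Path: <root@example4.com>",
        spf_header_from_example2,
        "Received: from mail.example3.com (example3.com [192.168.0.72])",
        "        by mail.example2.com (Postfix) with ESMTP id 853C0167059",
        "        for <root@example2.com>; Fri,  1 Jul 2011 23:51:35 +0900 (JST)",
        "Delivered-To: root@example3.com",
        SPF_SOFTFAIL_AT_EXAMPLE3,
        "Received: from mail.example4.com (example4.com [192.168.0.73])",
        "        by mail.example3.com (Postfix) with ESMTP id 6EB226CB32A",
        "        for <root@example3.com>; Fri,  1 Jul 2011 23:51:35 +0900 (JST)",
    ]) + "\n"


RELAYED = message(SPF_PASS_AT_EXAMPLE2)             # the mail shown in step (4)
LOCAL_SOFTFAIL = message(SPF_SOFTFAIL_AT_EXAMPLE2)  # the mail rejected in step (5)

# A header_checks table as a list of (guard, pattern, action).  A guard
# models `if /guard/ ... endif`: the inner pattern is tried only on header
# lines that also match the guard.  None means the rule is not inside an if.
NAIVE_TABLE = [(None, r"^Received-SPF: softfail", "REJECT")]
SCOPED_TABLE = [(r"^Received-SPF:.* receiver=example2;", r"^Received-SPF: softfail", "REJECT")]


def unfold_headers(raw):
    """Join RFC 5322 continuation lines so each element is one logical
    header line, which is what cleanup(8) matches header_checks against."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def header_checks(raw, table):
    """Emulate header_checks: each logical header is looked up in order, the
    first matching pattern wins, and a REJECT stops the whole message.
    Matching is case-insensitive, the pcre/regexp table default.
    Returns (action, header) with ("OK", None) when nothing matched."""
    for header in unfold_headers(raw):
        for guard, pattern, action in table:
            if guard is not None and not re.search(guard, header, re.I):
                continue  # this line is outside the if block: skip to endif
            if re.search(pattern, header, re.I):
                return action, header
    return "OK", None


if __name__ == "__main__":
    for name, msg in (("relayed, upstream softfail", RELAYED),
                      ("local softfail", LOCAL_SOFTFAIL)):
        print(f"{name}: naive={header_checks(msg, NAIVE_TABLE)[0]} "
              f"scoped={header_checks(msg, SCOPED_TABLE)[0]}")
```

Run it with python3 and it prints the verdict of both tables for both messages. To check the real table against Postfix itself rather than an emulation, feed a saved message to postmap in header query mode, `postmap -hq - pcre:/etc/postfix/header_checks < message.txt` (use regexp: if that is the table type declared in main.cf; the -h flag needs Postfix 2.6 or later), which prints the action for every header line that matches.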

That solves it for now (´ω`)b


July 1, 2011 at 11:47 pm by 黒ぶちメガネ
Category: Linux, Postfix, anti-spam