Introducing two useful policyd services for Postfix

Postfix supports many external services, and many of them are implemented by third parties.

I used two of them. One is for SPF checking, the other is for rate limiting outgoing email. They are not official plugins provided by Postfix.

postfix-policyd-spf-python

policyd-rate-limit

Both have apt sources for Ubuntu 20, so you just need to install them with:

    $ sudo apt install postfix-policyd-spf-python
    $ sudo apt install policyd-rate-limit

After installation, the default configuration files are as follows.

    /etc/postfix-policyd-spf-python/policyd-spf.conf
    /etc/policyd-rate-limit.yaml

Note that you may not need to change a single line in these two files. The default settings work just fine.

Services installed by apt are started automatically. After that, you need to hook them into Postfix.

Edit the configuration file /etc/postfix/main.cf and add the section below. Each parameter name starts in the first column, and the continuation lines must begin with whitespace.

    policyd-spf_time_limit = 3600
    smtpd_recipient_restrictions =
        check_policy_service { unix:ratelimit/policy, default_action=DUNNO },
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_policy_service unix:private/policyd-spf,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net

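As you can see, the first "check_policy_service" option defines the unix socket for the connection to policyd-rate-limit, and the second one defines the unix socket for the connection to postfix-policyd-spf-python. Postfix evaluates the restrictions in order, so the rate-limit check runs first, before the permit rules, and the SPF check runs after reject_unauth_destination.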
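
What Postfix sends over those unix sockets is the policy delegation protocol: a block of name=value attributes ended by an empty line, answered by a single action= line. The sketch below is an added example, not code from this post or from either package; the limiter class, the per-login key, the limits and the sample request are constructed assumptions, and the deferral text simply mirrors the reply shown in the rate limit test further down.

```python
import time
from collections import defaultdict, deque

# Constructed sample of what Postfix writes to a policy socket at RCPT time:
# name=value lines ended by an empty line (Postfix policy delegation protocol).
SAMPLE_REQUEST = (
    b"request=smtpd_access_policy\n"
    b"protocol_state=RCPT\n"
    b"protocol_name=ESMTP\n"
    b"client_address=192.0.2.10\n"
    b"sender=xx@domain.info\n"
    b"recipient=someone@example.org\n"
    b"sasl_username=xx@domain.info\n"
    b"\n"
)

def parse_request(raw: bytes) -> dict:
    """Parse one policy request; attributes end at the first empty line."""
    attrs = {}
    for line in raw.decode("utf-8", "replace").split("\n"):
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:  # ignore malformed lines without '='
            attrs[name] = value
    return attrs

class SlidingWindowLimiter:
    """Hypothetical limiter: at most `limit` recipients per `window` seconds."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def decide(self, attrs: dict, now: float = None) -> bytes:
        now = time.time() if now is None else now
        # Assumption: count per SASL login, falling back to the client IP.
        key = attrs.get("sasl_username") or attrs.get("client_address", "unknown")
        q = self.hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()  # forget recipients that have left the window
        if len(q) >= self.limit:
            action = "defer_if_permit Rate limit reach, retry later"
        else:
            q.append(now)
            action = "DUNNO"  # no opinion: the later restrictions still apply
        # The reply is a single action attribute followed by an empty line.
        return f"action={action}\n\n".encode()
```

DUNNO lets Postfix continue with the remaining restrictions, which is why a rate-limit check placed first does not bypass the relay and SPF checks that follow it.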

Note that "policyd-rate-limit" is a regular system service, so you can check its running status:

    # systemctl status policyd-rate-limit
    ● policyd-rate-limit.service - Postfix policyd rate limiter
         Loaded: loaded (/lib/systemd/system/policyd-rate-limit.service; enabled; vendor preset: enabled)
         Active: active (running) since Mon 2022-12-05 19:07:50 HKT; 41min ago
       Main PID: 92180 (policyd-rate-li)
          Tasks: 1 (limit: 1066)
         Memory: 9.3M
         CGroup: /system.slice/policyd-rate-limit.service
                 └─92180 /usr/bin/python3 /usr/bin/policyd-rate-limit

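But "postfix-policyd-spf-python" is just a script rather than a system service, so it has to be spawned by Postfix itself. Add the entry below as the last lines of /etc/postfix/master.cf. The service name starts in the first column, and the second line must begin with whitespace so that Postfix reads it as a continuation.

    policyd-spf  unix  -       n       n       -       0       spawn
        user=policyd-spf argv=/usr/bin/policyd-spf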

Now, restart the related services:

    $ sudo systemctl restart policyd-rate-limit postfix

For SPF testing, you can telnet to the SMTP port and send mail from a sender address whose domain has a strict SPF setup. For instance:

    $ telnet mail.mailbox.net 25
    Connected to mail.mailbox.net.
    Escape character is '^]'.
    220 mail.mailbox.net ESMTP Postfix
    helo localhost.locaodomain
    250 mail.mailbox.net
    mail from:<jeff@126.com>
    250 2.1.0 Ok
    rcpt to:<henry@mailbox.net>
    550 5.7.23 <henry@mailbox.net>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=jeff@126.com;ip=xx.xx.xx.xx;r=<UNKNOWN>

This mail was rejected by our system because the SPF check failed.

For rate limit testing, you can send as many messages as possible from an email client such as Thunderbird. Once you reach the limit, you can't send any more, and you get a rejection message like this:

    4.7.1 <xx@domain.info>: Recipient address rejected: Rate limit reach, retry later

When both processes are running, the ps output looks as follows.

    # ps -efw|grep policyd|grep -v grep
    policyd+ 92180 1 0 19:07 ? 00:00:00 /usr/bin/python3 /usr/bin/policyd-rate-limit
    postfix 93859 92978 0 20:11 ? 00:00:00 spawn -z -n policyd-spf -t unix user=policyd-spf argv=/usr/bin/policyd-spf
    policyd+ 93860 93859 1 20:11 ? 00:00:00 /usr/bin/python3 /usr/bin/policyd-spf

You can also learn more from linuxbabe, which has nicely written articles on mail systems.

How to Set up SPF and DKIM with Postfix on Ubuntu Server

7 Effective Tips to Stop Your Emails Being Marked as Spam

If you run into any issues setting up these two services, please contact me and I will try to help.