Quick tip for those struggling with SPF

I'm mostly a very lightweight geek, but I do one thing that's quite hard core, these days: I run my own mailserver, rather than letting Google do it for me. (I know they just want to love me. I know, I know.)

This includes outgoing mail. I send all my mail through my own postfix server, which - until today - relayed it all through my ISP's SMTP server. Geeks have been doing this sort of thing for years.

Lately I've had a bit of a problem: more and more of my mails are getting rejected by SPF. Especially ones from my redhat.com address, because redhat.com implements SPF, and so any server which also implements it will flag or refuse mail that claims to be from a redhat.com email address but which didn't arrive from Red Hat's outgoing mail server.

This is a bit of a pain. If you're in the same situation but you don't run your own mail server, all you need to do is make sure each of your accounts is set to send outgoing mail through the correct server, don't just send them all through your ISP server. If you run your own mail server which then relays the mail, though, it's a bit trickier.

I started on a whiny post about how SPF was evil, then decided I'd better just try and fix it instead. So with a few minutes of Googling, here's how you do it, with Postfix at least. Postfix has a feature which lets you override the relayhost parameter conditionally, depending on the address the email claims to be from. So, I added a line like this in my /etc/postfix/main.cf:

sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay

and I created the file /etc/postfix/sender_relay , which contains this single line:

@redhat.com [foobaroutgoingserver.redhat.com]

et voila. Any mail sent through my server which claims to be from someone@redhat.com gets relayed via Red Hat's SMTP server (no, that's not its real address), not via my ISP's server (which all my other mail gets relayed through). That was simple.


mcepl wrote on 2009-05-03 19:52:
a) I found it useful to also plain rule to send all emails directed to @redhat.com address (whatever email address they come from) to be sent through internal SMTP server as well. Just a security measure for emails with @redhat.com recipient (and possibly with confidential content) be sent internally. Put redhat.com :[secret.smtp-server.redhat.com] .redhat.com :[secret.smtp-server.redhat.com] b) why do you hate comments? Ever heard about OpenID? Wordpress should support it. Matěj
adamw wrote on 2009-05-03 19:56:
I don't hate comments, I hate spam. :) Yes, I've heard of OpenID, but I've generally found it to be about as useful as a chocolate teapot. It's my blog, I'll be as lazy as I like in maintaining it ;). I figure if you're not willing to spend ten seconds to sign up before saying what you want to say, it probably wasn't worth reading anyway...I've been filtered out in a similar way on other people's blogs, and when I thought about it the next day, it always turned out that what I wanted to say wasn't really worthwhile...heh.