policyd-spf and whitelisting
Python vs. Perl implementation - and how to set up whitelisting
Now here's one that took me a while to figure out. This only reminds me why I hate Perl and the stuff that people write in it, but this one takes the cake. I found this page about the two versions, and it seemed like these are pretty much the same thing, just written in different scripting languages: Official Ubuntu Postfix/SPF Doc
We're using Debian on our systems, so setting this up should be pretty straightforward, right? After desperately crawling the manpage for files, I found this little hint in the synopsis (!) of the manpage. First of all, it doesn't belong there, secondly: what the hell?!
The policy server skips SPF checks for connections from the localhost (127.) and instead prepends and logs 'SPF skipped - localhost is always allowed.' If you have relays that you want to skip SPF checks for, you can add them to relay_addresses on line 78 using standard CIDR notation in a space separated list. For these addresses, 'X-Comment: SPF skipped for whitelisted relay' is prepended and logged.
Now hold on there hot shot. Line 78 of what now? After looking into every file of the documentation and looking for a way to create a config file, I did something out of desperation. "grep relay_addresses * -R" in /usr - and there it was. Sitting there in the fucking source of the file.
Bottom line: postfix-policyd-spf-perl has no config file
So, to get this straight: The maintainer wants us to mess around in his Perl file (and you know how much I love Perl) and add IP addresses to it. Say what now? So I am allowed to use hostnames, too? Can I add networks? Do I need to escape strings with dots and slashes in them? There is no documentation and no nothing.
This needs to be kicked out of the repositories due to lack of quality or at least somebody needs to notify us that it does very well make a difference whether you use the Perl or the Python version.
postfix-policyd-spf-python does the trick - and it supports easy whitelisting
To cut a long story short: just switch it out. Do not bother to mess around in the Perl sources just to lose all your changes in the next update. And if you're gonna say that this package will never be updated anyways, there's your reason not to use it.
All you need to do is swap out the config, as described here (at least this article is good for something). After installing, you will find config files in /etc as you would expect. Just edit /etc/postfix-policyd-spf-python/policyd-spf.conf and add a line about whitelisting.
Domain_Whitelist = outlook.com,something-else.com, etc. etc.
(as documented in /usr/share/doc/postfix-policyd-spf-python/policyd-spf.conf.commented)
You can of course also name relay addresses and everything else that you might need, it's fully documented and you should never ever consider using the "Perl version" of it.
I spent a few hours trying to figure out where the config is and this is why I am writing this. Do not bother to use the Perl version, there is absolutely no reason for its existence in the first place, unless you are unable to use Python on your system for whichever reason.
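An added example, not part of the original post or of postfix-policyd-spf-python: a small Python check that reads policyd-spf.conf-style text and flags whitelist entries that are malformed or very broad, since whitelisted senders skip the SPF check. The sample config, the prefix thresholds and the function names are constructed for illustration; Whitelist is the IP/CIDR list option described in policyd-spf.conf(5).

```python
import ipaddress
import re

# Constructed sample in policyd-spf.conf style ("Option = a,b,c"); not a real deployment.
SAMPLE_CONF = """\
# constructed sample
debugLevel = 1
Whitelist = 192.0.2.10,198.51.100.0/24,10.0.0.0/7,not-an-ip
Domain_Whitelist = outlook.com,something-else.com, etc. etc.
"""

# Assumed review thresholds: networks wider than these get flagged for a second look.
MIN_V4_PREFIX = 16
MIN_V6_PREFIX = 32
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def parse_lists(text):
    """Return {option: [items]} for every 'Option = a,b,c' line, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return opts

def audit_whitelists(text):
    """Return (option, entry, reason) tuples for entries that need attention."""
    opts, findings = parse_lists(text), []
    for item in opts.get("Whitelist", []):
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            findings.append(("Whitelist", item, "not an IP address or CIDR network"))
            continue
        limit = MIN_V4_PREFIX if net.version == 4 else MIN_V6_PREFIX
        if net.prefixlen < limit:
            findings.append(("Whitelist", item, f"very broad network (/{net.prefixlen})"))
    for item in opts.get("Domain_Whitelist", []):
        if not DOMAIN_RE.match(item):
            findings.append(("Domain_Whitelist", item, "not a valid domain name"))
    return findings

if __name__ == "__main__":
    for option, entry, reason in audit_whitelists(SAMPLE_CONF):
        print(f"{option}: {entry!r}: {reason}")
```

Run against the sample, it reports the /7 network, the non-IP entry and the literal "etc. etc." that a copied placeholder line would leave in Domain_Whitelist.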
For everybody else: Use the other policyd, it's a quick and easy fix, once you know that the other version is just a piece of crap that shouldn't lead you on to thinking it might be the same thing in another language.
Glad I could help.