
How to configure policyd-spf in Postfix to reject domains with no SPF record?

The documentation doesn't specify this condition and it's needed to reject spoofed/unauthorized emails on an outbound relay.

Similar Q&A on Stack Overflow recommends use of DMARC along with SPF. But this is not an ideal case for Postfix since OpenDMARC is still in beta and tbh I'm not familiar with its Postfix implementation or whether it can even be configured to reject emails in case of no DMARC record.

Pavin Joseph

2 Answers

2

SPF policy servers like policyd-spf do not have an option to reject domains with no SPF records. The solution was to use a custom policy server.

Pavin Joseph
1

If you use the Python policyd-spf, you can edit the executable file (/usr/bin/policyd-spf on Debian):

At line 159, under this code block:

    if mfrom_policy == 'SPF_Not_Pass':
        try:
            unused_results.remove('Fail')
            actions['reject'].append('Fail')
            unused_results.remove('Softfail')
            actions['reject'].append('Softfail')
            unused_results.remove('Neutral')
            actions['reject'].append('Neutral')
        except:
            if debugLevel >= 2: syslog.syslog('Configuration File parsing error: Mail_From_reject')

add:

    elif mfrom_policy == 'Cerberus':
        try:
            unused_results.remove('Fail')
            actions['reject'].append('Fail')
            unused_results.remove('Softfail')
            actions['reject'].append('Softfail')
            unused_results.remove('None')
            actions['reject'].append('None')
        except:
            if debugLevel >= 2: syslog.syslog('Configuration File parsing error: Mail_From_reject')

To activate this new "Cerberus" option, edit the config file /etc/postfix-policyd-spf-python/policyd-spf.conf and change the value of Mail_From_reject to "Cerberus" like this:

    # Mail_From_reject = Fail
    Mail_From_reject = Cerberus

With this modification you can easily change from the standard configuration to the more aggressive configuration which rejects domains without an SPF record.

This works for Debian 10 and Ubuntu 20.04.

Selenith
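For readers who would rather not patch the distribution's policyd-spf, here is a minimal stand-alone version of the "custom policy server" approach from the first answer, applying the same reject-on-SPF-None rule that the Cerberus patch adds. This is an added example, not code from the page or from policyd-spf; it speaks the Postfix policy delegation protocol on stdin/stdout and uses a constructed in-memory TXT table (`TXT_RECORDS`) in place of live DNS, which a real deployment would query instead.

```python
# Constructed stand-in for DNS TXT lookups (hypothetical data, not real zones):
# maps a sender domain to the TXT records it publishes.
TXT_RECORDS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "nospf.example": ["site-verification=abc123"],  # TXT present, but no SPF
    # "unknown.example" publishes nothing at all
}

def lookup_spf(domain, txt_records=TXT_RECORDS):
    """Return the domain's SPF record, or None when it has none (SPF result 'None')."""
    for rec in txt_records.get(domain.lower(), []):
        if rec.lower().startswith("v=spf1"):
            return rec
    return None

def parse_policy_request(raw):
    """Parse one Postfix policy request: key=value lines, terminated by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs

def decide(raw_request, txt_records=TXT_RECORDS):
    """Return the Postfix policy response for one request (REJECT on SPF None)."""
    attrs = parse_policy_request(raw_request)
    sender = attrs.get("sender", "")
    if "@" not in sender:
        return "action=DUNNO\n\n"  # null sender (bounces): no domain to check
    domain = sender.rsplit("@", 1)[1]
    if lookup_spf(domain, txt_records) is None:
        return "action=REJECT No SPF record published for %s\n\n" % domain
    return "action=DUNNO\n\n"  # SPF exists; leave the verdict to policyd-spf/other checks

def serve(inp, out):
    """Handle requests on a spawn(8)-style stdin/stdout stream until EOF."""
    buf = []
    for line in inp:
        line = line.rstrip("\n")
        if line:
            buf.append(line)
            continue
        out.write(decide("\n".join(buf) + "\n\n"))
        out.flush()
        buf = []

if __name__ == "__main__":
    import sys
    serve(sys.stdin, sys.stdout)
```

Wire it into Postfix like any other policy service (a `spawn` entry in master.cf and a `check_policy_service` restriction) and keep policyd-spf in place for the normal Pass/Fail evaluation.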