\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.if \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.\"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.hy 0
.if n .na
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "policy-spf 1"
.TH policy-spf 1 "2012-03-17"
.SH "NAME"
python-policyd-spf \- pure-Python Postfix policy daemon for SPF checking
.SH "VERSION"
.IX Header "VERSION"
1\.3

.SH "USAGE"
.IX Header "USAGE"

NOTE: Depending on the packaging and distribution, the exact path to the
executable may vary.

$ policyd-spf (Start using installed config file)

$ policyd-spf \-h (Display usage message)

$ policyd-spf /etc/postfix-policyd-spf-python/policyd-spf.conf
  (Config file name to use)

Configuration options are described in the sample configuration file installed
in /usr/share/doc/postfix-policyd-spf-python (policyd-spf.conf.commented) and
in policyd-spf.conf(5).  The provided setup.py installs an uncommented
configuration file in /etc/postfix-policyd-spf-python/.

Additionally, whitelisting certain IP addresses or IP addresses used by listed
domains from SPF checks is supported.  Skipping SPF checks for local submission
or trusted relays is also provided.  The sample configuration file and
policyd-spf.conf(5) shows the format to use.

.SH "OTHER DOCUMENTATION"
.IX Header "OTHER DOCUMENTATION"
This documentation assumes you have read Postfix's README_FILES/
SMTPD_POLICY_README and are generally familiar with Sender Policy Framework
(SPF).  See RFC 7208 for details.

See man 5 policyd-spf.conf for configuration file information.

man 5 policyd-spf.peruser provides documentation on setting up and using
different configuration options on a per user (mail reciepient) basis.

.SH "SYNOPSIS"
.IX Header "SYNOPSIS"

python-policyd-spf is a Postfix SMTPd policy daemon for SPF checking.
It is implemented in pure Python and uses the pyspf module.  The SPF
web site is http://www.openspf.org/.  The Postfix configuration must be
changed to check SPF.  

.SH "DESCRIPTION"
.IX Header "DESCRIPTION"

Logging is sent to syslogd.

Each time a Postfix SMTP server process is started it connects to the policy
service socket and Postfix runs one instance of this Python script.  By
default, a Postfix SMTP server process terminates after 100 seconds of idle
time, or after serving 100 clients.  Thus, the cost of starting this Python
script is smoothed over time

The default policy_time_limit is 1000 seconds.  This may be too short for some
SMTP transactions to complete.  As recommended in SMTPD_POLICY_README, this
should be extended to 3600 seconds.  To do so, set "policy_time_limit = 3600"
in /etc/postfix/main.cf.

Messages that get a Fail SPF result will be rejected.  Messages that get a 
Permerror are, by default, treated as if they had no SPF record.  Messages
that get a Temperror result are, by default, treated as if they had no SPF 
record, but can (and probably should) be deferred if otherwise permitted.  
Messages that get other SPF results (Pass, None, Neutral, Softfail) will have 
the SPF Received header prepended.  Note: Spamasassisn 3.2 and follow will use
this header for spam scoring so there is no need to configure a separate SPF
check in these Spamassassin versions.  See Spamassassin documentation for 
details.

Default Mail From rejection/deferal criteria are, by design, conservative.
Default HELO check actions are to reject mail with other than Pass/None. HELO
records are much simpler than Mail From records and rejecting based on HELO 
checking does not present a false positive risk.  These settings are a matter
of local policy and should be adjusted to meet the requirements of site
administrators.  See policyd-spf.conf(5) for configuration file details.

.SH "LOGGING"
.IX Header "LOGGING"

Policyd-spf will log messages to syslog about it's activities.  The "debugLevel"
value in "policyd-spf.conf" can be increased to get additional information to
be logged.  When set to a value of "0", only test results (SPF hits/misses) 
are logged.  Results will be returned to Postfix and logged as a warning by 
Postfix also.  For logging by this policy server, look for "policyd-spf" in your
mail log files.

.SH "TESTING THE POLICY DAEMON"
.IX Header "TESTING THE POLICY DAEMON"
Testing the policy daemon

To test the policy daemon by hand, execute:

    policyd-spf

Each query is a bunch of attributes.  Order does not matter, and the daemon
uses only a few of all the attributes shown below:

    request=smtpd_access_policy
    protocol_state=RCPT
    protocol_name=SMTP
    helo_name=some.domain.tld
    queue_id=8045F2AB23
    instance=12345.6789
    sender=foo@bar.tld
    recipient=bar@foo.tld
    client_address=1.2.3.4
    client_name=another.domain.tld
    [empty line]

The policy daemon will answer in the same style, with an attribute list
followed by a empty line:

    action=dunno
    [empty line]

.SH "POSTFIX INTEGRATION"
.IX Header "POSTFIX INTEGRATION"

 1. Add the following to /etc/postfix/master.cf:

        policyd-spf  unix  -       n       n       -       0       spawn
            user=policyd-spf argv=/usr/bin/policyd-spf

    NOTE: Check the path to both the installed Python interpreter and
          policyd-spf.  These vary from system to system.  To use non-default
          settings, you must also add the config file (see above and 
          policyd-spf.conf(5) for details).

 2. Configure the Postfix policy service in /etc/postfix/main.cf:

        smtpd_recipient_restrictions =
            ...
            reject_unauth_destination
            check_policy_service unix:private/policyd-spf
            ...
        policyd-spf_time_limit = 3600

    NOTE:  Specify check_policy_service AFTER reject_unauth_destination or
           else your system can become an open relay.


 3. Reload Postfix.

.SH "SEE ALSO"
.IX Header "SEE ALSO"
policyd-spf.conf(5), policyd-spf.peruser(5), python-spf,
<http://www.openspf.org>, RFC 7208

.SH "AUTHORS"
.IX Header "AUTHORS"
This version of \fBpython-policyd-spf\fR was written by Copyright © 2007-2012
Scott Kitterman <scott@kitterman.com>.  It is derived from Tumgreyspf,
written by Sean Reifschneider, tummy.com, ltd <jafo@tummy.com>. Portions of
the documentation were written by Meng Weng Wong <mengwong@pobox.com>.
.PP
This man-page was created by Scott Kitterman <scott@kitterman.com>.