Re: policyd-spf tip

2017-12-25 Thread Scott Kitterman 


On December 25, 2017 10:25:42 PM EST, "li...@lazygranch.com" 
 wrote:
>I figured I would middle post, so skip down a bit.
>
>On Mon, 25 Dec 2017 11:56:02 -0800
>Gao  wrote:
>
>> I quickly checked my policyd-spf setting after read your email. I 
>> noticed that the policyd-spf in my system is not running as a
>service.
>> 
>> I guess you are using debian. I am using CentOS7 and I installed 
>> pypolicyd-spf from EPEL. So is there a big advantage to running it as
>> a daemon service? How do I enable it as a service? Obviously yum
>> install doesn't take care of the service setup.
>> 
>> Gao
>
>I'm on Centos 7. This is my uname -a.
>Linux servername 3.10.0-693.11.1.el7.x86_64 #1 SMP Mon Dec 4 23:52:40
>UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
>
>Looking at ps aux, policyd-spf is not running. In the strict sense,
>that means it is not a daemon.
>https://en.wikipedia.org/wiki/Daemon_(computing)
>However all references to policyd and policyd-spf are as daemons.  
>
>I'm new to Centos. I run opensuse on my desktop and had presently have
>my VPS server on FreeBSD. Due to update issues, I decided to abandon
>FreeBSD for Centos, since I'm more familiar with Linux than BSD these
>days.

Despite the name, it's not a daemon.  When I started the project, I anticipated 
that in it's future, but later decided staying with using spawn was a good 
idea.  I also decided renaming wasn't worth the trouble.

Scott K

Re: policyd-spf tip

2017-12-25 Thread li...@lazygranch.com 
I figured I would middle post, so skip down a bit.

On Mon, 25 Dec 2017 11:56:02 -0800
Gao  wrote:

> I quickly checked my policyd-spf setting after read your email. I 
> noticed that the policyd-spf in my system is not running as a service.
> 
> I guess you are using debian. I am using CentOS7 and I installed 
> pypolicyd-spf from EPEL. So is there a big advantage to running it as
> a daemon service? How do I enable it as a service? Obviously yum
> install doesn't take care of the service setup.
> 
> Gao

I'm on Centos 7. This is my uname -a.
Linux servername 3.10.0-693.11.1.el7.x86_64 #1 SMP Mon Dec 4 23:52:40
UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Looking at ps aux, policyd-spf is not running. In the strict sense,
that means it is not a daemon.
https://en.wikipedia.org/wiki/Daemon_(computing)
However all references to policyd and policyd-spf are as daemons.  

I'm new to Centos. I run opensuse on my desktop and had presently have
my VPS server on FreeBSD. Due to update issues, I decided to abandon
FreeBSD for Centos, since I'm more familiar with Linux than BSD these
days.



> 
> On 2017-12-24 22:02, li...@lazygranch.com wrote:
> > There are many "problem solving pages" on the interwebs that have
> > wrong information on setting up policyd-spf. The key to make sure
> > you use consistent names in both main.cf and master.cf. Yeah, I
> > know, I'm preaching to the choir, but hopefully the next person
> > with a set up problem finds this message in a search.
> > 
> > In master.cf:
> > policyunix  -   n   n   -   0   spawn
> >  user=nobody  argv=/usr/libexec/postfix/policyd-spf
> > /etc/policyd-spf/policyd-spf.conf
> > 
> > Note you need to make sure the conf file location is correct.
> > 
> > In main.cf:
> > smtpd_recipient_restrictions =
> >   permit_sasl_authenticated,
> >   permit_mynetworks,
> >   reject_unauth_destination,
> >   reject_rbl_client zen.spamhaus.org,
> >   check_policy_service unix:private/policy,
> >   permit
> > 
> > policy_time_limit = 3600
> > 
> > The word "policy" needs to be consistent in all three locations. For
> > example, this would be wrong:
> >   check_policy_service unix:private/policyd-spf,
> > 
> > Also wrong would be:
> > policyd_time_limit = 3600
> > 
> > 
> > In postfix, systemctl status postfix should indicate the policyd-spf
> > daemon was started:
> > 
> > ● postfix.service - Postfix Mail Transport
> > Agent Loaded: loaded (/usr/lib/systemd/system/postfix.service;
> > enabled; vendor preset: disabled) Active: active (running) since
> > Mon 2017-12-25 05:28:11 UTC; 16s ago Process: 7661
> > ExecStop=/usr/sbin/postfix stop (code=exited, status=0/SUCCESS)
> > Process: 7681 ExecStart=/usr/sbin/postfix start (code=exited,
> > status=0/SUCCESS) Process: 7679
> > ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited,
> > status=0/SUCCESS) Process: 7677
> > ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited,
> > status=0/SUCCESS) Main PID: 7755 (master)
> > CGroup: /system.slice/postfix.service
> > ├─7755 /usr/libexec/postfix/master -w ├─7756 pickup -l -t unix -u
> > ├─7757 qmgr -l -t unix -u ├─7758 smtpd -n smtp -t inet -u -o
> > stress= ├─7759 proxymap -t unix -u ├─7760 tlsmgr -l -t unix -u
> >├─7761 anvil -l -t unix -u
> >├─7763 trivial-rewrite -n rewrite -t unix -u
> >├─7764 spawn -z -n policy -t unix user=nobody
> > argv=/usr/libexec/postfix/policyd-spf /etc/policyd-spf/policyd-spf.conf
> > ├─7765 /usr/bin/python /usr/libexec/postfix/policyd-spf
> > /etc/policyd-spf/policyd-spf.conf
> > ├─7766 cleanup -z -t unix -u └─7767 virtual -t unix
> > -
> > 
> > And proof it is working from an email header:
> > Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
> > client-ip=66.163.187.148;
> > helo=sonic316-22.consmr.mail.ne1.yahoo.com;
> > envelope-from=m...@yahoo.com; receiver=m...@mydomain.com

Re: policyd-spf tip

2017-12-25 Thread Gao 
I quickly checked my policyd-spf setting after read your email. I 
noticed that the policyd-spf in my system is not running as a service.


I guess you are using debian. I am using CentOS7 and I installed 
pypolicyd-spf from EPEL. So is there a big advantage to running it as a 
daemon service? How do I enable it as a service? Obviously yum install 
doesn't take care of the service setup.


Gao

On 2017-12-24 22:02, li...@lazygranch.com wrote:

There are many "problem solving pages" on the interwebs that have wrong
information on setting up policyd-spf. The key to make sure you use
consistent names in both main.cf and master.cf. Yeah, I know, I'm
preaching to the choir, but hopefully the next person with a set up
problem finds this message in a search.

In master.cf:
policyunix  -   n   n   -   0   spawn
 user=nobody  argv=/usr/libexec/postfix/policyd-spf
/etc/policyd-spf/policyd-spf.conf

Note you need to make sure the conf file location is correct.

In main.cf:
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  reject_rbl_client zen.spamhaus.org,
  check_policy_service unix:private/policy,
  permit

policy_time_limit = 3600

The word "policy" needs to be consistent in all three locations. For
example, this would be wrong:
  check_policy_service unix:private/policyd-spf,

Also wrong would be:
policyd_time_limit = 3600


In postfix, systemctl status postfix should indicate the policyd-spf
daemon was started:

● postfix.service - Postfix Mail Transport
Agent Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled;
vendor preset: disabled) Active: active (running) since Mon 2017-12-25
05:28:11 UTC; 16s ago Process: 7661 ExecStop=/usr/sbin/postfix stop
(code=exited, status=0/SUCCESS) Process: 7681
ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
Process: 7679 ExecStartPre=/usr/libexec/postfix/chroot-update
(code=exited, status=0/SUCCESS) Process: 7677
ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited,
status=0/SUCCESS) Main PID: 7755 (master)
CGroup: /system.slice/postfix.service
├─7755 /usr/libexec/postfix/master -w ├─7756 pickup -l -t unix -u
├─7757 qmgr -l -t unix -u ├─7758 smtpd -n smtp -t inet -u -o
stress= ├─7759 proxymap -t unix
-u ├─7760 tlsmgr -l -t unix -u
   ├─7761 anvil -l -t unix -u
   ├─7763 trivial-rewrite -n rewrite -t unix -u
   ├─7764 spawn -z -n policy -t unix user=nobody
argv=/usr/libexec/postfix/policyd-spf /etc/policyd-spf/policyd-spf.conf
├─7765 /usr/bin/python /usr/libexec/postfix/policyd-spf
/etc/policyd-spf/policyd-spf.conf
├─7766 cleanup -z -t unix -u └─7767 virtual -t unix
-

And proof it is working from an email header:
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
client-ip=66.163.187.148; helo=sonic316-22.consmr.mail.ne1.yahoo.com;
envelope-from=m...@yahoo.com; receiver=m...@mydomain.com