Zimbra Tips : How To Enforce SPF Checking For Incoming Email

Home » Zimbra » Zimbra Tips : How To Enforce SPF Checking For Incoming Email
Zimbra 2 Comments

Before configure this guidance, please make sure you’ve configured SPF checking from this link : https://imanudin.net/2016/03/11/zimbra-tips-how-to-enable-spf-checking-for-incoming-connection/. When you’ve done, by default will reject SPF only if configured fail (-). If SPF none or SPF soft fail, email will pass and given some score.

If you want to block sender did not have SPF or soft fail, you can change CheckSPF module on PolicyD with this one.

# On Zimbra 8.5/8.6

cd /opt/zimbra/cbpolicyd/lib/policyd-2.1/cbp/modules
mv CheckSPF.pm CheckSPF.pm-backup
wget -c --no-check-certificate https://raw.githubusercontent.com/imanudin11/script/master/CheckSPF.pm

# On Zimbra 8.7.x

cd /opt/zimbra/common/lib/policyd-2.1/cbp/modules
mv CheckSPF.pm CheckSPF.pm-backup
wget -c --no-check-certificate https://raw.githubusercontent.com/imanudin11/script/master/CheckSPF.pm

The following are example when receiving email from domain who did not have SPF or SPF soft fail

Mar 23 16:15:22 mail postfix/smtpd[7006]: NOQUEUE: reject: RCPT from unknown[36.xx.xxx.xxx]: 554 5.7.1 <admin@example.com>: Recipient address rejected: Failed SPF check; example.com, No applicable sender policy available; from=<admin@example.com> to=<admin@example.net> proto=ESMTP helo=

Mar 23 16:16:39 mail postfix/smtpd[7006]: NOQUEUE: reject: RCPT from unknown[36.70.176.194]: 554 5.7.1 <admin@example.com>: Recipient address rejected: Failed SPF check; example.com ... example.com, Sender is not authorized by default to use 'admin@example.com' in 'mfrom' identity, however domain is not currently prepared for false failures (mechanism '~all' matched); from=<admin@example.com> to=<admin@example.net> proto=ESMTP helo=

Good luck and hopefully useful 😉

2 thoughts on - Zimbra Tips : How To Enforce SPF Checking For Incoming Email

LEAVE A COMMENT