Proxmox Mail Gateway (PMG) is a powerful email security solution that provides various features to protect your mail server. One of the important security measures is SPF (Sender Policy Framework) check. SPF helps prevent email spoofing by verifying the sender’s IP address against the authorized servers for the domain.
By default, PMG (Proxmox Mail Gateway) will reject emails that have a “hardfail” SPF (Sender Policy Framework) policy. This means that if the sender’s IP address is not listed as an authorized server for the sending domain, PMG will reject the email.
However, if an email has a “softfail” or “none” SPF policy, PMG will not directly reject the email. A “softfail” policy indicates that the sender’s IP address may not fully comply with the SPF policy, but PMG will still accept the email with a warning. A “none” policy indicates that the sending domain does not have an SPF policy set, but PMG will also accept the email.
While PMG will reject emails with a “hardfail” policy by default, it’s important to note that PMG’s configuration can be customized to fit your security needs and policies. You can adjust the SPF policy settings in PMG to meet your security requirements and preferences. Make sure to review and validate SPF policies carefully to ensure desired email delivery and avoid unintended rejections.
In this article, I will guide you on how to enforce SPF checks on Proxmox Mail Gateway. Emails will be rejected if they fail the SPF check with a hardfail, softfail, or if they do not have SPF records.
To begin, please follow these steps to enable SPF checking in the PMG dashboard:
1. Access the PMG dashboard and navigate to Configuration.
2. Select Mail Proxy and go to Options.
3. Locate the “Use SPF” setting and adjust it to “Yes”.
Backup Result.pm and pmgpolicy file
cd /usr/share/perl5/Mail/SPF/ cp Result.pm Result.pm-backup cp /usr/bin/pmgpolicy /usr/bin/pmgpolicy-backup
Please replace the two files above with the adjusted files.
curl -k https://raw.githubusercontent.com/imanudin11/script/master/Result.pm > /usr/share/perl5/Mail/SPF/Result.pm curl -k https://raw.githubusercontent.com/imanudin11/script/master/pmgpolicy > /usr/bin/pmgpolicy
Restart pmgpolicy.service
systemctl restart pmgpolicy.service
Now, all emails with SPF hardfail, softfail, and none will be rejected. Below are some examples from my PMG log.
SPF Hardfail
Jul 6 22:11:17 pmg postfix/smtpd[3087]: NOQUEUE: reject: RCPT from server.xxxxxxx.id[xx.xx.xx.xx]: 554 5.7.1: Recipient address rejected: Rejected by SPF: xx.xx.xx.xx is not a designated mailserver for admin%40xxxxxx.com (context mfrom, on pmg.imanudin.web.id) (SPF fail); from= to= proto=ESMTP helo=
SPF Softfail
Jul 6 22:03:55 pmg postfix/smtpd[2949]: NOQUEUE: reject: RCPT from server.xxxxxxxx.id[xx.xx.xx.xxx]: 554 5.7.1: Recipient address rejected: Rejected by SPF: xx.xx.xx.xx is not a designated mailserver for admin%40xxxxxxxx.com (context mfrom, on pmg.imanudin.web.id) (SPF softfail); from= to= proto=ESMTP helo=
SPF None
Jul 6 22:06:37 pmg postfix/smtpd[3035]: NOQUEUE: reject: RCPT from server.xxxxxxxxxx.id[xx.xx.xx.xx]: 554 5.7.1: Recipient address rejected: you do not have SPF records (SPF none); from= to= proto=ESMTP helo=
Goodluck 🙂