Autarchy of the Private Cave

Tiny bits of bioinformatics, [web-]programming etc

    Debian: how to whitelist IP addresses in tumgrey-SPF

    7th August 2013

    SPF is nice for protecting your mail server from spam, but sometimes there is a need to bypass SPF checking. For example, if you rely on 3rd party servers to do spam protection for you :)

    Current setup:

    • MX records point to the spam protection mail servers, which then
    • connect to my server and deliver (hopefully spam-free) mail.

    Problem: some senders (like last.fm) do have proper, strict SPF records. Tumgreyspf on my server then rejects emails relayed through the spam-protection service.

    If these spam protection relay servers are the only which send mail to your server, then it makes sense to fully disable/uninstall tumgreyspf. Putting tumgreyspf into the permanent “learning mode” (set defaultSeedOnly = 1 in /etc/tumgreyspf/tumgreyspf.conf) may not fix the SPF problem described above, as SeedOnly seems to only affect greylisting, and not rejecting unauthorized senders.

    Solution: whitelist relay server IPs.

    I will use MXGuardDog spam blocker as an example. This solution is a slightly extended version of this one, and used tumgreyspf README as the reference.

    • For each of the IPs you want to whitelist, create a directory tree under /var/lib/tumgreyspf/config/client_address. Here is a copy-pasteable example for MXGuardDog, based on their list of server IPs, valid as of August 2013:

      mkdir -p /var/lib/tumgreyspf/config/client_address/108/166/117
      mkdir -p /var/lib/tumgreyspf/config/client_address/174/129/28
      mkdir -p /var/lib/tumgreyspf/config/client_address/216/58/39
      mkdir -p /var/lib/tumgreyspf/config/client_address/222/229/219
      mkdir -p /var/lib/tumgreyspf/config/client_address/64/15/147
      mkdir -p /var/lib/tumgreyspf/config/client_address/66/85/178
    • Into each of these IP range-specific directories, put a config file, which disables checks (or symlink one). First, create /etc/tumgreyspf/disable.conf with the following lines in it:

      SPFSEEDONLY = 0
      GREYLISTTIME = 600
      CHECKERS =
      OTHERCONFIGS =

      It is just like the default.conf, but has empty CHECKERS and OTHERCONFIGS lines.
      Now, symlink it into each of the IP range directories:

      ln -s /etc/tumgreyspf/disable.conf /var/lib/tumgreyspf/config/client_address/108/166/117/__default__
      ln -s /etc/tumgreyspf/disable.conf /var/lib/tumgreyspf/config/client_address/174/129/28/__default__
      ln -s /etc/tumgreyspf/disable.conf /var/lib/tumgreyspf/config/client_address/216/58/39/__default__
      ln -s /etc/tumgreyspf/disable.conf /var/lib/tumgreyspf/config/client_address/222/229/219/__default__
      ln -s /etc/tumgreyspf/disable.conf /var/lib/tumgreyspf/config/client_address/64/15/147/__default__
      ln -s /etc/tumgreyspf/disable.conf /var/lib/tumgreyspf/config/client_address/66/85/178/__default__

    Note the double-underscores to the left and right of default.

    That’s it.

    StumbleUponDeliciousCiteULikePocketKindle ItEvernotePinterestShare

    Leave a Reply

    XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>