spfaction |
Description: Define how to react to various SPF results
Contents: Inside this file place a single digit between 0 and 7.
Type: Integer
Default: 1 (enabled)
The digits behave as follows:
0: disabled
1: enabled (only prepends headers, and only if spfheaderstate == 1)
2: REJECT: fail; ACCEPT: pass, none, softfail, error, neutral, unknown;
3: REJECT: fail, softfail; ACCEPT: pass, none, error, neutral, unknown;
4: REJECT: fail, softfail, neutral; ACCEPT: pass, none, error, unknown;
5: REJECT: fail, softfail, neutral, none; ACCEPT: pass, error, unknown;
6: REJECT: fail, softfail, neutral, none, error; ACCEPT: pass, unknown;
7: REJECT: fail, softfail, neutral, none, error, unknown; ACCEPT: pass;
|
|
Running higher than 2 or 3 will definitely result in a loss of email.
Consult the Adoption role at http://spftools.net and see the number of
SPF records that are parsed incorrectly, so be careful.
|
|
|
spftarpit |
Description: Tarpit or 'latch-on' to a client you don't like
0 (default) = disable tarpitting
1 (enabled) = enable tarpitting
Type: Integer (time in seconds)
Default: 0 (off)
Tarpitting happens based on the spfaction set above. If the action
was set to 2, then upon a softfail the process would sleep x seconds
and then call quit (where x is the value of spftarpittime or the
default 60).
|
|
I suggest you use this with caution, perhaps only enabling it on
FAIL which is something that can only happen when an SPF rule is
supplied, and somehow the connecting client violates the policy.
You have been warned. This could quite EASILY LEAD TO YOUR SERVER
BEING DOSSED BY SOME TURD. DO NOT BLAME ME, DEFAULT IS OFF.
CONSIDER YOURSELF WARNED.
|
|
|
spftarpittime |
Description: How long to tarpit a client
Type: Integer (time in seconds)
|
|
Not too short, or it's pointless, but not too long or you'll be clientless.
|
|
|
spfexplainstate |
Description: Enable or Disable giving of 'SPF Explanations'
Type: Integer
Default: 0 (off)
When set to 1, explanations will be automatically printed out after any SPF
query excluding SPF_PASS. This information is designed to be informative and
helpful to a user who has just likely had his or her email rejected. See the
above 'spfexplain' to define your own string to use instead. The default value
exists within libSPF, so creating the control file is only necessary if you
wish to change this value.
|
|
When set to 0, explanations are not appended.
|
|
|
spfexplanation |
Description: Explanation to provide client in any event result but SPF_PASS
Type: String
This string (can include macros) is expanded and sent to the client for every
result case excluding pass. The default value exists within libspf, so creating
the control file is only necessary if you wish to change this
value.
|
Default: See http://spf.pobox.com/why.html?sender=%{S}&ip=%{I}&receiver=%{xR}
|
|
When set to 0, explanations are not appended.
|
|
|
spftrustedstate |
Description: Enable or Disable SPF Trusted Forwarder mode
Type: Integer
When set to 1, libspf will attempt to contact the site contained within that text,
which would be ideally a whitelisting site (anything can really go there, but this
particular file is here specifically to handle larger whitelisting services) that
would be contacted in the event an SPF query returns NONE. The default value exists
within libspf, so creating the control file is only necessary if you wish to change
this value.
|
|
This is a great way to get around any hosts who refuse to publish! Simply
publish for them in your own local DNS server, or you can make use of the real
"Trusted Forwarder" service which has many well known "non-SPF-publishing" sites
already. http://trusted-forwarder.org
|
|
|
spftrustedforwarder |
Description: Define your Trusted Forwarder SPF Query
Type: String
This string (can include macros) is expanded and is used in the event that a
connecting client's query results in NONE (no SPF record published). libSPF
will then (if enabled) attempt to contact trusted-forwarder.org (default) which
is a global whitelisting system. You can add additional sites, or provide your
own. The default value exists within libSPF, so creating the control file is
only necessary if you wish to change this value.
|
Default: v=spf1 include:spf.trusted-forwarder.org
|
|
It's VERY important that this string end with a SPACE!
Failure to do so will likely result in parse failures.
|
|
|
spfguessstate |
Description: Enable or Disable SPF Best Guess mode
Type: Integer
When an SPF query fails, and then subsequently a trusted forwarder query possibly fails,
libspf will attempt to perform a "best guess" query using a default string which can
be redefined using the 'spfguess' control file. The default value exists within libspf,
so creating the control file is only necessary if you wish to change
this value.
|
|
|
|
|
spfbestguess |
Description: Define your Best Guess SPF Query
Type: String
This query is looked up in an attempt to make a guess against the user in the event
no record is found and the trusted forwarder lookup fails. The default value exists
within libspf, so creating the control file is only necessary if you wish to change
this value.
|
Default: v=spf1 a/24 mx/24 ptr
|
|
It's VERY important that this string end with a SPACE!
Failure to do so will likely result in parse failures.
|
|
|
spfheaderstate |
Description: Enable or Disable Received-SPF: header prepending
Type: Integer
When set to 1, libspf will pre-pend "Received-SPF:" headers as per the SPF RFC
Internet Draft. These are useful for third party applications such as SpamAssassin,
and even email clients capable of parsing headers to know where to
filter email to.
|
|
You should leave this ON. Failure to pre-pend Received-SPF: headers will nullify
any possible benefit had through 3rd party Anti-Spam implementations such as SpamAssassin
which will look at headers and evaluate them based on their content. It should be noted
however, that SpamAssassin (unless someone intentionally does this) will only
consider FAIL messages, because to do otherwise would be stupid. Spammers would
simply tag their own messages with Received-SPF: pass messages :-)
|
|
|
spfdebugstate |
Description: Enable or Disable libSPF debugging
Type: Integer
When set to anything above 0 this will enable debugging in libSPF (provided that
when you configured libSPF you supplied --enable-debug). To learn more about how
debugging works in libSPF please read the "Debugging libSPF" PDF or TXT that
accompanied your distribution or see the on-line version at:
http://libspf.org/debugging_libspf.html.
|
|
It should be noted that Autoconf enables _SPF_DEBUG_LOGFILE by default, and the
only way to disable this (to get debugging to show up on STDOUT) is to manually
edit the Makefile and comment out or remove the _SPF_DEBUG_LOGFILE macro, leaving
only _SPF_DEBUG.
|
|
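A linter for the control files described above, as an added example that is not part of libSPF or its qmail patch. It reports which SPF results the configured spfaction rejects and flags the settings this page warns about. The caller passes the control directory, and it is an assumption that each value sits on the file's first line.

```python
import os

# Order in which the page's spfaction levels 2..7 add results to the REJECT set.
REJECT_ORDER = ["fail", "softfail", "neutral", "none", "error", "unknown"]
INT_FILES = ["spfaction", "spftarpit", "spftarpittime", "spfexplainstate",
             "spftrustedstate", "spfguessstate", "spfheaderstate", "spfdebugstate"]
SPACE_FILES = ["spftrustedforwarder", "spfbestguess"]  # must end with a space

def read_value(control_dir, name):
    """Return the first line of a control file without its newline, or None."""
    path = os.path.join(control_dir, name)
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return fh.readline().rstrip("\r\n")  # keep trailing spaces intact

def rejected_results(action):
    """SPF results rejected at a given spfaction level (0 and 1 reject nothing)."""
    return REJECT_ORDER[:action - 1] if action >= 2 else []

def lint(control_dir):
    """Return a list of (level, file, message) findings for the SPF control files."""
    findings, ints = [], {}
    for name in INT_FILES:
        raw = read_value(control_dir, name)
        if raw is None:
            continue  # absent file: the built-in default applies
        if not raw.strip().isdigit():
            findings.append(("error", name, "not an integer: %r" % raw))
        else:
            ints[name] = int(raw)
    action = ints.get("spfaction", 1)  # the page gives 1 as the default
    if action > 7:
        findings.append(("error", "spfaction", "must be a single digit 0-7"))
    elif action > 3:
        findings.append(("warn", "spfaction", "level %d rejects %s; expect lost mail"
                         % (action, ", ".join(rejected_results(action)))))
    # Only flagged when spfheaderstate exists; its default is not stated on the page.
    if action == 1 and ints.get("spfheaderstate", 1) != 1:
        findings.append(("warn", "spfaction",
                         "level 1 only prepends headers, but spfheaderstate is not 1"))
    if ints.get("spftarpit", 0):
        findings.append(("warn", "spftarpit", "each tarpitted client holds a process "
                         "for %d s (DoS risk)" % ints.get("spftarpittime", 60)))
    for name in SPACE_FILES:
        raw = read_value(control_dir, name)
        if raw is not None and not raw.endswith(" "):
            findings.append(("error", name, "value must end with a space"))
    return findings
```

Editors that strip trailing whitespace on save will silently remove the required space from spftrustedforwarder and spfbestguess, so run the check after every edit.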