content/blog/mail_server_alpine_postfix_dovecot_tutorial.md: postfix-policyd-spf-perl section

content/blog/mail_server_alpine_postfix_dovecot_tutorial/index.md

@@ -94,10 +94,18 @@ The mail server will be composed of the following software:
         <td>Mail delivery agent</td>
         <td colspan="2">Dovecot</td>
     </tr>
+    <tr>
+        <td>SPF authentication</td>
+        <td colspan="2">postfix-policyd-spf-perl</td>
+    </tr>
     <tr>
         <td>DKIM authentication and signing</td>
         <td colspan="2">OpenDKIM</td>
     </tr>
+    <tr>
+        <td>DMARC authentication</td>
+        <td colspan="2">OpenDMARC</td>
+    </tr>
     <tr>
         <td>Spam filter</td>
         <td rowspan="2">Amavis</td>
@@ -801,6 +809,8 @@ checks.
 
 ## Sender Policy Framework
 
+### Set up your DNS record
+
 Add a TXT record for your root domain with the contents `v=spf1 mx ~all`, like:
 
 ```dns
@@ -863,6 +873,68 @@ Breaking down the TXT data:
     </tr>
 </table>
 
+### Get Postfix to validate SPF
+
+We're going to use a Postfix SMTPd policy server called postfix-policyd-spf-perl to check SPF of incoming emails.
+postfix-policyd-spf-perl is very simple and requires almost no configuration.
+
+Install `postfix-policyd-spf-perl` and create a user, `policyd-spf` for it:
+
+    # apk add postfix-policyd-spf-perl
+    # adduser -S -s /sbin/nologin -h /dev/null -H policyd-spf
+
+Explanation of `adduser` flags:
+
+<table>
+    <tr>
+        <th>Option</th>
+        <th>Explanation</th>
+    </tr>
+    <tr>
+        <td><code>-S</code></td>
+        <td>Create a system user</td>
+    </tr>
+    <tr>
+        <td><code>-s /sbin/nologin</code></td>
+        <td>Set shell to <code>/sbin/nologin</code> so the user doesn't have a shell</td>
+    </tr>
+    <tr>
+        <td><code>-h /dev/null</code></td>
+        <td>Set home directory to <code>/dev/null</code></td>
+    </tr>
+    <tr>
+        <td><code>-H</code></td>
+        <td>
+            Don't create a home directory (if you try to create <code>/dev/null</code> and assign it to
+            <code>policyd-spf</code> there will be all sorts of permissions issues)
+        </td>
+    </tr>
+</table>
+
+Now edit `/etc/postfix/master.cf` to tell Postfix to start up the postfix-policyd-spf-perl daemon:
+
+```conf
+policyd-spf   unix -     n       n       -       0       spawn
+  user=policyd-spf argv=/usr/bin/postfix-policyd-spf-perl
+```
+
+Now get Postfix to use postfix-policyd-spf-perl in `/etc/postfix/main.cf` by adding the following lines:
+
+```conf
+smtpd_recipient_restrictions =
+    permit_mynetworks,
+    reject_unauth_destination,
+    check_policy_service unix:private/policyd-spf
+policyd-spf_time_limit = 3600
+```
+
+postfix-policyd-spf-perl is now set up, and you can test it by sending yourself an email from a mainstream email
+provider (which ought to have an SPF record) and checking for the presence of this header:
+
+```
+Received-SPF: pass (protonmail.com: Sender is authorized to use 'revsuine@protonmail.com' in 'mfrom' identity (mechanism 'include:_spf.protonmail.ch' matched))
+```
+
 ## DomainKeys Identified Mail
 
 ### Configure OpenDKIM
@@ -1065,6 +1137,11 @@ non_smtpd_milters = $smtpd_milters
 This uses the Milter extension, which is something that can be used to process mail; in this case, to add headers to
 emails relating to DKIM.
 
+You can, again, test this on both incoming and outgoing mail. On outgoing mail, there should be a `DKIM-Signature:`
+header present. On incoming mail from domains implementing DKIM, there should be a
+`Authentication-Results: master.revsuine.xyz;` header (obviously replacing `master.revsuine.xyz` with your hostname)
+indicating whether or not the email has passed DKIM authentication.
+
 ## Domain-based Message Authentication, Reporting, and Conformance
 
 ### Ensure your domains are aligned in email headers