Postfix: How to accept email with valid SPF but unresolvable hostname?

Solution 1:

This could be possible if check_policy_service responded permit (from access(5) other actions) instead of neutral accept action OK vs. reject action reject. That would need modification to the SPF policy service policyd-spf.conf. Although I have never actually tried this, based on the manpage it seems that the Pass condition for both HELO and MAIL FROM allows using ANY action defined in access(5). Resulting configuration parameters in policyd-spf.conf:

HELO_pass_restriction = permit
Mail_From_pass_restriction = permit

Now, the order of the restrictions starts to matter, as the SPF policy service answers:

  • reject on SPF Fail
  • permit on SPF Pass
  • neutral OK on all other conditions including errors, Softfail, Neutral and no SPF.

Then, the Postfix main.cf can have all your restrictions in this kind of order:

smtpd_recipient_restrictions =
    permit_mynetworks,

    [checks done regardless of SPF],

    check_policy_service unix:private/policy-spf,

    [checks done only if SPF didn't either Pass or Fail],

    permit

Both permit and reject are first matches mentioned in smtpd_recipient_restrictions:

"Restrictions are applied in the order as specified; the first restriction that matches wins"

while the neutral response from any restriction causes moving to the next one.
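
The ordering described in Solution 1, as an added example that is not part of the original answer and is not Postfix code: a small model of first-match-wins evaluation showing which restriction decides each message. It assumes reject_unauth_destination sits in the "regardless of SPF" slot (so an SPF Pass can never authorize relaying), reject_unknown_client_hostname sits in the "only if SPF didn't Pass or Fail" slot, and the neutral answer is modelled as DUNNO from access(5); the sample clients are constructed.

```python
# Toy model of first-match-wins restriction evaluation (added example).
# Which checks fill each slot is an assumption; the page leaves them open.

def spf_policy(spf_result):
    """Policy answer with HELO_pass_restriction / Mail_From_pass_restriction = permit."""
    if spf_result == "Fail":
        return "reject"
    if spf_result == "Pass":
        return "permit"
    return "DUNNO"  # neutral: Softfail, Neutral, no SPF record, errors

RESTRICTIONS = [
    ("permit_mynetworks",
     lambda c: "permit" if c["in_mynetworks"] else "DUNNO"),
    # Checked regardless of SPF: the relay check must precede any permit.
    ("reject_unauth_destination",
     lambda c: "DUNNO" if c["rcpt_local"] else "reject"),
    ("check_policy_service", lambda c: spf_policy(c["spf"])),
    # Only reached when SPF neither passed nor failed.
    ("reject_unknown_client_hostname",
     lambda c: "DUNNO" if c["hostname_resolves"] else "reject"),
    ("permit", lambda c: "permit"),
]

def evaluate(client):
    """Return (decision, name of the restriction that decided)."""
    for name, check in RESTRICTIONS:
        action = check(client)
        if action != "DUNNO":  # first non-neutral answer wins
            return action, name
    return "permit", "end of list"

def make_client(spf, hostname_resolves, rcpt_local=True, in_mynetworks=False):
    """Constructed sample client attributes."""
    return {"spf": spf, "hostname_resolves": hostname_resolves,
            "rcpt_local": rcpt_local, "in_mynetworks": in_mynetworks}

if __name__ == "__main__":
    samples = [
        make_client("Pass", hostname_resolves=False),
        make_client("None", hostname_resolves=False),
        make_client("Softfail", hostname_resolves=True),
        make_client("Fail", hostname_resolves=True),
        make_client("Pass", hostname_resolves=True, rcpt_local=False),
    ]
    for c in samples:
        print(c["spf"], c["hostname_resolves"], c["rcpt_local"], "->", evaluate(c))
```
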

Solution 2:

Quote from the Postfix documentation:

"Restrictions are applied in the order as specified; the first restriction that matches wins"

So no, it's not possible. If only one of the restrictions matches, it results in the mail being rejected; the order doesn't matter.