Comment 9 for bug 1215961

My config:

/etc/postfix-policyd-spf-python/policyd-spf.conf:

# For a fully commented sample config file see policyd-spf.conf.commented

debugLevel = 1
defaultSeedOnly = 1

HELO_reject = SPF_Not_Pass
Mail_From_reject = Fail

PermError_reject = False
TempError_Defer = False

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0//104,::1//128

/etc/postfix/master.cf:

[...]
policy-spf unix - n n - - spawn
     user=nobody argv=/usr/bin/policyd-spf

/etc/postfix/main.cf:

[...]
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_client_access pcre:/etc/postfix/checks/client-whitelist,
    check_client_access pcre:/etc/postfix/checks/client-blacklist,
    reject_unknown_client_hostname,
    check_policy_service unix:private/policy-spf,
[...]

policy-spf_time_limit = 3600s