Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: SPF: Help

SPF Help

  

 
SPF help RSS feed   Index | Next | Previous | View Threaded


richard at sheflug

Jul 27, 2004, 12:47 PM

Post #1 of 16 (2176 views)
Permalink
SPF Help
Hi

I'm trying to configure SPF on my own SuSE 9.1 mailserver.

I already use Spamassassin 2.63 and Mail::Audit but recent spam and a
chat with another system admin explains that I should be using SPF.
With this in mind I have installed Mail::SPF::Query from CPAN.

Looked at the docs and configuration options at...

http://search.cpan.org/~freeside/Mail-SPF-Query-1.997/Query.pm


I see that I might need to use.. $query->result() .. but I'm not quite
sure how to implement it. Or, how to include it into my own script for
spam scanning.....

#!/usr/bin/perl

use strict;
use warnings;

use Mail::Audit qw/KillDups/;
use Mail::Audit;
use Mail::SpamAssassin;
use Mail::SPF::Query

my $mailbox = "/home/mail/Mail/inbox";

my $mail = Mail::Audit->new( nomime => 1, );
my $spamtest = Mail::SpamAssassin->new();
my $status = $spamtest->check( $mail );

if ( $status->is_spam() ) {
$status->rewrite_mail();
$mail->accept( "/home/mail/Mail/Spam" );
} else {
$mail->accept( "home/mail/Mail/inbox" );
}


As you can see, I've put the line "use Mail::SPF::Query" into this but
so far it's not doing anything. Anyone know where to put
$query->result() or something more appropriate ?

The above works fine. I don't want anything else. Just some help with
SPF :)

Regards




Richard

www.sheflug.co.uk

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com


spf at metro

Jul 27, 2004, 1:57 PM

Post #2 of 16 (2118 views)
Permalink
Re: SPF Help [In reply to]
Hi,

You'll need to put support for spf somewhere in your MTA, and your
implementation should be able to reject the mail before the DATA stage.

So the question that is the answer to your question is: what MTA are you
using? If you're using eg. sendmail you can install a milter (i
personally have had it with milters atm), or choose one of the spf
libraries, and patch your MTA for them (eg libspf / libspsf2).

Koen

On Tue, Jul 27, 2004 at 08:47:27PM +0100, Richard Ibbotson wrote:
> Hi
>
> I'm trying to configure SPF on my own SuSE 9.1 mailserver.
>
> I already use Spamassassin 2.63 and Mail::Audit but recent spam and a
> chat with another system admin explains that I should be using SPF.
> With this in mind I have installed Mail::SPF::Query from CPAN.
>
> Looked at the docs and configuration options at...
>
> http://search.cpan.org/~freeside/Mail-SPF-Query-1.997/Query.pm
>
>
> I see that I might need to use.. $query->result() .. but I'm not quite
> sure how to implement it. Or, how to include it into my own script for
> spam scanning.....
>
> #!/usr/bin/perl
>
> use strict;
> use warnings;
>
> use Mail::Audit qw/KillDups/;
> use Mail::Audit;
> use Mail::SpamAssassin;
> use Mail::SPF::Query
>
> my $mailbox = "/home/mail/Mail/inbox";
>
> my $mail = Mail::Audit->new( nomime => 1, );
> my $spamtest = Mail::SpamAssassin->new();
> my $status = $spamtest->check( $mail );
>
> if ( $status->is_spam() ) {
> $status->rewrite_mail();
> $mail->accept( "/home/mail/Mail/Spam" );
> } else {
> $mail->accept( "home/mail/Mail/inbox" );
> }
>
>
> As you can see, I've put the line "use Mail::SPF::Query" into this but
> so far it's not doing anything. Anyone know where to put
> $query->result() or something more appropriate ?
>
> The above works fine. I don't want anything else. Just some help with
> SPF :)
>
> Regards
>
>
>
>
> Richard
>
> www.sheflug.co.uk
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/
> Donate! http://spf.pobox.com/donations.html
> To unsubscribe, change your address, or temporarily deactivate your subscription,
> please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com


richard at sheflug

Jul 27, 2004, 2:08 PM

Post #3 of 16 (2154 views)
Permalink
Re: SPF Help [In reply to]
Hi

> So the question that is the answer to your question is: what MTA are you
> using?

Postfix and Amavisd.. Sorry I didn't explain that.

Yuk ! No, not sendsnail :) Had a lot of discussions with the OpenBSD
team about that. Awful MTA with lots of holes in it. Would use Exim
but Postfix is familiar.

Regards



Richard

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com


spf at metro

Jul 27, 2004, 2:13 PM

Post #4 of 16 (2102 views)
Permalink
Re: Re: SPF Help [In reply to]
I think you should take a look at http://spf.pobox.com/downloads.html
then, it has some stuff for postfix on there..

Also, the libspf and/or libspf2 should have postfix support pretty
soon.

You might also want to search the list archives for hints / tips etc on
the postfix policydaemon for spf, of which i have virtually no knowledge
at all.

Koen

On Tue, Jul 27, 2004 at 10:08:53PM +0100, Richard Ibbotson wrote:
> Hi
>
> > So the question that is the answer to your question is: what MTA are you
> > using?
>
> Postfix and Amavisd.. Sorry I didn't explain that.
>
> Yuk ! No, not sendsnail :) Had a lot of discussions with the OpenBSD
> team about that. Awful MTA with lots of holes in it. Would use Exim
> but Postfix is familiar.
>
> Regards
>
>
>
> Richard
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/
> Donate! http://spf.pobox.com/donations.html
> To unsubscribe, change your address, or temporarily deactivate your subscription,
> please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com


richard at sheflug

Jul 27, 2004, 2:38 PM

Post #5 of 16 (2131 views)
Permalink
Re: SPF Help [In reply to]
Koen

> I think you should take a look at http://spf.pobox.com/downloads.html
> then, it has some stuff for postfix on there..

I'll have a look at it.

Thank you






Richard

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help[at]v2.listbox.com


jgiacobbe at coldwellbankerrichmond

Jan 25, 2005, 8:45 AM

Post #6 of 16 (2102 views)
Permalink
RE: spf help [In reply to]
In addition to SPF, make sure your SMTP HELO and EHELO messages are
configured correctly. I recently took over a system where my exchange
server was not configured to use an internet compatable FQDN in the HELO
message. Instead it was using the local windows computer name which was
serverY.domainX.local. Also many email servers perform a reverse DNS
lookup on your mail server. Make sure there is a PTR record configured
to match your servers internet FQDN. These steps alone resolved the
majority of my bounced back messages from domains such as AOL, Erols and
CompuServe. I did setup a SPF record for my domain, but without
completing these other steps it would have done no good. Hopefully this
email is of some help to you.

Jeremy Giacobbe
IT Manager
Coldwell Banker Advantage
10001 Courtview Lane
Chesterfield, VA 23832
jgiacobbe[at]coldwellbankerrichmond.com


-----Original Message-----
From: owner-spf-help[at]v2.listbox.com
[mailto:owner-spf-help[at]v2.listbox.com] On Behalf Of Chris Boerner
Sent: Tuesday, January 25, 2005 11:16 AM
To: spf-help[at]v2.listbox.com
Subject: [spf-help] spf help

I have been reading about the SPF project. We are experiencing problems
sending mail to some external domains and thought that this may be
because we are not using SPF. I have checked 146 blacklists and we do
not show up on any of them. I have gotten a full report form
DNSreport.com and they stated a warning for not having an SPF. I have
gone to the pobox SPF wizard and created an SPF, but have no idea how to
finish the request. Where do you insert the record and how is it done?
Please help!!!!!



Chris Boerner

Hayner Public Library

401 State St. Alton, Ill. 62002

PH. 618-462-0677

email:chris.boerner[at]haynerlibrary.org



-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to
http://v2.listbox.com/member/?member_id=1763563&user_secret=85287933

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&user_secret=8085f1ba


steve at teamITS

Sep 17, 2007, 11:10 AM

Post #7 of 16 (1298 views)
Permalink
RE: SPF help [In reply to]
Tim Wolak wrote on 9/17/2007 11:55:42 AM:

> v=spf1 ip4:64.149.243.139/29 mx ptr
> mx:adsl-64-149-243-139.dsl.chcgil.sbcglobal.net include:sktydev.com
~all

There are a few errors in your SPF records I see right off the
bat:

1) there is no MX for the domain
adsl-64-149-243-139.dsl.chcgil.sbcglobal.net.

2) The SPF record for skytdev.com is:

sktydev.com. 10800 IN TXT "sktydev.com. IN TXT
\"v=spf1 ip4:10.10.33.192/26 mx ptr mx:sktytrading.com
include:sktytrading.com ~all\"?all"

You can see there is some extra stuff in there that is not valid.

3) The SPF record for sktytrading.com includes the SPF record for
skytdev.com, and vice versa. I'm not sure if that's an error but it
seems wrong to have circular references.

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- No Purchase Required. Details Inside Package.

~ Taglines by Taglinator - www.srtware.com ~

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&id_secret=42824297-b061c0
Powered by Listbox: http://www.listbox.com


steve at teamITS

Apr 23, 2008, 12:35 PM

Post #8 of 16 (860 views)
Permalink
RE: SPF Help [In reply to]
Justin J. Kotulsky wrote on 4/23/2008 2:14:31 PM:

>> I am in the process of setting up an SPF record for our single domain
>> that currently sends email from 1 IP address and 1 exchange server.
>> However, in the future we may open email to be sent from more than 1
>> IP address. For my record is it ok to list my entire external IP
>> range? For example v=spf1 ip4:209.144.71.138/25 -all Is there
>> anything else that I have to list such as mx records? Also, is there
>> anything else that needs done to my Exchange server or anything else
>> on my system? After reading through the openspf website it seems as
>> if all I need to do is have the record published with my provider.

That's pretty much all you need to do. You can list your entire
range, or just one IP now (and add more later). I would say it's better
practice to list only the valid IPs in case another PC gets compromised
and starts sending out spam/viruses. You can change your SPF record at
any time.

You should only list MX servers if they 1) are different than
the IPs already listed, and 2) send outgoing mail.

You don't need to do anything to Exchange to set up SPF to
protect your domain.

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- "It's not his fault that he's an unstoppable killing machine! Is it,
snookums?" - Leela

~ Taglines by Taglinator - www.srtware.com ~

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


vesely at tana

Apr 23, 2008, 9:25 PM

Post #9 of 16 (854 views)
Permalink
Re: SPF Help [In reply to]
Justin J. Kotulsky wrote:
>> I am in the process of setting up an SPF record for our single domain
>> that currently sends email from 1 IP address and 1 exchange server.
>> However, in the future we may open email to be sent from more than 1
>> IP address. For my record is it ok to list my entire external IP
>> range? For example v=spf1 ip4:209.144.71.138/25 -all Is there
>> anything else that I have to list such as mx records?

I agree with Steve, less IPs is better. However, don't forget any
address that users of your domain's mail addresses send mail out from.

>> Also, is there
>> anything else that needs done to my Exchange server or anything else
>> on my system?

Two things: (1) apply SPF checking when you receive mail, and (2) make
sure forwarded mail has its envelope sender rewritten (e.g. empty or
postmaster's address.)

Those three SPF-compliance tasks are loosely related to one another.

>> After reading through the openspf website it seems as
>> if all I need to do is have the record published with my provider.

Correct. Make sure you can change your DNS records easily any time you
want. Besides example.com, you may want to provide a TXT record also
for any helo.example.com. Actually, you may want write SPF records for
each host that has an address or an MX record pointing to it, if you
can do that by scripting.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


JJK at MUSLAW

Apr 24, 2008, 6:22 AM

Post #10 of 16 (853 views)
Permalink
RE: SPF Help [In reply to]
Justin J. Kotulsky
Thanks for the help. I'll try out your suggestions. I'm confident of
my IP addresses. Is there any reason to start out with the ~all over
the -all? I saw on somewhere that the soft fail doesn't really curtail
the spoofing compared to the hard fail. Thanks.

Justin J. Kotulsky wrote:
>> I am in the process of setting up an SPF record for our single domain
>> that currently sends email from 1 IP address and 1 exchange server.
>> However, in the future we may open email to be sent from more than 1
>> IP address. For my record is it ok to list my entire external IP
>> range? For example v=spf1 ip4:209.144.71.138/25 -all Is there
>> anything else that I have to list such as mx records?

I agree with Steve, less IPs is better. However, don't forget any
address that users of your domain's mail addresses send mail out from.

>> Also, is there
>> anything else that needs done to my Exchange server or anything else
>> on my system?

Two things: (1) apply SPF checking when you receive mail, and (2) make
sure forwarded mail has its envelope sender rewritten (e.g. empty or
postmaster's address.)

Those three SPF-compliance tasks are loosely related to one another.

>> After reading through the openspf website it seems as
>> if all I need to do is have the record published with my provider.

Correct. Make sure you can change your DNS records easily any time you
want. Besides example.com, you may want to provide a TXT record also
for any helo.example.com. Actually, you may want write SPF records for
each host that has an address or an MX record pointing to it, if you
can do that by scripting.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


steve at teamITS

Apr 24, 2008, 8:03 AM

Post #11 of 16 (850 views)
Permalink
RE: SPF Help [In reply to]
Justin J. Kotulsky wrote on 4/24/2008 8:22:58 AM:

> Is there any reason to start out with the ~all over
> the -all?

You can use ~all during testing of your SPF record. If you're
confident you have it correct you can start with -all.

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- "So this is your new computer!," said Tom calculatingly.

~ Taglines by Taglinator - www.srtware.com ~

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


vesely at tana

Apr 24, 2008, 8:50 AM

Post #12 of 16 (850 views)
Permalink
Re: SPF Help [In reply to]
Steve Yates wrote:
> Justin J. Kotulsky wrote on 4/24/2008 8:22:58 AM:
>
>> Is there any reason to start out with the ~all over
>> the -all?
>
> You can use ~all during testing of your SPF record. If you're
> confident you have it correct you can start with -all.

Unfortunately, there is no provision to learn if something is wrong by
using ~all :-(

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


steve at teamITS

Apr 24, 2008, 9:50 AM

Post #13 of 16 (845 views)
Permalink
RE: SPF Help [In reply to]
Alessandro Vesely wrote on 4/24/2008 10:50:35 AM:

> Unfortunately, there is no provision to learn if something is wrong by
> using ~all :-(

No, not directly. I suppose one can see if mail ends up in
recipients' spam folders. That's a little better than being rejected.
The other option is to use -all and use a short TTL on that DNS entry so
that it can be easily changed if mail starts bouncing.

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- Cat game number 5. Fit into the smallest space possible.

~ Taglines by Taglinator - www.srtware.com ~

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


rob.macgregor at gmail

Apr 24, 2008, 10:58 AM

Post #14 of 16 (843 views)
Permalink
Re: SPF Help [In reply to]
On Thu, Apr 24, 2008 at 5:50 PM, Steve Yates <steve[at]teamits.com> wrote:
>
> No, not directly. I suppose one can see if mail ends up in
> recipients' spam folders. That's a little better than being rejected.
> The other option is to use -all and use a short TTL on that DNS entry so
> that it can be easily changed if mail starts bouncing.

On the other hand, you could make use of the many test addresses, so
that you can validate your record before switching to -all and denying
yourself the ability to send email ;)

--
Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


vinh.pt at namansecurities

Jun 20, 2008, 5:48 AM

Post #15 of 16 (498 views)
Permalink
RE: SPF Help [In reply to]
Dear ListBox,

Please remove my email out of your mailling list

Thank you

V

________________________________

From: Scott Kitterman [mailto:scott[at]kitterman.com]
Sent: Fri 6/20/2008 6:53 PM
To: spf-help[at]v2.listbox.com
Subject: Re: [spf-help] SPF Help



On Thu, 19 Jun 2008 15:04:24 -0700 "Jim Knight"
<jim.knight[at]redwoodmktg.com> wrote:
>Hello -
>
>
>
>I am having some problems . SPF keeps rejecting my e-mail and I don't know
>what to do.
>
>
>My ISP REQUIRES that I use their outbound mail server . And SPF doesn't
>seem to like that.
>

Your ISP publishes an SPF record:

wavecable.net. 86400 IN TXT "v=spf1 ip4:24.113.32.0/24 ~all"

Your domain has an SPF record:

redwoodmktg.com. 21600 IN TXT "v=spf1 ip4:216.171.167.40 -all"

Presumably you published this record. You need to modify it to also cover
your ISP's mail servers. The way you do that is change it to:

"v=spf1 ip4:216.171.167.40 include:wavecable.net -all"

Scott K


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com





-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


rob.macgregor at gmail

Jun 20, 2008, 9:33 AM

Post #16 of 16 (497 views)
Permalink
Re: SPF Help [In reply to]
On Fri, Jun 20, 2008 at 13:48, Vinh Phan Tat
<vinh.pt[at]namansecurities.com> wrote:
> Dear ListBox,
>
> Please remove my email out of your mailling list

You can remove yourself from the same location you signed up, or as
mentioned in the headers of every email to the list:

List-Unsubscribe: <mailto:unsubscribe-spf-help[at]v2.listbox.com>,

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

SPF help RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact lists@gossamer-threads.com
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.