
Mailing List Archive: SPF: Help

trying to understand proper setup

 

 



mfidelman at meetinghouse

Oct 29, 2006, 6:48 PM

Post #1 of 5 (3086 views)
trying to understand proper setup

Hi Folks,

I run a Linux box, mostly to support mailing lists (configured w/ Debian
Sarge, and Sympa).

In addition, I have a small number of mail accounts hosted on the
machine, 1 of which logs in and uses pine, the other two use remote
clients (Thunderbird) - authenticated via MD5 challenge-response.

I've just started to add SPF records to all the domains I support, all
of which go through one mail machine, and I've published a DNS record of
the form "v=spf1 a mx ~all" (as recommended by the wizard on
www.openspf.org).

But I seem to have a problem: For the mail server, and the pine-based
email account, everything works just fine, but mail that originates from
Thunderbird fails SPF checks - presumably because it's originating from
the IP address of the client (dynamically assigned) rather than
from the server.

Any suggestions?

Thanks very much,

Miles Fidelman

-------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&user_secret=cbdbbc81


scott at kitterman

Oct 29, 2006, 8:20 PM

Post #2 of 5 (2892 views)
Re: trying to understand proper setup [In reply to]

On Sun, 29 Oct 2006 21:48:18 -0500 Miles Fidelman
<mfidelman[at]meetinghouse.net> wrote:
>Hi Folks,
>
>I run a Linux box, mostly to support mailing lists (configured w/ Debian
>Sarge, and Sympa).
>
>In addition, I have a small number of mail accounts hosted on the
>machine, 1 of which logs in and uses pine, the other two use remote
>clients (Thunderbird) - authenticated via MD5 challenge-response.
>
>I've just started to add SPF records to all the domains I support, all
>of which go through one mail machine, and I've published a DNS record of
>the form "v=spf1 a mx ~all" (as recommended by the wizard on
>www.openspf.org).
>
>But I seem to have a problem: For the mail server, and the pine-based
>email account, everything works just fine, but mail that originates from
>Thunderbird fails SPF checks - presumably because it's originating from
>the IP address of the client (dynamically assigned) rather than
>from the server.
>
>Any suggestions?

For the record, here is the same answer I just sent you offlist in response
to your similar question on Postfix-users....

The simplest way to do this is have Thunderbird submit mail on the
submission port (587). Only allow authorized senders (mynetworks or SMTP
AUTH) to connect via that port. Don't check SPF on that port. Problem
solved.

SPF should only be checked for MTA to MTA transactions, not for MUA
submissions.

Scott K
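
An added example, not part of the original thread or any poster's code: a Python sketch of why the record form quoted above yields softfail for a mail client on a dynamic address, and how the port 587 policy described in this reply avoids the check. The domain, addresses and DNS table are constructed, and `check_spf` and `smtpd_decision` are hypothetical helpers that cover only the `a`, `mx`, `ip4` and `all` mechanisms.

```python
import ipaddress

# Constructed DNS data for a hypothetical domain (not taken from the thread).
DNS = {
    ("example.org", "A"): ["192.0.2.10"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.10"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RECORD = "v=spf1 a mx ~all"  # the record form quoted in the thread


def check_spf(record, domain, client_ip):
    """Evaluate a, mx, ip4 and all mechanisms left to right; first match wins."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            matched = client_ip in DNS.get((arg or domain, "A"), [])
        elif name == "mx":
            hosts = DNS.get((arg or domain, "MX"), [])
            matched = any(client_ip in DNS.get((h, "A"), []) for h in hosts)
        elif name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            matched = ipaddress.ip_address(client_ip) in net
        else:
            return "permerror"  # mechanism or modifier outside this sketch
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term


def smtpd_decision(port, authorized, sender_domain, client_ip, record=RECORD):
    """Port 587: authorized senders only, no SPF. Port 25: MTA to MTA, SPF."""
    if port == 587:
        return "accept, SPF skipped" if authorized else "reject"
    return "spf=" + check_spf(record, sender_domain, client_ip)


if __name__ == "__main__":
    print(smtpd_decision(25, False, "example.org", "192.0.2.10"))     # server
    print(smtpd_decision(25, False, "example.org", "198.51.100.77"))  # MUA on port 25
    print(smtpd_decision(587, True, "example.org", "198.51.100.77"))  # MUA on 587
```
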




gavin at orion-online

Oct 29, 2006, 9:42 PM

Post #3 of 5 (2908 views)
Re: trying to understand proper setup [In reply to]

Hi all,

For clients sending mail to their server, get them to authenticate. I'm
not sure about "NIX" boxes but most mail servers will bypass the SPF
testing if the client is authenticated.

I have 400-odd email clients using my server and they all authenticate,
they are also all on dynamic IPs when they connect to the net, I have
no problems and I have had SPF running flawlessly for nearly 12 months
now.

As a side note the ~all switch is fine for testing but be aware a
growing number of server admins will give a neutral or softfail a
positive score in the spam filters for the reason that mail is either
allowed to be sent from that server or it's not, from my point of view
you may as well not bother setting up records in the DNS if you are
going to give a neutral or softfail, as it seems to me to defeat the
purpose.

Regards
Gavin Roche



Miles Fidelman wrote:

Hi Folks,

I run a Linux box, mostly to support mailing lists (configured w/
Debian Sarge, and Sympa).

In addition, I have a small number of mail accounts hosted on the
machine, 1 of which logs in and uses pine, the other two use remote
clients (Thunderbird) - authenticated via MD5 challenge-response.

I've just started to add SPF records to all the domains I support,
all of which go through one mail machine, and I've published a DNS
record of the form "v=spf1 a mx ~all" (as recommended by the wizard
on www.openspf.org).

But I seem to have a problem: For the mail server, and the
pine-based email account, everything works just fine, but mail that
originates from Thunderbird fails SPF checks - presumably because
it's originating from the IP address of the client
(dynamically assigned) rather than from the server.

Any suggestions?

Thanks very much,

Miles Fidelman



mfidelman at meetinghouse

Oct 30, 2006, 4:45 AM

Post #4 of 5 (2903 views)
Re: trying to understand proper setup [In reply to]

Gavin Roche wrote:
> Hi all,
>
> For clients sending mail to their server, get them to authenticate. I'm
> not sure about "NIX" boxes but most mail servers will bypass the SPF
> testing if the client is authenticated.
>
Well, that's what I thought - but I guess I have something miswired. I
just recently switched from Sendmail to Postfix, and all the
configuration stuff is new to me - complicated by all the changes in the
anti-spam configuration. Sigh..
>
> As a side note the ~all switch is fine for testing but be aware a
> growing number of server admins will give a neutral or softfail a
> positive score in the spam filters for the reason that mail is either
> allowed to be sent from that server or it's not, from my point of view
> you may as well not bother setting up records in the DNS if you are
> going to give a neutral or softfail, as it seems to me to defeat the
> purpose.
>
Good to know!

Thanks,

Miles



scott at kitterman

Oct 30, 2006, 4:52 AM

Post #5 of 5 (2900 views)
Re: trying to understand proper setup [In reply to]

On Monday 30 October 2006 07:45, Miles Fidelman wrote:
> Gavin Roche wrote:
> > Hi all,
> >
> > For clients sending mail to their server, get them to authenticate. I'm
> > not sure about "NIX" boxes but most mail servers will bypass the SPF
> > testing if the client is authenticated.
>
> Well, that's what I thought - but I guess I have something miswired. I
> just recently switched from Sendmail to Postfix, and all the
> configuration stuff is new to me - complicated by all the changes in the
> anti-spam configuration. Sigh..
>
It depends on the implementation. I can help you with getting the Postfix
setup correct.

If you want help, please send me a copy of your main.cf, master.cf, and the
output of postconf -n offlist. If you choose to anonymize parts of it,
that's fine. I actually don't want any information you consider sensitive.
I'll look it over and give you a recommendation.

I do suggest taking MUA submissions via port 587 (or port 465 for wrapped port
if you find yourself needing to support Microsoft MUAs).

Scott K
