Mailing List Archive: SPF: Help

SPF Records.. Sending mail through smarthost


matt at digitallyhosted

Oct 30, 2006, 8:26 AM

Post #1 of 12 (2460 views)
SPF Records.. Sending mail through smarthost

Hey there,

I currently have a problem.

I manage the IT for 4 different companies. These companies are set up more or
less identically when it comes to servers.

Some of the companies are multi-site, so we have more than one server for
that company, while others are just a one-site company.

All our mail servers (7) are on DSL lines scattered in the 7 different
buildings which form the 4 separate companies.

Because the servers are on DSL we do send through a smarthost because some
servers block email from IP addresses which are on a dynamic range.

The problem I have at the moment is that the ISP we are using for DSL does
NOT have any SPF records, so I'm pretty sure we can't just use include:isp.com
in our SPF record... because that assumes they have SPF records for their
domain.

So I decided to list all the outgoing mail servers for the ISP, using
a:outgoing-mailserver.isp.com.

The problem I have now is that there are many outgoing mail servers for our
ISP and they all belong to systems.viatel.com... here are some examples:

lucy log # host seasat.systems.viatel.net
seasat.systems.viatel.net has address 135.196.68.13
lucy log # host endeavour.systems.viatel.net
endeavour.systems.viatel.net has address 194.42.224.139
lucy log # host falcon.systems.viatel.net
falcon.systems.viatel.net has address 194.42.224.144
lucy log # host aquarius.systems.viatel.net
aquarius.systems.viatel.net has address 194.42.224.145

They are not all on the same subnet, and use generic names, so I'm unsure how
to find a full list of outgoing mail servers for the ISP.

Is there any way to include something like *.systems.viatel.com or some
other way of doing this... without listing all the servers one by one....

Plus with the amount of servers that I have already found the names of (over
10 so far) I'm guessing that over time I'm going to have to update the list
with new servers and such.

So basically, is there any way to include them all without listing them one by
one?

Thanx

-------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&user_secret=cbdbbc81


alex at ergens

Oct 30, 2006, 8:40 AM

Post #2 of 12 (2328 views)
Re: SPF Records.. Sending mail through smarthost [In reply to]

On Mon, Oct 30, 2006 at 04:26:06PM -0000, Matt wrote:

> Because the servers are on DSL we do send through a smarthost because some
> servers block email from ip addresses which are on a dynamic range.

"through a smarthost" -> info on everything before this smarthost
is irrelevant.

client-->server_on_dsl-->smarthost-->destination

or maybe

client-->server_on_dsl-->smarthost-->other_host(s)-->destination

You need to list the server(s) doing final delivery to 'destination',
not the host earlier in the chain.

So, in my first example you'd have to list 'smarthost'. In the
second example, you would not need to list that one.

Alex



steve at teamITS

Oct 30, 2006, 9:59 AM

Post #3 of 12 (2442 views)
RE: SPF Records.. Sending mail through smarthost [In reply to]

Matt <mailto:matt [at] digitallyhosted> wrote on Monday, October 30, 2006
10:26 AM:
> They are not all on the same subnet, and use generic names so im unsure how
> to find a full list of outgoing mail servers for the isp.
>
> is there any way to include something like *.systems.viatel.com or some
> other way of doing this... without listing all the servers one by one....

Only if they create an SPF record you can include.

> Plus with the amount of servers that i have already found the names of (over
> 10 so far) im guessing that over time im going to have to update the list
> with new servers and such.

There is a limit of 10 DNS lookups per SPF record...you may need
to use the IP address ("ip4:...") instead.

> So basically is there anyway to include them all without listing them one by
> one.

It's going to be difficult for you to use SPF without knowing
the sending servers. You could use ?all but that sort of defeats the
purpose of SPF. This may be a use for the "ptr" mechanism
(http://new.openspf.org/SPF_Record_Syntax#ptr) but I don't think you can
have that distinguish between mail.systems.viatel.com and
somecustomer.systems.viatel.com.

- Steve Yates
- ITS, Inc.
- It's always darkest before you step on the cat.




scott at kitterman

Oct 30, 2006, 11:10 AM

Post #4 of 12 (2461 views)
Re: SPF Records.. Sending mail through smarthost [In reply to]

On Monday 30 October 2006 11:26, Matt wrote:
> Hey there,
>
> I currently have a problem.
>
> I manage the IT for 4 different companies. These companies are setup more
> or less identical when it comes to servers.
>
> Some of the companies are multi-site, so we have more than one server for
> that company, while others are just a one site company
>
> All our mail servers (7) are on dsl lines scattered in the 7 different
> buildings which form the 4 seperate companies.
>
> Because the servers are on DSL we do send through a smarthost because some
> servers block email from ip addresses which are on a dynamic range.

One solution to this particular problem would be to upgrade one of your DSL
lines to static IP. Then you could smarthost via your mail server on that
connection from all the others (you can use a port other than port 25 if one
of the ISPs blocks port 25).

This, BTW, would probably help a lot with your e-mail reliability in general.
Most ISP mail servers get a lot of junk sent through them and it is not rare
for them to get blacklisted. It would be much more reliable from an SPF
perspective than guessing what your ISP is up to.

> The problem i have at the moment, is that the ISP we are using for DSL,
> does NOT have any SPF records so im pretty sure we cant just use
> include:isp.com in our SPF record... because that assumes they have SPF
> records for their domain.

That is correct.

> So i decided to list all the outgoing mail servers for the isp, using
> a:outgoing-mailserver.isp.com.
>
> The problem i have now is that there are many outgoing mail servers for our
> isp and they all belong to systems.viatel.com... here are some examples:
>
> lucy log # host seasat.systems.viatel.net
> seasat.systems.viatel.net has address 135.196.68.13
> lucy log # host endeavour.systems.viatel.net
> endeavour.systems.viatel.net has address 194.42.224.139
> lucy log # host falcon.systems.viatel.net
> falcon.systems.viatel.net has address 194.42.224.144
> lucy log # host aquarius.systems.viatel.net
> aquarius.systems.viatel.net has address 194.42.224.145
>
> They are not all on the same subnet, and use generic names so im unsure how
> to find a full list of outgoing mail servers for the isp.

The way I did this back when I was in a similar situation was to send multiple
messages to myself at an external MX and see what IPs they came from.
Eventually I stopped finding new ones. Then I'd repeat the process every
several months to see what had popped up.

> is there any way to include something like *.systems.viatel.com or some
> other way of doing this... without listing all the servers one by one....

No.

> Plus with the amount of servers that i have already found the names of
> (over 10 so far) im guessing that over time im going to have to update the
> list with new servers and such.
>
> So basically is there anyway to include them all without listing them one
> by one.

No, but as one of the other posters pointed out, use the ip4: mechanism to
look up by IP address. This will protect you against triggering DNS lookup
limits.

I'd also suggest requesting that the ISP publish an SPF record.

Scott K



nobody at xyzzy

Oct 30, 2006, 5:09 PM

Post #5 of 12 (2334 views)
Re: SPF Records.. Sending mail through smarthost [In reply to]

Matt wrote:

> lucy log # host seasat.systems.viatel.net
> seasat.systems.viatel.net has address 135.196.68.13
> lucy log # host endeavour.systems.viatel.net
> endeavour.systems.viatel.net has address 194.42.224.139
> lucy log # host falcon.systems.viatel.net
> falcon.systems.viatel.net has address 194.42.224.144
> lucy log # host aquarius.systems.viatel.net
> aquarius.systems.viatel.net has address 194.42.224.145
[...]
> is there any way to include something like *.systems.viatel.com
> or some other way of doing this... without listing all the servers
> one by one....

For that example you could permit 194.42.224.anything with
'ip4:194.42.224.0/24'.

> is there anyway to include them all without listing them
> one by one.

'v=spf1 ptr:systems.viatel.net ~all' apparently does the
trick, tested at http://www.kitterman.com/spf/validate.html

You can combine it, simple cases first:
'v=spf1 ip4:194.42.224.0/24 ptr:systems.viatel.net ~all'

Testing that with 135.196.68.13 the validator says PASS.

Frank




scott at kitterman

Oct 30, 2006, 6:20 PM

Post #6 of 12 (2360 views)
Re: Re: SPF Records.. Sending mail through smarthost [In reply to]

On Tue, 31 Oct 2006 02:09:30 +0100 Frank Ellermann
<nobody [at] xyzzy> wrote:
>Matt wrote:
>
>> lucy log # host seasat.systems.viatel.net
>> seasat.systems.viatel.net has address 135.196.68.13
>> lucy log # host endeavour.systems.viatel.net
>> endeavour.systems.viatel.net has address 194.42.224.139
>> lucy log # host falcon.systems.viatel.net
>> falcon.systems.viatel.net has address 194.42.224.144
>> lucy log # host aquarius.systems.viatel.net
>> aquarius.systems.viatel.net has address 194.42.224.145
>[...]
>> is there any way to include something like *.systems.viatel.com
>> or some other way of doing this... without listing all the servers
>> one by one....
>
>For that example you could permit 194.42.224.anything with
>'ip4:194.42.224.0/24'.
>
>> is there anyway to include them all without listing them
>> one by one.
>
>'v=spf1 ptr:systems.viatel.net ~all' apparently does the
>trick, tested at http://www.kitterman.com/spf/validate.html
>
>You can combine it, simple cases first:
>'v=spf1 ip4:194.42.224.0/24 ptr:systems.viatel.net ~all'
>
>Testing that with 135.196.68.13 the validator says PASS.

OK, but you need to have some idea what else this matches. I have no idea
what kind of provider viatel.net is, but as an example, if I had used that
to solve my Comcast problem with ptr:comcast.net I would have authorized
every Windows zombie on their network to send mail in my name. This is not
a good plan.

Scott K



nobody at xyzzy

Oct 31, 2006, 12:51 AM

Post #7 of 12 (2324 views)
Re: SPF Records.. Sending mail through smarthost [In reply to]

Scott Kitterman wrote:

>> You can combine it, simple cases first:
>> 'v=spf1 ip4:194.42.224.0/24 ptr:systems.viatel.net ~all'

>> Testing that with 135.196.68.13 the validator says PASS.

> OK, but you need to have some idea what else this matches.

Ideally. In a less than ideal world it would still SOFTFAIL
for all IPs of all other ISPs. Better than nothing.

> if I had used that to solve my Comcast problem with
> ptr:comcast.net I would have authorized every Windows
> zombie on their network to send mail in my name.

Spamcast is the biggest ISP of the world, isn't it? That's
a special case for various reasons - as far as I'm concerned
nothing short of returning their IPs to ARIN can fix this.

> This is not a good plan.

The PASS is dubious - depending on how well the abuse desk of
"systems.viatel.net" solves reported problems. If that's a
hopeless case the policy could still use NEUTRAL results:

'v=spf1 ?ip4:194.42.224.0/24 ?ptr:systems.viatel.net ~all'

The "systems" could mean "our servers", not including any
trojaned "adsl.viatel.net" box of their customers, then it's
not necessarily a bad plan. For starters these policies all
result in a SOFTFAIL for Spamcast's botnets. <eg>

Of course your recipe - find a decent mail provider or run
your own server with a static IP - is better, but it's not
cheap. And of course SOFTFAIL is for testing and tinkering,
the real thing is FAIL.

Frank
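To make the mechanics behind this exchange concrete, here is an added example (not code from any of the list posts) of a minimal evaluator for the ip4, a, ptr and all mechanisms, covering Frank's combined record, his NEUTRAL variant, Scott's warning about what a broad ptr: match admits, and the 10-lookup limit Steve raised. DNS is replaced by a constructed offline table: the two systems.viatel.net hosts are the ones Matt resolved, while the 198.51.100.x customer box, the unvalidated "fake" PTR and the mxN.example.net names are invented for illustration.

```python
"""Tiny SPF evaluator for the mechanisms discussed in this thread (added example)."""
import ipaddress

# Constructed stand-in for DNS so the example runs offline.
# PTR: reverse names per IP; A: forward address per name.
PTR = {
    "135.196.68.13": ["seasat.systems.viatel.net"],        # real name from Matt's post
    "194.42.224.139": ["endeavour.systems.viatel.net"],    # real name from Matt's post
    "198.51.100.77": ["cust-77.adsl.viatel.net"],          # hypothetical customer box
    "198.51.100.78": ["fake.systems.viatel.net"],          # hypothetical: PTR not confirmed by A
}
A = {
    "seasat.systems.viatel.net": "135.196.68.13",
    "endeavour.systems.viatel.net": "194.42.224.139",
    "cust-77.adsl.viatel.net": "198.51.100.77",
    "fake.systems.viatel.net": "203.0.113.9",              # forward lookup disagrees with PTR
}

MAX_LOOKUPS = 10   # per-record DNS lookup limit Steve mentions
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

FRANK_RECORD = "v=spf1 ip4:194.42.224.0/24 ptr:systems.viatel.net ~all"
NEUTRAL_RECORD = "v=spf1 ?ip4:194.42.224.0/24 ?ptr:systems.viatel.net ~all"


def ptr_matches(ip, domain, dns_ptr, dns_a):
    """'ptr' check as in RFC 4408: a reverse name only counts if its A record
    resolves back to the connecting IP; the validated name must then be the
    target domain or end in it."""
    for name in dns_ptr.get(ip, []):
        if dns_a.get(name) != ip:
            continue                       # unvalidated PTR is ignored
        if name == domain or name.endswith("." + domain):
            return True
    return False


def evaluate(record, ip, dns_ptr=PTR, dns_a=A):
    """Return (result, dns_lookups_used) for a v=spf1 record with ip4/a/ptr/all."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    lookups = 0
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":              # explicit qualifier, default is '+'
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        if name == "ip4":                  # no DNS cost: compare against the CIDR block
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "a":                  # one lookup per a: term
            lookups += 1
            matched = dns_a.get(arg) == ip
        elif name == "ptr":                # counts as a lookup as well
            lookups += 1
            matched = ptr_matches(ip, arg, dns_ptr, dns_a)
        elif name == "all":
            matched = True
        else:
            raise ValueError(f"unsupported mechanism: {name}")
        if lookups > MAX_LOOKUPS:          # too many lookups: record is unusable
            return "permerror", lookups
        if matched:
            return RESULT[qualifier], lookups
    return "neutral", lookups              # no mechanism matched and no 'all'


def too_many_a_records(n):
    """Build a record listing n hypothetical a: hosts, the way Matt started out."""
    return "v=spf1 " + " ".join(f"a:mx{i}.example.net" for i in range(n)) + " ~all"
```

Run it against 198.51.100.77 with "v=spf1 ptr:viatel.net ~all" to see Scott's point: the customer box gets a PASS, whereas Frank's narrower ptr:systems.viatel.net leaves it at SOFTFAIL.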




matt at digitallyhosted

Oct 31, 2006, 2:38 AM

Post #8 of 12 (2327 views)
Re: SPF Records.. Sending mail through smarthost [In reply to]

Thanx for the help so far.

All the servers are on static IP addresses.... but none of them have rDNS
set up yet, and from what I read on SORBS.... without rDNS....they may be
listed as dynamic.

I will just get all the DSL connections set up with rDNS records for all the
static IP addresses and get rid of the smarthost idea altogether.

Thanx for the help




alex at ergens

Oct 31, 2006, 2:48 AM

Post #9 of 12 (2317 views)
Re: SPF Records.. Sending mail through smarthost [In reply to]

On Tue, Oct 31, 2006 at 10:38:49AM -0000, Matt wrote:

> All the servers are on static ip addresses.... but none of them have rdns
> setup yet, and from what i read on sorbs.... without rdns....they may be
> listed as dynamic.
>
> i will just get all the dsl connections setup with rdns records for all the
> static ip addresses and get rid of the smarthost idea all together.

I probably missed something...

Why would you want to do away with your smarthost?

Instead of having to look at one smarthost, you are going to need
to fix several DSL lines.

By the way: my address is static. But it is in a residential area
so it is listed. Apparently IT people don't live in houses...

Alex



spf at beer

Oct 31, 2006, 2:56 AM

Post #10 of 12 (2330 views)
Re: SPF Records.. Sending mail through smarthost [In reply to]

> Why would you want to do away your smarthost?

If you control the connection to the final MX, you get much better
traceability. I find that very valuable in these days of email being
ditched on a whim...

> By the way: my address is static. But it is in a residential area
> so it is listed. Apparently IT people don't live in houses...

That usually depends on your ISP; there are certain things that will get
you listed as dynamic/residential (like having the string "adsl" in your
rDNS). On my old connection, I too had problems with a "residential"
status. I changed ISP, and all that went away.

Vic.



alex at ergens

Oct 31, 2006, 4:17 AM

Post #11 of 12 (2341 views)
Re: SPF Records.. Sending mail through smarthost [In reply to]

On Tue, Oct 31, 2006 at 10:56:00AM -0000, Vic wrote:
> > Why would you want to do away your smarthost?
>
> If you control the connection to the final MX, you get much better
> traceability. I find that very valuable in these days of email being
> ditched on a whim...

Then create your own smarthost(s). Worry about one or two IP addresses,
not each DSL line individually.

> > By the way: my address is static. But it is in a residential area
> > so it is listed. Apparently IT people don't live in houses...
>
> That usually depends on your ISP; there are certain things that will get
> you listed as dynamic/residential (like having the string "adsl" in your
> rDNS). On my old connection, I too had problems with a "residential"
> status. I changed ISP, and all that went away.

My point: having a static address is not going to help. Not in
all cases anyway.

And I dislike the way these lists operate.

"You have listed my address"
` yeah, we list dynamic addresses, see our definition`
"but I do have a static address"
` er, but it is DSL`
"so what"
` er, um... it is residential <clickety> see our definition`

Some people seem to think that "DHCP", "DSL" and "dynamic address"
are one and the same.

Things have (recently) changed, I am no longer listed. Good to know.

Anyway, setting up a proper in-addr.arpa may not be sufficient.
Sometimes entire netblocks are included, this could include yours.

Alex



steve at teamITS

Oct 31, 2006, 7:14 AM

Post #12 of 12 (2311 views)
RE: SPF Records.. Sending mail through smarthost [In reply to]

Matt <mailto:matt [at] digitallyhosted> wrote on Tuesday, October 31,
2006 4:39 AM:

> setup yet, and from what i read on sorbs.... without rdns....they may be
> listed as dynamic.

That seems wrong, but RDNS is still an issue. AOL for instance
will reject mail coming from IPs without reverse DNS.

http://postmaster.aol.com/guidelines/bestprac.html

- Steve Yates
- ITS, Inc.
- I don't work long hours. They are all 60 minutes, just like everyone
else's.

