Mailing List Archive: SPF: Help

SPF on a VPS

Index | Next | Previous | View Threaded

somebody at shoestringwebs

Jan 15, 2007, 7:44 AM

Post #1 of 6 (1320 views)
Permalink

SPF on a VPS

I have been lurking for a while and have come to realize that you guys
who provide the great advice and assistance are not only extremely
knowledgeable but have the patience of saints! Thank you for the great
service.

I operate a Virtuozzo Virtual Private Server (cPanel, Exim, BIND, cppop)
with about 75 client accounts, most of which I manage directly. I can do
pretty much whatever I want with email. For the past month, Comcast has
blacklisted my mail server at least twice a week. It hasn't been
hijacked to send spam but, like most folks, many of the domains have
been spoofed.

Almost every account forwards its mail to the client's ISP; very few
utilize mailboxes on the VPS. Until recently, I usually set up the
accounts with the default "catch-all" address enabled. (Almost all have
been disabled at this point.) Except for a couple of clients who use the
webmail, all send email through their ISP's SMTP server. Some, including
me, have their mail client configured to send using their domain as the
TO: address.

The MX for my primary business domain is directed to a Microsoft
Exchange account elsewhere. Mail from my server is whitelisted at the
Exchange account server. The rest, I forward to Gmail (for filtering)
and download from there.

After disabling default addresses, I had begun installing SPF records on
each account but, after seeing the following comment in an email earlier
this evening, I realized that there may be other things that I should do
before or in addition to an SPF record:

"If you forward spam, and if this spam is reported (for instance to
spamcop) it is your host that ends up blacklisted, not the spammer's
hosts."

I hate to admit it, but I hadn't really thought of that (beyond
disabling the catch-all).

I am a perfectionist but not a pro; I want to configure the server to
cut down on the spoofing; and certainly to minimize or eliminate the
spam being forwarded by my server. I want to do it right from the start
and with a minimum of confusion for you folks helping me... thus the
long email. I also want to document my experience and contribute it to
the SPF site in the hopes that it will help others.

If you had my server setup and could set up the ideal mail handling
configuration, what would YOU do?

Thanks in advance,

Bob G

-------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&user_secret=5f6145ca

kindler at gmail

Jan 15, 2007, 9:33 AM

Post #2 of 6 (1218 views)
Permalink

Re: SPF on a VPS [In reply to]

On 1/15/07, Shoestring Solutions <somebody [at] shoestringwebs> wrote:
> I am a perfectionist but not a pro; I want to configure the server to
> cut down on the spoofing; and certainly to minimize or eliminate the
> spam being forwarded by my server. I want to do it right from the start
> and with a minimum of confusion for you folks helping me... thus the
> long email. I also want to document my experience and contribute it to
> the SPF site in the hopes that it will help others.
>
> If you had my server setup and could set up the ideal mail handling
> configuration, what would YOU do?
>
> Thanks in advance,
>
> Bob G

Bob,

If you don't mind, I'll chime in on your sever configuration and leave
any of the SPF stuff the boys who know what their talking about.

I too run a server with my client's websites and email. I've recently
changed my policies regarding the email server to the following:

- No catch-all accounts unless they are specifically requested.

- I disallow forwarding of any email to the following domains
specifically to eliminate te chance of being blacklisted:
aol.com
comcast.com
<may add others in the future>

- I ask that users use my outgoing mail server. Often times their ISP
has port 25 blocked, so you need to open up an alternate port and then
instruct your clients to make the proper change in their email
clients.

- Require authentication to send mail.

HTH's

--
::kindler::

-------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&user_secret=5f6145ca

steve at teamITS

Jan 15, 2007, 10:12 AM

Post #3 of 6 (1243 views)
Permalink

RE: SPF on a VPS [In reply to]

Shoestring Solutions <mailto:somebody [at] shoestringwebs> wrote on
Monday, January 15, 2007 9:45 AM:

> Except for a couple of clients who use the
> webmail, all send email through their ISP's SMTP server.

This makes it difficult to set up SPF for your clients' domains.
You would need to list all mail servers each client's ISP would use. If
they publish an SPF record for you to "include" that would be a good
solution. Another is to have your clients send mail using your SMTP
server.

Note if your clients use an address at their ISP, and *never*
use their domain to send e-mail, you can indicate that using an SPF
record of "v=spf1 -all".

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- Sex is hereditary: If your parents never had it, you won't either.

~ Taglines by Taglinator - www.srtware.com ~

-------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&user_secret=5f6145ca

somebody at shoestringwebs

Jan 15, 2007, 10:44 AM

Post #4 of 6 (1222 views)
Permalink

RE: SPF on a VPS [In reply to]

-----Original Message-----
From: Steve Yates [mailto:steve [at] teamITS]
Sent: Monday, January 15, 2007 1:13 PM
To: spf-help [at] v2
Subject: RE: [spf-help] SPF on a VPS

Shoestring Solutions <mailto:somebody [at] shoestringwebs> wrote on
Monday, January 15, 2007 9:45 AM:

> Except for a couple of clients who use the webmail, all send email
> through their ISP's SMTP server.

This makes it difficult to set up SPF for your clients' domains.
You would need to list all mail servers each client's ISP would use. If
they publish an SPF record for you to "include" that would be a good
solution. Another is to have your clients send mail using your SMTP
server.

Note if your clients use an address at their ISP, and *never*
use their domain to send e-mail, you can indicate that using an SPF
record of "v=spf1 -all".

----------------------------------------

To summarize (and correct me if I am wrong) regarding SPF:

1. If they NEVER use their domain to send, then I could use the most
restrictive SPF record possible for that domain;

2. If they EVER send using their domain:

A. BEST CASE is to always use their domain and always send through my
SMTP server;
B. SECOND BEST is to create an SPF record that includes their ISP's mail
servers.

#1 above would be simple to implement;

#2 above may require opening a different port for SMTP.

-------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&user_secret=5f6145ca

steve at teamITS

Jan 15, 2007, 11:17 AM

Post #5 of 6 (1235 views)
Permalink

RE: SPF on a VPS [In reply to]

Shoestring Solutions <mailto:somebody [at] shoestringwebs> wrote on
Monday, January 15, 2007 12:45 PM:

> A. BEST CASE is to always use their domain and always send through my
> SMTP server;
> B. SECOND BEST is to create an SPF record that includes their ISP's
mail
> servers.

And for "B" you'll need to know any other SMTP servers they may
use. For instance if their web server sends mail using their domain, or
do they use a mailing service, etc. Generally implementing SPF for
someone else's domain involves a lot of questions.

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- Your Motherboard wears combat boots.

~ Taglines by Taglinator - www.srtware.com ~

-------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&user_secret=5f6145ca

spf at beer

Jan 15, 2007, 12:00 PM

Post #6 of 6 (1233 views)
Permalink

RE: SPF on a VPS [In reply to]

> 2. If they EVER send using their domain:

...Then don't do *anything* without consulting them.

> #2 above may require opening a different port for SMTP.

587 works.

Vic.

-------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&user_secret=5f6145ca

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads