
Mailing List Archive: SPF: Help

Exchange 2003+GFI as SPF implementation

 

 



michael at softasap

Apr 24, 2008, 7:57 AM

Post #1 of 10
Exchange 2003+GFI as SPF implementation

Hi Guys,



I have a problem with a VALID sender being rejected. OK, here is how I defined SPF:

"v=spf1 ip4: ip_of_my_mail_server -all"

Then in Outlook, I have an account with the smtp/pop server set to the one I
have defined in the SPF record. So, I am trying to send email via
"ip_of_my_mail_server" with the correct user/pass. But GFI rejects the email as
having a forged sender. When I look at the message header, I see there that the
email was originated by my desktop name [ip] and received by my mail server.
Obviously this is a real-life kind of thing, when I have an email client which
is not running on the same IP as my email server, but I think GFI
thinks of my desktop IP as being illegal to send email on behalf of the SPF
defined domain name, EVEN if I authenticate and send via the legal mail server
defined in the SPF record.



I would appreciate any advice on how to handle it. Thank you in advance.





-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


steve at teamITS

Apr 24, 2008, 8:37 AM

Post #2 of 10
RE: Exchange 2003+GFI as SPF implementation

Michael Korotun wrote on 4/24/2008 9:57:38 AM:

> email was originated by my desktop name [ip] and received by my mail
> server.

Mail you are sending from your mail client to your mail server
should never be subject to SPF tests. Only outgoing mail (others
checking incoming mail from your domain) should be checked.

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- famous last words: .....Yes, I HAVE a complete backup!

~ Taglines by Taglinator - www.srtware.com ~



michael at softasap

Apr 24, 2008, 9:00 AM

Post #3 of 10
RE: Exchange 2003+GFI as SPF implementation

I agree, but I am concerned on why GFI's SPF module still checks it and
moreover considers it forged sender.



michael at breton

Apr 24, 2008, 9:13 AM

Post #4 of 10
Re: Exchange 2003+GFI as SPF implementation

Michael Korotun wrote:
> I agree, but I am concerned on why GFI's SPF module still checks it and
> moreover considers it forged sender.
>
> -----Original Message-----
> From: Steve Yates [mailto:steve[at]teamITS.com]
> Sent: Thursday, April 24, 2008 6:37 PM
> To: spf-help[at]v2.listbox.com
> Subject: RE: [spf-help] Exchange 2003+GFI as SPF implementaion
>
> Michael Korotun wrote on 4/24/2008 9:57:38 AM:
>
>> email was originated by my desktop name [ip] and received by my mail
>> server.
>
> Mail you are sending from your mail client to your mail server
> should never be subject to SPF tests. Only outgoing mail (others
> checking incoming mail from your domain) should be checked.
>
>

Hello Michael,

Whatever software you use on your email server, it should NEVER even
check SPF for email sent from the email clients. For example, if you
use 192.168.10.X for your internal LAN users, then there has to be a way
to tell your server to not check SPF for emails from those IPs. Same
goes for authenticated senders if you have those.

Michael Breton



michael at softasap

Apr 24, 2008, 9:16 AM

Post #5 of 10
RE: Exchange 2003+GFI as SPF implementation

Well, I think GFI DOES check ALL incoming mails for SPF regardless of whether
they were sent via the same mail host that GFI is on or another one.

Here is info from KB of GFI "To perform the Sender Policy Framework (SPF)
check, GFI MailEssentials will retrieve the TXT type DNS record of the
domain in the FROM email address. The SPF details will be found in this type
of record, and this will contain information on the IP addresses which are
allowed to send for the particular domain."




michael at breton

Apr 24, 2008, 10:33 AM

Post #6 of 10
Re: Exchange 2003+GFI as SPF implementation

Michael Korotun wrote:
> Well, I think GFI DOES check ALL incoming mails for SPF regardless of whether
> they were sent via the same mail host that GFI is on or another one.
>
> Here is info from KB of GFI "To perform the Sender Policy Framework (SPF)
> check, GFI MailEssentials will retrieve the TXT type DNS record of the
> domain in the FROM email address. The SPF details will be found in this type
> of record, and this will contain information on the IP addresses which are
> allowed to send for the particular domain."
>
>
> -----Original Message-----
> From: Steve Yates [mailto:steve[at]teamITS.com]
> Sent: Thursday, April 24, 2008 6:37 PM
> To: spf-help[at]v2.listbox.com
> Subject: RE: [spf-help] Exchange 2003+GFI as SPF implementaion
>
> Michael Korotun wrote on 4/24/2008 9:57:38 AM:
>
>> email was originated by my desktop name [ip] and received by my mail
>> server.
>
> Mail you are sending from your mail client to your mail server
> should never be subject to SPF tests. Only outgoing mail (others
> checking incoming mail from your domain) should be checked.
>
> -----
> SPF FAQ: http://www.openspf.org/FAQ
> Common mistakes: http://www.openspf.org/FAQ/Common_mistakes
>

Hello Michael,

Please see page 55 in the manual for the GFI product (it says 49 on the
bottom of the page):

http://www.gfi.com/mes/me12manual.pdf

Specifically, the "IP exception list" should include all the computers on
your LAN.

Hope this helps,

Michael Breton



michael at softasap

Apr 24, 2008, 11:06 AM

Post #7 of 10
RE: Exchange 2003+GFI as SPF implementation

Hey Michael,

Thanks for the info. I just read the manual too. The problem is that I have
a bit of a different situation. I have my desktop on a totally different network
(another part of the world) than my mail server is, and I am on a dynamic IP, so
the exception list does not work for me. Also, I have several users who
are on different networks too, and we all used to send email via our mail
server (Exchange 2003+GFI). So once I add an SPF record for my domain in DNS
and then try to send FROM that domain from my Outlook via my legal SMTP
server, it gets blocked by GFI running on that SMTP server.



steve at teamITS

Apr 24, 2008, 11:39 AM

Post #8 of 10
RE: Exchange 2003+GFI as SPF implementation

Michael Korotun wrote on 4/24/2008 1:06:30 PM:

> another part of the world) than my mail server is, and I am on a dynamic IP, so
> the exception list does not work for me. Also, I have several users who
> are on different networks too, and we all used to send email via our mail
> server (Exchange 2003+GFI). So once I add an SPF record for my domain in DNS
> and then try to send FROM that domain from my Outlook via my legal SMTP
> server, it gets blocked by GFI running on that SMTP server.

I suggest you contact GFI tech support and find out how to
configure their software to avoid that. It should never perform SPF
tests on mail sent by authorized users, only incoming mail, so what
you're describing is either a serious bug or a misconfiguration.

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- Money can't buy love, but it can buy chocolate.

~ Taglines by Taglinator - www.srtware.com ~



scott at kitterman

Apr 24, 2008, 11:48 AM

Post #9 of 10
RE: Exchange 2003+GFI as SPF implementation

On Thu, 24 Apr 2008 19:16:06 +0300 "Michael Korotun" <michael[at]softasap.net>
wrote:
>Well, I think GFI DOES check ALL incoming mails for SPF regardless of whether
>they were sent via the same mail host that GFI is on or another one.
>
>Here is info from KB of GFI "To perform the Sender Policy Framework (SPF)
>check, GFI MailEssentials will retrieve the TXT type DNS record of the
>domain in the FROM email address. The SPF details will be found in this type
>of record, and this will contain information on the IP addresses which are
>allowed to send for the particular domain."
>
That's a deficiency in GFI's product that you ought to take up with them.

Scott K



michael at breton

Apr 24, 2008, 11:57 AM

Post #10 of 10
Re: Exchange 2003+GFI as SPF implementation

Michael Korotun wrote:
> Hey Michael,
>
> Thanks for the info. I just read the manual too. The problem is that I have
> a bit of a different situation. I have my desktop on a totally different network
> (another part of the world) than my mail server is, and I am on a dynamic IP, so
> the exception list does not work for me. Also, I have several users who
> are on different networks too, and we all used to send email via our mail
> server (Exchange 2003+GFI). So once I add an SPF record for my domain in DNS
> and then try to send FROM that domain from my Outlook via my legal SMTP
> server, it gets blocked by GFI running on that SMTP server.
>
Hello Michael,

Do what Steve said, and consider NOT using SMTP to send email from the
clients to the Exchange server. Instead, use a VPN and either connect
directly to the Exchange server without using SMTP or continue using
SMTP, but to the local LAN IP of the Exchange server. If you did that,
you could add the VPN IPs to the Exceptions list and not be having this
problem.

Michael Breton
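
Added example (not part of the original thread, and not GFI's or Exchange's actual logic): a minimal sketch of the rule the replies describe, where SPF is evaluated only for unauthenticated mail from outside the exception list. The addresses, the record and all function names are constructed for illustration; the SPF evaluator handles only ip4 and all, with no DNS lookups.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the thread.
RECORD = "v=spf1 ip4:203.0.113.25 -all"      # domain authorizes only its mail server
EXEMPT = ["192.168.10.0/24"]                 # "IP exception list": LAN / VPN clients
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_ip4_result(record, client_ip):
    """Evaluate ip4 mechanisms and 'all' only (no DNS, include, a, mx, redirect)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech = mech.lower()
        if mech.startswith("ip4:"):
            if ip.version == 4 and ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"

def should_check_spf(client_ip, authenticated, exempt_networks):
    """SPF applies to unauthenticated mail from outside, never to own submissions."""
    if authenticated:                        # SMTP AUTH succeeded: a known user
        return False
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in ipaddress.ip_network(net) for net in exempt_networks)

def filter_decision(client_ip, authenticated, record=RECORD, exempt=EXEMPT):
    """Hypothetical filter policy: skip SPF for own users, reject only on 'fail'."""
    if not should_check_spf(client_ip, authenticated, exempt):
        return "accept (SPF skipped)"
    result = spf_ip4_result(record, client_ip)
    return "reject (SPF fail)" if result == "fail" else f"accept (SPF {result})"

if __name__ == "__main__":
    cases = [("198.51.100.77", True, "roaming user, authenticated"),
             ("192.168.10.42", False, "LAN client on exception list"),
             ("198.51.100.77", False, "outside host, unauthenticated"),
             ("203.0.113.25", False, "the authorized mail server IP")]
    for ip, auth, label in cases:
        naive = spf_ip4_result(RECORD, ip)   # what a check-everything filter sees
        print(f"{label:32} naive SPF={naive:5} -> {filter_decision(ip, auth)}")
```

The first case is the one reported in the thread: a filter that checks every connection sees the desktop's dynamic IP, gets "fail" from the -all record, and rejects a legitimate authenticated user.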
