
Mailing List Archive: SPF: Help

Help setting up

 

 



mario.lobo at ipad

May 6, 2008, 5:17 AM

Post #1 of 5 (413 views)
Help setting up

Hi everyone;

I am having a hard time trying to understand how SPF works.

I have the following domains hosted here. They are properly set up on the DNS
server; each has its own .zone file and its own MX record.

digiart.art.br
dgdesign.com.br
euapoiooforteorange.com.br
expoworks.com.br
futsim.com.br
gctenorio.com.br
ipad.com.br
ipadnet.com.br
jynx.com.br
l2tecnologia.com.br
mallavoodoo.com.br
spyket.com.br
deoserve.net
mauriciodenassau.org.br
saepe.org.br

here is a zone file for one of them:

digiart.art.zone
-------------------------------------------------------------
$TTL 3600
@       IN SOA digiart.art.br. Postmaster.ipad.com.br. (
                2007100301
                7200
                7200
                1209600
                3600 )
        IN NS  recife.ipad.com.br.
        IN NS  olinda.ipad.com.br.
        IN MX  10 mail.digiart.art.br.
        IN A   200.249.204.129
ns      IN A   200.249.204.129
dns     IN A   200.249.204.129
www     IN A   200.249.204.130
webmail IN A   200.249.204.129
imap    IN A   200.249.204.129
pop3    IN A   200.249.204.129
mail    IN A   200.249.204.129
smtp    IN A   200.249.204.129
ftp     IN A   200.249.204.130
-------------------------------------------------------------

The zone files for the other domains look just like this one. How would I set
up an SPF record in the above file for digiart.art.br?

Could I replicate the same SPF line for the other domains (just changing the
domain name)?

Will those SPF records affect mail delivery/reception for the local users of
these domains? Is there any configuration I need to make to my mail program
(qmail) after adding SPF?

Please forgive me for this lame question which has probably been asked many
times and thanks for any info.

--
Mario Lobo
Network Security - Development and Analysis
IPAD - Instituto de Pesquisa e Apoio ao Desenvolvimento Tecnológico e
Científico


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: http://www.listbox.com/member/archive/1020/=now
RSS Feed: http://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com


rob.macgregor at gmail

May 6, 2008, 6:00 AM

Post #2 of 5 (402 views)
Re: Help setting up

On Tue, May 6, 2008 at 1:17 PM, Mario Lobo <mario.lobo[at]ipad.com.br> wrote:
> Hi everyone;
>
> I am having a hard time in trying to understand how spf works.
>
> I have the following domains hosted here. They are properly set on the dns
> server and they each have their own .zone file and they all have their own MX
> record.
<---SNIP---
> The zone file for the others look just like this one. How would I set up an
> spf record in the above file for digiart.art.br?

What matters is, which server(s) SEND mail on behalf of those domains?
If all mail is routed through the host .129 (mail/webmail) then the
following minimal record would be correct:

"v=spf1 mx -all"

Though it would be better to list the IP:

"v=spf1 ip4:200.249.204.129 -all"

> Could I replicate the same spf line for the other domains (just changing the
> domain name) ?

If they all send the mail through the same host(s), yes.

> Will those spf records affect mail delivery/reception for the local users of
> these domains?

No.

> any config I need to make to my mail program (qmail) after
> adding spf?

No changes would be required.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche



vesely at tana

May 6, 2008, 6:37 AM

Post #3 of 5 (395 views)
Re: Help setting up

Mario Lobo wrote:
> Hi everyone;
>
> I am having a hard time in trying to understand how spf works.

The catch is to provide a "fail" for abuses of your domain name.

> I have the following domains hosted here. They are properly set on
> the dns server and they each have their own .zone file and they all
> have their own MX record.
>
> digiart.art.br [...]

You should audit your users, i.e. those who sport an address like
xyz[at]digiart.art.br. How do they send mail? The preferred situation is
when they _all_ submit to, say, port 587 of your mail server. In that
case you may just add (near the MX) a TXT like so

        IN TXT "v=spf1 +ip4:200.249.204.129 +ip4:200.249.204.130 -all"

(Note that if your IPs were 200.249.204.130 and 200.249.204.131 you
could abbreviate the record using CIDR as +ip4:200.249.204.130/31)

The worst situation is that everybody wants to send mail using any
server they like. In that case you can only do "v=spf1 ?all". If
they use their addresses with servers that state an SPF policy,
you can include those records. You can also allow all of LACNIC's
IP addresses (using CIDR notation or the exists mechanism), which would
still be better than "?all".

Basically, you should work out who may legitimately forward or relay
mail with one of your addresses as the envelope sender.

> here is a zone file for one of them:
>
> digiart.art.zone
> -------------------------------------------------------------
> $TTL 3600
> @       IN SOA digiart.art.br. Postmaster.ipad.com.br. (
>                 2007100301
>                 7200
>                 7200
>                 1209600
>                 3600 )
>         IN NS  recife.ipad.com.br.
>         IN NS  olinda.ipad.com.br.
>         IN MX  10 mail.digiart.art.br.
>         IN A   200.249.204.129
> ns      IN A   200.249.204.129
> dns     IN A   200.249.204.129
> www     IN A   200.249.204.130
> webmail IN A   200.249.204.129
> imap    IN A   200.249.204.129
> pop3    IN A   200.249.204.129
> mail    IN A   200.249.204.129
> smtp    IN A   200.249.204.129
> ftp     IN A   200.249.204.130
> -------------------------------------------------------------

I would also add a short SPF record for each A record that you may want
to use in a HELO line, like so:

ns IN TXT "v=spf1 a -all"
dns IN TXT "v=spf1 a -all"
www IN TXT "v=spf1 a -all"
webmail IN TXT "v=spf1 a -all"
imap IN TXT "v=spf1 a -all"
pop3 IN TXT "v=spf1 a -all"
mail IN TXT "v=spf1 a -all"
smtp IN TXT "v=spf1 a -all"
ftp IN TXT "v=spf1 a -all"

That will produce a fail for, say, anyone[at]ftp.digiart.art.br, unless
the message is sent from that host.

That stuff can be printed on stdout using a one-liner command, e.g.
perl -n -e 'if (m/^([a-z0-9]+)\s+IN\s+A\s+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\s*$/) {printf "%-16sIN TXT \"v=spf1 a -all\"\n", $1;}' /your/zone/file

> The zone file for the others look just like this one. How would I
> set up an spf record in the above file for digiart.art.br?

Discuss it with your users. At any rate, they should know what policy
you publish for the addresses they use.

You may want to terminate the record with ~all rather than -all for
the period you run tests to check your configuration. That will deliver
softfail (usually treated like neutral) rather than fail.

> Could I replicate the same spf line for the other domains (just
> changing the domain name) ?

Better to use scripts. I find it handy to leave scripts as comments
in the zone file and run them as needed. In case you come up with a
difficult record that must be the same for all domains, you may use
the include mechanism, see http://www.openspf.org/RFC_4408#mech-include

> Will those spf records affect mail delivery/reception for the local
> users of these domains? any config I need to make to my mail
> program (qmail) after adding spf?

You should (1) run spf checking on incoming mail, and (2) make sure you
rewrite the envelope sender if you forward to another server. These
two steps, however, are not directly related with publishing your own
SPF record.

> Please forgive me for this lame question which has probably been
> asked many times and thanks for any info.

HTH
Ale

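To make the "fail for abuses of your domain name" idea concrete, here is a small SPF evaluator written in Python. It is an added example, not code from the original thread or from openspf.org. It works against a constructed, in-memory stand-in for DNS instead of real lookups: the digiart.art.br records mirror the zone and the ip4 policy discussed above, the per-host "v=spf1 a -all" records are the HELO policies suggested above, and the records for spyket.com.br, jynx.com.br and deoserve.net are assumptions invented to exercise mx, include, ~all and ?all. Only the all, ip4, a, mx and include mechanisms are implemented; modifiers such as redirect= are skipped. The function and variable names are mine.

```python
import ipaddress

# Constructed stand-in for DNS. digiart.art.br entries follow the thread;
# spyket.com.br, jynx.com.br and deoserve.net records are ASSUMED for
# illustration only. Nothing here queries a real resolver.
DNS = {
    "digiart.art.br": {
        "A": ["200.249.204.129"],
        "MX": ["mail.digiart.art.br"],
        "TXT": ["v=spf1 ip4:200.249.204.129 ip4:200.249.204.130 -all"],
    },
    "mail.digiart.art.br": {"A": ["200.249.204.129"], "TXT": ["v=spf1 a -all"]},
    "ftp.digiart.art.br":  {"A": ["200.249.204.130"], "TXT": ["v=spf1 a -all"]},
    "spyket.com.br": {"MX": ["mail.digiart.art.br"], "TXT": ["v=spf1 mx ~all"]},  # assumed
    "jynx.com.br":   {"TXT": ["v=spf1 include:digiart.art.br -all"]},               # assumed
    "deoserve.net":  {"TXT": ["v=spf1 ?all"]},                                      # assumed
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name.rstrip(".").lower(), {}).get(rtype, [])


def spf_record(domain):
    """Exactly one TXT record starting with 'v=spf1' is usable (RFC 4408 3.1)."""
    recs = [t for t in lookup(domain, "TXT")
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def _in_net(ip, addr, bits):
    return ip in ipaddress.ip_network(f"{addr}/{bits or 32}", strict=False)


def _matches(ip, mech, arg, domain, depth):
    """Return (matched, error) for one mechanism against the client IP."""
    if mech == "all":
        return True, None
    if mech == "ip4":
        addr, _, bits = arg.partition("/")
        return _in_net(ip, addr, bits), None
    if mech in ("a", "mx"):
        target, _, bits = arg.partition("/")          # "a", "a:host", "a/24", "mx/24"
        hosts = [target or domain] if mech == "a" else lookup(target or domain, "MX")
        return any(_in_net(ip, a, bits) for h in hosts for a in lookup(h, "A")), None
    if mech == "include":
        sub = check_host(str(ip), arg, depth + 1)
        if sub == "pass":
            return True, None
        return False, ("permerror" if sub in ("none", "permerror") else None)
    return False, "permerror"                         # ip6/ptr/exists not implemented here


def check_host(ip, domain, depth=0):
    """SPF result for client <ip> using <domain> as the MAIL FROM or HELO identity."""
    if depth > 10:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:                               # modifiers (redirect=, exp=) skipped
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, sep, arg = term.partition(":")
        if not sep and "/" in mech:                   # "a/24" style, no ':' present
            mech, _, bits = mech.partition("/")
            arg = "/" + bits
        matched, err = _matches(addr, mech.lower(), arg, domain, depth)
        if err:
            return err
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                  # nothing matched and no trailing 'all'


if __name__ == "__main__":
    # 203.0.113.7 is a constructed outsider address (TEST-NET-3).
    for ip, dom in [("200.249.204.129", "digiart.art.br"),
                    ("203.0.113.7", "digiart.art.br"),
                    ("200.249.204.129", "ftp.digiart.art.br")]:
        print(f"{ip:>16} {dom:<22} -> {check_host(ip, dom)}")
```

The third case in the usage block is the HELO situation described above: mail claiming ftp.digiart.art.br but arriving from 200.249.204.129 fails, because ftp's only A record is 200.249.204.130. Swapping "-all" for "~all" in the stand-in records turns those results into softfail, which is what the testing period discussed in this thread relies on.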


mario.lobo at ipad

May 6, 2008, 9:10 AM

Post #4 of 5 (399 views)
Re: Help setting up

Wow Alessandro ! Thank you for taking the time to write all this !!

It cleared a lot for me.

Just a few quick doubts still:


> You should audit your users, i.e. those who sport an address like
> xyz[at]digiart.art.br. How do they send mail? The preferred situation is
> when they _all_ submit to, say, port 587 of your mail server.

That's correct. They all connect to port 465 and they HAVE to authenticate so
that they are allowed to relay. No authentication = no relay. Unless mail is
being sent from the mail host.

> The worst situation is that everybody want to send mail using any
> server they like.

Not the case. If they want their mail to go out, they can't use any server
other than their domain's host.

>
> Basically, you should work out who may legitimately forward or relay
> mail with one of your addresses as the envelope sender.

Those who authenticate or are inside the corporate LAN.

> I would also add a short SPF record for each A record that you may want
> to use in a HELO line, like so:
>
> ns IN TXT "v=spf1 a -all"
> dns IN TXT "v=spf1 a -all"
> www IN TXT "v=spf1 a -all"
> webmail IN TXT "v=spf1 a -all"
> imap IN TXT "v=spf1 a -all"
> pop3 IN TXT "v=spf1 a -all"
> mail IN TXT "v=spf1 a -all"
> smtp IN TXT "v=spf1 a -all"
> ftp IN TXT "v=spf1 a -all"
>

So the "new" digiart.art.zone file would become:

---------------------------------------------------------------------
$TTL 3600
@       IN SOA digiart.art.br. Postmaster.ipad.com.br. (
                2007100301
                7200
                7200
                1209600
                3600 )
        IN NS  recife.ipad.com.br.
        IN NS  olinda.ipad.com.br.
        IN MX  10 mail.digiart.art.br.
        IN TXT "v=spf1 +ip4:200.249.204.129 +ip4:200.249.204.130 ~all"
ns      IN TXT "v=spf1 a ~all"
dns     IN TXT "v=spf1 a ~all"
www     IN TXT "v=spf1 a ~all"
webmail IN TXT "v=spf1 a ~all"
imap    IN TXT "v=spf1 a ~all"
pop3    IN TXT "v=spf1 a ~all"
mail    IN TXT "v=spf1 a ~all"
smtp    IN TXT "v=spf1 a ~all"
ftp     IN TXT "v=spf1 a ~all"

@       IN A   200.249.204.129
ns      IN A   200.249.204.129
dns     IN A   200.249.204.129
www     IN A   200.249.204.130
webmail IN A   200.249.204.129
imap    IN A   200.249.204.129
pop3    IN A   200.249.204.129
mail    IN A   200.249.204.129
smtp    IN A   200.249.204.129
ftp     IN A   200.249.204.130

---------------------------------------------------------------------

later switching to -all and replicating this to the other domain zone files
(using scripts or manually). Would this file be correct?

Once again, thanks Alessandro.
--
Mario Lobo
Network Security - Development and Analysis
IPAD - Instituto de Pesquisa e Apoio ao Desenvolvimento Tecnológico e
Científico




vesely at tana

May 6, 2008, 10:29 AM

Post #5 of 5 (393 views)
Re: Help setting up

Mario Lobo wrote:
> Wow Alessandro ! Thank you for taking the time to write all this !!

You're welcome.

>> You should audit your users, i.e. those who sport an address like
>> xyz[at]digiart.art.br. How do they send mail? The preferred situation is
>> when they _all_ submit to, say, port 587 of your mail server.
>
> That's correct. They all connect to port 465 and they HAVE to authenticate so
> they can be able to relay. No authentication=No relay. Unless mail is being
> sent from the mail host.

That is fine. 465 is unofficial (see references mentioned at
http://en.wikipedia.org/wiki/Mail_user_agent#Port_numbers ) but it works.

>> Basically, you should work out who may legitimately forward or relay
>> mail with one of your addresses as the envelope sender.
>
> Those who authenticate or are inside the corporate LAN.

Hard-and-fast as in banks!

> So the "new" digiart.art.zone file would become:
>
> ---------------------------------------------------------------------
> $TTL 3600
> @       IN SOA digiart.art.br. Postmaster.ipad.com.br. (
> [...]
>         IN MX  10 mail.digiart.art.br.
>         IN TXT "v=spf1 +ip4:200.249.204.129 +ip4:200.249.204.130 ~all"
> ns      IN TXT "v=spf1 a ~all"
> [...]
> @       IN A   200.249.204.129
> ns      IN A   200.249.204.129

If choosing to keep SPF stuff together rather than grouping by record
owner, I would either add a $ORIGIN directive or explicitly repeat the
zone name. However, I'm no DNS guru and don't know if that's a syntax
requirement or just a matter of style...

> later switching to -all and replicating this to the other domain zone files
> (using scripts or manually). Would this file be correct?

Yup. Keep in mind that, although ~all is meant for debugging, there is
no actual debugging facility: you'll have to hunt for SPF reports
(usually included as Received-SPF headers) at hosts who do SPF checking.

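The closing remark above, about keeping SPF records together versus repeating the zone name or adding $ORIGIN, is a real syntax matter rather than style: in a BIND-format zone a record whose owner field is blank (the line starts with whitespace) takes the owner of the previous record, and an intervening blank line does not reset that. Two mistakes are therefore easy to make in a zone laid out this way: an apex A record written without an owner right after a run of host-specific TXT records silently lands on the last host, and a mistyped version tag such as "v=spfv1" is simply not an SPF record to any receiver. The following Python, added here and not part of the original thread, parses a zone with those owner rules and lints the SPF-related records. The zone text is a constructed example in the layout proposed above, with indentation restored and only four hosts kept; parse_zone, lint_spf and the other names are mine.

```python
import shlex

# Constructed zone text in the layout proposed in the thread, with the
# leading whitespace the archive dropped put back and only four hosts kept.
# It deliberately contains both mistakes discussed in the lead-in.
ZONE = """\
$TTL 3600
@       IN SOA digiart.art.br. Postmaster.ipad.com.br. (
                2007100301
                7200
                7200
                1209600
                3600 )
        IN NS  recife.ipad.com.br.
        IN NS  olinda.ipad.com.br.
        IN MX  10 mail.digiart.art.br.
        IN TXT "v=spfv1 +ip4:200.249.204.129 +ip4:200.249.204.130 ~all"
ns      IN TXT "v=spf1 a ~all"
www     IN TXT "v=spf1 a ~all"
mail    IN TXT "v=spf1 a ~all"
ftp     IN TXT "v=spf1 a ~all"

        IN A   200.249.204.129
ns      IN A   200.249.204.129
www     IN A   200.249.204.130
mail    IN A   200.249.204.129
ftp     IN A   200.249.204.130
"""

# The same zone with the version tag spelled "v=spf1" and the apex A
# record given an explicit "@" owner.
ZONE_FIXED = ZONE.replace("v=spfv1", "v=spf1").replace(
    "\n        IN A   200.249.204.129", "\n@       IN A   200.249.204.129")

CLASSES = {"IN", "CH", "HS"}


def _logical_lines(text):
    """Yield one record per line, joining '( ... )' continuations such as SOA."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # assumption: no ';' inside quotes
        if not line.strip() and not depth:
            continue
        buf.append(line if not depth else line.strip())
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text, origin):
    """Return [(owner_fqdn, TYPE, [rdata tokens])] using BIND owner rules:
    '@' is the origin, relative names get the origin appended, and a line
    that starts with whitespace reuses the previous owner."""
    origin = origin.rstrip(".") + "."
    records, owner = [], None
    for line in _logical_lines(text):
        toks = shlex.split(line)
        if toks[0].startswith("$"):
            if toks[0].upper() == "$ORIGIN":
                origin = toks[1] if toks[1].endswith(".") else f"{toks[1]}.{origin}"
            continue                                  # $TTL and friends do not matter here
        if not line[0].isspace():
            name = toks.pop(0)
            owner = origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
        elif owner is None:
            raise ValueError(f"no owner to inherit for: {line.strip()!r}")
        while toks and (toks[0].isdigit() or toks[0].upper() in CLASSES):
            toks.pop(0)                               # optional TTL and class, any order
        records.append((owner, toks[0].upper(), toks[1:]))
    return records


def lint_spf(records, origin):
    """Report SPF problems that receivers would punish without telling you."""
    origin = origin.rstrip(".") + "."
    findings, spf_by_owner = [], {}
    a_owners = {o for o, t, _ in records if t == "A"}
    for owner, rtype, rdata in records:
        txt = " ".join(rdata)
        if rtype != "TXT" or not txt.lower().startswith("v=spf"):
            continue
        tag = txt.split()[0]
        if tag.lower() != "v=spf1":
            findings.append(f"{owner}: version tag {tag!r} is not 'v=spf1'; receivers see no SPF record")
        spf_by_owner.setdefault(owner, []).append(txt)
    for owner, recs in spf_by_owner.items():
        if len(recs) > 1:
            findings.append(f"{owner}: {len(recs)} SPF records; more than one is a permerror")
    if origin not in a_owners:
        findings.append(f"{origin}: no A record at the zone apex (an owner-less A line may have inherited another owner)")
    for owner in sorted(a_owners - set(spf_by_owner)):
        findings.append(f"{owner}: A record without a HELO policy such as \"v=spf1 a -all\"")
    return findings


if __name__ == "__main__":
    for label, zone in (("as laid out", ZONE), ("corrected", ZONE_FIXED)):
        recs = parse_zone(zone, "digiart.art.br")
        print(label, "-> A records:", [(o, r) for o, t, r in recs if t == "A"])
        for finding in lint_spf(recs, "digiart.art.br"):
            print("  !", finding)
```

Run as is, the first pass shows the owner-less A record attached to ftp.digiart.art.br (which then has two addresses) and the apex with none, plus the bad version tag; the corrected zone produces no findings. The same parse_zone output is also a convenient place to generate the per-host "v=spf1 a -all" records mentioned earlier, since it already knows every owner that has an A record.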
