
spfdiscuss at alandoherty
Feb 15, 2010, 11:02 AM
Post #11 of 11
(1435 views)
RE: trouble with spoofed email spf not working
At 16:51 15/02/2010 Monday, Russ Muncy wrote:
>Great information here.
>In answer to Alan's question "{i do wonder why inbound mail is told to use mailhop.org and only use your server if they are unavailable though??, your server is listed as 2nd preference of 3}".
>This is the suggested configuration of <dyndns.org>. Since they are "supposed" to be providing some Spam and Virus filtering then forwarding on to my MX server.

If outsourcing your spam/AV or other filtering then you should
A: trust them entirely {or what's the point}
B: do no filtering/checking on your "downstream" {as this creates backscatter and makes you the source of abuse}
C: accept no connections on your downstream from the Internet, only from your "upstream servers" {to ensure no one gets round filters}

but as I understand it the dyndns service is not supposed to be much more than a queueing service for people wanting to run mailservers on dynamic IPs {what the rest of us think is pretty universally a bad idea}

>As Alan mentioned, my MTA does ignore the inbound forgeries when it is operating alone. I only have the problem when attempting to use an "outside" "backup MX server".

do they not give you any control over filtering policy on mails to yourself?
also if {as appears to be the case} they do not provide outgoing mail service to you they need to be removed from your spf record

>So, based on all the good responses I have been getting, I may change my mind on "backup MX servers" that are "not under my control".

it's what I would recommend {because I NEED* to have the control} {but as I also provide spam filtering services to others {who are happy to use our filter controls} I know the "having others as your public facing MX's and running your own receiving server/mailboxes privately" is a legitimate and common setup; they just have us enforce their SPF/DNSBL/etc policy long before any mail reaches their server {saving them all the load and hassle}}

*need being an irrational urge for control

>-----Original Message-----
>From: alan [mailto:spfdiscuss [at] alandoherty]
>Sent: Monday, February 15, 2010 10:57 AM
>To: spf-help [at] v2
>Subject: RE: [spf-help] trouble with spoofed email spf not working
>
>At 14:43 15/02/2010 Monday, Vic wrote:
>
>>> I am curious how you might
>>> advise being able to create some redundancy for your mail server without
>>> creating this problem.
>
>simply ensure that your backup MX's enforce identical policy for incoming mail as your primaries
>{backup MX's not under your direct administrative control should never be used}
>
>ie ensure all use the same DNSBL's
>ensure all reject {not bounce} mail to non-existent addresses
>ensure all enforce the same SPF checks on inbound email
>ensure all perform identical content based filtering {if any}
>
>as for your original question {how to block inbound forgeries of your own domain}, SPF isn't even needed for this
>{SPF checking is for blocking inbound forgeries of SPF publishing domains, whether yours publishes SPF or not}
>your MTA's should by policy be able to block all external senders claiming to be you regardless of SPF
>
>{as your own users should only be sending outbound/internal via your submission server {could be the same machine/server but it's on port 587 and authenticated, not 25}}
>so even internal > internal will never be arriving from 'outside'
>
>as for the SPF record
>
>v=spf1 ip4:67.221.119.199/32 a:month mx:salem.k12.va.us ~all
>
>what Vic said
>
>as according to headers
>Received: from month.salem.k12.va.us (month.salem.k12.va.us [67.221.119.199]
>
>so a:month is a syntax error and a:month.salem.k12.va.us == ip4:67.221.119.199/32 so unnecessary, and as it's in your own domain it's unlikely to move without your knowledge
>
>mx:salem.k12.va.us == a:mx1.mailhop.org. a:month.salem.k12.va.us a:mx2.mailhop.org.
>
>so could be better/faster written/read as
>
>v=spf1 ip4:67.221.119.199/32 a:mx1.mailhop.org a:mx2.mailhop.org ~all
>
>if and only if you send mail out to the Internet via these mailhop.org servers
>{it's unusual for backup MX's to be used for outbound mail in any way}
>
>{i do wonder why inbound mail is told to use mailhop.org and only use your server if they are unavailable though??, your server is listed as 2nd preference of 3}

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
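The two points argued in the quoted message, that `mx:salem.k12.va.us` expands to the A records of the MX hosts so the original and the shortened record authorise the same addresses, and that an MTA can refuse external clients claiming the local domain without consulting SPF at all, can be checked with a small SPF flattener. The block below is an added example, not code from the thread or from any SPF library. Only `month.salem.k12.va.us`, its address 67.221.119.199 and the two mailhop.org MX hostnames come from the post; the addresses given to the mailhop.org hosts, the MX preferences and the whole in-memory DNS table are constructed for illustration, and `reject_own_domain_forgery` is a hypothetical policy hook rather than any real MTA's configuration.

```python
"""Flatten SPF a:/mx:/ip4: mechanisms against a constructed DNS table and
evaluate a connecting client against the result.

Added example for the spf-help thread, not the list's or any MTA's code.
"""
import ipaddress

# Constructed zone data.  The hostnames are quoted in the thread; only
# month.salem.k12.va.us's address is real (from the Received header).  The
# mailhop.org addresses are TEST-NET-1 placeholders.
DNS_A = {
    "month.salem.k12.va.us": ["67.221.119.199"],
    "mx1.mailhop.org": ["192.0.2.10"],   # constructed
    "mx2.mailhop.org": ["192.0.2.20"],   # constructed
}
DNS_MX = {
    # (preference, exchange); the post says the author's own server is
    # 2nd preference of 3, so it sits between the two mailhop.org hosts.
    "salem.k12.va.us": [(10, "mx1.mailhop.org"),
                        (20, "month.salem.k12.va.us"),
                        (30, "mx2.mailhop.org")],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

ORIGINAL = "v=spf1 ip4:67.221.119.199/32 a:month mx:salem.k12.va.us ~all"
PROPOSED = "v=spf1 ip4:67.221.119.199/32 a:mx1.mailhop.org a:mx2.mailhop.org ~all"


def _a_records(name):
    """A lookup in the constructed table; a bare label such as 'month' is
    not a name in the table, so it expands to no addresses."""
    return DNS_A.get(name.rstrip(".").lower(), [])


def expand_mechanism(mech, domain):
    """Return (qualifier, set of networks, is_all) for one SPF mechanism."""
    qual = "+"
    if mech[0] in QUALIFIERS:
        qual, mech = mech[0], mech[1:]
    name, _, arg = mech.partition(":")
    name = name.lower()
    nets = set()
    if name == "all":
        return qual, nets, True
    if name == "ip4":
        nets.add(ipaddress.ip_network(arg, strict=False))
    elif name == "a":
        for ip in _a_records(arg or domain):
            nets.add(ipaddress.ip_network(ip + "/32"))
    elif name == "mx":
        # mx: is shorthand for the A records of every MX host of the domain.
        for _pref, exchange in DNS_MX.get((arg or domain).lower(), []):
            for ip in _a_records(exchange):
                nets.add(ipaddress.ip_network(ip + "/32"))
    else:
        raise ValueError("unsupported mechanism: " + name)
    return qual, nets, False


def parse_record(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    return terms[1:]


def flatten(record, domain):
    """Every network that yields 'pass' for the record."""
    passes = set()
    for term in parse_record(record):
        qual, nets, is_all = expand_mechanism(term, domain)
        if qual == "+" and not is_all:
            passes |= nets
    return passes


def check_host(client_ip, record, domain):
    """First-match evaluation of the client IP against the record."""
    ip = ipaddress.ip_address(client_ip)
    for term in parse_record(record):
        qual, nets, is_all = expand_mechanism(term, domain)
        if is_all or any(ip in net for net in nets):
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no 'all' term


def reject_own_domain_forgery(client_ip, mail_from_domain, our_domain, internal_nets):
    """Hypothetical port-25 policy from the thread: our users submit on 587
    with authentication, so any outside client claiming our domain in
    MAIL FROM is refused regardless of what SPF would say."""
    if mail_from_domain.lower() != our_domain.lower():
        return False
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in ipaddress.ip_network(n) for n in internal_nets)


if __name__ == "__main__":
    dom = "salem.k12.va.us"
    print(sorted(map(str, flatten(ORIGINAL, dom))))
    print(sorted(map(str, flatten(PROPOSED, dom))))
    print(check_host("198.51.100.7", ORIGINAL, dom))
```

Running the block shows the original and proposed records flatten to the same three /32s under the constructed table, that `a:month` contributes nothing, and that an unknown client gets `softfail` from the `~all` term, while the policy hook rejects it outright when it claims the local domain.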