Mailing List Archive: SPF: Help

SPF for Email Service Providers

Index | Next | Previous | View Threaded

justin at blasthosting

Jul 11, 2004, 9:42 PM

Post #1 of 5 (914 views)
Permalink

SPF for Email Service Providers

I am a web hosting provider who also provides email to my customers (a very
common situation). I would like to publish SPF records for the domains I
host, but have been unable to do so in this situation. I provide an SMTP
server for clients to use to send mail (with SMTP AUTH of course). All
email will be coming from this server for the domains I host.
Unfortunately, when I placed SPF records on these domains with the IP of my
SMTP server, mail was denied to be sent. Apparently, SPF aware mail servers
are looking at the furthest Received: header to determine whether a user is
authorized to send from that domain. Since mail is sent from the user's
computer to the mail server, the IP address of the user's computer is
checked against the SPF record. This, of course, does not match. It would
be impossible to include the user's IP address in the SPF record for the
domain because many are on dynamic IP addresses or send mail from multiple
locations. Is there any way to specify SPF records in the domains I host to
check not the user's IP address, but the address of the smtp server the mail
is coming from? Is this something that could be considered? I would
appreciate any feedback on the topic.

Thank You,

Justin Bachus

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

jeffrey at goldmark

Jul 11, 2004, 10:42 PM

Post #2 of 5 (889 views)
Permalink

Re: SPF for Email Service Providers [In reply to]

On Sun, 11 Jul 2004, Justin Bachus wrote:

> I am a web hosting provider who also provides email to my customers (a very
> common situation). I would like to publish SPF records for the domains I
> host, but have been unable to do so in this situation. I provide an SMTP
> server for clients to use to send mail (with SMTP AUTH of course). All
> email will be coming from this server for the domains I host.

Are you certain that none of your customers will be mailing via their ASPs
mail-hubs? That is the typical practice of most users,

> Unfortunately, when I placed SPF records on these domains with the IP of my
> SMTP server, mail was denied to be sent.

I suspect that this is because not all mail was going via your server.

Could you quote an actual bounce message? That would help a great deal.

> Apparently, SPF aware mail servers
> are looking at the furthest Received: header to determine whether a user is
> authorized to send from that domain.

I don't rule out the possibility that a few sites are doing something like
that, but that is far from the normal behavior.

> Since mail is sent from the user's
> computer to the mail server, the IP address of the user's computer is
> checked against the SPF record.

If the mail is going from the user's computer to your server and then to
the recipient's system then SPF checks would not be checking the IP of the
user's computer. But, if as I suspect, the mail is going from the user's
computer to the user's ISP's mailhub to the recipients system, then SPF
will not find the ISP's mailhub authorized for the domain.

> Is there any way to specify SPF records in the domains I host to
> check not the user's IP address, but the address of the smtp server the mail
> is coming from? Is this something that could be considered? I would
> appreciate any feedback on the topic.

SPF already does what you ask. Appearently you have some configuration
error (I outlined one possible misdesign, but that is just speculation).
If you posted details (the records, and the bounce message) people here
could be of more help.

-j

--
Jeffrey Goldberg http://www.goldmark.org/jeff/
Relativism is the triumph of authority over truth, convention over justice
Hate spam? Boycott MCI! http://www.goldmark.org/jeff/anti-spam/mci/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

justin at blasthosting

Jul 11, 2004, 11:30 PM

Post #3 of 5 (895 views)
Permalink

RE: SPF for Email Service Providers [In reply to]

> -----Original Message-----
> From: Jeffrey Goldberg [mailto:jeffrey [at] goldmark]
> Sent: Monday, July 12, 2004 12:43 AM
> To: spf-help [at] v2
> Subject: Re: [spf-help] SPF for Email Service Providers
>
> On Sun, 11 Jul 2004, Justin Bachus wrote:
>
> > I am a web hosting provider who also provides email to my customers (a
> very
> > common situation). I would like to publish SPF records for the domains
> I
> > host, but have been unable to do so in this situation. I provide an
> SMTP
> > server for clients to use to send mail (with SMTP AUTH of course). All
> > email will be coming from this server for the domains I host.
>
> Are you certain that none of your customers will be mailing via their ASPs
> mail-hubs? That is the typical practice of most users,

There may be some that do this currently, but it would not be difficult to
have them use our SMTP servers.

>
> > Unfortunately, when I placed SPF records on these domains with the IP of
> my
> > SMTP server, mail was denied to be sent.
>
> I suspect that this is because not all mail was going via your server.
>
> Could you quote an actual bounce message? That would help a great deal.
>
Your message did not reach some or all of the intended recipients.

Subject: test
Sent: 7/12/2004 1:14 AM

The following recipient(s) could not be reached:

'justin [at] hot' on 7/12/2004 1:14 AM
550 Please see
http://spf.pobox.com/why.html?sender=justin%40blasthosting.com&ip=66.69.225.
10&receiver=hercules.epicserver.com

Sending from justin [at] blasthosting from my local computer with a "v=spf1 a
mx ptr ip4:66.219.52.196 -all" SPF record to the web hosting server running
exim with the SPF patch. Headers for successful mails are (without
published SPF records):

Return-path: <justin [at] blasthosting>
Received: from ms-mta-03 (ms-mta-03-smtp.texas.rr.com [10.93.38.33])
by ms-mss-02.texas.rr.com
(iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
with ESMTP id <0I0Q00BLZ6YDLN [at] ms-mss-02> for
justin [at] hot;
Mon, 12 Jul 2004 01:20:37 -0500 (CDT)
Received: from txmx05.mgw.rr.com (txmx05.mgw.rr.com [24.93.41.204])
by ms-mta-03.texas.rr.com
(iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
with ESMTP id <0I0Q002ZQ6YDK7 [at] ms-mta-03> for justin [at] hot
(ORCPT justin [at] hot); Mon, 12 Jul 2004 01:20:37 -0500 (CDT)
Received: from hercules.epicserver.com
(hercules.epicserver.com [66.219.52.196]) by txmx05.mgw.rr.com
(8.12.10/8.12.8) with ESMTP id i6C6KXPt015438 for <justin [at] hot>;
Mon,
12 Jul 2004 02:20:34 -0400 (EDT)
Received: from cs6669225-10.austin.rr.com ([66.69.225.10]
helo=jblaptop00105)
by hercules.epicserver.com with asmtp (Exim 4.32; FreeBSD)
id 1BjuB5-000IwR-C6 for justin [at] hot; Mon, 12 Jul 2004
01:20:39 -0500
Date: Mon, 12 Jul 2004 01:20:32 -0500
From: justin [at] blasthosting
Subject: test
To: justin [at] hot
Message-id: <!~!AAAAAFrraV7Q/KpLl8cLcjfrSuEkKzYA [at] blasthosting>
MIME-version: 1.0

> > Apparently, SPF aware mail servers
> > are looking at the furthest Received: header to determine whether a user
> is
> > authorized to send from that domain.
>
> I don't rule out the possibility that a few sites are doing something like
> that, but that is far from the normal behavior.
>
> > Since mail is sent from the user's
> > computer to the mail server, the IP address of the user's computer is
> > checked against the SPF record.
>
> If the mail is going from the user's computer to your server and then to
> the recipient's system then SPF checks would not be checking the IP of the
> user's computer. But, if as I suspect, the mail is going from the user's
> computer to the user's ISP's mailhub to the recipients system, then SPF
> will not find the ISP's mailhub authorized for the domain.
>
> > Is there any way to specify SPF records in the domains I host to
> > check not the user's IP address, but the address of the smtp server the
> mail
> > is coming from? Is this something that could be considered? I would
> > appreciate any feedback on the topic.
>
> SPF already does what you ask. Appearently you have some configuration
> error (I outlined one possible misdesign, but that is just speculation).
> If you posted details (the records, and the bounce message) people here
> could be of more help.

Let me know if any other information would be helpful. Maybe the patch
provided for exim produces non-standard behavior. Maybe the SPF ACL
disagrees with other ACLs active in my configuration. I have tried sending
to other hosts that enforce SPF on their incoming mail and those also fail.
One thing that does seem suspicious, however, is that the rejected response
is coming from my SMTP server itself. I will look into that a little
further, but I have installed the default settings from the documentation
for the exim module. Any pointers as to where the error might be or other
ways to diagnose the problem would be helpful.
>
> -j
>
>
> --
> Jeffrey Goldberg http://www.goldmark.org/jeff/
> Relativism is the triumph of authority over truth, convention over
> justice
> Hate spam? Boycott MCI! http://www.goldmark.org/jeff/anti-spam/mci/
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/
> Donate! http://spf.pobox.com/donations.html
> To unsubscribe, change your address, or temporarily deactivate your
> subscription,
> please go to http://v2.listbox.com/member/?listname=spf-
> help [at] v2

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

justin at blasthosting

Jul 11, 2004, 11:41 PM

Post #4 of 5 (884 views)
Permalink

RE: SPF for Email Service Providers [In reply to]

It looks like the spf acl was in the RCPT section (as the exim doc said to
place for testing, but I never removed it). Thank you for making me
investigate my configuration further.

Justin Bachus

> -----Original Message-----
> From: Justin Bachus [mailto:justin [at] blasthosting]
> Sent: Monday, July 12, 2004 1:30 AM
> To: spf-help [at] v2
> Subject: RE: [spf-help] SPF for Email Service Providers
>
> > -----Original Message-----
> > From: Jeffrey Goldberg [mailto:jeffrey [at] goldmark]
> > Sent: Monday, July 12, 2004 12:43 AM
> > To: spf-help [at] v2
> > Subject: Re: [spf-help] SPF for Email Service Providers
> >
> > On Sun, 11 Jul 2004, Justin Bachus wrote:
> >
> > > I am a web hosting provider who also provides email to my customers (a
> > very
> > > common situation). I would like to publish SPF records for the
> domains
> > I
> > > host, but have been unable to do so in this situation. I provide an
> > SMTP
> > > server for clients to use to send mail (with SMTP AUTH of course).
> All
> > > email will be coming from this server for the domains I host.
> >
> > Are you certain that none of your customers will be mailing via their
> ASPs
> > mail-hubs? That is the typical practice of most users,
>
> There may be some that do this currently, but it would not be difficult to
> have them use our SMTP servers.
>
> >
> > > Unfortunately, when I placed SPF records on these domains with the IP
> of
> > my
> > > SMTP server, mail was denied to be sent.
> >
> > I suspect that this is because not all mail was going via your server.
> >
> > Could you quote an actual bounce message? That would help a great deal.
> >
> Your message did not reach some or all of the intended recipients.
>
> Subject: test
> Sent: 7/12/2004 1:14 AM
>
> The following recipient(s) could not be reached:
>
> 'justin [at] hot' on 7/12/2004 1:14 AM
> 550 Please see
> http://spf.pobox.com/why.html?sender=justin%40blasthosting.com&ip=66.69.22
> 5.
> 10&receiver=hercules.epicserver.com
>
> Sending from justin [at] blasthosting from my local computer with a "v=spf1
> a
> mx ptr ip4:66.219.52.196 -all" SPF record to the web hosting server
> running
> exim with the SPF patch. Headers for successful mails are (without
> published SPF records):
>
> Return-path: <justin [at] blasthosting>
> Received: from ms-mta-03 (ms-mta-03-smtp.texas.rr.com [10.93.38.33])
> by ms-mss-02.texas.rr.com
> (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
> with ESMTP id <0I0Q00BLZ6YDLN [at] ms-mss-02> for
> justin [at] hot;
> Mon, 12 Jul 2004 01:20:37 -0500 (CDT)
> Received: from txmx05.mgw.rr.com (txmx05.mgw.rr.com [24.93.41.204])
> by ms-mta-03.texas.rr.com
> (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
> with ESMTP id <0I0Q002ZQ6YDK7 [at] ms-mta-03> for
> justin [at] hot
> (ORCPT justin [at] hot); Mon, 12 Jul 2004 01:20:37 -0500 (CDT)
> Received: from hercules.epicserver.com
> (hercules.epicserver.com [66.219.52.196]) by txmx05.mgw.rr.com
> (8.12.10/8.12.8) with ESMTP id i6C6KXPt015438 for
<justin [at] hot>;
> Mon,
> 12 Jul 2004 02:20:34 -0400 (EDT)
> Received: from cs6669225-10.austin.rr.com ([66.69.225.10]
> helo=jblaptop00105)
> by hercules.epicserver.com with asmtp (Exim 4.32; FreeBSD)
> id 1BjuB5-000IwR-C6 for justin [at] hot; Mon, 12 Jul 2004
> 01:20:39 -0500
> Date: Mon, 12 Jul 2004 01:20:32 -0500
> From: justin [at] blasthosting
> Subject: test
> To: justin [at] hot
> Message-id: <!~!AAAAAFrraV7Q/KpLl8cLcjfrSuEkKzYA [at] blasthosting>
> MIME-version: 1.0
>
>
>
>
> > > Apparently, SPF aware mail servers
> > > are looking at the furthest Received: header to determine whether a
> user
> > is
> > > authorized to send from that domain.
> >
> > I don't rule out the possibility that a few sites are doing something
> like
> > that, but that is far from the normal behavior.
> >
> > > Since mail is sent from the user's
> > > computer to the mail server, the IP address of the user's computer is
> > > checked against the SPF record.
> >
> > If the mail is going from the user's computer to your server and then to
> > the recipient's system then SPF checks would not be checking the IP of
> the
> > user's computer. But, if as I suspect, the mail is going from the
> user's
> > computer to the user's ISP's mailhub to the recipients system, then SPF
> > will not find the ISP's mailhub authorized for the domain.
> >
> > > Is there any way to specify SPF records in the domains I host to
> > > check not the user's IP address, but the address of the smtp server
> the
> > mail
> > > is coming from? Is this something that could be considered? I would
> > > appreciate any feedback on the topic.
> >
> > SPF already does what you ask. Appearently you have some configuration
> > error (I outlined one possible misdesign, but that is just speculation).
> > If you posted details (the records, and the bounce message) people here
> > could be of more help.
>
> Let me know if any other information would be helpful. Maybe the patch
> provided for exim produces non-standard behavior. Maybe the SPF ACL
> disagrees with other ACLs active in my configuration. I have tried
> sending
> to other hosts that enforce SPF on their incoming mail and those also
> fail.
> One thing that does seem suspicious, however, is that the rejected
> response
> is coming from my SMTP server itself. I will look into that a little
> further, but I have installed the default settings from the documentation
> for the exim module. Any pointers as to where the error might be or other
> ways to diagnose the problem would be helpful.
> >
> > -j
> >
> >
> > --
> > Jeffrey Goldberg
> http://www.goldmark.org/jeff/
> > Relativism is the triumph of authority over truth, convention over
> > justice
> > Hate spam? Boycott MCI! http://www.goldmark.org/jeff/anti-spam/mci/
> >
> > -------
> > Archives at http://archives.listbox.com/spf-help/current/
> > Donate! http://spf.pobox.com/donations.html
> > To unsubscribe, change your address, or temporarily deactivate your
> > subscription,
> > please go to http://v2.listbox.com/member/?listname=spf-
> > help [at] v2
>
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/
> Donate! http://spf.pobox.com/donations.html
> To unsubscribe, change your address, or temporarily deactivate your
> subscription,
> please go to http://v2.listbox.com/member/?listname=spf-
> help [at] v2

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

jeffrey at goldmark

Jul 12, 2004, 8:23 AM

Post #5 of 5 (916 views)
Permalink

Re: SPF for Email Service Providers [In reply to]

On Jul 11, 2004, at 11:30 PM, Justin Bachus wrote:

>> I suspect that this is because not all mail was going via your server.
>>
>> Could you quote an actual bounce message? That would help a great
>> deal.

> Your message did not reach some or all of the intended recipients.
>
> Subject: test
> Sent: 7/12/2004 1:14 AM
>
> The following recipient(s) could not be reached:
>
> 'justin [at] hot' on 7/12/2004 1:14 AM
> 550 Please see
> http://spf.pobox.com/why.html?
> sender=justin%40blasthosting.com&ip=66.69.225.
> 10&receiver=hercules.epicserver.com

OK. So the rejecting system is saying that the mail is coming in from
66.69.225.10
And for blasthosting.com you have

> "v=spf1 a mx ptr ip4:66.219.52.196 -all"

which, of course, will "fail" that IP address. Now the question is
whether the rejecting system is checking the right IP address.

> Headers for successful mails are (without published SPF records):

OK.

All of the batch below are hops AFTER you would have the fail with the
records published.

> Return-path: <justin [at] blasthosting>
> Received: from ms-mta-03 (ms-mta-03-smtp.texas.rr.com [10.93.38.33])
> by ms-mss-02.texas.rr.com
> (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
> with ESMTP id <0I0Q00BLZ6YDLN [at] ms-mss-02> for
> justin [at] hot;
> Mon, 12 Jul 2004 01:20:37 -0500 (CDT)
> Received: from txmx05.mgw.rr.com (txmx05.mgw.rr.com [24.93.41.204])
> by ms-mta-03.texas.rr.com
> (iPlanet Messaging Server 5.2 HotFix 1.21 (built Sep 8 2003))
> with ESMTP id <0I0Q002ZQ6YDK7 [at] ms-mta-03> for
> justin [at] hot
> (ORCPT justin [at] hot); Mon, 12 Jul 2004 01:20:37 -0500 (CDT)
> Received: from hercules.epicserver.com
> (hercules.epicserver.com [66.219.52.196]) by txmx05.mgw.rr.com
> (8.12.10/8.12.8) with ESMTP id i6C6KXPt015438 for <justin [at] hot>;
> Mon, 12 Jul 2004 02:20:34 -0400 (EDT)

Below is my guess at the hop where things failed with records published.

> Received: from cs6669225-10.austin.rr.com ([66.69.225.10]
> helo=jblaptop00105)
> by hercules.epicserver.com with asmtp (Exim 4.32; FreeBSD)
> id 1BjuB5-000IwR-C6 for justin [at] hot; Mon, 12 Jul 2004
> 01:20:39 -0500

Hmm. That does say received with "asmtp". So, if I understand the
exim ACLs correctly (I've only just glanced at them) that should be OK.
May I recommend publishing your records with ~all instead of -all for
testing purposes?

Hmm, now that I look at the exim configuration patch at

http://spf.pobox.com/exim4.spf.acl-2.09.txt

it doesn't look like it takes into account asmtp. Could it be (I'm not
all that familiar with exim 4) that the behavior depends on the order
of the SPF ACLs with respect to the ASMTP ACLs?

At this point, I would recommend that you post to the exim users list.
This looks like an ACL problem to me. Also set your records to ~all
(softfail) for testing, that way you'll get headers inserted usefully.

-j

--
Jeffrey Goldberg http://www.goldmark.org/jeff/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads