andy at andycc
Jul 10, 2006, 11:12 AM
Post #4 of 11
(11314 views)
Permalink
|
David and Robert,
That's fantastic - a perfect explanation - thanks a million guys :) I
wasn't getting the full illustration from the on-line docs.
With regard to your comment Dave about dealing with bounced forwarded
messages, I was having a quick read through the docs of SPF and SRS, and
it appears that in SPFv1, if the sending MAIL FROM header is <> (i.e. a
bounce message), the receiving MX looks up the SPF record from the EHLO
server name given. So in your example situation, if
finaldestination.com had to bounce a message received from sending.com
via publicdomain.com, SRS would have re-written the sender to something
like sender#sending.com [at] publicdomain Finaldestination.com would
announce itself as (for example) mx1.finaldestination.com.
Publicdomain.com would look up the SPF for mx1.finaldestination.com.
SRS at publicdomain.com would then unwrap the To: address to
sender [at] sending, and forward it back to sending.com (sending.com
would look up SPF for the given EHLO name (e.g. mx1.publicdomain.com) as
there is no From: address.)
Right?
"It strikes me that if you're not actually going to use different server
machines when your clients add their own domain names, and assuming you
have your DNS TXT record set up correctly, you won't be having broken
forwarding issues at all."
I had wondered about this actually. Obviously if I have control of the
DNS, there's no problem, but if you take the situation:
A client has his own domain name: "external.com." He points his MX
records to my servers, and sends all outgoing e-mails through my servers
(announced as exchange.mailnetwork.co.uk and dns.mailnetwork.co.uk.) If
the client does not know about SPF, and/or doesn't have access to his
DNS to add TXT records - he sends an e-mail to, for example,
publicdomain.com. The MX at publicdomain.com looks up SPF for
"external.com", however because there are no SPF records, the message
gets rejected (or treated as a possible forgery.) Therefore SRS would
be needed to rewrite the address to have come from mailnetwork.co.uk.
I have this situation with my andycc.net domain, in that andycc.net is
my domain but the mailservers are on mailnetwork.co.uk - however I have
the bonus that I can modify the DNS :)
Thanks again,
Andy
David Sowder wrote:
> On 7/10/06, *Robert Muchnick* <hostmaster [at] xenterra
> <mailto:hostmaster [at] xenterra>> wrote:
>
> This is probably an oversimplified explanation but it should serve to
> point you in the right direction.
>
> SPF breaks mail forwarding. For example, sender [at] sending
> <mailto:sender [at] sending> (IP address
> 1.2.3.4 <http://1.2.3.4>) sends an email to
> intended [at] publicdomain <mailto:intended [at] publicdomain> who
> actually picks up
> his mail at its final destination
> intendeds-real-acct [at] finaldestination
> <mailto:intendeds-real-acct [at] finaldestination>. So
> publicdomain.com <http://publicdomain.com> is a
> forwarder (as in virtusertable) to the machine
> finaldestination.com <http://finaldestination.com> .
>
> Without SRS, publicdomain.com <http://publicdomain.com> will try
> to forward the mail to
> finaldestination.com <http://finaldestination.com> while
> announcing the FROM IP address as 1.2.3.4 <http://1.2.3.4>,
> which SPF will reject because it doesn't jive with the IP for
> publicdomain.com <http://publicdomain.com>. That's the anti-SPAM
> aspect of SPF.
>
>
> finaldestination.com <http://finaldestination.com>'s MX host will see
> the client coming from publicdomain.com <http://publicdomain.com>'s IP
> address, which sending.com <http://sending.com> didn't likely
> authorize in the SPF record for sending.com <http://sending.com>.
> finaldestination.com <http://finaldestination.com>, when checking SPF
> records, will see the envelope MAIL FROM: header containing
> sending.com <http://sending.com> and lookup the SPF record for
> sending.com <http://sending.com> and check the clien'ts IP address
> (the IP address for publicdomain.com <http://publicdomain.com>) to see
> if sending.com <http://sending.com>'s SPF record authorizes that IP
> address to claim to be sending.com <http://sending.com> in the
> envelope MAIL FROM (RFC821). SPF is not anti-spam; but rather
> anti-forgery. Note that forgery is still possible if publicdomain.com
> <http://publicdomain.com> didn't check the SPF record for sending.com
> <http://sending.com> before forwarding the message.
>
> To cure this and allow desired forwarding, SRS (on
> publicdomain.com <http://publicdomain.com>)
> rewrites the sender address (now seen as coming from
> publicdomain.com <http://publicdomain.com>) so
> that SPF on finaldestination.com <http://finaldestination.com>
> will accept the mail.
>
>
> SRS is intended to rewrite the envelope MAIL FROM (RFC821) to that of
> the forwarding sender ( publicdomain.com <http://publicdomain.com>)
> such that finaldestination.com <http://finaldestination.com>'s SPF
> check will be against the SPF record for publicdomain.com
> <http://publicdomain.com>, which presumably allows it's own IP address
> to send mail for publicdomain.com <http://publicdomain.com>. :) A
> downside to this approach is that you have to sort out how
> finaldestination.com <http://finaldestination.com> bouncing a
> forwarded message will be handled (rejected is a little easier to deal
> with).
>
> I'm pretty sure I got this right. The explanation is based on an
> actual
> scenario I had to deal with about a year and a half ago and
> implementing
> SRS as mentioned above was the only way to solve it.
>
> It strikes me that if you're not actually going to use different
> server
> machines when your clients add their own domain names, and
> assuming you
> have your DNS TXT record set up correctly, you won't be having broken
> forwarding issues at all.
>
>
> If publicdomain.com <http://publicdomain.com> and finaldestination.com
> <http://finaldestination.com> are in the same administrative domain,
> but on separate servers, finaldestination should simply whitelist
> messages coming from publicdomain.com <http://publicdomain.com> as a
> client.
>
> On Mon, 10 Jul 2006, Andy Shellam wrote:
>
> > Date: Mon, 10 Jul 2006 11:56:58 +0100
> > From: Andy Shellam <andy [at] andycc <mailto:andy [at] andycc>>
> > Reply-To: srs-discuss [at] v2
> <mailto:srs-discuss [at] v2>
> > To: srs-discuss [at] v2 <mailto:srs-discuss [at] v2>
> > Subject: [srs-discuss] SRS/SPF Help Needed
> >
> > Hi,
> >
> >
> >
> > I need some advice off people who know about SRS!
> >
> > I'm designing a complete mail solution system based largely on
> open-source
> > products with custom tweaks, to support SPF, SRS and other
> validation
> > schemes (such as DomainKeys) out-of-the-box.
> >
> >
> >
> > However, I'm having a little trouble under-standing the
> reasoning for
> > requiring SRS.
> >
> >
> >
> > As an example:
> >
> >
> >
> > My company's domain is mailnetwork.co.uk
> <http://mailnetwork.co.uk>, which has an SPF record,
> > authorising the machines exchange.mailnetwork.co.uk
> <http://exchange.mailnetwork.co.uk> ( 88.208.192.113
> <http://88.208.192.113>,
> > 88.208.192.114 <http://88.208.192.114>) and
> dns.mailnetwork.co.uk <http://dns.mailnetwork.co.uk>
> (84.18.200.160 <http://84.18.200.160>) to send mail from
> > mailnetwork.co.uk <http://mailnetwork.co.uk>, and to fail any
> other servers that attempt to do so.
> >
> >
> >
> > Now, how does SRS come in to this?
> >
> >
> >
> > All my current users use one of our registered domains (
> mailnetwork.co.uk <http://mailnetwork.co.uk>
> > and andycc.net <http://andycc.net> are currently the two
> most-used) as their sender addresses -
> > they are allowed incoming aliases (e.g. andy [at] mailnetwork
> <mailto:andy [at] mailnetwork> is an alias
> > for andy [at] andycc <mailto:andy [at] andycc>) - however, if a
> user tries to use an alias as the
> > sender address it is rewritten to the alias' destination address
> - e.g. if I
> > tried to send using a From: address of andy [at] mailnetwork
> <mailto:andy [at] mailnetwork>, the mail
> > server will rewrite it as andy [at] andycc <mailto:andy [at] andycc>.
> >
> >
> >
> > When it gets off the ground, users will have the ability to add
> their own
> > domains to the system - I'm guessing in this case, the system
> will act as a
> > forwarder, and I'm thinking this is where SRS comes in, but I'm
> a tad
> > confused how SPF breaks forwarding and the like!!
> >
> >
> >
> > Any advice/explanations would be appreciated!
>
>
> --
> Robert Muchnick
> Xenterra.net <http://Xenterra.net>
> 720-276-7917
>
> -------
> To unsubscribe, change your address, or temporarily deactivate
> your subscription,
> please go to
> http://v2.listbox.com/member/?listname=srs-discuss [at] v2
> <http://v2.listbox.com/member/?listname=srs-discuss [at] v2>
>
>
>
>
> --
> David R. Sowder
> University of Texas at Arlington
> Department of Modern Languages
> Language Acquisition Center Supervisor
> Work: davids [at] uta <mailto:davids [at] uta>
> Personal: david [at] sowder <mailto:david [at] sowder>
> Lists: davidrsowder [at] gmail <mailto:davidrsowder [at] gmail>
> http://david.sowder.com/ <http://david.sowder.com/>
> ------------------------------------------------------------------------
> To unsubscribe, change your address, or temporarily deactivate your
> subscription, please go to
> http://v2.listbox.com/member/?listname=srs-discuss [at] v2
> !DSPAM:14,44b2913f34531536620633!
-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss [at] v2
|
