Mailing List Archive

SPF, Sendmail help and rant
Maybe I am wrong on this but, after reading and rereading the spf info
for sendmail, it looks as though if I implement spf, then anyone who
tries to email my company who doesn't have an SPF record then the email
will be dropped. Plus if I implement SPF, then blind relaying from
internal machines without SMTP auth also will be unable to connect.

If there is a work around for this, please I am all ears. However a non
industrial standard just to not get as many spam emails, is, well lame.
Between the SBL and spamassassin, ninety percent of spam is caught. Now
to just cut down on the forged from headers, there are a number of
hacks, for postfix, sendmail, exim, etc. that all take care of this

--
Terry Whitney
I.T. Manager



-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
RE: SPF, Sendmail help and rant [ In reply to ]
I don't know sendmail (Exchange admin here) but using the spf policy I
have the option to tag it as spam or deny its delivery. Having an SPF
record in your DNS means you are abiding by the rules that others
(AOL, Hotmail, me) may implement on my SMTP about what to do with SPF
failing messages. For now we are treating non-spf messages as tagging
with spam but SPF messages that fail (someone relaying through AOL) is a
definite kill.

So having an SPF record does not mean you will immediately stop
receiving mail from others. You should have the ability to filter/limit
on what to do with SPF fails, again I'm on a Windows box so hopefully you
have similar options on sendmail.

-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com] On Behalf Of Terry Whitney
Sent: Tuesday, August 24, 2004 2:26 PM
To: spf-help@v2.listbox.com
Subject: [spf-help] SPF, Sendmail help and rant

Maybe I am wrong on this but, after reading and rereading the spf info
for sendmail, it looks as though if I implement spf, then anyone who
tries to email my company who doesn't have an SPF record then the email
will be dropped. Plus if I implement SPF, then blind relaying from
internal machines without SMTP auth also will be unable to connect.

If there is a work around for this, please I am all ears. However a non
industrial standard just to not get as many spam emails, is, well lame.
Between the SBL and spamassassin, ninety percent of spam is caught. Now
to just cut down on the forged from headers, there are a number of
hacks, for postfix, sendmail, exim, etc. that all take care of this

--
Terry Whitney
I.T. Manager



Re: SPF, Sendmail help and rant [ In reply to ]
>Maybe I am wrong on this but, after reading and rereading the spf info
>for sendmail, it looks as though if I implement spf, then anyone who
>tries to email my company who doesn't have an SPF record then the email
>will be dropped. Plus if I implement SPF, then blind relaying from
>internal machines without SMTP auth also will be unable to connect.

It is a little confusing, but in a nutshell:

1) Once you implement SPF for sendmail, it will check all emails that
pass through. When a message passes through sendmail, it checks to see
if the sending domain has an SPF record published in DNS. If not, SPF
returns "none" indicating that there's no way to validate the email's
originating domain. By default, this type of email passes right through.
If SPF *DOES* find an SPF record in the DNS, that record "tells" your
sendmail how to handle the message. By default, this operates exactly
the opposite of what you thought. If somebody emails your company that
doesn't have an SPF record, the mail passes right through, just as if
SPF weren't there.

2) When you publish your own SPF record(s) in DNS, your blind relaying
from internal machines will likely start to fail. There are several ways
around this, the easiest being the ability for you to "whitelist" the IP
addresses of the internal machines. This whitelisting feature tells SPF
on your sendmail to "let these pass without further checking". If you
never publish your SPF records in DNS, you won't have this problem at
all, but the SPF "effort" as a whole hopes that you will.

Re: SPF, Sendmail help and rant [ In reply to ]
Hi Terry,

Please enlighten us, where did you get the idea that implementing spf
will result in the loss of all messages that come from domains that do
not have spf published? What implementation of sendmail are you referring
to? If it says that, it should be changed since it is not true.

All sendmail spf implementations I know of (including the one I wrote
the sendmail patch for) will either reject a message
if the domain publishes SPF and the ip does not match against the spf
record, or add a header that indicates why the message was passed:
because the spf record allows the ip to send the mail or because an
error has occurred (e.g. the domain did not have an spf record).

So it will only reject if the domain has spf and the ip does not match
with the spf record.

Also, this 'non industrial' standard is not for getting less spam mails,
it is for protecting domains against forgery. It helps me to state 'hey,
sonologic.nl is my domain and I allow these servers to send mail from
that domain, if any other server is sending please reject the message
because it is not sonologic who is sending the mail!'.

Koen

On Tue, Aug 24, 2004 at 02:26:21PM -0400, Terry Whitney wrote:
> Maybe I am wrong on this but, after reading and rereading the spf info
> for sendmail, it looks as though if I implement spf, then anyone who
> tries to email my company who doesn't have an SPF record then the email
> will be dropped. Plus if I implement SPF, then blind relaying from
> internal machines without SMTP auth also will be unable to connect.
>
> If there is a work around for this, please I am all ears. However a non
> industrial standard just to not get as many spam emails, is, well lame.
> Between the SBL and spamassassin, ninety percent of spam is caught. Now
> to just cut down on the forged from headers, there are a number of
> hacks, for postfix, sendmail, exim, etc. that all take care of this


--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/
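
The receiver-side behaviour described in the two replies above ("none" passes, only a published record that does not match the IP is rejected, whitelisted internal relays skip the check), as an added example that is not part of any poster's message and is not code from any sendmail SPF patch. The records, domains, addresses and the whitelist range are constructed, and only the `ip4` and `all` mechanisms of SPF are evaluated.

```python
import ipaddress

# Constructed sample data: reserved example domains and documentation IP
# ranges stand in for DNS lookups. example.com plays the role of "my company".
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.7 ~all",
}
# Assumed internal relay range that is allowed to skip SPF checking.
WHITELIST = [ipaddress.ip_network("10.0.0.0/8")]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Return the SPF result for client_ip (ip4 and all mechanisms only)."""
    if record is None:
        return "none"  # sending domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def receive(client_ip, mail_from):
    """Decide what to do with a message: returns (action, detail)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in WHITELIST):
        return ("accept", "whitelisted")  # internal relay, no SPF check
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = check_spf(SPF_RECORDS.get(domain), client_ip)
    if result == "fail":
        return ("reject", result)  # record published and IP not authorised
    # Everything else is delivered, with the result recorded in a header.
    return ("accept", "Received-SPF: " + result)


if __name__ == "__main__":
    for ip, sender in [("203.0.113.5", "bob@nospf.example"),
                       ("203.0.113.5", "alice@example.com"),
                       ("10.1.2.3", "alice@example.com")]:
        print(ip, sender, receive(ip, sender))
```

Without the whitelist entry, the internal host 10.1.2.3 sending as example.com would get "fail", which is the blind-relay breakage discussed in the thread.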

Re: SPF, Sendmail help and rant [ In reply to ]
----- Original Message -----
From: "Terry Whitney" <twhitney@fourstarwire.com>
To: <spf-help@v2.listbox.com>
Sent: Tuesday, August 24, 2004 2:26 PM
Subject: [spf-help] SPF, Sendmail help and rant


> Maybe I am wrong on this but, after reading and rereading the spf info
> for sendmail, it looks as though if I implement spf, then anyone who
> tries to email my company who doesn't have an SPF record then the email
> will be dropped. Plus if I implement SPF, then blind relaying from
> internal machines without SMTP auth also will be unable to connect.

That is absolutely incorrect. If they do not implement SPF, then no SPF
checks are done and the mail proceeds merrily on its way. Blind email
relaying from your internal machines can also be explicitly whitelisted,
although I'd recommend against that.

Your internal spam filtering may assign scores based on SPF results, but
that's another story.
