Mailing List Archive

RE: Setting up SPF
At 13:59 12/10/2009 Monday, Jonathan Lumb wrote:
>Thanks for the quick response.
>
>I did know we were using Murphx.net as a mail relay so I should have mentioned that in my post. Apologies for that. During my testing I did an include for murphx but they use so many servers I couldn't pin it down and as Vic points out, they may not carry an SPF. Would I be best not using Murphx as a relay?

you could do that
or build a list of their delivering ips/ranges yourself {trial and error as they shouldn't take long or include the /24/23... they use for mailservers}
or add ptr:Murphx.net and allow all their valid servers and a few invalid ones to pass
or add ptr:edge-c.Murphx.net if tests show all their mail servers to be within this ptr subdomain

i would be tempted to take up the offer of bounce a bunch of testmails to me {or yourself via gmail/wherever}
and that way get a profile of likely source matches for murphx.net

adding their ips as ranges shouldn't be an issue if they are trusted by you not to be trying to forge anything from you, if they aren't trusted using them as a relay would be bad ;)

or if Vic's mate can get a list of ips/ranges it would be fine to directly add those to your spf


>Thanks
>
>Jonathan
>
>Jonathan Lumb
>IT Technician
>
>The Virtual College
>Tel:01943 605976
>Fax:01943 605522
>
>www.virtual-college.co.uk
>
>With over 10 years' experience and over 150,000 on-line and face to face learners, Virtual College is enhancing the learning experience by accelerating the adoption of e-learning.
>
>We are proud of our Investors in People, CPD UK, Matrix, Customer First recognition and Winner of the Medilink Partnership with the NHS Award 2008
>
>Virtual College is a limited company registered in England and Wales, a division of Virtual College Group plc.
>Registered Office: Marsel House, Stephensons Way, Ilkley, LS29 8DD
>Reg No: 3052439 VAT No: GB75529689
>
>The information contained in this email is intended only for the named recipient(s). It may contain confidential information and if you are not an intended recipient you must not copy, distribute or take action or reliance on it. If you received this email in error, please contact us immediately, Any unauthorised disclosure of the information contained in this communication is strictly prohibited.
>
>
>-----Original Message-----
>From: Vic [mailto:spf1@beer.org.uk]
>Sent: 12 October 2009 13:48
>To: spf-help@v2.listbox.com
>Subject: Re: [spf-help] Setting up SPF
>
>
>> Our on-site exchange server has a public address of 94.30.116.48
>>
>> Our MX are mail.virtual-college.co.uk, mail2.virtual-college.co.uk and
>> telewest.virtual-college.co.uk
>>
>> Any mail sent from the exchange server results in a softfail.
>
>That's because the rest of the world doesn't see that address - you're
>relaying all your outgoing mail via murphx.net.
>
>Sadly, it looks like Murphx don't have an SPF record - I'll take a look at
>that (one of their sysads is a personal friend of mine).
>
>But the problem you've got is that anyone receiving mail from you is
>actually getting it from Murphx, who aren't mentioned in your SPF record.
>That's why you get the fail...
>
>The solution is either to send mail directly, or to get murphx added to
>the record.
>
>Vic.
>
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org
>Modify Your Subscription: http://www.listbox.com/member/
>Archives: https://www.listbox.com/member/archive/1020/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>Powered by Listbox: http://www.listbox.com

RE: Setting up SPF
> Using include gives a permerror

You'll get that if there isn't anything to include.

> trying to mx murphx without any real
> success. The wrong way of doing things I guess.

Yep. MX is for inbound mail, you need the outbound servers. For larger
installations, these are frequently not the same machines.

> I have sent a request for
> SPF info to the ISP but failing this, will have to change provider or
> bypass.

Is there a reason you're not sending directly? It might make life a lot
easier...

> We used to be on Demon, changed before my arrival.

Don't change back. Demon have been pulling all sorts of stunts lately.

> HELO hostname: mx-relay-02.edge-c.murphx.net
> Source IP: 62.69.62.102

Note that this is not one of the MXes you list later...

> virtual-college.co.uk. 86400 IN MX 20 82.47.215.100.
> virtual-college.co.uk. 86400 IN MX 0 mail.virtual-college.co.uk.
> virtual-college.co.uk. 86400 IN MX 10 mail2.virtual-college.co.uk.

Do you really need 3 inbound servers? That's nothing to do with SPF, but
will probably cause you far more difficulty than it solves problems...

Vic.



RE: Setting up SPF
Hi all,

I added the ptr:edge-c.Murphx.net as all test emails showed up as being within this subdomain. Finally a pass. Many thanks to you all for your assistance and clear explanations.
Point taken with regards to moving back to Demon.
We use 3 incoming as mail-primary, mail2-secondary and telewest-last chance. I thought this was recommended. If not, I can change.
I will continue testing to ensure all mails are behaving and then implement on our other domains.

Thanks again

Jonathan

Jonathan Lumb
IT Technician
 


-----Original Message-----
From: alan [mailto:spfdiscuss@alandoherty.net]
Sent: 12 October 2009 15:42
To: spf-help@v2.listbox.com
Subject: RE: [spf-help] Setting up SPF

RE: Setting up SPF
Oh and if Vic does get a list of IPs I will alter to suit. Would be better specifying individual IPs than a whole subdomain.

Now onto Smoothwall, all good fun.



Jonathan Lumb
IT Technician
 
 


-----Original Message-----
From: Vic [mailto:spf1@beer.org.uk]
Sent: 12 October 2009 15:53
To: spf-help@v2.listbox.com
Subject: RE: [spf-help] Setting up SPF


RE: Setting up SPF
Jonathan Lumb wrote on Mon, Oct 12 2009 at 10:32 am:

> Oh and if Vic does get a list of IPs I will alter to suit. Would be
> better specifying individual IPs than a whole subdomain.

And in general PTR will cause the other end some extra DNS
lookups:

http://www.openspf.org/SPF_Record_Syntax#ptr

The best solution is for murphx.net to set up an SPF record for their
customers to use (ideally listing only IP addresses), and you can then
include it in your record. They can then add/remove mail servers at
will.

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- ERROR: ERROR: ERROR: ERROR: ERROR: <*SMACK*> C:\>_

~ Taglines by Taglinator: www.srtware.com ~


RE: [OT] was Setting up SPF
At 16:31 12/10/2009 Monday, Jonathan Lumb wrote:
>Hi all,
>
>I added the ptr:edge-c.Murphx.net as all test emails showed up as being within this subdomain. Finally a pass. Many thanks to you all for your assistance and clear explanations.
>Point taken with regards to moving back to Demon.
>We use 3 incoming as mail-primary, mail2-secondary and telewest-last chance. I thought this was recommended. If not, I can change.
>I will continue testing to ensure all mails are behaving and then implement on our other domains.

the only recommendation with respect to incoming is

A they all know which addresses are valid and which are not
{ie if i send mail to totaly-made@your-domain and it is rejected by your primary MX it damn well better be rejected by your secondaries too}

this is because otherwise it will be accepted by your secondaries, then rejected when they try to connect to your primary, resulting in them sending a bounce NDR to the 'victim' the guy whose address was forged in the envelope-from

2 possible outcomes,
your secondaries used to victimize people {bounce-spam, ndr-bombing, ddos whatever}
your secondaries end up widely blacklisted to avoid the above

B they all run the same checks/policy
for pretty much the same reasons as above {ie all rejections must be between the sender and your MX not between one of your high-mx's>lower-mx}

C if you run SPF checks ensure your own backup MX's are whitelisted and see point B

so because of these rules most people have multiple MX's only when they directly control ALL of them
as it's hard to achieve rule B otherwise
anyone failing rule A is just outright callous/lazy {but not uncommon}

[.but all this is moot if the only MX capable of delivering to a user's mailbox is the primary, as then the others are doing nothing useful]
most successful multiple MX setups have an alternate route from backup>mailbox if primary is down and can't get up
{private/internal mx's to pop3 hosts or even manual scripts to fetchmail/sort}

here we use 4 MX's
primary is a false primary {permanently down} to absorb/log a lot of bot syn traffic {all valid mta's fail up some {few} bots never do}
secondary real primary physically closest to our mailbox server thus fastest delivery route
tertiary real secondary remote site with wan link to mailbox server so if Internet provider goes dark at primary or bgp issues mail still gets through
fourth and final leg a false last MX with similar job to primary {absorbs lots of bot syn traffic as most bots try last MX first {as most people have the laxest policy on the last {as they fail point B above}} so most bots try last first and fail down, we dnsbl any ip trying our last first, with some whitelisting for known broken sites}

[.for anyone checking our 4th MX dnsbl system is currently down so pointed at the same ip as primary {dead but logging} till fixed]



Re: Setting up SPF
> Sadly, it looks like Murphx don't have an SPF record - I'll take a look at
> that (one of their sysads is a personal friend of mine).

OK, I've asked the question. It would appear that Murphx aren't likely to
set up an SPF record anytime soon, but they have two outgoing relays - on
62.69.62.101 and 62.69.62.102.

Vic.



RE: Setting up SPF
Vic wrote on Mon, Oct 12 2009 at 9:15 pm:

> OK, I've asked the question. It would appear that Murphx aren't likely to
> set up an SPF record anytime soon, but they have two outgoing relays - on
> 62.69.62.101 and 62.69.62.102.

If those are the only two outgoing/delivery mail servers in use
for your domain, then you can simply use:

v=spf1 ip4:62.69.62.101 ip4:62.69.62.102 -all

(or ~all during testing).

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- Wisdom of Bart: Coffee is not for kids

~ Taglines by Taglinator: www.srtware.com ~
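
The record suggested in the last reply, checked offline, as an added example that is not part of the thread: a small Python evaluator for the `ip4`/`ip6`/`all` mechanisms that also lists the terms a receiver could only resolve through DNS (the extra lookups mentioned for `ptr`). The `BEFORE` and `PTR_BASED` records are constructed, since the thread never shows the full records, only the on-site address, the softfail result and the `ptr` mechanism; the function and constant names are this example's own.

```python
import ipaddress

# Terms a receiver can only evaluate with DNS queries (RFC 7208 limits a check
# to 10 of them). ip4, ip6 and all need no lookup.
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed "before" record: only the on-site server is authorised.
BEFORE = "v=spf1 ip4:94.30.116.48 ~all"
# Record given in the thread once the two relay addresses were known.
AFTER = "v=spf1 ip4:62.69.62.101 ip4:62.69.62.102 -all"
# Constructed around the ptr mechanism named in the thread.
PTR_BASED = "v=spf1 ptr:edge-c.murphx.net ~all"


def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for part in parts[1:]:
        qualifier = "+"
        if part[0] in QUALIFIERS:
            qualifier, part = part[0], part[1:]
        # Mechanisms are "name:arg"; modifiers such as redirect are "name=arg".
        sep = ":" if ":" in part else "="
        name, _, arg = part.partition(sep)
        # Drop a CIDR suffix written directly on the name, as in "mx/24".
        terms.append((qualifier, name.split("/")[0].lower(), arg))
    return terms


def evaluate(record, client_ip):
    """Return (result, dns_terms) for a connecting client IP, without DNS.

    The result is "undetermined" as soon as a DNS-based term is reached,
    because only a live lookup could tell whether it matches.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = parse_spf(record)
    dns_terms = [name for _, name, _ in terms if name in DNS_TERMS]
    for qualifier, name, arg in terms:
        if name in DNS_TERMS:
            return "undetermined", dns_terms
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier], dns_terms
        elif name == "all":
            return QUALIFIERS[qualifier], dns_terms
    return "neutral", dns_terms  # nothing matched: SPF's default result


if __name__ == "__main__":
    for label, record in (("before", BEFORE), ("after", AFTER), ("ptr", PTR_BASED)):
        for client in ("94.30.116.48", "62.69.62.102"):
            print(label, client, evaluate(record, client))
```

With `-all`, mail sent directly from the on-site address now fails, so the relay has to carry all outbound mail for the domain before the record leaves `~all` testing.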

