Mailing List Archive

SPF setup without the wizard?
Dear List Persons,

First, thank you Frank Ellermann and Steve Yates for the nice
responses. (Steve Yates? I know that name from somewhere. Do you
publish computer information [i.e. news, reviews, or tech info]
online?) [.Here's hoping you will continue to help even though I know
this is a long e-mail. I apologize if this sounds like a rant.]

Well, I spent a few more minutes Friday night before going home
reading more of the SPF site and other things and figured some things
out, but still had concerns upon leaving. I let my mind get nice and
distracted on other things (thank goodness) so I didn't have to worry
about this over the weekend. But, it's Monday and back to work and back
to figuring this all out.

One thing I found out before leaving Friday night was that I can
add TXT records to my DNS on ZoneEdit. Thus, I realized that the
"Wizard" is just preparing a string for TXT records that I would put in
there. And it makes me think I don't even need to use a Wizard.

Instead of responding to the questions and responses individually
I decided to send to the list group again, figuring anyone (except the
newest of comers) will have Frank's and Steve's responses to my initial
questions if reference is needed. And some of the things I can just
leave out because I realized some of my own stupidity.

Thank you Frank for the simple response. These TXT examples may
be almost exactly what I need, except I might need to understand the
technical info or the "Syntax" to make sure what I am doing is exactly
correct. From reading these responses and looking at it, it appears
that the TXT record needs to be in a specific syntax that starts
"v=spf1". Is there any documentation (I admit I haven't searched yet) on
the syntax of these records so I know what all the possibilities are and
how I should actually set mine up? A good technical reference or
technical manual is always better than a Wizard for me.

But, Steve's response raises some more questions about this whole
SPF thing.

From the reading I have done I am still trying to decide if SPF
is a good thing for me or not. It seems a little better than what most
ISPs are doing right now, but doesn't necessarily look good for my
business, either in filtering incoming e-mail or in sending e-mail.

While working with AOL it has come to my attention that AOL is
not only blocking all e-mail from dynamic IP addresses (causing me to
have to switch ISPs and pay hundreds per month for static IP addresses),
of which there are only about three ISPs (of the hundreds of ISPs) in the
Salt Lake valley that even offer "static" IP addresses, and at huge extra
monthly prices. Then AOL was blocking anything without reverse DNS set
to the correct HELO server name, so I was lucky I got an ISP now that
will do reverse DNS on those IP addresses set to my domain names and
HELO message. But, more recently AOL has decided they are going to
block ALL spoofed e-mail. Now here is a problem: sometimes "spoofing"
e-mail is absolutely necessary and legitimate. Unfortunately, it sounds
as though in order to stop spammers some companies have decided all
"spoofed" e-mail is bad.

So I have already had to jump through hundreds of hoops with AOL
and other big companies just to get the few e-mail messages that I need
to send to customers (typically no more than three messages per month)
and some employees that use these stupid ISPs, and now I am thinking I
need to jump through this SPF hoop as well. Or maybe I don't.

It sounds like SPF is a way to limit what can be spoofed and what
can't. This in itself seems much better to me than AOL's current way of
blocking all spoofed e-mail. But, it sounds like AOL is going to block
anything that doesn't have SPF records, and, if I have SPF records I
still may not be able to spoof when needed. So what do I do?

Here is the quandary. Right now my boss uses the e-mail address
she has been using for nearly a decade for the main business e-mail
address (published all over). It is an xmission.com address. However,
I can't send my e-mail through xmission.com: 1) we no longer even use
xmission as an ISP so don't connect to xmission.com; 2) myself and
several other employees use our business e-mail addresses for different
domain names based on who we are commenting with and I can't send those
through xmission.com (or they would be spoofed the other way). Thus, to
continue to use the e-mail address my boss has published all over and in
hundreds of thousands of printed documents, not to mention the hundreds
of web sites, portals, and contacts that she has given her e-mail
address to, I HAVE TO SPOOF THAT E-MAIL ADDRESS. [.Yes, that e-mail
address still gets tons of spam and most of that xmission filters, which
means we often miss important e-mail messages too.]

Friday, when I was absolutely sure there is no other workaround
(as AOL even blocks a "spoofed" reply-to address), I told my boss that
she will need to lose this e-mail address because of the spoofing
issues. But, I doubt very much at 78 years old she will go for my
opinions or expertise.

Then when it comes to other domains, again I might be sending out
a gbesco.com e-mail from the reidschool.com domain or vice versa. Any
and/or all of our domain names might send out e-mail from any or all of
our three servers on the two specific subnets. These could present
spoofing issues just within our companies. [.It's not my fault my bosses
run several small businesses and several domain names on these two
silly little networks at two locations.]

Now, there are other spoofing problems too. For instance, on
occasion I send business-related e-mails from home using my home ISP's
e-mail server. My work servers are so tight that I can't allow an
incoming connection from anyone not on the LAN to send e-mail from them. To
unsecure my mail servers (as I use a dynamic IP address at home because I
can't afford $350 per month at home for a static IP address) would be
like asking for my currently secure servers to get used as spamming
machines by remote attackers. So I utterly refuse to open my servers
up. So again, there are legitimate reasons for spoofed e-mail. Then
add to it the fact that any or all three of the servers may send e-mail
from domain names not associated with the server's ptr records; that too
may be considered spoofed depending on how the filters are designed.
So this is why I really need to understand exactly how SPF is working so
I can see how to jump through this hoop and still get my e-mail through
to AOL and other ISPs that decide to use this filter method.

There is also the problem that I can't administer the network
(subnet) on the reidschool.com domain. Thus I can't keep these people
safe at all. I run a very strict firewall/proxy server to help
alleviate the fact that I can't do anything (I don't even have keys to
that building) to really secure that whole network. In order for my
boss to send e-mail (she works at that building, though usually she has
me send her e-mail anyway) I have to have that proxy server send out as
an SMTP server if needed, though rarely. But again, she is using an
xmission.com e-mail address, or she will use an ecri.cc [her main
business name] address if I ever get her to switch, but she is on a
reidschool.com network.

Then there are the web servers for all seven domain names.
Scripting for sending of e-mail is possible and may one day occur.
Currently only www.reidschool.com has any scripting in place that may
send notifications of updates to parents of children attending that
school [if they subscribe]. Right now that script is completely turned
off, but in preparing for the future, I want to be sure my e-mail can
get through to those parents that sign up for such a notification
system. And unfortunately statistics show that half or more of those
parents are going to be using AOL and even more use other large
ISPs' e-mail addresses. So I have to deal with being able to get my
outgoing e-mail through to these obnoxious ISPs for delivery to these
people for any and/or all of my domain names coming out of any or all of
the three servers I run.

I really don't worry so much about people spoofing my e-mail. I
can show it wasn't my server should anyone try to accuse these
companies. So far, I have only had one incident where someone spoofed a
webmaster@domain.com address that we don't even use. Since I am the
webmaster, it ticked me off that day. Yes, that was annoying, but I
disabled the "webmaster" e-mail address and all other RFC-compliant
addresses, and said "I don't give a damn about the RFC specs" if
people are going to spoof an e-mail address that isn't even used.
Anyone wanting to get hold of me as the webmaster can find a valid
company e-mail address on any of our web pages.

As for ever using SPF to filter incoming e-mail, I would never
need to do that. The best way to control spam is to prosecute the
spammers. And since I give out separate e-mail addresses, I will know
who either spammed me, or sold my name to spammers, thereby aiding and
abetting criminals. AND I WILL PROSECUTE THEM!!!

Thus, over the past year since I started this process, I have
reduced the spam to next to nothing. Mainly only to list servers like
this one, where the e-mail address may be harvestable but certainly going
to unknown destinations, and to the standard 20 or so RFC e-mail addresses
per domain, which I recently got rid of anyway. It seems to me this way
is better than any filter, because all other filters will block
important e-mail as much or more commonly (percentage wise) than they block
spam.

I understand that most people CAN'T do it the way I do. The
ultimate best way to avoid "spoofing" issues in particular is to change
the SMTP protocol and add a in so the receiving SMTP server does a quick
check asking if the reply-to e-mail address and the return path are valid
e-mail addresses with a quick question and response method on the
protocol level. I.E. send one packet to each server authoritative for
the reply-to domain and the return-path domain and receive one packet
back from each saying valid or invalid. Hardly any bandwidth would be
needed and this would reduce the vast majority of current spam that runs
with spoofed addresses, without blocking the valid use of spoofed messages.

But, I still have to deal with ISPs that simply refuse e-mail
because I don't have the time or money to pay some ISP for e-mail
addresses, and remote connections to their e-mail servers, and
colocating our servers and all the other headaches. In fact, when it
comes to it I really don't understand how small businesses exist on the
web or communicate through e-mail anymore because they are so
discriminated against just because of spammers.

So down to my real concern and questions: What exactly does
SPF do for the ISP that implements it? Exactly how does it work so I
can get my e-mail through reliably whether I have to spoof or not?
And, if I should set up these records, what are all the syntax structures
that are possible and what do they mean? For me it would be a lot
easier to read technical information such as syntax structures than
figure out silly questions in a Wizard, since my situation isn't very
typical.

Thanks again for all your help. I apologize if this sounded
like a rant.

Sincerely,
Nathan Tyler
"Computer Do All" for several small businesses.
Re: SPF setup without the wizard?
On Mon, 2005-07-11 at 12:47 -0600, Nathan Tyler wrote:

> Is there any documentation (I admit I haven't searched yet) on
> the syntax of these records so I know what all the possibilities are and
> how I should actually set mine up? A good technical reference or
> technical manual is always better than a Wizard for me.

Unfortunately, I don't have a link to the latest version of the draft
(in fact, I'm 850 messages behind on spf-discuss, and I believe some
documents have gained permanent addresses, but I don't know for sure).
Can someone else provide a link?


> So I have already had to jump through hundreds of hoops with AOL
> and other big companies just to get the few e-mail messages that I need
> to send to customers (typically no more than three messages per month)
> and some employees that use these stupid ISPs, and now I am thinking I
> need to jump through this SPF hoop as well. Or maybe I don't.

It might be easier to jump through hoops to get the employees under
control than it is trying to reverse engineer all the goofy methods
employees can come up with to game the system because they don't
understand it. In the former, acrobatics only needs to be done once, in
the latter, you might as well join the circus because the hoop jumping
will be never-ending.


> It sounds like SPF is a way to limit what can be spoofed and what
> can't. This in itself seems much better to me than AOL's current way of
> blocking all spoofed e-mail. But, it sounds like AOL is going to block
> anything that doesn't have SPF records, and, if I have SPF records I
> still may not be able to spoof when needed. So what do I do?

This is something you'll need to bring up with AOL. We can help you
with SPF setups and help notifying the correct parties who may not be
interpreting SPF records correctly, but if AOL is filtering/blocking
based on something else, that is beyond the scope of SPF.

If AOL blocking email from domains that don't have SPF records is a
concern, you can publish "v=spf1 ?all". This is a valid SPF record, so
you'll have one, but it essentially is the same as not having one.
Unfortunately, AOL could change their "policy" at any time to hamper the
delivery of email from domains that have what amounts to "open
policies" (which "v=spf1 ?all" really is). Again, this is AOL's
prerogative as an email receiver. AOL has been relatively good about
SPF and policies like these are AOL's way of throwing their weight
around to get quicker adoption of SPF, so while there might be upset in
the short term, part of the goal is to have it all shake out in the end
for the better.

> Here is the quandary. Right now my boss uses the e-mail address
> she has been using for nearly a decade for the main business e-mail
> address (published all over). It is an xmission.com address. However,
> I can't send my e-mail through xmission.com: 1) we no longer even use
> xmission as an ISP so don't connect to xmission.com; 2) myself and
> several other employees use our business e-mail addresses for different
> domain names based on who we are commenting with and I can't send those
> through xmission.com (or they would be spoofed the other way). Thus, to
> continue to use the e-mail address my boss has published all over and in
> hundreds of thousands of printed documents, not to mention the hundreds
> of web sites, portals, and contacts that she has given her e-mail
> address to, I HAVE TO SPOOF THAT E-MAIL ADDRESS. [.Yes, that e-mail
> address still gets tons of spam and most of that xmission filters, which
> means we often miss important e-mail messages too.]

Obviously your boss is still paying for the xmission.com address.
xmission.com should set up a way for your boss to submit her outbound
mail to their servers if she wants to send from her xmission.com
address. Then this is a simple reconfiguration of her email client to
use xmission.com servers when sending xmission.com email.

Alternatively, she can send from xmission.com and set the Reply-to her
current address. But this is not ideal, since the xmission.com address
is the legacy address. The better method is that your boss not send
from xmission.com at all but only use her current address for all
correspondence. Her xmission.com address can forward to her current
mailbox (and if you are SPF filtering, you would need to whitelist
xmission.com). The whole goal of keeping an old email address alive is
so you can continue to receive mail sent to it, but the inverse (to send
from it) is not necessarily true.


> Now, there are other spoofing problems too. For instance, on
> occasion I send business-related e-mails from home using my home ISP's
> e-mail server. My work servers are so tight that I can't allow an
> incoming connection from anyone not on the LAN to send e-mail from them. To
> unsecure my mail servers (as I use a dynamic IP address at home because I
> can't afford $350 per month at home for a static IP address) would be
> like asking for my currently secure servers to get used as spamming
> machines by remote attackers. So I utterly refuse to open my servers
> up. So again, there are legitimate reasons for spoofed e-mail.

This is not one of those legitimate reasons. Please see RFC2476
"Message Submission". You can set up a submission service on your mail
server(s) and use that, from wherever, to inject email into the internet
through known, controllable servers without opening it up as an open
relay. Depending on which SMTP server software you use, someone on this
list might be able to point you to the right document on how to set it
up. Here's one for postfix: http://www.postfix.org/SASL_README.html


> Then
> add to it the fact that any or all three of the servers may send e-mail
> from domain names not associated with the server's ptr records

This is why you shouldn't use "ptr" in your domains' SPF records.

> that too
> may be considered spoofed depending on how the filters are designed.

"filtering" methods are beyond the scope of SPF -- SPF is about sender
policy. We can not assist you with anything having to do with
receiver's filtering/blocking policies other than how they relate to
SPF.

> Then there are the web servers for all seven domain names.
> Scripting for sending of e-mail is possible and may one day occur.
> Currently only www.reidschool.com has any scripting in place that may
> send notifications of updates to parents of children attending that
> school [if they subscribe]. Right now that script is completely turned
> off, but in preparing for the future, I want to be sure my e-mail can
> get through to those parents that sign up for such a notification
> system. And unfortunately statistics show that half or more of those
> parents are going to be using AOL and even more use other large
> ISPs' e-mail addresses. So I have to deal with being able to get my
> outgoing e-mail through to these obnoxious ISPs for delivery to these
> people for any and/or all of my domain names coming out of any or all of
> the three servers I run.

You can do this with include and/or redirect.

>
> I really don't worry so much about people spoofing my e-mail. I
> can show it wasn't my server should anyone try to accuse these
> companies.

Then you have some interesting technology that you are not sharing :)

> So far, I have only had one incident where someone spoofed a
> webmaster@domain.com address that we don't even use. Since I am the
> webmaster, it ticked me off that day. Yes, that was annoying, but I
> disabled the "webmaster" e-mail address and all other RFC-compliant
> addresses, and said "I don't give a damn about the RFC specs" if
> people are going to spoof an e-mail address that isn't even used.
> Anyone wanting to get hold of me as the webmaster can find a valid
> company e-mail address on any of our web pages.
>
> As for ever using SPF to filter incoming e-mail, I would never
> need to do that. The best way to control spam is to prosecute the
> spammers. And since I give out separate e-mail addresses, I will know
> who either spammed me, or sold my name to spammers, thereby aiding and
> abetting criminals. AND I WILL PROSECUTE THEM!!!

If spammers could be effectively tracked down and prosecuted, there'd be
a lot more of that. SPF tries to help that by having people document
their email infrastructure (in the SPF record) so email sources can be
tracked significantly more reliably than they can now.

...
> I understand that most people CAN'T do it the way I do. The
> ultimate best way to avoid "spoofing" issues in particular is to change
> the SMTP protocol and add a in so the receiving SMTP server does a quick
> check asking if the reply-to e-mail address and the return path are valid
> e-mail addresses with a quick question and response method on the
> protocol level.

That is what SPF tries to do. Using DNS (UDP) is much more efficient
than having callbacks over TCP. There are many exploitable DoS holes
that SPF has tried to close by making the protocol simple (although I
suppose exactly how simple is debatable :) ) and not bandwidth, query or
CPU hungry. For a few years now there have been a number of "competing"
anti-forgery systems, and SPF is, I believe, the leader in terms of
number of records deployed. Callback systems suffer from a much larger
chicken-and-egg problem because all SMTP servers essentially need to be
upgraded at once, where internet-wide SPF deployment can happen more
piecemeal (and AOL, by publicizing that they are enforcing SPF records
on the receiving end, is trying to give that more thrust).

> I.E. send one packet to each server authoritative for
> the reply-to domain and the return-path domain and receive one packet
> back from each saying valid or invalid.

If you want to use this kind of measurement, SPF requires even fewer
packets over time because DNS responses are cached and SPF records can
be optimized to only include ip4 mechanisms (which, other than looking
up the SPF record, places near zero load on checking SPF).

> Hardly any bandwidth would be
> needed and this would reduce the vast majority of current spam that runs
> with spoofed addresses, without blocking the valid use of spoofed messages.

If you have a "valid use of spoofed messages", SPF supports that by not
requiring you to publish an SPF record, or publish SPF records on a per-
user basis using macros.

> But, I still have to deal with ISPs that simply refuse e-mail
> because I don't have the time or money to pay some ISP for e-mail
> addresses, and remote connections to their e-mail servers, and
> colocating our servers and all the other headaches.

Incidentally, what you've described so far sounds to me like such a huge
headache, I'd be willing to go to the trouble to bring everything under
my own control to avoid having to deal with other ISPs' connectivity and
email and payment policies. ;)

> So down to my real concern and questions: What exactly does
> SPF do for the ISP that implements it?

On the sending side, it tells the world where your email comes from, so
they can detect forgeries easier.

On the receiving side, it allows rejection of the email before the DATA
phase, thereby saving transmission bandwidth, and disk space and
processing power in post-acceptance filters.

> Exactly how does it work so I
> can get my e-mail through reliably whether I have to spoof or not?

The ideal situation is to get your email infrastructure under control,
so you don't have to spoof.

--
Andy Bakun <spf@leave-it-to-grace.com>
Re: SPF setup without the wizard?
On Mon, 11 Jul 2005 12:47:50 -0600
Nathan Tyler <spf@gbesco.com> wrote:

> While working with AOL it has come to my attention that AOL is
> not only blocking all e-mail from dynamic IP addresses

There are available block lists of dynamic IPs, under the theory
that a "home user" is far more likely to have a virus spewing out
itself, than a legitimate mail server. AOL is not the only one to have
this policy.

It's purely defensive...we work with a data center that was
tallying 2 billion blocked e-mails per month...and that didn't count the
spam that got through.

> Then AOL was blocking anything without reverse DNS set

Many ISPs do this. Most check only that there IS *some* reverse
DNS, not if it resolves to the HELO.

By the way...you might see http://postmaster.aol.com/guidelines/bestprac.html .

> It sounds like SPF is a way to limit what can be spoofed and what
> can't.

Yes, exactly. And that's all.

> to
> continue to use the e-mail address my boss has published all over and in
> hundreds of thousands of printed documents not to mention that hundreds
> of web sites, portals, and contacts that she has given her e-mail
> address to, I HAVE TO SPOOF THAT E-MAIL ADDRESS.

Does she need to SEND mail with it? Why not just use that for
incoming e-mail, and use her "new" (real?) e-mail address for
outgoing/new e-mail?

> So I have to deal with being able to get my
> outgoing e-mail through into these obnoxious ISPs for delivery to these
> people for any and or all of my domain names coming out of any or all of
> the three servers I run.

So each domain name would need its SPF record to reference all
three IP addresses (one per server).

> I really don't worry so much about people spoofing my e-mail.

This sounds funny after the security comments above. You really
wouldn't mind me sending mail to your customers saying that "gbesco.com
has been bought out, please refer all sales calls to ITS"?

> ultimate best way to avoid "spoofing" issues in particular is to change
> the SMTP protocol and add a in so the receiving SMTP server does a quick
> check asking if the reply-to e-mail address and the return path are valid
> e-mail addresses

Hey, sounds like SPF. :)

> So down to my real concern and questions: What exactly does
> SPF do for the ISP that implements it? Exactly how does it work so I
> can get my e-mail through reliably whether I have to spoof or not?

SPF simply runs through the list of servers in the sender's
domain's SPF record, and sees if the IP address from which the message
arrived matches one of those. If not, the message is fake.

- Steve Yates
- ITS, Inc.
- D.A.M. Mothers Against Dyslexia

~ Taglines by Taglinator 4 - www.srtware.com ~
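Steve's one-sentence description of the check (walk the sender domain's record, compare the connecting IP against the listed sources) and Andy's points earlier in the thread (include and redirect for several domains sharing the same servers, "v=spf1 ?all" as an open policy, ip4 mechanisms costing nothing beyond the record lookup, and not using ptr) can be tried offline with the evaluator below. This is an added example written for this archive page; it is not code from the SPF project, from AOL, or from any poster. The domain names, IP addresses and TXT records in its ZONE table are constructed to mirror the three-servers/several-domains setup Nathan describes, and only the mechanisms the thread talks about are implemented (the live-DNS mechanisms a, mx, ptr and exists are reported as permerror instead of being resolved).

```python
"""Minimal SPF (v=spf1) evaluator over a constructed, in-memory DNS table.

Added example, not code from the original thread or from the SPF project.
Hostnames, addresses and records below are constructed for illustration;
no network lookups are made.
"""
import ipaddress

# Constructed TXT records: three mail servers shared by several domains.
# Each domain points at one shared policy via redirect= or include:.
ZONE = {
    "example-mail.test": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 ip4:198.51.100.5 -all",
    "gbesco.test":       "v=spf1 redirect=example-mail.test",
    "reidschool.test":   "v=spf1 include:example-mail.test ~all",
    "open-policy.test":  "v=spf1 ?all",               # valid record, says nothing
    "ptr-policy.test":   "v=spf1 ptr -all",           # needs live DNS; not modelled
    "loopy.test":        "v=spf1 include:loopy.test -all",  # self-referencing loop
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_txt(domain):
    """Return the SPF TXT record for domain, or None (constructed table only)."""
    return ZONE.get(domain)

def check_host(ip, domain, _depth=0):
    """Evaluate SPF for connecting address `ip` claiming sender domain `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _depth > 10:                 # cap recursion to guard against include loops
        return "permerror"
    record = lookup_txt(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]    # applied only if nothing else matches
            continue
        qual = "+"                              # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # bare address => /32 or /128
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            sub = check_host(ip, arg, _depth + 1)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub in ("permerror", "none"):    # broken or missing included policy
                return "permerror"
            # fail/softfail/neutral from the include: no match, keep evaluating
        elif name in ("a", "mx", "ptr", "exists"):
            return "permerror"                  # live-DNS mechanisms not modelled here
        else:
            return "permerror"                  # unknown mechanism
    if redirect is not None:
        sub = check_host(ip, redirect, _depth + 1)
        return "permerror" if sub == "none" else sub
    return "neutral"                            # no "all", no redirect: default result

if __name__ == "__main__":
    cases = [("192.0.2.10", "gbesco.test"), ("203.0.113.9", "gbesco.test"),
             ("203.0.113.9", "reidschool.test"), ("203.0.113.9", "open-policy.test"),
             ("192.0.2.10", "ptr-policy.test"), ("192.0.2.10", "loopy.test")]
    for ip, dom in cases:
        print(f"{ip:>12} claiming {dom:<18} -> {check_host(ip, dom)}")
```

Running it prints one result per (IP, domain) pair. A connecting host that is not one of the three listed addresses gets fail or softfail depending on the final "all" qualifier of the policy it redirects to or includes, while the open "?all" policy yields neutral for every source, which is why Andy calls it equivalent to having no record at all; the record that relies on ptr evaluates to permerror here because the only way to honour it is a reverse lookup against live DNS, the dependency Andy advises against.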
Re: SPF setup without the wizard?
On Mon, 11 Jul 2005 14:42:30 -0500
Andy Bakun <spf@leave-it-to-grace.com> wrote:

> On Mon, 2005-07-11 at 12:47 -0600, Nathan Tyler wrote:
>
> > Is there any documentation (I admit I haven't searched yet) on
> > the syntax of these records so I know what all the possibilities are and
> > how I should actually set mine up? A good technical reference or
> > technical manual is always better than a Wizard for me.
>
> Unfortunately, I don't have a link to the latest version of the draft

At http://spf.pobox.com/sitemap.html , there are a few documents
not really linked to from elsewhere on that site, AFAIK. From there see
"SPF: RFC background reading" for the draft and "SPF Mechanisms / Syntax"
for explanations. Not sure if either are up to date. :)

- Steve Yates
- ITS, Inc.
- A pun is its own reword.

~ Taglines by Taglinator 4 - www.srtware.com ~
Re: SPF setup without the wizard?
On Mon, 11 Jul 2005 12:47:50 -0600
Nathan Tyler <spf@gbesco.com> wrote:

> (Steve Yates? I know that name from somewhere. Do you
> publish computer information [i.e. news, reviews, or tech info]
> online?)

Hmm, I am famous? :) We have a newsletter, at
www.teamITS.com/connection ...?

- Steve Yates
- ITS, Inc.
- Warning: Dates in calendar are closer than they appear.

~ Taglines by Taglinator 4 - www.srtware.com ~
Re: SPF setup without the wizard?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andy Bakun wrote:
> On Mon, 2005-07-11 at 12:47 -0600, Nathan Tyler wrote:
> > Is there any documentation (I admit I haven't searched yet) on
> > the syntax of these records so I know what all the possibilities are
> > and how I should actually set mine up? A good technical reference or
> > technical manual is always better than a Wizard for me.
>
> Unfortunately, I don't have a link to the latest version of the draft
> (in fact, I'm 850 messages behind on spf-discuss, and I believe some
> documents have gained permanent addresses, but I don't know for sure.
> Can someone else provide a link?

http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html

or

http://www.ietf.org/internet-drafts/draft-schlitt-spf-classic-02.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC0uwPwL7PKlBZWjsRAuVgAJ9olbJpeZW7t1sOWQS5hB+p+NcScACgxpno
o9CGTRuAfAGBKN0ctJVY6CQ=
=fxHf
-----END PGP SIGNATURE-----
Re: SPF setup without the wizard?
Oh, man am I in over my head. Thanks to those who responded
to my lengthy e-mail. It appears to me I am NOT being understood very
well, and that is probably because I am in over my head. I am expected
on a regular 40 hour work week to be a Network Administrator (for two
networks), a Database Server Administrator, an E-mail Server
Administrator, a Webmaster/Web Developer, a Desktop Publisher (which
includes word processing, typesetting, illustration artistry, graphics
artistry, etc.), a Software/Application Developer, Security Adviser /
Implementor, I am also the entire Help Desk and IT support staff, I am
also an e-mail assistant, and even just a general secretary a lot of the
time, as well as the occasional physical laborer, and if it involves a
computer in any way I am expected to be able to do it. And all this on
one half the wages that most people doing any one of the more technical
jobs (I listed above) would get. On top of that my bosses refuse to
help pay for any schooling or training, so I can't get any real training
on any of this stuff. I have to learn in the school of hard knocks. I
have already spent over $10,000 of my own money and in big debt for the
little development training I received until the Utah State Board of
Education decided to close the school I was attending down making it
impossible for me to get the rest of the training I had paid for.


Andy Bakun wrote:

>On Mon, 2005-07-11 at 12:47 -0600, Nathan Tyler wrote:
>
>
>
>>Is there any documentation (I admit I haven't searched yet) on
>>the syntax of these records so I know what all the possibilities are and
>>how I should actually set mine up? A good technical reference or
>>technical manual is always better than a Wizard for me.
>>
>>
>
>Unfortunately, I don't have a link to the latest version of the draft
>(in fact, I'm 850 messages behind on spf-discuss, and I believe some
>documents have gained permanent addresses, but I don't know for sure.
>Can someone else provide a link?
>
>
I found this one on the site map. Didn't see any links from the main
pages, but when I got to the site map, I found it.

>> So I have already had to jump through hundreds of hoops with AOL
>>and other big companies just to get the few e-mail messages that I need
>>to send to customers (typically no more than three messages per month)
>>and some employees that use these stupid ISPs, and now I am thinking I
>>need to jump through this SPF hoop as well. Or maybe I don't.
>>
>>
>
>It might be easier to jump through hoops to get the employees under
>control than it is trying to reverse engineer all the goofy methods
>employees can come up with to game the system because they don't
>understand it. In the former, acrobatics only needs to be done once, in
>the latter, you might as well join the circus because the hoop jumping
>will be never-ending.
>
>
>
The hoops I am referring to are simply taking the appropriate steps as
an e-mail server administrator to allow messages coming out of my
servers to be accepted at other companies and ISPs, and because other
companies and ISPs keep changing their policies and filters I keep
having to jump through hoops. But, I see no other way around it unless
we want to forgo all e-mail whatsoever.

>
>
>> It sounds like SPF is a way to limit what can be spoofed and what
>>can't. This in itself seems much better to me than AOL's current way of
>>blocking all spoofed e-mail. But, it sounds like AOL is going to block
>>anything that doesn't have SPF records, and, if I have SPF records I
>>still may not be able to spoof when needed. So what do I do?
>>
>>
>
>This is something you'll need to bring up with AOL. We can help you
>with SPF setups and help notifying the correct parties who may not be
>interpreting SPF records correctly, but if AOL is filtering/blocking
>based on something else, that is beyond the scope of SPF.
>
>If AOL blocking email from domains that don't have SPF records is a
>concern, you can publish "v=spf1 ?all". This is a valid SPF record, so
>you'll have one, but it essentially is the same as not having one.
>Unfortunately, AOL could change their "policy" at any time to hamper the
>delivery of email from domains that have what amounts to "open
>policies" (which "v=spf1 ?all" really is). Again, this is AOL's
>prerogative as an email receiver. AOL has been relatively good about
>SPF and policies like these are AOL's way of throwing their weight
>around to get quicker adoption of SPF, so while there might be upset in
>the short term, part of the goal is to have it all shake out in the end
>for the better.
>
>
Right, I am not accusing SPF of anything here, just AOL. I have been
fighting with AOL for months and months just to get one or two messages
per month through to their users; it seems like a big headache for such a
small thing. Then I notice they are now encouraging spammers: one of
their whitelist filters actually says you have to send more than 100
messages per day to their networks. WTF? Seems to me AOL is promoting
SPAM, not trying to get rid of it.

>> Here is the quandary. Right now my boss uses the e-mail address
>>she has been using for nearly a decade for the main business e-mail
>>address (published all over). It is an xmission.com address. However,
>>I can't send my e-mail through xmission.com: 1) we no longer even use
>>xmission as an ISP so don't connect to xmission.com; 2) myself and
>>several other employees use our business e-mail addresses for different
>>domain names based on who we are communicating with and I can't send those
>>through xmission.com (or they would be spoofed the other way). Thus, to
>>continue to use the e-mail address my boss has published all over and in
>>hundreds of thousands of printed documents, not to mention the hundreds
>>of web sites, portals, and contacts that she has given her e-mail
>>address to, I HAVE TO SPOOF THAT E-MAIL ADDRESS. [.Yes, that e-mail
>>address gets tons of spam still and most of that xmission filters, which
>>means we often miss important e-mail messages too.]
>>
>>
>
>Obviously your boss is still paying for the xmission.com address.
>xmission.com should set up a way for your boss to submit her outbound
>mail to their servers if she wants to send from her xmission.com
>address.
>
Yes, XMission says use IMAP. Unfortunately IMAP has too many cons to
bother. First and foremost is that the mailbox gets full in three days
without using POP; second is that sending via IMAP keeps no records here but on
XMission's server (I haven't yet found a way to POP messages out of the
"outbox"); third, getting my boss just to pick up POP mail with a very
simplistic e-mail client has been a struggle for the past 6 years, and there
is no way I could ever teach her IMAP interfaces, let alone xmission's
interfaces that they change every 6 months or so.

>Then this is a simple reconfiguration of her email client to
>use xmission.com servers when sending xmission.com email.
>
Nope, I can't reconfigure her e-mail client to send out of anything but
our proxy server. The only alternative would be IMAP and even then I am
not sure if IMAP will work using this strict firewall proxy
configuration. I admit there are better implementations I could use,
but for what we need to do and our legal interests, any other comparable
implementation would cost many thousands of dollars (including
repetitive costs) that my bosses aren't willing to pay. So I have to
make do with a very poor implementation but one that keeps that network
at least not tooooooo vulnerable to attack. [.Though I never claim to be
a security expert in the least.]

>Alternatively, she can send from xmission.com and set the Reply-to her
>current address. But this is not ideal, since the xmission.com address
>is the legacy address. The better method is that your boss not send
>from xmission.com at all but only use her current address for all
>correspondence. Her xmission.com address can forward to her current
>mailbox (and if you are SPF filtering, you would need to whitelist
>xmission.com). The whole goal of keeping an old email address alive is
>so you can continue to receive mail sent to it, but the inverse (to send
>from it) is not necessarily true.
>
No, the problem with using Reply-To, for either her old address or a new one I
could set up, is that it doesn't matter. Using any "spoofed" e-mail address gets
blocked by AOL, whether it's in the "From", the "Reply-To" or the
"Return-Path". If any one of those is not checked as legit for the
same network as that of the sending SMTP server, AOL blocks it. I was
hoping I could just have her send out of the new address and have people
reply to the old one, but that didn't work.

>> Now, there are other spoofing problems too. For instance on
>>occasion, I send business related e-mails from home using my home ISP's
>>e-mail server. My work servers are so tight that I can't allow an
>>incoming connection to anyone not on the LAN to send e-mail from it. To
>>unsecure my mail servers (as I use a dynamic IP address at home because I
>>can't afford $350 per month at home for a static IP address) would be
>>like asking for my currently secure servers to get used as spamming
>>machines by remote attackers. So I utterly refuse to open my servers
>>up. So again, there are legitimate reasons for spoofed e-mail.
>>
>>
>
>This is not one of those legitimate reasons. Please see RFC2476
>"Message Submission". You can set up a submission service on your mail
>server(s) and use that, from wherever, to inject email into the internet
>through known, controllable servers without opening it up as an open
>relay. Depending on which SMTP server software you use, someone on this
>list might be able to point you to the right document on how to set it
>up. Here's one for postfix: http://www.postfix.org/SASL_README.html
>
>
>
Like I said I am learning in the school of hard knocks. Thank you for
this link, I will look into it. It so happens I am using postfix, so
maybe I can figure this out. Though the last time I tried to figure
anything out with postfix, I just got it screwed up and had to start
all over and set it up the original way again.

>>Then
>>add to it the fact that any or all three of the servers may send e-mail
>>from domain names not associated with the server's ptr records
>>
>>
>
>This is why you shouldn't use "ptr" in your domains' SPF records.
>
>
I am assuming here you are talking again about certain SPF record syntax
that I haven't yet read completely through (since I decided to respond to
this message). (I do know I have to have ptr DNS records in order for
AOL not to block the e-mail.)

>
>
>>that too
>>may be considered spoofed depending on how the filter's are designed.
>>
>>
>
>"filtering" methods are beyond the scope of SPF -- SPF is about sender
>policy. We can not assist you with anything having to do with
>receiver's filtering/blocking policies other than how they relate to
>SPF.
>
>
Am I going mad, or isn't the whole point of SPF to enable people to
set up filtering? What I was referring to here is that I need to know
exactly what an SPF enabled e-mail server is doing with those SPF
records so I know the best way to set up the SPF records to maximize my
ability to get my messages through to anyone who uses SPF in their filtering.

>> Then there are the web servers for all seven domain names.
>>Scripting for sending of e-mail is possible and may one day occur.
>>Currently only www.reidschool.com has any scripting in place that may
>>send notifications of updates to parents of children attending that
>>school [if they subscribe]. Right now that script is completely turned
>>off, but in preparing for the future, I want to be sure my e-mail can
>>get through to those parents that sign up for such a notification
>>system. And unfortunately statistics show that half or more of those
>>parents are going to be using AOL and even more that use other large
>>ISPs' e-mail addresses. So I have to deal with being able to get my
>>outgoing e-mail through into these obnoxious ISPs for delivery to these
>>people for any and or all of my domain names coming out of any or all of
>>the three servers I run.
>>
>>
>
>You can do this with include and/or redirect.
>
I am not sure if you are talking about the SPF record or some setting on the
e-mail server. [.So many words and so many definitions of any given
word in the technology area that it gets confusing when and which is
being referred to.]

>> I really don't worry so much about people spoofing my e-mail. I
>>can show it wasn't my server should anyone try to accuse these
>>companies.
>>
>>
>
>Then you have some interesting technology that you are not sharing :)
>
What? Looking at the headers it shows the IP address of the sending
SMTP server and any and all servers in-between [minus any rewriting,
which my servers don't do]. So, since my servers are very tight, I can
look, if the last server before the destination server is not mine, then
the message claiming to come from me was spoofed. I have heard of IP
address spoofing, and that might be a concern, but the rarity of that
makes that one of the least of my concerns. I just want my real and
valid e-mail to get delivered properly.

>>So far, I have only had one incident that someone spoofed a
>>webmaster@domain.com address that we don't even use. Since I am the
>>webmaster, it ticked me off that day. Yes, that was annoying but I
>>disabled the "webmaster" e-mail address and all other RFC compliant
>>addresses, and said "I don't give a damn about the RFC specs" if
>>people are going to spoof an e-mail address that isn't even used.
>>Anyone wanting to get hold of me as the webmaster can find a valid
>>company e-mail address on any of our web pages.
>>
>> As for ever using SPF to filter incoming e-mail, I would never
>>need to do that. The best way to control spam is to prosecute the
>>spammers. And since I give out separate e-mail addresses, I will know
>>who either spammed me, or sold my name to spammers therefore aiding and
>>abetting criminals. AND I WILL PROSECUTE THEM!!!
>>
>>
>
>If spammers could be effectively tracked down and prosecuted, there'd be
>a lot more of that. SPF tries to help that by having people document
>their email infrastructure (in the SPF record) so email sources can be
>tracked significantly more reliably than they can now.
>
That is why I use a special system of giving out a new and separate
e-mail address to any given individual or organization. If I get spam,
I know exactly how to track it. And the individual or company will be
held liable even if they didn't send the spam, because they aided those
who did. That doesn't work for such things as this though because of
the anonymity of the group and the archives that make the e-mail address
harvestable. Even then, ISPs have the ability to track it, if they
would take the time to do it; they won't, instead they just set up new
filters to keep blocking things, making me have to jump through hoops
just to get my e-mail delivered even though I definitely don't send
spam. [.Although I note, I am sending a lot more e-mail like this,
trying to resolve e-mail problems, that it is almost like me sending spam.]

> ...
>
>
>>I understand that most people CAN'T do it the way I do. The
>>ultimate best way to avoid "spoofing" issues in particular is to change
>>the SMTP protocol and add a step in so the receiving SMTP server does a quick
>>check asking if the reply-to e-mail address and the return path are valid
>>e-mail addresses with a quick question and response method on the
>>protocol level.
>>
>>
>
>That is what SPF tries to do. Using DNS (UDP) is much more efficient
>than having callbacks over TCP. There are many exploitable DoS holes
>that SPF has tried to close by making the protocol simple (although I
>suppose exactly how simple is debatable :) ) and not bandwidth, query or
>CPU hungry. For a few years now there have been a number of "competing"
>anti-forgery systems, and SPF is, I believe, the leader in terms of
>number of records deployed. Callback systems suffer from a much larger
>chicken-and-egg problem because all SMTP servers essentially need to be
>upgraded at once, where internet-wide SPF deployment can happen more
>piecemeal (and AOL, by publicizing that they are enforcing SPF records
>on the receiving end, is trying to give that more thrust).
>
>>I.E. send one packet to each server authoritative for
>>the reply-to domain and to and return-path domain and receive one packet
>>back from each saying valid or invalid.
>>
>>
>
>If you want to use this kind of measurement, SPF requires even fewer
>packets over time because DNS responses are cached and SPF records can
>be optimized to only include ip4 mechanisms (which, other than looking
>up the SPF record, places near zero load on checking SPF).
>
>
AHH! That is good news. You see, I mentioned I didn't understand what
SPF was and how it works. That sounds fine then, though I would like to
get into the nitty gritty if I ever have time. Like I said earlier,
reading up a little on the web site it sounds a lot better than what
most ISPs are doing to block spam, and this part here encourages me more
that this is a better technology. I still have my reservations about
the setting up of SPF records and the necessary spoofing in this
company's instance, but at least the industry is on the right track.

>>Hardly any bandwidth would be
>>needed and this would reduce the vast majority of current spam that runs
>>with spoofed addresses, without blocking the valid use of spoofed messages.
>>
>>
>
>If you have a "valid use of spoofed messages", SPF supports that by not
>requiring you to publish an SPF record, or publish SPF records on a per-
>user basis using macros.
>
Except it's not SPF that is requiring me to publish SPF records, but
companies that use SPF in their filters like AOL. Therefore if AOL says
they block everything without SPF records and I want my e-mail to be
delivered I HAVE TO SETUP SPF RECORDS.

>> But, I still have to deal with ISPs that simply refuse e-mail
>>because I don't have the time or money to pay some ISP for e-mail
>>addresses, and remote connections to their e-mail servers, and
>>colocating our servers and all the other headaches.
>>
>>
>
>Incidentally, what you've described so far sounds to me like such a huge
>headache, I'd be willing to go to the trouble to bring everything under
>my own control to avoid having to deal with other ISPs connectivity and
>email and payment policies. ;)
>
>
What? Having my own control is exactly what I am trying to do here.
Bringing everything under my control rather than some stupid ISP, is the
point of running my own e-mail server with my own domain names, rather
than co-locating servers or hosting such services through an ISP.
However, my control is limited to my own servers. I still can't control
AOL and its filtering policies. That is why I convinced my bosses to
pay the hundreds per month on both sites to use an ISP that allows me my
own control. ALL other ISPs I have looked at (literally dozens) utterly
refuse to allow the user any control. None of them want to allow a
business to run a business using their own services through the ISP
connectivity except three, and of those only one that offered the type
of access we wanted. What I wonder is how all other companies go about
this, maybe they give up the control and let their ISPs control their
servers by co-locating and or pay for hosting services, which they have
no control over at all.

[.I make this analogy: most ISPs' Internet connectivity is
like toilets; the ISPs know every business needs internet access (like
every business needs a bathroom), but they don't want that business to
conduct business (i.e. make any money) using their internet
connectivity. But, they want to sell additional services such as e-mail
hosting if people want to send e-mail, or web hosting for web servers.
It's like that toilet company that will also sell cell phones so you can
make business calls while in the bathroom.]

>> So down to my real concern and questions: What exactly does
>>SPF do for the ISP that implements it?
>>
>>
>
>On the sending side, it tells the world where your email comes from, so
>they can detect forgeries easier.
>
Right, this is why I want to know how the SPF works, so I know how
companies like AOL are detecting forgeries and get my servers/DNS setup
to maximize my ability to communicate with those companies doing the
filtered receiving.

>On the receiving side, it allows rejection of the email before the DATA
>phase, thereby saving transmission bandwidth, and disk space and
>processing power in post-acceptance filters.
>
>
Exactly, someone out there IS using SPF for filtering!!! Not me, I have
better ways.

>
>
>>Exactly how does it work so I
>>can get my e-mail through reliably whether I have to spoof or not.
>>
>>
>
>The ideal situation is to get your email infrastructure under control,
>so you don't have to spoof.
>
>
AGREED!!!! But, unlikely in this particular strange and obnoxious
little business SETUP I find myself in.
Re: SPF setup without the wizard? [ In reply to ]
On Mon, 11 Jul 2005 16:22:00 -0600
Nathan Tyler <spf@gbesco.com> wrote:

> Looking at the headers it shows the IP address of the sending
> SMTP server and any and all servers in-between [minus any rewriting,
> which my servers don't do]. So, since my servers are very tight, I can
> look, if the last server before the destination server is not mine, then
> the message claiming to come from me was spoofed.

What you are describing doing manually is the purpose of SPF.

SPF doesn't "filter" spam out of inbound mail a la SpamAssassin,
K9, Spamhaus SBL/XBL, etc. It helps filter out forged e-mail.

As for mail servers behind dynamic IPs, I believe it would work
to sign up with a service like no-ip.com, since that gives you an A
record that can be included into your SPF (gbesco.no-ip.com). The
software runs on your home PC to update the IP every time you get a new
one.

- Steve Yates
- ITS, Inc.
- Money can't buy happiness but it can certainly rent it for a couple of hours.

~ Taglines by Taglinator 4 - www.srtware.com ~
Re: SPF setup without the wizard? [ In reply to ]
On Mon, Jul 11, 2005 at 06:23:49PM -0500, Steve Yates wrote:

> > Looking at the headers it shows the IP address of the sending
> > SMTP server and any and all servers in-between [minus any rewriting,
> > which my servers don't do]. So, since my servers are very tight, I can
> > look, if the last server before the destination server is not mine, then
> > the message claiming to come from me was spoofed.
>
> What you are describing doing manually, is the purpose of SPF.
>
> SPF doesn't "filter" spam out of inbound mail a la SpamAssassin,
> K9, Spamhaus SBL/XBL, etc. It helps filter out forged e-mail.
>
> As for mail servers behind dynamic IPs, I believe it would work
> to sign up with a service like no-ip.com, since that gives you an A
> record that can be included into your SPF (gbesco.no-ip.com). The
> software runs on your home PC to update the IP every time you get a new
> one.

Note that SPF is actually used in spam filters such as
SpamAssassin. If this test is delayed, there is a slight
possibility that the IP address, thus the A record, has
changed and verification fails.

I wouldn't worry about this slim chance; however, one should
be aware of it.

Alex
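A small evaluator tying together what Andy, Steve and Alex describe above: what a receiving server actually does with a v=spf1 record, the "v=spf1 ?all" open policy, include/redirect for several domains sent from the same servers, ip4 and A-record mechanisms, and the stale-A-record caveat for a dynamic home IP. This is an added example, not code from the list, from the SPF project or from any real checker; every domain, address and record in it is constructed.

```python
"""Tiny SPF (v=spf1) evaluator over a constructed DNS table.

Added example; not code from the list, the SPF project or any real checker.
All domains (*.test), addresses (documentation ranges) and records below are
constructed. Implements ip4, a, include, redirect= and all with qualifiers.
"""
import copy
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 4408 cap on a/include/redirect evaluations

DNS = {
    # main business domain: two fixed servers, the mail host via its A
    # record, and the home connection pulled in with include:
    "biz.test": {"TXT": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.20 "
                        "a:mail.biz.test include:home.biz.test -all"},
    "mail.biz.test": {"A": ["192.0.2.30"]},
    # web-server domains that must be judged exactly like biz.test
    "school.test": {"TXT": "v=spf1 redirect=biz.test"},
    # syntactically valid record that asserts nothing (an "open policy")
    "legacy.test": {"TXT": "v=spf1 ?all"},
    # dynamic home IP published through a DNS-updated A record
    "home.biz.test": {"TXT": "v=spf1 a -all", "A": ["198.51.100.7"]},
    # the mechanism the list advised against; unsupported here on purpose
    "oldstyle.test": {"TXT": "v=spf1 ptr -all"},
}


def _lookup(dns, name, rtype):
    return dns.get(name, {}).get(rtype)


def check_host(ip, domain, dns=DNS, _lookups=None):
    """SPF result (pass/fail/softfail/neutral/none/permerror) for a
    connection from `ip` whose envelope sender claims `domain`."""
    if _lookups is None:
        _lookups = [0]              # counter shared across include/redirect
    record = _lookup(dns, domain, "TXT")
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"               # the domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        name, is_modifier, value = term.partition("=")
        if is_modifier and ":" not in name:
            if name.lower() == "redirect":
                redirect = value
            continue                # other modifiers (exp=...) are ignored
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "ip4":
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix length
        elif mech in ("a", "include"):
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            if mech == "a":         # a or a:<domain>; no /prefix support
                matched = str(addr) in (_lookup(dns, arg or domain, "A") or [])
            else:
                sub = check_host(ip, arg, dns, _lookups)
                if sub in ("none", "permerror"):
                    return "permerror"  # included domain must publish SPF
                matched = sub == "pass"
        else:
            return "permerror"      # not implemented here: ptr, mx, exists
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        _lookups[0] += 1
        if _lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        sub = check_host(ip, redirect, dns, _lookups)
        return "permerror" if sub == "none" else sub
    return "neutral"                # nothing matched, no all or redirect


def dynamic_ip_drift(dns=DNS):
    """Alex's caveat: a delayed check reads the A record as it is *now*.
    Returns the results before and after the home IP rolls over."""
    table = copy.deepcopy(dns)
    before = check_host("198.51.100.7", "biz.test", table)
    table["home.biz.test"]["A"] = ["198.51.100.9"]   # new dynamic address
    after = check_host("198.51.100.7", "biz.test", table)
    return before, after
```

Mail from 203.0.113.5 claiming legacy.test comes back "neutral", which is why "v=spf1 ?all" is as good as no record, while the same IP claiming school.test is redirected to biz.test and fails.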
RE: SPF setup without the wizard? [ In reply to ]
>Oh, man am I in over my head. Thanks to those who responded
>to my lengthy e-mail. It appears to me I am NOT being understood very
>well, and that is probably because I am in over my head. I am expected
>on a regular 40 hour work week to be a Network Administrator (for two
>networks), a Database Server Administrator, an E-mail Server
>Administrator, a Webmaster/Web Developer, a Desktop Publisher (which
>includes word processing, typesetting, illustration artistry, graphics
>artistry, etc.), a Software/Application Developer, Security Adviser /
>Implementor, I am also the entire Help Desk and IT support staff, I am
>also an e-mail assistant, and even just a general secretary a lot of the
>time, as well as the occasional physical laborer, and if it involves a
>computer in any way I am expected to be able to do it. And all this on
>one half the wages that most people doing any one of the more technical
>jobs (I listed above) would get. On top of that my bosses refuse to
>help pay for any schooling or training, so I can't get any real training
>on any of this stuff. I have to learn in the school of hard knocks. I
>have already spent over $10,000 of my own money and in big debt for the
>little development training I received until the Utah State Board of
>Education decided to close the school I was attending down making it
>impossible for me to get the rest of the training I had paid for.


Welcome to the club! Sounds like a pretty typical day in my IT Mngr
world... ;-)

And, this is why I'm taking my time studying and learning the SPF world
before making ANY DNS changes. Learned a lot off this list!



-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com]On Behalf Of Nathan Tyler
Sent: Monday, July 11, 2005 3:22 PM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] SPF setup without the wizard?


Oh, man am I in over my head. Thanks to those who responded
to my lengthy e-mail. It appears to me I am NOT being understood very
well, and that is probably because I am in over my head. I am expected
on a regular 40 hour work week to be a Network Administrator (for two
networks), a Database Server Administrator, an E-mail Server
Administrator, a Webmaster/Web Developer, a Desktop Publisher (which
includes word processing, typesetting, illustration artistry, graphics
artistry, etc.), a Software/Application Developer, Security Adviser /
Implementor, I am also the entire Help Desk and IT support staff, I am
also an e-mail assistant, and even just a general secretary a lot of the

time, as well as the occasional physical laborer, and if it involves a
computer in any way I am expected to be able to do it. And all this on

one half the wages that most people doing any one of the more technical
jobs (I listed above) would get. On top of that my bosses refuse to
help pay for any schooling or training, so I can't get any real training

on any of this stuff. I have to learn in the school of hard knocks. I
have already spent over $10,000 of my own money and in big debt for the
little development training I received until the Utah State Board of
Education decided to close the school I was attending down making it
impossible for me to get the rest of the training I had paid for.


Andy Bakun wrote:

>On Mon, 2005-07-11 at 12:47 -0600, Nathan Tyler wrote:
>
>
>
>>Is there any documentation (I admit haven't searched yet) on
>>the Syntax of these records so I know what all the possibilities are
and
>>how I should actually set mine up. A good technical reference or
>>technical manual is always better than a Wizard for me.
>>
>>
>
>Unfortunately, I don't have a link to the latest version of the draft
>(in fact, I'm 850 messages behind on spf-discuss, and I believe some
>documents have gained permanent addresses, but I don't know for sure.
>Can someone else provide a link?
>
>
I found this one on the site map. Didn't see any links from the main
pages, but when I got to the site map, I found it.

>> So I have already had to jump though hundreds of hoops with AOL

>>and other big companies just to get the few e-mail messages that I
need
>>to send to customers (typically no more than three messages per month)

>>and some employees that use these stupid ISPs, and now I am thinking I

>>need to jump though this SPF hoop too as well. Or maybe I don't.
>>
>>
>
>It might be easier to jump through hoops to get the employees under
>control than it is trying to reverse engineer all the goofy methods
>employees can come up with to game the system because they don't
>understand it. In the former, acrobatics only needs to be done once,
in
>the latter, you might as well join the circus because the hoop jumping
>will be never-ending.
>
>
>
The hoops I am referring to, is simply taking the appropriate steps as
an e-mail server administrator to allow messages coming out of my
servers to be accepted at other companies and ISPs, and because other
companies and ISPs keep changing their policies and filters I keep
having to jump thought hoops. But, I see no other way around it unless
we want to forgo all e-mail whatsoever.

>
>
>> It sounds like SPF is a way to limit what can be spoofed and
what
>>can't. This in itself seems much better to me than AOL's current way
of
>>blocking all spoofed e-mail But, it sounds like AOL is going to block

>>anything that doesn't have SPF records, and, if I have SPF records I
>>still may not be able to spoof when needed. So what do I do.
>>
>>
>
>This is something you'll need to bring up with AOL. We can help you
>with SPF setups and help notifying the correct parties who may not be
>interpreting SPF records correctly, but if AOL is filtering/blocking
>based on something else, that is beyond the scope of SPF.
>
>If AOL blocking email from domains that don't have SPF records is a
>concern, you can publish "v=spf1 ?all". This is a valid SPF record, so
>you'll have one, but it essentially is the same as not having one.
>Unfortunately, AOL could change their "policy" at any time to hamper
the
>delivery of email from domains that have what amounts to "open
>policies" (which "v=spf1 ?all" really is). Again, this is AOL's
>prerogative as an email receiver. AOL has been relatively good about
>SPF and policies like these are AOL's way of throwing their weight
>around to get quicker adoption of SPF, so while there might be upset in
>the short term, part of the goal is to have it all shake out in the end
>for the better.
>
>
Right, I am not accusing SPF of anything here, just AOL. I have been
fighting with AOL for months and months just to get one or two messages
per month through to their users, seems like a big headache for such a
small thing, then I notice they are now encouraging spammers, one of
their whitelist filters actually say you have to send more than 100
messages per day to their networks WTF? Seems to me AOL is promoting
SPAM not trying to get rid of it.

>> Here is the quandary. Right now my boss uses the e-mail
address
>>she has been using for nearly a decade for the main businesses e-mail
>>address (published all over). It is an xmission.com address.
However,
>>I can't send my e-mail though xmission.com 1) we no longer even use
>>xmission as an ISP so don't connect to xmssion.com 2) myself and
>>several other employees use our business e-mail addresses for
different
>>domain names based one who we are commenting with and I can't send
those
>>through xmission.com (or they would be spoofed the other way). Thus,
to
>>continue to use the e-mail address my boss has published all over and
in
>>hundreds of thousands of printed documents not to mention that
hundreds
>>of web sites, portals, and contacts that she has given her e-mail
>>address to, I HAVE TO SPOOF THAT E-MAIL ADDRESS. [.Yes, that e-mail
>>address gets tons of spam still and most of that xmission filters
which
>>means we often miss important e-mail messages too.]
>>
>>
>
>Obviously your boss is still paying for the xmission.com address.
>xmission.com should set up a way for your boss to submit her outbound
>mail to their servers if she wants to send from her xmission.com
>address.
>
Yes, XMission says use IMAP. Unfortunately IMAP has too many cons to
bother. First and foremost is that the mailbox gets full in three days
without using POP, second is sending IMAP keeps no records here but on
XMission's server (I haven't yet found a way to POP messages out of the
"outbox"), third getting my boss just to pick up POP mail with a very
simplistic e-mail client has been a struggle for the past 6 years, there

is no way I could ever teach her IMAP interfaces let alone xmission's
interfaces that they change every 6 months or so.

>Then this is a simple reconfiguration of her email client to
>use xmission.com servers when sending xmission.com email.
>
Nope, I can't reconfigure her e-mail client to send out of anything but
our proxy server. The only alternative would be IMAP and even then I am

not sure if IMAP will work using this strict firewall proxy
configuration. I admit there are better implementations I could use,
but for what we need to do and our legal interests, any other comparable

implementation would cost many thousands of dollars (including
repetitive costs) that my bosses aren't willing to pay. So I have to
make do with a very poor implementation but one that keeps that network
at least not tooooooo vulnerable to attack. [.Though I never claim to be

a security expert in the least.]

>Alternatively, she can send from xmission.com and set the Reply-to her
>current address. But this is not ideal, since the xmission.com address
>is the legacy address. The better method is that your boss not send
>from xmission.com at all but only use her current address for all
>correspondence. Her xmission.com address can forward to her current
>mailbox (and if you are SPF filtering, you would need to whitelist
>xmission.com). The whole goal of keeping an old email address alive is
>so you can continue to receive mail sent to it, but the inverse (to
send
>from it) is not necessarily true.
>
No the problem with using Reply-to for either to her old or a new one I
could setup doesn't matter. Using any "spoofed" e-mail address gets
blocked by AOL, whether its in the "From" the "Reply-To" or the
"Return-Path" Anyone one of those not being at checked as legit for the

same network as that of the sending SMTP server AOL it blocks it. I was

hoping I could just have her send out of the new address and have people

reply to the old one, but that didn't work.

>> Now, there are other spoofing problems too. For instance on
>>occasion, I send business related e-mail's from home using my home
ISPs
>>e-mail server. My work servers are so tight that I can't allow an
>>incoming connection to anyone not on the LAN to send e-mail from it.
To
>>unsecure my mail servers (as I use dynamic IP address at home because
I
>>can't afford $350 per month at home for a static IP address) would be
>>like asking for my currently secure servers to get used as spamming
>>machines by remote attackers. So I utterly refuse to open my servers
>>up. So again, there are legitimate reasons for spoofed e-mail.
>>
>>
>
>This is not one of those legitimate reasons. Please see RFC2476
>"Message Submission". You can set up a submission service on your mail
>server(s) and use that, from wherever, to inject email into the
internet
>through known, controllable servers without opening it up as an open
>relay. Depending on which SMTP server software you use, someone on
this
>list might be able to point you to the right document on how to set it
>up. Here's one for postfix: http://www.postfix.org/SASL_README.html
>
>
>
Like I said I am learning in the school of hard knocks. Thank you for

this link, I will look into it. It so happens I am using postfix, so
maybe I can figure this out. Though the last time I tried to figure
anything out with post fix, I just got it screwed up and had to start
all over and setup up the original way again.

>>Then
>>add to it the fact that any or all three of the servers may send
e-mail
>>from domain names not associated with the server's ptr records
>>
>>
>
>This is why you shouldn't use "ptr" in your domains' SPF records.
>
>
I am assuming here you are talking again about certain SPF record syntax

that I haven't yet read completely though (sine I decided to respond to
this message). (I do know I have to have ptr DNS records in order for
AOL not to block the e-mail.)

>
>
>>that too
>>may be considered spoofed depending on how the filter's are designed.
>>
>>
>
>"filtering" methods are beyond the scope of SPF -- SPF is about sender
>policy. We can not assist you with anything having to do with
>receiver's filtering/blocking policies other than how they relate to
>SPF.
>
>
Am I going mad, or isn't the whole point of SPF to enable people to
set up filtering? What I was referring to here is that I need to know
exactly what an SPF-enabled e-mail server is doing with those SPF
records so I know the best way to set up the SPF records to maximize my
ability to get my messages through to anyone who uses SPF in their
filtering.

>> Then there is the web servers for all seven domain names.
>>Scripting for sending of e-mail is possible and may one day occur.
>>Currently only www.reidschool.com has any scripting in place that may
>>send notifications of updates to parents of children attending that
>>school [if they subscribe]. Right now that script is completely turned
>>off, but in preparing for the future, I want to be sure my e-mail can
>>get through to those parents that sign up for such a notification
>>system. And unfortunately statistics show that half or more of those
>>parents are going to be using AOL and even more that use other large
>>ISPs' e-mail addresses. So I have to deal with being able to get my
>>outgoing e-mail through into these obnoxious ISPs for delivery to these
>>people for any and or all of my domain names coming out of any or all of
>>the three servers I run.
>>
>>
>
>You can do this with include and/or redirect.
>
I am not sure if you are talking about the SPF record or some setting on the
e-mail server. [.So many words and so many definitions of any given
word in the technology area that it gets confusing when and which is
being referred to.]

>> I really don't worry so much about people spoofing my e-mail. I
>>can show it wasn't my server should anyone try to accuse these
>>companies.
>>
>>
>
>Then you have some interesting technology that you are not sharing :)
>
What? Looking at the headers it shows the IP address of the sending
SMTP server and any and all servers in-between [minus any rewriting,
which my servers don't do]. So, since my servers are very tight, I can
look, if the last server before the destination server is not mine, then
the message claiming to come from me was spoofed. I have heard of IP
address spoofing, and that might be a concern, but the rarity of that
makes that one of the least of my concerns. I just want my real and
valid e-mail to get delivered properly.

>>So far, I have only had one incident that someone spoofed a
>>webmaster@domain.com address that we don't even use. Since I am the
>>webmaster, it ticked me off that day. Yes, that was annoying but I
>>disabled the "webmaster" e-mail address and all other RFC-compliant
>>addresses, and said "I don't give a damn about the RFC specs" if
>>people are going to spoof an e-mail address that isn't even used.
>>Anyone wanting to get ahold of me as the webmaster, can find a valid
>>company e-mail address on any of our web pages.
>>
>> As for ever using SPF to filter incoming e-mail I would never
>>need to do that. The best way to control spam is to prosecute the
>>spammers. And since I give out separate e-mail addresses, I will know
>>who either spammed me, or sold my name to spammers therefore aiding and
>>abetting criminals. AND I WILL PROSECUTE THEM!!!
>>
>>
>
>If spammers could be effectively tracked down and prosecuted, there'd be
>a lot more of that. SPF tries to help that by having people document
>their email infrastructure (in the SPF record) so email sources can be
>tracked significantly more reliably than they can now.
>
That is why I use a special system of giving out a new and separate
e-mail address to any given individual or organization. If I get spam,
I know exactly how to track it. And the individual or company will be
held liable even if they didn't send the spam, because they aided those
who did. That doesn't work for such things as this though because of
the anonymity of the group and the archives that make the e-mail address
harvestable. Even then, ISPs have the ability to track it, if they
would take the time to do it, they won't, instead they just set up new
filters to keep blocking things, making me have to jump through hoops
just to get my e-mail delivered even though I definitely don't send
spam. [.Although I note, I am sending a lot more e-mail like this,
trying to resolve e-mail problems that it is almost like me sending
spam.]

> ...
>
>
>>I understand that most people CAN'T do it the way I do. The
>>ultimate best way to avoid "spoofing" issues in particular is to change
>>the SMTP protocol and add a in so the receiving SMTP server does a quick
>>check asking if the reply-to e-mail address and the return path are valid
>>e-mail addresses with a quick question and response method on the
>>protocol level.
>>
>>
>
>That is what SPF tries to do. Using DNS (UDP) is much more efficient
>than having callbacks over TCP. There are many exploitable DoS holes
>that SPF has tried to close by making the protocol simple (although I
>suppose exactly how simple is debatable :) ) and not bandwidth, query or
>CPU hungry. For a few years now there have been a number of "competing"
>anti-forgery systems, and SPF is, I believe, the leader in terms of
>number of records deployed. Callback systems suffer from a much larger
>chicken-and-egg problem because all SMTP servers essentially need to be
>upgraded at once, where internet-wide SPF deployment can happen more
>piecemeal (and AOL, by publicizing that they are enforcing SPF records
>on the receiving end, is trying to give that more thrust).
>
>>I.E. send one packet to each server authoritative for
>>the reply-to domain and to and return-path domain and receive one packet
>>back from each saying valid or invalid.
>>
>>
>
>If you want to use this kind of measurement, SPF requires even fewer
>packets over time because DNS responses are cached and SPF records can
>be optimized to only include ip4 mechanisms (which, other than looking
>up the SPF record, places near zero load on checking SPF).
>
>
AHH! That is good news. You see, I mentioned I didn't understand what
SPF was and how it works. That sounds fine then, though I would like to
get into the nitty gritty if I ever have time. Like I said earlier,
reading up a little on the web site it sounds a lot better than what
most ISPs are doing to block spam, and this part here encourages me more
that this is a better technology. I still have my reservations about
the setting up of SPF records and the necessary spoofing in this
company's instance, but at least the industry is on the right track.

>>Hardly any bandwidth would be
>>needed and this would reduce the vast majority of current spam that runs
>>with spoofed addresses, without blocking the valid use of spoofed messages.
>>
>>
>
>If you have a "valid use of spoofed messages", SPF supports that by not
>requiring you to publish an SPF record, or publish SPF records on a
>per-user basis using macros.
>
Except it's not SPF that is requiring me to publish SPF records, but
companies that use SPF in their filters like AOL. Therefore if AOL says
they block everything without SPF records and I want my e-mail to be
delivered I HAVE TO SET UP SPF RECORDS.

>> But, I still have to deal with ISPs that simply refuse e-mail
>>because I don't have the time or money to pay some ISP for e-mail
>>addresses, and remote connections to their e-mail servers, and
>>colocating our servers and all the other headaches.
>>
>>
>
>Incidentally, what you've described so far sounds to me like such a huge
>headache, I'd be willing to go to the trouble to bring everything under
>my own control to avoid having to deal with other ISPs connectivity and
>email and payment policies. ;)
>
>
What? Having my own control is exactly what I am trying to do here.
Bringing everything under my control rather than some stupid ISP, is the
point of running my own e-mail server with my own domain names, rather
than co-locating servers or hosting such services through an ISP.
However, my control is limited to my own servers. I still can't control
AOL and its filtering policies. That is why I convinced my bosses to
pay the hundreds per month on both sites to use an ISP that allows me my
own control. ALL other ISPs I have looked at (literally dozens) utterly
refuse to allow the user any control. None of them want to allow a
business to run a business using their own services through the ISP
connectivity except three, and of those only one that offered the type
of access we wanted. What I wonder is how all other companies go about
this, maybe they give up the control and let their ISPs control their
servers by co-locating and or pay for hosting services, which they have
no control over at all.

[.I make this analogy: that most ISPs' Internet connectivity is
like toilets, the ISPs know every business needs internet access (like
every business needs a bathroom), but they don't want that business to
conduct business (i.e. make any money) using their internet
connectivity. But, they want to sell additional services such as e-mail
hosting if people want to send e-mail, or web hosting for web servers.
It's like that toilet company that will also sell cell phones so you can
make business calls while in the bathroom.]

>> So down to my real concern and questions: What exactly does
>>SPF do for the ISP that implements it.
>>
>>
>
>On the sending side, it tells the world where your email comes from, so
>they can detect forgeries easier.
>
Right, this is why I want to know how the SPF works, so I know how
companies like AOL are detecting forgeries and get my servers/DNS setup
to maximize my ability to communicate with those companies doing the
filtered receiving.

>On the receiving side, it allows rejection of the email before the DATA
>phase, thereby saving transmission bandwidth, and disk space and
>processing power in post-acceptance filters.
>
>
Exactly, someone out there IS using SPF for filtering!!! Not me, I have
better ways.

>
>
>>Exactly how does it work so I
>>can get my e-mail through reliably whether I have to spoof or not.
>>
>>
>
>The ideal situation is to get your email infrastructure under control,
>so you don't have to spoof.
>
>
AGREED!!!! But, unlikely in this particular strange and obnoxious
little business SETUP I find myself in.

-------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?member_id=1851834&user_secret=28fbc370
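The message above says a spoofed message is recognisable because the last server before the destination, as shown in the headers, is not one of the sender's own. The following is an added example, not code from this thread, that does that check mechanically: it walks the Received headers newest-first, stops at the first line written by a host the receiver controls, and takes the bracketed IP that the receiver's MTA itself recorded. That IP is the same value an SPF-checking receiver evaluates. Every host name, address and message below is constructed for the example; the HELO name in a Received line, and every older Received line, can be written by whoever connected, so only the IP observed by a trusted host counts as evidence.

```python
"""Find the IP that handed a message to the receiving MTA, from Received headers.

Added example, not code from the mailing-list thread. It shows the check
the poster describes: the hop just before the destination is the one the
receiver itself observed, and if that IP is not one of your servers the
message did not come from you. All host names and addresses are constructed.
"""
import email
import ipaddress
import re

# Assumptions for the example: the receiver's MX and the sender's own outbound IPs.
RECEIVER_HOSTS = {"mx.receiver.example"}
MY_SERVER_IPS = {"203.0.113.10", "203.0.113.20"}

# Constructed message: delivered by the sender's real server (203.0.113.20).
GENUINE = """\
Received: from mx.receiver.example (localhost [127.0.0.1])
    by mx.receiver.example (Postfix) with ESMTP id 1; Mon, 11 Jul 2005 10:00:03 -0600
Received: from mail.example.com (mail.example.com [203.0.113.20])
    by mx.receiver.example (Postfix) with ESMTP id 2; Mon, 11 Jul 2005 10:00:02 -0600
Received: from desk (desk.example.com [10.0.0.5])
    by mail.example.com (Postfix) with ESMTP id 3; Mon, 11 Jul 2005 10:00:01 -0600
From: boss@example.com
To: parent@receiver.example
Subject: test

body
"""

# Constructed forgery: the client said HELO mail.example.com, but the receiver
# saw it connect from 198.51.100.7, and the older Received line is fabricated.
FORGED = """\
Received: from mail.example.com (unknown [198.51.100.7])
    by mx.receiver.example (Postfix) with ESMTP id 4; Mon, 11 Jul 2005 11:00:02 -0600
Received: from desk (desk.example.com [10.0.0.5])
    by mail.example.com (Postfix) with ESMTP id 5; Mon, 11 Jul 2005 11:00:01 -0600
From: boss@example.com
To: parent@receiver.example
Subject: test

body
"""

HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s+by\s+(\S+)", re.S)
IP_RE = re.compile(r"\[([0-9.]+)\]")


def parse_hops(raw_message):
    """Return hops newest-first as (helo_name, observed_ip_or_None, by_host)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue  # no from/by pair, e.g. a local delivery line
        helo, comment, by_host = m.group(1), m.group(2) or "", m.group(3)
        ip = IP_RE.search(comment)
        hops.append((helo, ip.group(1) if ip else None, by_host.rstrip(";")))
    return hops


def handoff_ip(raw_message, receiver_hosts=RECEIVER_HOSTS):
    """IP of the client that connected to the receiver's MX, or None.

    Only Received lines written "by" a host the receiver controls are
    evidence; the HELO name and every older line could have been written
    by whoever sent the message, so the walk stops at the first external hop.
    """
    for helo, ip, by_host in parse_hops(raw_message):
        if by_host.lower() not in receiver_hosts or ip is None:
            continue
        if ipaddress.ip_address(ip).is_loopback or helo.lower() in receiver_hosts:
            continue  # internal relay inside the receiver's own network
        return ip
    return None


def sent_from_my_servers(raw_message, my_ips=MY_SERVER_IPS):
    ip = handoff_ip(raw_message)
    return ip is not None and ip in my_ips


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, handoff_ip(raw), sent_from_my_servers(raw))
```

The check only works when you know which hosts the receiver controls (here the one MX); a Received line claiming to be "by" your own server but sitting below the receiver's line proves nothing, which is why the loop ignores everything after the first external hop.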
Re: SPF setup without the wizard? [ In reply to ]
On Mon, 11 Jul 2005, Nathan Tyler wrote:
> > delivery of email from domains that have what amounts to "open
> > policies" (which "v=spf1 ?all" really is). Again, this is AOL's
> > prerogative as an email receiver. AOL has been relatively good about
> > SPF and policies like these are AOL's way of throwing their weight
> > around to get quicker adoption of SPF, so while there might be upset in
> > the short term, part of the goal is to have it all shake out in the end
> > for the better.
> Right, I am not accusing SPF of anything here, just AOL. I have been
> fighting with AOL for months and months just to get one or two messages per
> month through to their users, seems like a big headache for such a small
> thing, then I notice they are now encouraging spammers, one of their whitelist
> filters actually say you have to send more than 100 messages per day to their
> networks WTF? Seems to me AOL is promoting SPAM not trying to get rid of
> it.

I tend to agree with you here.

> > > Here is the quandary. Right now my boss uses the e-mail
> > > address she has been using for nearly a decade for the main businesses
> > > e-mail address (published all over). It is an xmission.com address.
> > > However, I can't send my e-mail through xmission.com 1) we no longer
> > > even use xmission as an ISP so don't connect to xmission.com 2) myself
> > > and several other employees use our business e-mail addresses for
> > > different domain names based on who we are communicating with and I
> > > can't send those through xmission.com (or they would be spoofed the
> > > other way). Thus, to continue to use the e-mail address my boss has
> > > published all over and in hundreds of thousands of printed documents
> > > not to mention that hundreds of web sites, portals, and contacts that
> > > she has given her e-mail address to, I HAVE TO SPOOF THAT E-MAIL
> > > ADDRESS. [.Yes, that e-mail address gets tons of spam still and most
> > > of that xmission filters which means we often miss important e-mail
> > > messages too.]

XMission allows you to disable the filters. That is what I do. I have
everything that goes to an Xmission email address forward to me. I use
Xmission as my backup when I have DSL or outages. They will setup SPF for
your use. They setup SPF for me on the MX server I use of theirs. They
also will setup SRS/SES when asked.

> > Obviously your boss is still paying for the xmission.com address.
> > xmission.com should set up a way for your boss to submit her outbound
> > mail to their servers if she wants to send from her xmission.com
> > address.
> Yes, XMission says use IMAP. Unfortunately IMAP has too many cons to bother.
> First and foremost is that the mailbox gets full in three days without using
> POP, second is sending IMAP keeps no records here but on XMission's server (I
> haven't yet found a way to POP messages out of the "outbox"), third getting my
> boss just to pick up POP mail with a very simplistic e-mail client has been a
> struggle for the past 6 years, there is no way I could ever teach her IMAP
> interfaces let alone xmission's interfaces that they change every 6 months or
> so.
> > Then this is a simple reconfiguration of her email client to
> > use xmission.com servers when sending xmission.com email.
> >
> Nope, I can't reconfigure her e-mail client to send out of anything but our
> proxy server. The only alternative would be IMAP and even then I am not sure
> if IMAP will work using this strict firewall proxy configuration. I admit
> there are better implementations I could use, but for what we need to do and
> our legal interests, any other comparable implementation would cost many
> thousands of dollars (including repetitive costs) that my bosses aren't
> willing to pay. So I have to make do with a very poor implementation but one
> that keeps that network at least not tooooooo vulnerable to attack. [.Though I
> never claim to be a security expert in the least.]

XMission will do SMTP AUTH. That should solve some problems. If
everything you do using the XMission email account is with SMTP AUTH you
should not have a problem. I have used fetchmail to move all email from
XMission to a local machine. I have it do it every 6 hours.

> > Alternatively, she can send from xmission.com and set the Reply-to her
> > current address. But this is not ideal, since the xmission.com address
> > is the legacy address. The better method is that your boss not send
> > from xmission.com at all but only use her current address for all
> > correspondence. Her xmission.com address can forward to her current
> > mailbox (and if you are SPF filtering, you would need to whitelist
> > xmission.com). The whole goal of keeping an old email address alive is
> > so you can continue to receive mail sent to it, but the inverse (to send
> > from it) is not necessarily true.
>
> No the problem with using Reply-to for either to her old or a new one I could
> setup doesn't matter. Using any "spoofed" e-mail address gets blocked by AOL,
> whether its in the "From" the "Reply-To" or the "Return-Path". Any one of
> those not being checked as legit for the same network as that of the
> sending SMTP server AOL it blocks it. I was hoping I could just have her send
> out of the new address and have people reply to the old one, but that didn't
> work.

Using SMTP AUTH should fix this problem. You are using their servers and
it will be from them.

> > up. Here's one for postfix: http://www.postfix.org/SASL_README.html
> >
> Like I said I am learning in the school of hard knocks. Thank you for this
> link, I will look into it. It so happens I am using postfix, so maybe I can
> figure this out. Though the last time I tried to figure anything out with
> postfix, I just got it screwed up and had to start all over and set it up the
> original way again.
...
> Am I going mad, or isn't the whole point of SPF to enable people to set up
> filtering? What I was referring to here is that I need to know exactly what
> an SPF-enabled e-mail server is doing with those SPF records so I know the
> best way to set up the SPF records to maximize my ability to get my messages
> through to anyone who uses SPF in their filtering.

I am sorry you are having so much trouble. I have been with XMission for
over 10 years, Since they first started. So it may be more than 15 years.
I have never had problems. I wish you luck.


--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
Re: SPF setup without the wizard? [ In reply to ]
Nathan Tyler wrote:

> Thus, I realized that the "Wizard" is just preparing a string
> for TXT records that I would put in there. And it makes me
> think I don't even need to use a Wizard.

Yes, the wizard tries to help you if you have no clear idea
what SPF does, or to get a second opinion, but of course it's
only a more or less stupid script, garbage in, garbage out.

> Is there any documentation

Sure. For a simple and not exactly up to date introduction see
<http://www.openspf.com/mechanisms.html>

Skip the part about "ptr" for the moment and ignore extensions,
the latter was removed later because it won't work as expected.

For the complete experimental RFC (waiting to get a number) see
<http://ietf.org/internet-drafts/draft-schlitt-spf-classic-02>

> A good technical reference or technical manual is always
> better than a Wizard for me.

Actually there are only a few tricky points:
- "ptr" might be not what you want
- for "include" read the spec., it's not exactly obvious
- ignore "ip6" IPv6 if you don't have it
- ignore exotic macros, "exists", and "exp=" for the moment

Anything else is plain simple, various ways to enumerate IPs
sending MAIL FROM you to third parties, you can use the CIDR
notation to permit (or forbid) blocks of IPs, you can specify
IPs directly with "ip4", or by name "a", or even by "mx".

For each set of IPs you can say + (PASS = "it's me"), - (FAIL),
~ (SOFTFAIL, e.g. for testing), ? (NEUTRAL, moo).

And finally for the set of all IPs not covered before you can
say -all, ~all, ?all, and +all, or use redirect= to another
policy again with sets of IPs plus corresponding results.

> I am still trying to decide if SPF is a good thing for me or
> not.

If a spammer forges MAIL FROM one of your domains and you get
tons of bogus bounces it's probably good (not only for you).

The only problem can be forwarded mails, if the receiver gets
MAIL FROM you RCPT TO box1, and forwards it RCPT TO box2. If
box2 checks SPF it won't find any IP of box1 in your policy,
so that's a case of FUBAR on the side of this user@box1.

Your mail would be rejected by box2 if the IP of box1 resulted
in a FAIL with your policy, and box1 would then bounce it back
to you. It's not your fault, it's not the fault of box2, and
arguably even box1 didn't do anything wrong: user@box1 tried
to forward MAIL FROM you instead of using his own MAIL FROM.

So if you're very worried about this case you can't use FAIL,
and without a FAIL SPF is partially pointless (some big ISPs
like AOL still use PASS results for white lists, so maybe you
would want SPF even without FAIL).

> blocking all e-mail from dynamic IP addresses (causing me to
> have to switch ISPs and pay hundreds per month for static IP
> addresses)

A cheaper solution is an external mail provider (sending), and
with a dynamic IP you'd probably also need a third party as MX,
so you just need a full mail provider. DynDNS offers these
services for less than "hundreds per month". Just an example,
because I use some of their free services and created a simple
DynDNS update client for OS/2.

> sometimes "spoofing" e-mail is absolutely necessary and
> legitimate

Don't spoof my MAIL FROM, that won't work because I have a FAIL
policy, and that's more or less the idea of SPF, you cannot do
anything about my policy. Unless you happen to be a sysadmin
at de.clara.net ;-)

> some companies have decided all "spoofed" e-mail is bad.

No, it was always bad. Some spammers decided that it's "good"
causing billions of bogus bounces to innocent bystanders. SPF
(the FAIL part of SPF) terminates this particular abuse for
those who want it.

> now I am thinking I need to jump though this SPF hoop too as
> well. Or maybe I don't.

If you "spoof" MAIL FROM addresses of third parties you don't
need SPF, in fact you can't use it at all. Only domain owners
can publish a sender policy, nobody else.

> it sounds like AOL is going to block anything that doesn't
> have SPF records

AOL is sometimes weird, that's not limited to SPF. Actually I
don't think that they block all mails without SPF records, as
far as I know they only use PASS results for white listing. So
they don't even block clear FAIL results, they just use a part
of SPF as one of several steps in their anti-spam operations.

> I can't send my e-mail though xmission.com 1) we no longer
> even use xmission as an ISP so don't connect to xmssion.com

Only the owner of xmission.com can create a sender policy for
addresses in this domain. If that policy doesn't cover your IPs
you cannot use this address anymore for sending mails from your
IPs.

> I HAVE TO SPOOF THAT E-MAIL ADDRESS.

If they permit it, see `nslookup -q=txt xmission.com` They
have a sender policy ending with ?all (NEUTRAL) for all other
IPs probably including your IPs. So that's no FAIL or SOFTFAIL
- no spoofing as far as SPF is concerned. NEUTRAL is NEUTRAL.

> I told my boss that she will need to lose this e-mail address

Not completely, receiving is no problem, only sending is an
issue. Maybe your boss can discuss it with xmission.com: If
you have a sender policy whatever.example "v=spf1 your-IP(s)",
and they add "include:whatever.example" to their policy, then
your IPs would get a PASS for MAIL FROM your.boss@xmission.com

Obviously xmission.com won't be delighted by this idea, but in
theory it's possible. Sorry, but your article was rather long,
I snipped the rest concentrating on the one thorny issue. Bye
Re: SPF setup without the wizard? [ In reply to ]
Dear Boyd Gerber (and other list members),

I appreciate your help. I have fought with Xmission on this
e-mail and other issues for so long that I gave up about a year ago even
dealing with them. They may as you say be willing to setup SPF for my
use, but even then I still have the connectivity problem.

>XMission allows you to disable the filters. That is what I do. I have
>everything that goes to an Xmission email address forward to me. I use
>Xmission as my backup when I have DSL or outages. They will setup SPF for
>your use. They setup SPF for me on the MX server I use of theirs. They
>also will setup SRS/SES when asked.


Actually Xmission doesn't let you disable all the filters. They
have some "User" filters that you can enable, disable, and/or customize.
Then they have many other system filters that they refuse to turn on or
off on a per user basis. This includes BAYES filters, then there is
SpamAssassin which they automatically delete anything with a SA rating
of 25 or over. And that was a year ago that I last dealt with them, so I
am sure they have lots more filters. They certainly didn't get rid of
any filters, or my boss's e-mail would be getting a lot more spam. She
used to get 200-250 messages per day, now she only gets about 50-60.
And for over a year I had to keep track of ALL e-mail including all
the spam, and print it ALL, and even (heaven forbid) my boss insisted
that I respond to the spam by clicking on the links and/or replying to
supposedly remove from a list. So that is why I noticed when XMission
turned on deleting SA ratings of 25 or higher, and then again a sudden
drop when they turned on BAYES (which they had some problem with, turned
it off after about a week, and then back on about a month or so
later). I tried to tell her and get her to understand about all that
spam and she wouldn't listen, she just said, "I am paying you to do what
I say, print it and respond to it." And maybe that gives you an idea
as to the inability to work with my boss on the e-mail issue. I did
draw the line and said I wouldn't open and attempt to print ALL
attachments, but she was really pissed when I put my foot down there.

>XMission will do SMTP AUTH. That should solve some problems. If
>everything you do using the XMission email account is with SMTP AUTH you
>should not have a problem. I have used fetchmail to move all email from
>XMission to a local machine. I have it do it every 6 hours.


Everyone keeps pointing to this as a reason not to spoof. But, I
have never gotten remote sending of e-mail to work right. Anytime I have
ever tried any remote form of sending through an SMTP server (i.e. when I
am connected to a different network) all I get is an error that says
"Relay is not allowed." Once upon a time Xmission did setup so I could
relay from my IP address, but then several other problems occurred.
First, I kept changing IP addresses, because of having to switch ISPs
because idiot ISPs kept selling me a service on lies. Second, when I
setup our mail server and I wanted to send gbesco.com mail from our mail
server. For a time I tried still using Xmission SMTP relayed for the
xmission account and the gbesco.com SMTP for the gbesco.com e-mail.
Unfortunately that was a disaster as the software kept mixing up SMTP
servers, and after a bit it wouldn't send at all. I blame that on the
software, but still I gave up ever trying to use multiple outgoing SMTP
servers, because I had to format and re-install my entire Windows system
just to get to do e-mail at all again.

So, I don't know if SMTP AUTH is something new and can be setup
different than relayed. I don't know if it works or doesn't work with
regular e-mail clients (which are a must) and I don't know if it takes
more than a user name and password (if so it wouldn't work through our
proxy), nor do I know if it runs through a different port (wouldn't work
through our firewall which can't be configured, [its tied into the
proxy], and this firewall/proxy is the only one I can find that works
with the filtering software that we legally have to have in that
building). I could get a different filtering software, but the last I
looked they were charging $600 per year for the cheapest server side
filter which my boss won't go for.

As for fetchmail, I don't even have that. I currently use
Netscape (only until the next time I reformat the hard drive then I am
switching to Thunderbird). Then there is the problem with my boss. I
think I setup Mozilla suite for her computer, there is no way she is
going to learn anything else, its been a struggle just to get her to
download e-mail using a POP client and to view it so I don't have to
print it all out for her. As far as I know Netscape, nor
Mozilla/Mozilla Thunderbird will access anything but what is in the
Inbox on the server.

When it comes to my bosses e-mail, its very tricky because of
who my boss is, how our systems are setup, etc. For instance, with the
weird firewall/proxy/filter server we have that my boss has to be
behind, it took me over a day and a half just to get it to pass through
a regular user name and password to a POP account and download the mail
and pass it onto the client. (And that was something it said it was
designed to do, it doesn't even give options for most other things, the
firewall bit is unconfigurable except a few checkboxes to allow some
standard ports.) On any other regular network it should have been a
three minute job. Then, the fact that she might send e-mail, or I might
send e-mail, and we work completely in two different locations, etc.
There are just way too many complications to ever use any of the
"simple" suggestions that people have put here.

>I am sorry you are having so much trouble. I have been with XMission for
>over 10 years, Since they first started. So it may be more than 15 years.
>I have never had problems. I wish you luck.


Well, I am sure Xmission is good for a lot of people, but they
[Xmission] are unable or unwilling to provide us with the services we
need. I admit our needs are very uncommon to most households and even
most small businesses. But such as it is, I have to work with it. And
with as much as I have had to fight with XMission they aren't willing to
work with me at all anymore. Thank you for your thoughts though.

Nathan
RE: SPF setup without the wizard? [ In reply to ]
Hi group,

I have a question...or two...and they are semi-technical:

1. Are there any pitfalls or possible downfalls that could result if a
direct marketing firm, which is utilizing email to sell products,
certifies its email servers through this SPF program? In other words,
should we certify or not?
2. How complicated is this thing...if I'm not technically inclined?

Thanks so much for your help and time.

Regards,
Roman


-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com] On Behalf Of Nathan Tyler
Sent: Tuesday, July 12, 2005 12:09 PM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] SPF setup without the wizard?

Dear Boyd Gerbe (and other list members),

I appreciate your help. I have fought with Xmission on this
e-mail and other issues for so long that I gave up about a year ago even
dealing with them. They may as you say be willing to setup SPF for my
use, but even then I still have the connectivity problem.

>XMission allows you to disable the filters. That is what I do. I have

>everything that goes to an Xmission email address forward to me. I use

>Xmission as my backup when I have DSL or outages. They will setup SPF
>for your use. They setup SPF for me on the MX server I use of theirs.

>They also will setup SRS/SES when asked.


Actually Xmission doesn't let you disable all the filters. They
have some "User" filters that you can enable, disable, and/or customize.

Then they have many other system filters that they refuse to turn on or
off on a per-user basis. This includes BAYES filters, then there is
SpamAssassin which they automatically delete anything with a SA rating
of 25 or over. And that was a year ago that I last dealt with them, so I
am sure they have lots more filters. They certainly didn't get rid of
any filters, or my boss's e-mail would be getting a lot more spam. She
used to get 200-250 messages per day, now she only gets about 50-60.
And for over a year I had to keep track of it ALL e-mail including all
the spam, and print it ALL, and even (heaven forbid) my boss insisted
that I respond to the spam by clicking on the links and/or replying to
supposedly remove from a list. So that is why I noticed when XMission
turned on deleting SA ratings of 25 or higher, and then again a sudden
drop when they turned on BAYES (which they had some problem with, turned
it off after about a week, and then back on about a month or so
later). I tried to tell her and get her to understand about all that
spam and she wouldn't listen, she just said, "I am paying you to do what
I say, print it and respond to it." And maybe that gives you an idea
as to the inability to work with my boss on the e-mail issue. I did
draw the line and said I wouldn't open and attempt to print ALL
attachments, but she was really pissed when I put my foot down there.

>XMission will do SMTP AUTH. That should solve some problems. If
>everything you do using the XMission email account is with SMTP AUTH
>you should not have a problem. I have used fetchmail to move all email
>from XMission to a local machine. I have it do it every 6 hours.


Everyone keeps pointing to this as a reason not to spoof. But, I
have never gotten remote sending of e-mail to work right. Anytime I have
ever tried any remote form of sending through an SMTP server (i.e. when I
am connected to a different network) all I get is an error that says
"Relay is not allowed." Once upon a time Xmission did setup so I could
relay from my IP address, but then several other problems occurred.
First, I kept changing IP addresses, because of having to switch ISPs
because idiot ISPs kept selling me a service on lies. Second, when I
setup our mail server and I wanted to send gbesco.com mail from our mail
server. For a time I tried still using Xmission SMTP relayed for the
xmission account and the gbesco.com SMTP for the gbesco.com e-mail.
Unfortunately that was a disaster as the software kept mixing up SMTP
servers, and after a bit it wouldn't send at all. I blame that on the
software, but still I gave up ever trying to use multiple outgoing SMTP
servers, because I had to format and re-install my entire Windows system
just to get to do e-mail at all again.

So, I don't know if SMTP AUTH is something new and can be setup
different than relayed. I don't know if it works or doesn't work with
regular e-mail clients (which are a must) and I don't know if it takes
more than a user name and password (if so it wouldn't work through our
proxy), nor do I know if it runs through a different port (wouldn't work
through our firewall which can't be configured, [its tied into the
proxy], and this firewall/proxy is the only one I can find that works
with the filtering software that we legally have to have in that
building). I could get a different filtering software, but the last I
looked they were charging $600 per year for the cheapest server side
filter which my boss won't go for.

As for fetchmail, I don't even have that. I currently use
Netscape (only until the next time I reformat the hard drive then I am
switching to Thunderbird). Then there is the problem with my boss. I
think I setup Mozilla suite for her computer, there is no way she is
going to learn anything else, its been a struggle just to get her to
download e-mail using a POP client and to view it so I don't have to
print it all out for her. As far as I know Netscape, nor
Mozilla/Mozilla Thunderbird will access anything but what is in the
Inbox on the server.

When it comes to my boss's e-mail, it's very tricky because of
who my boss is, how our systems are setup, etc. For instance, with the
weird firewall/proxy/filter server we have that my boss has to be
behind, it took me over a day and a half just to get it to pass through
a regular user name and password to a POP account and download the mail
and pass it onto the client. (And that was something it said it was
designed to do, it doesn't even give options for most other things, the
firewall bit is unconfigurable except a few checkboxes to allow some
standard ports.) On any other regular network it should have been a
three minute job. Then, the fact that she might send e-mail, or I might
send e-mail, and we work completely in two different locations, etc.
There are just way too many complications to ever use any of the
"simple" suggestions that people have put here.

I am sorry you are having so much trouble. I have been with XMission
for over 10 years, since they first started. So it may be more than 15
years. I have never had problems. I wish you luck.


Well, I am sure Xmission is good for a lot of people, but they
[Xmission] are unable or unwilling to provide us with the services we
need. I admit our needs are very uncommon to most households and even
most small businesses. But such as it is, I have to work with it. And
with as much as I have had to fight with XMission they aren't willing to
work with me at all anymore. Thank you for your thoughts though.

Nathan

-------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?member_id=2087220&user_secret=7fd19b48

Re: SPF setup without the wizard?
On Tue, 12 Jul 2005 11:08:46 -0600
Nathan Tyler <spf@gbesco.com> wrote:

> I don't know if SMTP AUTH is something new

Not really. In Outlook Express for instance it's under
Tools/Accounts/Properties/Servers tab, "my server requires
authentication." Usually it's just a matter of checking a box since
most ISPs set it up to use the same login as the POP login.

> different than relayed

Relaying implies connecting to a server to have it send mail
somewhere else. If you did not log in to our mail server as described
above, for instance, it sees you as "inbound mail" that is asking our
server to relay a message. Hence, "relaying denied."

If your in-house servers are not set up for SMTP Auth or to only
relay mail from the local network's IP range, that's probably the
trouble you mentioned before...if you allow anyone to send mail using
your servers you would be helping spammers and your IP(s) would be
quickly blacklisted in the ORDB database, etc. By requiring users to
log in, anyone else trying to connect to your server would not be able
to send mail out ("relaying denied").

- Steve Yates
- ITS, Inc.
- I'm not lost, I'm directionally challenged.

~ Taglines by Taglinator 4 - www.srtware.com ~

Re: SPF error messages make no sense
Dear List Persons,

OK, I lied, I will send another message through here. I setup
SPF records according to my understanding of what they are. But I get a
silly error message now when I try to send. Here is hoping I can even
send to the list now. I sent this out of 66.182.81.42 which is
explicitly said to allow, however, somewhere it claims it is being sent
from 208.187.121.248, which I don't understand. Somebody please tell
me what is going on?

What is SPF? SPF is an extension to Internet email. It prevents
unauthorized people from forging your email address. But for it to work,
you may need to change some settings in your email program. Otherwise,
the system may mistake you for an unauthorized person. If your mail was
inadvertently blocked by a receiver who uses SPF, read on.


xenau.zenez.com rejected a message claiming to be from spf@gbesco.com.

xenau.zenez.com saw a message coming from the IP address 208.187.121.248
which is cust-208-187-121-248.bbsc.net; the sender claimed to be
spf@gbesco.com.

However, gbesco.com has announced using SPF <http://spf.pobox.com/> that
it does not send mail out through 208.187.121.248. That is why the mail
was rejected.


If you are spf@gbesco.com:

gbesco.com should have given you a way to send mail through an approved
server.

If you are using a mail program instead of webmail, you may need to
update the SMTP server configuration setting according to your ISP's
instructions. You may also need to turn on authentication, and enter
your username and password in your mail program's "Preferences".

If you run your own MTA, you may need to set a smarthost or relayhost.
If you are mailing from outside your ISP's network, you may also need to
make your MTA authenticate SMTP using SASL. Ideally your server should
listen on port 587 as well as port 25.

If your mail was correctly sent, but was rejected because it passed
through a forwarding service, you can either mail the final destination
address directly (it should be shown in the bounce message) or you ask
the forwarder to implement SRS <http://spf.pobox.com/srs.html>. If
neither of these suggestions is practical, change your "-all" to "?all"
until a more comprehensive approach to sender authentication involving
cryptography solves the forwarding problem for good. For more
information on this problem, see pages 15-16 of the SPF Whitepaper
<http://spf.pobox.com/whitepaper.pdf>.

You can also try emailing your recipient at an alternative email
address.

Please contact your ISP for further assistance; ask them for help in
configuring outbound SMTP email.

If your company needs further help, we provide a full range of
consulting services <http://spf.pobox.com/services.html> to help you
resolve these problems quickly.


If you are confident your mail did go through an approved
server:

The system administrator for gbesco.com may have incorrectly
configured its SPF record. This is a common cause of mistakes.

Here's what you can do. Contact the system administrator responsible
for gbesco.com and tell them that they need to change its SPF record
so that it contains cust-208-187-121-248.bbsc.net. For example, they
could change the record to something like

v=spf1 +ip4:66.182.81.42 +ip4:66.182.85.50 +ip4:66.182.85.51 a:cust-208-187-121-248.bbsc.net -all

If you can show this web page to your system administrator, they
should be able to solve the problem.


If you did not send the message:

SPF successfully blocked a forgery attempt; someone tried to send mail
pretending to be from you, but the message was rejected before anybody
saw it. If you received a bounce message, you can delete it. This means
SPF is working as designed.





RE: SPF error messages make no sense
>-----Original Message-----
>From: owner-spf-help@v2.listbox.com
>[mailto:owner-spf-help@v2.listbox.com]On Behalf Of Nathan Tyler
>Sent: Tuesday, July 12, 2005 5:56 PM
>To: spf-help@v2.listbox.com
>Subject: Re: [spf-help] SPF error messages make no sense
>
>
>Dear List Persons,
>
> OK, I lied, I will send another message through here. I setup
>SPF records according to my understanding of what they are. But I get a
>silly error message now when I try to send. Here is hoping I can even
>send to the list now. I sent this out of 66.182.81.42 which is
>explicitly said to allow, however, somewhere it claims it is being sent
>from 208.187.121.248, which I don't understand. Somebody please tell
>me what is going on?

First, change your record to end in ?all until you know you have it worked
out. This should prevent mail rejections.

Second, you are sending from 208.187.121.248. From the header of the
message you just sent to the list:

Received: from mail.gbesco.com (cust-208-187-121-248.bbsc.net
[208.187.121.248])

The error message may not be entirely clear, but it was accurate. SPF did
what you told it to do.

Scott K

Re: SPF error messages make no sense
On Tue, Jul 12, 2005 at 03:56:23PM -0600, Nathan Tyler wrote:
> Dear List Persons,
>
> OK, I lied, I will send another message through here. I setup
> SPF records according to my understanding of what they are. But I get a
> silly error message now when I try to send. Here is hoping I can even
> send to the list now. I sent this out of 66.182.81.42 which is
> explicitly said to allow, however, somewhere it claims it is being sent
> from 208.187.121.248, which I don't understand. Somebody please tell
> me what is going on?

Do take Scott's suggestion seriously, however I'd like to elaborate
on this paragraph.

You sent the mail from 66.182.81.43, not 66.182.81.42 (typo?).
However, this is not important. What _is_ important is where
other people's mail servers (such as the list mail server) see
the mail coming from.

> Received: from mail.gbesco.com
> (cust-208-187-121-248.bbsc.net [208.187.121.248])
> by apex.listbox.com (Postfix) with ESMTP id 7F01E5579D
> for <spf-help@v2.listbox.com>;
> Tue, 12 Jul 2005 17:54:57 -0400 (EDT)
> Received: from gbesco.com
> (cust-66-182-81-43.bbsc.net [66.182.81.43])
> by mail.gbesco.com (Postfix) with ESMTP id D54F534D27
> for <spf-help@v2.listbox.com>;
> Tue, 12 Jul 2005 15:54:01 -0400 (EDT)

Your server delivers the mail to mail.gbesco.com and that server
is delivering it to the listbox.com mail server. That last step,
the first "Received" line I quoted, is the one where SPF kicks in.

> xenau.zenez.com saw a message coming from the IP address 208.187.121.248
> which is cust-208-187-121-248.bbsc.net; the sender claimed to be
> spf@gbesco.com.
>
> However, gbesco.com has announced using SPF <http://spf.pobox.com/> that
> it does not send mail out through 208.187.121.248. That is why the mail
> was rejected.

And this message is correct.

> If you run your own MTA, you may need to set a smarthost or relayhost.

This is probably what you have. You have to list this smarthost as
the one being authorized. According to your current SPF record, you
did that already:
"v=spf1 +ip4:208.187.121.248
+ip4:66.182.81.42
+ip4:66.182.85.50
+ip4:66.182.85.51
+ip4:66.182.76.7
-all"

You can leave out "+" as this is the default. You do not need to list
all servers involved in delivering your mail, only the servers handing
your mail over to a third party (i.e. you can probably skip 66.182.81.42)

Alex

Re: SPF error messages make no sense
Now I am still confused. Does an e-mail client send e-mail not to the
SMTP server, but to the SMTP server of the destination? I thought the
point of specifying an SMTP server in an e-mail client is so my mail
goes there first. However, what you are seeing confuses me. I did not
typo what I thought should be happening, obviously it's not happening.

I am sitting at 66.182.81.43 -- My e-mail client is set up to SMTP to
66.182.81.42 which is what I explicitly said to count as authoritative as
that is my outgoing mail server. Then, for some reason as it appears
it's being sent out of 208.187.121.248. This appears to be my border
router. I had BBSC setup reverse DNS for my server on 66.182.81.42 but
not on the border router. I can add that IP address to the SPF record,
as you noticed I already had by the time you did a lookup on it. But,
do I also need BBSC to do reverse DNS for the border router too? And if
so what should I call it. This is the only server on this subnet so I
could just as easily call it mail.gbesco.com as well, but what about on
the subnet for reidschool.com in the which I still have one border
router but two servers, do I do the reverse DNS to say
www.reidschool.com, or lab2srv.reidschool.com or just plain reidschool.com

Do I need to add all my IP addresses for all hosts connecting to my
server such as the fact that I am sitting at 66.182.81.43 to the SPF
record too?


Re: SPF error messages make no sense
On Tue, Jul 12, 2005 at 04:47:53PM -0600, Nathan Tyler wrote:

> Now I am still confused. Does an e-mail client send e-mail not to the
> SMTP server, but to the SMTP server of the destination? I thought the
> point of specifying an SMTP server in an e-mail client is so my mail
> goes there first. However, what you are seeing confuses me. I did not
> typo what I thought should be happening, obviously it's not happening.
>
> I am sitting at 66.182.81.43 -- My e-mail client is set up to SMTP to
> 66.182.81.42 which is what I explicitly said to count as authoritative as
> that is my outgoing mail server. Then, for some reason as it appears

Maybe it's 66.182.81.42 on your side but it really is
208.187.121.248 from our point of view. A host can have more
than one network interface, one interface accepting mail from
you, the other interface delivering mail to us.

> Do I need to all all my IP addresses for all hosts connecting to my
> server such as the fact that I am sitting at 66.182.81.43 to the SPF
> record too?

Simple, just picture what happens:

-1- what host is going to use SPF to check validity of your email?
-2- what is this host going to check?
-3- does it match?
-4- does it allow the transaction?

#1: this could be the list server should you send mail to this list.
#2: _your_ name, and IP address 208.187.121.248 (maybe others as well?)
#3: it does (as 208.187.121.248 is included)
#4: it does (as the prefix is "+")

(you previously had:
#3 it does (as "all" is included)
#4 it does not (as the prefix is "-")
)

For each of the mechanisms in your record:
Is any host on the internet going to check SPF on it?
Yes: keep it.
No: remove it.

Hypothetically 66.182.81.42 could also use SPF and verify that
you at 66.182.81.43 are authorized. This is however not a common
setup. Usually there's only one place in the chain of servers
where SPF kicks in, this is the place where mail flows from one
trust-domain (your provider and all connected computers) into
the next (the listserver's MX hosts).


Please stop top-posting and do trim irrelevant text.

Alex
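Alex's four-step walk-through, together with the record syntax discussed earlier in the thread (the "+" default and the "all" term), carried out in code. This is an added example, not code from the list or from any SPF implementation; the Received lines are the thread's own quoted headers, reflowed, and only the ip4 and all mechanisms are handled.

```python
"""Walk through the SPF decision Alex describes: which IP the receiver
sees, whether a mechanism in the record matches it, and what the
qualifier on that mechanism allows.

Added example, not code from the list or from any SPF library. Only the
"ip4" and "all" mechanisms and the +/-/~/? qualifiers are implemented;
"a", "mx", "include" and macros are deliberately left out.
"""
import ipaddress
import re

# Qualifier -> result a receiver reports when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Received headers as quoted in the thread (reflowed), topmost first.
RECEIVED_HEADERS = """\
Received: from mail.gbesco.com (cust-208-187-121-248.bbsc.net [208.187.121.248])
    by apex.listbox.com (Postfix) with ESMTP id 7F01E5579D
    for <spf-help@v2.listbox.com>; Tue, 12 Jul 2005 17:54:57 -0400 (EDT)
Received: from gbesco.com (cust-66-182-81-43.bbsc.net [66.182.81.43])
    by mail.gbesco.com (Postfix) with ESMTP id D54F534D27
    for <spf-help@v2.listbox.com>; Tue, 12 Jul 2005 15:54:01 -0400 (EDT)
"""

# "Received: from <helo> (<rdns> [<ip>])" at the start of a header line.
_RECEIVED_FROM = re.compile(r"^Received: from \S+\s*\([^\[\]]*\[([0-9.]+)\]\)", re.M)


def connecting_ip(headers: str) -> str:
    """IP in the topmost Received header: the host that handed the message
    to the receiving MX. That is the only hop SPF is evaluated against;
    earlier hops (your client to your own server) are internal."""
    match = _RECEIVED_FROM.search(headers)
    if match is None:
        raise ValueError("no Received header with a bracketed IP address")
    return match.group(1)


def parse_spf(record: str):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # "+" is the default, so "ip4:x" means "+ip4:x"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_spf(record: str, client_ip: str) -> str:
    """Evaluate the record for the connecting IP; the first matching term wins."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            matched = True
        elif name == "ip4":
            # A bare address is a /32; "ip4:66.182.80.0/22" style also works.
            network = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == 4 and ip in network
        else:
            raise ValueError(f"mechanism not supported by this example: {name}")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no "all" term: default result


if __name__ == "__main__":
    ip = connecting_ip(RECEIVED_HEADERS)  # 208.187.121.248, the border router
    before = "v=spf1 +ip4:66.182.81.42 +ip4:66.182.85.50 +ip4:66.182.85.51 -all"
    print(ip, check_spf(before, ip))                           # fail: bounced
    print(ip, check_spf(before.replace("-all", "?all"), ip))   # neutral: delivered
    print(ip, check_spf("v=spf1 ip4:208.187.121.248 -all", ip))  # pass
```

Running it reproduces the bounce (fail with "-all"), Scott's interim advice (neutral with "?all"), and the fix of listing the address the world actually sees.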

Re: SPF error messages make no sense
On Wed, 13 Jul 2005, Alex van den Bogaerdt wrote:
> On Tue, Jul 12, 2005 at 04:47:53PM -0600, Nathan Tyler wrote:
> > Now I am still confused. Does an e-mail client send e-mail not to the
> > SMTP server, but to the SMTP server of the destination? I thought the
> > point of specifying an SMTP server in an e-mail client is so my mail
> > goes there first. However, what you are seeing confuses me. I did not
> > typo what I thought should be happening, obviously it's not happening.
> >
> > I am sitting at 66.182.81.43 -- My e-mail client is set up to SMTP to
> > 66.182.81.42 which is what I explicitly said to count as authoritative as
> > that is my outgoing mail server. Then, for some reason as it appears
>
> Maybe it's 66.182.81.42 on your side but it really is
> 208.187.121.248 from our point of view. A host can have more
> than one network interface, one interface accepting mail from
> you, the other interface delivering mail to us.

BBSC.NET often does this. One of my clients has the same problem. You
have to include what BBSC uses for your system. I checked on the BBSC
network and you are going to have to include the ip address. I suggest
you use the ip4 for it.


--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

Re: SPF setup without the wizard?
Roman Dzadzic wrote:

> 1. Are there any pitfalls or possible downfalls that could
> result if a direct marketing firm, which is utilizing email
> to sell products, certifies its email servers through this
> SPF program?

See <http://mid.gmane.org/42D350EE.1131@xyzzy.claranet.de> -
apparently Nathan didn't understand it, but maybe you get it.

> In other words, should we certify or not?

It's more like "do you want a (SOFT) FAIL policy", otherwise
SPF is almost toothless and can't bite you.

> 2.How complicated is this thing...if I'm not technically
> inclined?

If you have a couple of MTAs and know their IPs it's trivial.

If you have no clue what an "MTA" or an "IP" might be better
stay away from it for the moment and find a good introduction
to "SMTP" (hint: S = simple ;-)
Bye, Frank

RE: Re: SPF setup without the wizard?
Thanks Frank. It's much appreciated!

-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com] On Behalf Of Frank Ellermann
Sent: Tuesday, July 12, 2005 6:57 PM
To: spf-help@v2.listbox.com
Subject: [spf-help] Re: SPF setup without the wizard?

Roman Dzadzic wrote:

> 1. Are there any pitfalls or possible downfalls that could result if a
> direct marketing firm, which is utilizing email to sell products,
> certifies its email servers through this SPF program?

See <http://mid.gmane.org/42D350EE.1131@xyzzy.claranet.de> - apparently
Nathan didn't understand it, but maybe you get it.

> In other words, should we certify or not?

It's more like "do you want a (SOFT) FAIL policy", otherwise SPF is
almost toothless and can't bite you.

> 2.How complicated is this thing...if I'm not technically inclined?

If you have a couple of MTAs and know their IPs it's trivial.

If you have no clue what an "MTA" or an "IP" might be better stay away
from it for the moment and find a good introduction to "SMTP" (hint: S =
simple ;-)
Bye, Frank
