Mailing List Archive

using ISP's smtp servers
Hello,



I have ~200 users who use SMTP to send mail through my server. Most of
my users send smtp mail via my mail server, and those generally work
just fine. I would like to prevent spammers from sending messages on
behalf of my company.



For some of my users, their internet provider requires use of the ISP's
smtp server for sending messages. I have a list of the ISPs sending mail
servers, so that I can help my users setup their email accounts. Here
are a couple examples: [smtp.utma.com] and [pop.farg.qwest.net].



* How do I incorporate this information into my SPF record? I tried the
wizard, but I'm not sure where to put the information.

* I understand that I should not list the ISP unless they have an spf
record. How do I know whether the ISP has an SPF record?





Regards,

--

Jocelyn Sloan, Network+

Technology Coordinator

Diocese of Fargo

www.fargodiocese.org <http://www.fargodiocese.org/>







-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: using ISP's smtp servers [ In reply to ]
On 26-Oct-09, at 5:48 PM, Sloan, Jocelyn wrote:

> Hello,
>
> I have ~200 users who use SMTP to send mail through my server. Most of
> my users send smtp mail via my mail server, and those generally work
> just fine. I would like to prevent spammers from sending messages on
> behalf of my company.
>
> For some of my users, their internet provider requires use of the
> ISP's
> smtp server for sending messages. I have a list of the ISPs sending
> mail
> servers, so that I can help my users setup their email accounts. Here
> are a couple examples: [smtp.utma.com] and [pop.farg.qwest.net].
>
> * How do I incorporate this information into my SPF record? I tried
> the
> wizard, but I'm not sure where to put the information.
>
> * I understand that I should not list the ISP unless they have an spf
> record. How do I know whether the ISP has an SPF record?


Usually ISPs restrict port 25, the SMTP port, to their own networks
but port 587 and port 465 both used for mail submission can and should
be used to allow your clients to relay mail through your mail server.
This way you don't have to worry about configuring SPF to include all
the various ISPs that your clients may use when out on the road.

--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6

416-247-7740



Re: using ISP's smtp servers [ In reply to ]
Gino, I do not understand what you are suggesting. Do you mean that I
should open port 465 and/or 587 and direct it to my mail server?
-JS


From: Gino Cerullo <gcerullo@pixelpointstudios.com>
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] using ISP's smtp servers
Date: Mon, 26 Oct 2009 17:56:41 -0400

On 26-Oct-09, at 5:48 PM, Sloan, Jocelyn wrote:

> Hello,
>
> I have ~200 users who use SMTP to send mail through my server. Most of
> my users send smtp mail via my mail server, and those generally work
> just fine. I would like to prevent spammers from sending messages on
> behalf of my company.
>
> For some of my users, their internet provider requires use of the
> ISP's
> smtp server for sending messages. I have a list of the ISPs sending
> mail
> servers, so that I can help my users setup their email accounts. Here
> are a couple examples: [smtp.utma.com] and [pop.farg.qwest.net].
>
> * How do I incorporate this information into my SPF record? I tried
> the
> wizard, but I'm not sure where to put the information.
>
> * I understand that I should not list the ISP unless they have an spf
> record. How do I know whether the ISP has an SPF record?


Usually ISPs restrict port 25, the SMTP port, to their own networks
but port 587 and port 465 both used for mail submission can and should
be used to allow your clients to relay mail through your mail server.
This way you don't have to worry about configuring SPF to include all
the various ISPs that your clients may use when out on the road.

--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6



Re: using ISP's smtp servers [ In reply to ]
On 26-Oct-09, at 6:30 PM, Sloan, Jocelyn wrote:

> Gino, I do not understand what you are suggesting. Do you mean that I
> should open port 465 and/or 587 and direct it to my mail server?


In a sense yes. You'll need to direct one or both of those ports to
your server and set up the server to accept mail submissions to either
one or both of those ports. Port 587 is the more common port for this
though so you may only want/need to use that one.

All modern mail servers can accept mail submissions on port 587, some
mail servers can use port 465 as well. Your clients will need to
authenticate using their user names and passwords, which they should
be doing anyway.

Then, on the client side, you get your users to change the outgoing
mail server from port 25 to port 587 or 465, depending on how you've
configured your server. Then you don't have to worry about where they
connect from. They will always send their mail through your server. No
more worries about figuring out how to configure your SPF policy for
all those ISPs out there.

--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6

416-247-7740



Re: using ISP's smtp servers [ In reply to ]
On Mon, 26 Oct 2009 18:44:47 -0400 Gino Cerullo
<gcerullo@pixelpointstudios.com> wrote:
>On 26-Oct-09, at 6:30 PM, Sloan, Jocelyn wrote:
>
>> Gino, I do not understand what you are suggesting. Do you mean that I
>> should open port 465 and/or 587 and direct it to my mail server?
>
>
>In a sense yes. You'll need to direct one or both of those ports to
>your server and set up the server to accept mail submissions to either
>one or both of those ports. Port 587 is the more common port for this
>though so you may only want/need to use that one.
>
>All modern mail servers can accept mail submissions on port 587, some
>mail servers can use port 465 as well. Your clients will need to
>authenticate using their user names and passwords, which they should
>be doing anyway.
>
>Then, on the client side, you get your users to change the outgoing
>mail server from port 25 to port 587 or 465, depending on how you've
>configured your server. Then you don't have to worry about where they
>connect from. They will always send their mail through your server. No
>more worries about figuring out how to configure your SPF policy for
>all those ISPs out there.
>
This is really a current best practice and a generally good idea even independent of SPF.

Scott K


Re: using ISP's smtp servers [ In reply to ]
On 26-Oct-09, at 6:50 PM, Scott Kitterman wrote:

> This is really a current best practice and a generally good idea
> even independent of SPF.


I agree!

I would go so far as to say that in this day and age it should be the
default configuration of all mail servers and clients.


--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6

416-247-7740



Re: using ISP's smtp servers [ In reply to ]
At 21:48 26/10/2009 Monday, Sloan, Jocelyn wrote:
>Hello,
>
>
>
>I have ~200 users who use SMTP to send mail through my server.

they should not be doing so in this day and age they should be using submission instead
{esmtp on port 587 for authenticated outgoing mail submission}
port 25 smtp should only carry inbound mail to your users

> Most of my users send smtp mail via my mail server, and those generally work
>just fine. I would like to prevent spammers from sending messages on
>behalf of my company.
>
>
>
>For some of my users, their internet provider requires use of the ISP's
>smtp server for sending messages.

you'll find they usually do not.
they just do not allow users to connect to external mail servers on port 25
{to stop them sending direct to MX spam}
they usually place no restriction on valid client submission to submission servers on port 587
{so as Gino said this will fix your issue if you configure your server/users correctly}

{port 465 is/was a tls always on submission port used by some older tls broken clients, i have yet to see a user that needed it {but as both are available on all mta's i have seen it's a trivial issue to configure usually}}

> I have a list of the ISPs sending mail servers, so that I can help my users setup their email accounts. Here are a couple examples: [smtp.utma.com] and [pop.farg.qwest.net].

these are of limited use as these are their submission servers, often they are also the sending servers but for some large isp's they are different, for SPF's use you need the Ip's these servers will send mail from

>* How do I incorporate this information into my SPF record? I tried the
>wizard, but I'm not sure where to put the information.

I wouldn't use the wizard no

>* I understand that I should not list the ISP unless they have an spf
>record. How do I know whether the ISP has an SPF record?

you would ask them, as if they have an SPF record designed for customers to include within their SPF it is usually entirely unrelated to their own SPF record

like i provide these for my customers to use within their spf records
but i do not use these general ones myself for mail from my own domain

but aside from the changing to mail-submission {that will fix your spf issues}
but should be done because it is the only correct way to accept remote user submissions

it is a good mental exercise to show you how you can make per-user SPF records that allow you to add your users' ISPs' IPs to their SPF record only {rather than allowing all users to be forged via that ISP}

this would require you to have access to a dns server capable of holding wildcard dns records {such as bind}
if you have such a server I'll gladly walk you through it
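The per-user idea mentioned in the message above can be sketched as follows; this is an added example, not part of the original post, and the record layout (an `include:%{l}._spf.%{d}` macro plus a wildcard default) is one assumed design, with `example.org` and the IP ranges as placeholders. It also shows why the wildcard matters: without it, the include target for most users has no SPF record and evaluation ends in `permerror`.

```python
import ipaddress

# Constructed zone: example.org and the documentation IP ranges are placeholders.
ZONE = {
    "example.org": "v=spf1 ip4:192.0.2.25 include:%{l}._spf.%{d} -all",
    # alice may also send through her ISP's relays (assumed range)
    "alice._spf.example.org": "v=spf1 ip4:198.51.100.0/24 -all",
    # wildcard default for every user without an ISP exception
    "*._spf.example.org": "v=spf1 -all",
}

def lookup(name):
    """Exact name first, then the wildcard one label up, as a DNS server would."""
    if name in ZONE:
        return ZONE[name]
    _, _, parent = name.partition(".")
    return ZONE.get("*." + parent)

def check(ip, sender, domain=None):
    """Evaluate the subset of SPF used above: ip4, include, all, %{l}, %{d}."""
    local, _, sender_domain = sender.lower().rpartition("@")
    domain = domain or sender_domain
    record = lookup(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        result = "fail" if term.startswith("-") else "pass"
        mech = term.lstrip("+-").replace("%{l}", local).replace("%{d}", domain)
        if mech == "all":
            return result
        if mech.startswith("ip4:"):
            if ipaddress.ip_address(ip) in ipaddress.ip_network(mech[4:]):
                return result
        elif mech.startswith("include:"):
            inner = check(ip, sender, mech[8:])
            if inner in ("none", "permerror"):
                return "permerror"  # included name has no usable SPF record
            if inner == "pass":
                return result
    return "neutral"

if __name__ == "__main__":
    for ip, sender in [("192.0.2.25", "bob@example.org"),
                       ("198.51.100.7", "alice@example.org"),
                       ("198.51.100.7", "bob@example.org")]:
        print(ip, sender, check(ip, sender))
```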



RE: using ISP's smtp servers [ In reply to ]
Sloan, Jocelyn wrote on Tue, Oct 27 2009 at 12:01 pm:

> Thank you for the help everyone; I appreciate your insights and
> suggestions. I am not quite sure how to setup esmtp on my Exch2003
> server. If anyone knows a website with instructions, I'd be quite
> grateful.

http://support.microsoft.com/kb/823019

from
http://support.microsoft.com/search/default.aspx?mode=r&query=exchange+2003+smtp&spid=global&catalog=LCID%3D1033&1033comm=1&res=20

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- Carl Sagan as a child: "There must be HUNDREDS of 'em!"

~ Taglines by Taglinator: www.srtware.com ~


RE: using ISP's smtp servers [ In reply to ]
At 17:42 27/10/2009 Tuesday, Steve Yates wrote:
>Sloan, Jocelyn wrote on Tue, Oct 27 2009 at 12:01 pm:
>
>> Thank you for the help everyone; I appreciate your insights and
>> suggestions. I am not quite sure how to setup esmtp on my Exch2003
>> server. If anyone knows a website with instructions, I'd be quite
>> grateful.
>
>http://support.microsoft.com/kb/823019

yup that pretty much covers it, i would strongly recommend moving to tls {encryption} also {if not doing already}, and either self-signed or cacert/free cert

{BTW exchange only talks esmtp {extended smtp} on any port, {the extensions allow authentication to be possible}}
what you're wanting to setup is an esmtp-submission server on the correct port,
as opposed to combining esmtp-incoming and esmtp-submission functions on port 25 {like you were doing}

so what you are wanting to do is just add another [e]smtp connector that is bound to port 587 instead of port 25
then copy all the existing user authentication and relay settings from your port25 connector to your port587 connector
{as your port25 one is working for your users at the moment so its user auth and relay settings should work fine}
ensure your firewall allows users to connect to the new service
then after testing with one user, migrate all users to using 587

then remove authentication and relay from the options available on your port25 service {making it an incoming mail only listener}

also for any exchange setup I'd recommend ensuring you have backscatter dealt with also, feel free to look at the outdated but links are still good howto here http://www.alandoherty.net/info/mailservers/exchange/

and if any seems too much i can always assist via vnc/rdp or whatever {i personally prefer a server initiated {ultra}vnc connection as it requires you giving me 0 auth details and opening no incoming connections on your firewall, and thus me not being a suspect in any crackery later}



>from
>http://support.microsoft.com/search/default.aspx?mode=r&query=exchange+2003+smtp&spid=global&catalog=LCID%3D1033&1033comm=1&res=20
>
>-----
>SPF FAQ: http://www.openspf.org/FAQ
>Common mistakes: http://www.openspf.org/FAQ/Common_mistakes
>
> - Steve Yates
> - ITS, Inc.
> - Carl Sagan as a child: "There must be HUNDREDS of 'em!"
>
>~ Taglines by Taglinator: www.srtware.com ~
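A check for the end state of the migration described in the message above (port 587 for authenticated submission with TLS, port 25 inbound-only), as an added example that is not part of the original post. It audits the text of an EHLO reply; the sample replies and the host name `mail.example.org` are constructed.

```python
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Map each EHLO keyword to its parameters; line 1 is the greeting."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:
        # Some servers also advertise the legacy "AUTH=LOGIN" form.
        fields = line[4:].replace("=", " ", 1).split()
        if fields:
            caps.setdefault(fields[0].upper(), set()).update(
                f.upper() for f in fields[1:])
    return caps

def audit(port, reply):
    """Return findings for one listener, given its reply before any TLS."""
    caps = parse_ehlo(reply)
    auth, starttls = caps.get("AUTH"), "STARTTLS" in caps
    findings = []
    if port == 25 and auth is not None:
        findings.append("port 25 still offers AUTH; make it inbound-only")
    if port == 587:
        if not starttls:
            findings.append("port 587 does not offer STARTTLS")
        if auth is None and not starttls:
            findings.append("port 587 offers no way to authenticate")
        if auth and auth & PLAINTEXT_MECHS:
            findings.append("port 587 offers PLAIN/LOGIN before TLS")
    return findings

# Constructed sample replies (not captured from any real server).
BEFORE_25 = """250-mail.example.org Hello
250-SIZE 10240000
250-AUTH NTLM LOGIN
250-AUTH=LOGIN
250 OK"""
AFTER_25 = """250-mail.example.org Hello
250-SIZE 10240000
250-STARTTLS
250 OK"""
AFTER_587 = """250-mail.example.org Hello
250-STARTTLS
250 OK"""
WEAK_587 = """250-mail.example.org Hello
250-AUTH LOGIN
250 OK"""

if __name__ == "__main__":
    for port, reply in [(25, BEFORE_25), (25, AFTER_25),
                        (587, AFTER_587), (587, WEAK_587)]:
        print(port, audit(port, reply) or "ok")
```

A 587 listener that shows only STARTTLS before encryption is treated as fine here, since a server may hold back AUTH until the TLS session is up.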
>
>