Outbound Relay and SPF
I just set up SPF, and this may be a FAQ, but I searched the archive,
and didn't find any info about this issue, so here goes:

I run my own mail server (sendmail), and have set up SPF for it:

reedtz.com. IN TXT "v=spf1 ip4:66.53.195.131 -all"

All MUAs/webmail on my network connect to smtp.reedtz.com
(66.53.195.131) and all mail goes out that way.

However, when using spfmilter, I get a 'fail' status when I send myself
a test message. The problem appears to be that spfmilter sees the
Received: line containing my SMTP connection from my MUA (66.53.195.135)
to my outbound relay (66.53.195.131) as the 'client IP' (or originating
host).

What should I do? I'd really rather not have to maintain SPF records for
all MUAs. Or is this simply how it works?

I could of course put my entire /28 in the SPF record, but I'd really
like to find out how to designate my outbound server as the only allowed
server, without getting rejected.

Any help is appreciated.

Thanks,
Per

--
Per Reedtz Thomsen | The Reedtz Corporation | F: 209 883 4119
V: 209 883 4102 | pthomsen@reedtz.com | C: 415 425 4025
GPG ID: 1209784F | Yahoo! Chat: pthomsen | AIM: pthomsen

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
Re: Outbound Relay and SPF
Hi,

This is a FAQ, but not one easily answered. Search the archives for
something like 'whitelist' or 'local policy'; you will find the answer
(it was asked just one or two weeks ago, IIRC). It all depends on your
implementation, but the proper solution is, I think, to whitelist your
other MTAs on your outbound relay, such that your outbound relay will
PASS mail from those servers.

I believe in the sendmail milter there is an option for a file named
'whitelist' in some predetermined directory, although I myself use the
local policy option:

/usr/bin/perl /usr/local/libexec/sendmail-milter-spf-1.40.pl -l
'include:trusted-forwarders' spf mx

where trusted-forwarders is a DNS entry with an SPF record that defines
my internal SMTP servers.

Sorry I can't be more specific, it's a bit late in my current space-time
frame atm.

Koen

On Tue, Jul 27, 2004 at 11:11:50AM -0700, Per Thomsen wrote:
> I just set up SPF, and this may be a FAQ, but I searched the archive,
> and didn't find any info about this issue, so here goes:
>
> I run my own mail server (sendmail), and have set up SPF for it:
>
> reedtz.com. IN TXT "v=spf1 ip4:66.53.195.131 -all"
>
> All MUAs/webmail on my network connect to smtp.reedtz.com
> (66.53.195.131) and all mail goes out that way.
>
> However, when using spfmilter, I get a 'fail' status when I send myself
> a test message. The problem appears to be that spfmilter sees the
> Received: line containing my SMTP connection from my MUA (66.53.195.135)
> to my outbound relay (66.53.195.131) as the 'client IP' (or originating
> host).
>
> What should I do? I'd really rather not have to maintain SPF records for
> all MUAs. Or is this simply how it works?
>
> I could of course put my entire /28 in the SPF record, but I'd really
> like to find out how to designate my outbound server as the only allowed
> server, without getting rejected.
>
> Any help is appreciated.
>
> Thanks,
> Per
>
> --
> Per Reedtz Thomsen | The Reedtz Corporation | F: 209 883 4119
> V: 209 883 4102 | pthomsen@reedtz.com | C: 415 425 4025
> GPG ID: 1209784F | Yahoo! Chat: pthomsen | AIM: pthomsen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: Outbound Relay and SPF
On 7/27/04 1:55 PM, Koen Martens wrote:

>Hi,
>
>This is a FAQ, but not one easily answered. Search the archives for
>something like 'whitelist' or 'local policy'; you will find the answer
>(it was asked just one or two weeks ago, IIRC). It all depends on your
>implementation, but the proper solution is, I think, to whitelist your
>other MTAs on your outbound relay, such that your outbound relay will
>PASS mail from those servers.
>
>I believe in the sendmail milter there is an option for a file named
>'whitelist' in some predetermined directory, although I myself use the
>local policy option:
>
>/usr/bin/perl /usr/local/libexec/sendmail-milter-spf-1.40.pl -l
>'include:trusted-forwarders' spf mx
>
>where trusted-forwarders is a DNS entry with an SPF record that defines
>my internal SMTP servers.
>
>Sorry I can't be more specific, it's a bit late in my current space-time
>frame atm.
>
>
I figured it out, for those of us that use spfmilter (not the perl stuff).

The spfmilter executable has an option '--localpolicy' (or '-l' for
short) which lets you apply a policy to local transactions (like when my
MUA is contacting my outbound relay). The value of the '--localpolicy'
option is simply another SPF record. I used "v=spf1 ip4:aa.bb.cc.dd/28
-all", and my outbound mail now passes.

On Linux (I installed the RPM) the file /etc/sysconfig/spfmilter holds
the options that you need to tweak. Mine looks like this now:

SPFMILTER_OPTIONS="--localpolicy \"v=spf1 ip4:aa.bb.cc.dd/28 -all\"
--markonly"

Note the '\' in front of the double quotes.

Hope this helps others.

Thanks,
Per


--
Per Reedtz Thomsen | The Reedtz Corporation | F: 209 883 4119
V: 209 883 4102 | pthomsen@reedtz.com | C: 415 425 4025
GPG ID: 1209784F | Yahoo! Chat: pthomsen | AIM: pthomsen

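Both answers in this thread come down to the same mechanism: the published record for reedtz.com stays as tight as Per wants it (only the outbound relay may send for the domain), while the relay itself applies a receiver-side local policy so that submissions from its own MUAs are not rejected. The following Python is an added example, not code from the thread, from spfmilter, or from the Perl milter Koen mentions. It implements a small subset of SPF evaluation (ip4, include, all with the four qualifiers) and models local policy the way this example assumes spfmilter and Mail::SPF::Query do, by inserting the local-policy mechanisms immediately before the record's terminal `all`. DNS is a constructed in-memory table; `trusted-forwarders.example` is a hypothetical zone standing in for Koen's `include:trusted-forwarders`, and 203.0.113.7 is a constructed outside address.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (example data, not live records).
# reedtz.com carries the record published in the thread; the second zone is a
# hypothetical name playing the role of Koen's 'trusted-forwarders' include.
DNS_TXT = {
    "reedtz.com": "v=spf1 ip4:66.53.195.131 -all",
    "trusted-forwarders.example": "v=spf1 ip4:66.53.195.128/28 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10


def parse_record(record):
    """Split an SPF record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record: %r" % record)
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms


def mechanism_matches(name, arg, client_ip, depth):
    """True if the client IP matches one mechanism (subset: ip4, include, all)."""
    if name == "all":
        return True
    if name == "ip4":
        return client_ip in ipaddress.ip_network(arg, strict=False)
    if name == "include":
        # include matches only when the referenced record evaluates to pass;
        # every other result is treated as 'no match' in this simplified model.
        return evaluate(str(client_ip), DNS_TXT[arg], depth=depth + 1) == "pass"
    raise ValueError("unsupported mechanism: %s" % name)


def evaluate(client_ip, record, depth=0, local_policy=None):
    """Evaluate an SPF record against the SMTP client IP, optionally with a
    receiver-side local policy whose mechanisms are inserted just before the
    record's terminal 'all' (the local-policy model assumed by this example)."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    mechanisms = parse_record(record)
    if local_policy:
        # The local policy's own 'all' is dropped; the published record decides
        # the default for everything the local policy does not whitelist.
        extra = [m for m in parse_record(local_policy) if m[1] != "all"]
        cut = next((i for i, m in enumerate(mechanisms) if m[1] == "all"),
                   len(mechanisms))
        mechanisms = mechanisms[:cut] + extra + mechanisms[cut:]
    for qualifier, name, arg in mechanisms:
        if mechanism_matches(name, arg, ip, depth):
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched


def demo():
    """Reproduce the thread's situation: MUA 66.53.195.135 submitting through
    relay 66.53.195.131, with and without a local policy on the relay."""
    published = DNS_TXT["reedtz.com"]
    mua, relay, outsider = "66.53.195.135", "66.53.195.131", "203.0.113.7"
    subnet_policy = "v=spf1 ip4:66.53.195.128/28 -all"           # Per's --localpolicy form
    include_policy = "v=spf1 include:trusted-forwarders.example"  # Koen's include form
    return {
        "relay_no_policy": evaluate(relay, published),
        "mua_no_policy": evaluate(mua, published),
        "mua_subnet_policy": evaluate(mua, published, local_policy=subnet_policy),
        "mua_include_policy": evaluate(mua, published, local_policy=include_policy),
        "outsider_subnet_policy": evaluate(outsider, published, local_policy=subnet_policy),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-24s %s" % (check, result))
```

The two policy forms produce the same result for the MUA: without local policy the submission from 66.53.195.135 hits `-all` and fails, exactly the symptom Per reported; with either the /28 policy or the include policy it passes, while a host outside the /28 still fails. Only the relay applying the local policy sees this widening; every other receiver keeps evaluating the unchanged published record, which is why this is preferable to putting the whole /28 into the public TXT record.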