Mailing List Archive

SPF on Sendmail MTA server
We intend to use SPF initially as a "whitelist" tool, but are interested in publishing our SPF records soon after implementation here.

We have one sendmail server with SPF set up. This server operates as an MTA, receiving mail from the internet, and transferring mail out as well.

Incoming connections can come from any IP address, which SPF should handle just fine. However, mail originating from the inside going out will always come from a 192.168.x.y address, and will contain our domain (srs.gov) in the sender's address. To me, this means I would need to publish an SPF record to include the 192.168.x.y address as a legit mail server address, just to allow our outbound email to pass. I'm afraid if I do that, it would be easy for someone to pick that 192.168 address out of DNS and use it to defeat SPF.

Am I missing something here?

Thanks!

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
Re: SPF on Sendmail MTA server
On Tue, Aug 10, 2004 at 10:22:23AM -0400, leonard.gray@srs.gov wrote:
> We intend to use SPF initially as a "whitelist" tool, but are interested
> in publishing our SPF records soon
> after implementation here.
>
> We have one sendmail server with SPF set up. This server operates as an
> MTA, receiving mail from the
> internet, and transferring mail out as well.
>
> Incoming connections can come from any IP address, which SPF should handle
> just fine. However, mail
> originating from the inside going out will always come from a 192.168.x.y
> address, and will contain our
> domain (srs.gov) in the sender's address. To me, this means I would need
> to publish an SPF record to include
> the 192.168.x.y address as a legit mail server address, just to allow our
> outbound email to pass. I'm afraid if
> I do that, it would be easy for someone to pick that 192.168 address out
> of DNS and use it to defeat SPF.
>
> Am I missing something here?

Hmm, to use 'security by obscurity' you can add a local policy, e.g. +ip4:192.168.0.0/16 to your spf implementation (how? depends on what sendmail spf implementation you are using). Some spf implementations also give you the option to add an explicit whitelist file..

If you want to be on the safe side, set up your firewall such that it will block any request coming in on the outside interface that comes from 192.168.0.0/16. This is common practice; failing to do so will give you more serious problems compared to bypassing of spf. You should do this anyway if you're not already doing so!!!

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

Re: SPF on Sendmail MTA server
Thanks, as that opened up another question for our firewall folks, but
maybe I missed my point (or just don't understand this as well as I
thought I did).

If I publish an SPF record in DNS for 192.168.0.0/16, wouldn't that allow
someone anywhere to fake an IP address of 192.168.2.3 and forge mail from
my domain? Wouldn't that cause SPF to "let it pass"?

I saw something in the sendmail-milter script (which we'll be using) that
indicated a "local trust domain", that almost looks like it would do what
I need, if I could understand how it works. It looks like you set up a
"new" domain, and tell the milter to trust mail from that domain?

If anyone understands this concept, please try to help enlighten me. I
may not be fast, but I'm certainly slow! :-)

Thanks!

Koen Martens <spf@metro.cx> wrote on 08/10/2004 10:39 AM:
[quoted reply snipped; it appears in full above]

Re: SPF on Sendmail MTA server
On Tue, Aug 10, 2004 at 02:52:10PM -0400, leonard.gray@srs.gov wrote:
> Thanks as that opened up another question for our firewall folks, but
> maybe I missed my point (or just don't understand this as well as I
> thought I did).
>
> If I publish an SPF record in DNS for 192.168.0.0/16, wouldn't that allow
> someone anywhere to fake an IP address of 192.168.2.3 and forge mail from
> my domain? Wouldn't that cause SPF to "let it pass"?

If you whitelist your LAN by saying 'everything from 192.168.0.0/16' is
allowed without putting it in the public DNS, you still have a problem
when someone fakes 192.168.2.3 ..
Only thing is, they won't know if you're actually using 192.168, but as
there are only three private IP spaces, it's an easy guess. Just hiding
the 192.168.0.0/16 is not enough. You really need to close your LAN for
traffic from outside having a source IP of 192.168.0.0/16.
That's why I called that 'security by obscurity'.

> I saw something in the sendmail-milter script (which we'll be using) that
> indicated a "local trust domain", that almost looks like it would do what
> I need, if I could understand how it works. It looks like you set up a
> "new" domain, and tell the milter to trust mail from that domain?
>
> If anyone understands this concept, please try to help enlighten me. I
> may not be fast, but I'm certainly slow! :-)

Yes, you can add a local policy like that. Put up a domain in your
_local_ dns, for example trusted.local.domain and set it to "v=spf1
+ip4:192.168.0.0/16 -all" ..

Now start the milter with the option -l, I did it like this:

/usr/bin/perl /usr/local/libexec/sendmail-milter-spf-1.40.pl -l 'include:trusted.local.domain' spf mx

It will now 'include' the local policy into its checks.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

RE: SPF on Sendmail MTA server
> > If I publish an SPF record in DNS for 192.168.0.0/16, wouldn't that
> > allow someone anywhere to fake an IP address of 192.168.2.3
> and forge
> > mail from my domain? Wouldn't that cause SPF to "let it pass"?
>
> If you whitelist your lan by saying 'everything from
> 192.168.0.0/16' is allowed without putting it in the public
> dns, you still have a problem when someone fakes 192.168.2.3 ..
> Only thing is, they won't know if you're actually using
> 192.168, but as there are only three private ip spaces, it's
> an easy guess. Just hiding the 192.168.0.0/16 is not enough.
> You really need to close your lan for traffic from outside
> having a source ip of 192.168.0.0/16.
> That's why i called that 'security by obscurity'.
>

I think the question being asked is "what if someone spoofs my IP and domain
name to send email to someone else."


Re: SPF on Sendmail MTA server
On 8/10/2004 10:22, leonard.gray@srs.gov wrote:

> We intend to use SPF initially as a "whitelist" tool, but are interested
> in publishing our SPF records soon
> after implementation here.

The important detail you left out is whether your private addresses
(192.168...) are sending mail directly to other internet hosts (this
would be bad) or if they are relaying through your mail server (the
probable case).

If it is "the probable case" you just need to put the address of your
mail server in your SPF record.

~Jason

--

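The two suggestions in this thread, Koen's local-only policy (a trusted.local.domain record pulled in with the milter's -l option) and Jason's point that relayed mail only needs the MTA's own address in the public record, worked through as an added example that is not code from the list or from sendmail-milter-spf. The "DNS" table, the MTA address 203.0.113.10 and the spoofer address 198.51.100.7 are constructed, and the assumption that the milter evaluates local-policy terms ahead of the published record's own terms is mine; check your milter's documentation.

```python
import ipaddress

# Constructed in-memory "DNS" (example data, not the real srs.gov record): the
# public record lists only the MTA's public address (a documentation-range
# placeholder), as Jason suggests; trusted.local.domain exists only in the
# internal resolver and carries Koen's LAN whitelist.
TXT = {
    "srs.gov": "v=spf1 ip4:203.0.113.10 -all",
    "trusted.local.domain": "v=spf1 +ip4:192.168.0.0/16 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_spf(ip, domain, txt, depth=0):
    """Minimal SPF evaluator: ip4, include and all, with qualifiers."""
    if depth > 10:
        return "permerror"  # include-loop guard
    record = txt.get(domain)
    if not (record or "").startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(ip, arg, txt, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanisms this toy does not implement
        if matched:
            return RESULT[qual]
    return "neutral"

def check_on_mta(ip, domain, local_policy="include:trusted.local.domain"):
    """Our MTA's inbound check with a local policy (milter -l); assumed (hypothetical) to run before the published terms."""
    published = TXT.get(domain, "v=spf1").split()[1:]
    merged = {**TXT, domain: " ".join(["v=spf1", local_policy] + published)}
    return check_spf(ip, domain, merged)

def check_remote(ip, domain):
    return check_spf(ip, domain, TXT)  # any other receiver: public record only

def reject_spoofed_private(ip, arrived_on_outside_interface):
    """Koen's firewall rule: an RFC 1918 source on the outside interface is
    spoofed and is dropped before SPF (and the local policy) is consulted."""
    return arrived_on_outside_interface and any(ipaddress.ip_address(ip) in n for n in RFC1918)
```

An internal 192.168.2.3 sender passes only on our own MTA through the local policy, while every other receiver judges srs.gov mail by the MTA's public address alone; a packet claiming 192.168.2.3 on the outside interface is dropped by the firewall rule before the local policy can be abused.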
Re: SPF on Sendmail MTA server
On Tue, Aug 10, 2004 at 08:23:18PM +0100, Mark Smith wrote:
> > If you whitelist your lan by saying 'everything from
> > 192.168.0.0/16' is allowed without putting it in the public
> > dns, you still have a problem when someone fakes 192.168.2.3 ..
> > Only thing is, they won't know if you're actually using
> > 192.168, but as there are only three private ip spaces, it's
> > an easy guess. Just hiding the 192.168.0.0/16 is not enough.
> > You really need to close your lan for traffic from outside
> > having a source ip of 192.168.0.0/16.
> > That's why i called that 'security by obscurity'.
> >
>
> I think the question being asked is "what if someone spoofs my IP and domain
> name to send email to someone else."

OK, I was under the impression he was particularly worried about
exposing his internal IPs. However, IP spoofing in general is a problem
for spf, yes. I don't believe it is that easy to accomplish though,
especially not for trojans and/or spammers.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/
