
Re: Spf sendmail-milter

2004-06-16 00:25:31
On Tue, 2004-06-15 at 22:27, Nigel Kilner wrote:
> I am presently running the sendmail-milter script via the command line.
> I assume that the sendmail-milter is better run via the sendmail startup
> script with the following line:- ??
>
> $SPF_MILTER -l 'include:local-forwarders' mail
>
> What does local-forwarders mean?  I don't understand the explanation below;
> can someone put it in layman's terms please?
>
> 'where local-forwarders is the name of a 'pseudo-domain' holding an SPF
> record describing all hosts allowed to bypass SPF checks (typically,
> foreign hosts on which your users have set up .forwards pointing
> towards addresses hosted by you). If none of your users have set up
> any forwarding, you can leave this away'
>
> My F.Q.D.N. IS master.kilner-vacuum-lifting.com

This facility provides a workaround for people at your company that have
"forwarding addresses" set up to forward mail to their work address. For
instance, suppose Joe Bloggs <bloggs(_at_)kilner-vacuum-lifting(_dot_)com> has
set up an account at a forwarder like bigfoot.com, address
<joebloggs(_at_)bigfoot(_dot_)com> such that any mail sent to that address is
forwarded to <bloggs(_at_)kilner-vacuum-lifting(_dot_)com>. Suppose then that
somebody that has published SPF records for their own domain
<randomuser(_at_)example(_dot_)com> sends mail to
<joebloggs(_at_)bigfoot(_dot_)com>; this will get forwarded to your server,
which will reject the mail because bigfoot.com's servers are not listed as
authorized servers for the example.com domain.

The workaround involves setting up a DNS zone on the nameservers that
your mail server uses that has an SPF record allowing mail in from
servers that legitimately forward mail to your users in this way.

For example:

forwarders-to-kilner-vacuum-lifting.local. TXT "v=spf1
ip4:195.102.244.128/28"

and then start spf-milter with:

-l include:forwarders-to-kilner-vacuum-lifting.local

This would then make all mail from 195.102.244.128/28 (not the addresses
of bigfoot.com's servers, but you get the gist) get an SPF "pass".

If you think this is a useful facility, you'll probably find you can do
it more easily with spf-milter's whitelisting facility. There are things
you can do with the DNS server that you can't do with the whitelist
(e.g. per-user forwarding exceptions) but that's getting quite
complicated.

> Finally, when this is working, should I be able to detect/reject emails
> coming from forged addresses? And do I need any additional run options to do
> this?

SPF will only detect forgeries for domains that have published SPF
records, and where those forgeries don't come from the servers
authorized to send for the sender's domain. The forgeries will only be
rejected if the sender's SPF record uses "-all"; otherwise the mail will
be accepted and the Received-SPF: header will show a "neutral" or
"softfail" result.

Paul.
-- 
Paul Howarth <paul(_at_)city-fan(_dot_)org>
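The forwarder pseudo-domain and the pass/fail/softfail outcomes described in the reply above, worked through as an added example (my own code, not spf-milter's or the list's). It assumes a constructed TXT table in place of real DNS; the 192.0.2.0/24 and 198.51.100.7 addresses and the softfail.example domain are illustrative.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not real records).
TXT = {
    "forwarders-to-kilner-vacuum-lifting.local": "v=spf1 ip4:195.102.244.128/28",
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",       # strict: "-all"
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",  # lenient: "~all"
}

# Qualifier prefix -> SPF result when a mechanism matches.
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def eval_record(ip, record, depth=0):
    """Evaluate an SPF policy string for a client IP (ip4, include, all only)."""
    addr = ipaddress.ip_address(ip)
    for term in record.split():
        if term == "v=spf1":
            continue
        qual = "+"
        if term[0] in QUAL:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUAL[qual]
        name, _, arg = term.partition(":")
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUAL[qual]
        # include: matches only if the included domain yields "pass".
        if name == "include" and check_host(ip, arg, depth + 1) == "pass":
            return QUAL[qual]
    return "neutral"  # no mechanism matched and no explicit "all"


def check_host(ip, domain, depth=0):
    """Look up a domain's SPF record; 'none' if absent (or recursion too deep)."""
    record = TXT.get(domain)
    if depth > 10 or record is None or not record.startswith("v=spf1 "):
        return "none"
    return eval_record(ip, record, depth)


def milter_decision(client_ip, sender_domain,
                    local_policy="include:forwarders-to-kilner-vacuum-lifting.local"):
    """Mirror the -l option: a 'pass' on the local forwarder policy short-circuits
    the sender-domain check; only a 'fail' (i.e. '-all') from the sender's record
    causes a reject. Returns (action, spf_result)."""
    if eval_record(client_ip, local_policy) == "pass":
        return "accept", "pass"  # known forwarder: bypass the sender's SPF check
    result = check_host(client_ip, sender_domain)
    return ("reject" if result == "fail" else "accept"), result
```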