At 16:21 20/01/2010 Wednesday, Barry Say wrote:
Hi All,
I am new to this list having just been bitten by an SPF rejection problem on a
mail list I run.
Background. I am responsible for two hosting accounts on blackfoot.co.uk, who
are a domain hosting company (no broadband or dial-up). One account is PERSONAL
and the other I administer on behalf of an ORGANISATION. Blackfoot is rolling
out SPF checking for incoming mail and this is installed on the ORGANISATION
server but not on the PERSONAL server. I intend to publish SPF records for my
domains but there is a point I would like clarified before I do something
really stupid.
--------------------------------
Officers of the ORGANISATION have addresses such as
Chairman@organisation.org.uk. Some of the more adept
officers have multiple identities on their mailers so that they can send
mail as fred@isp.co.uk or
Chairman@organisation.org.uk. They can pick up mail by
IMAP or POP3 from the appropriate servers, but their mail will go out via
mail.isp.co.uk (or some similar service).
So if I publish SPF records for ORGANISATION and Fred sends a message using
his Chairman identity via mail.isp.co.uk, would that fail the SPF test?
I hope that makes sense
Barry
First, you have several options.
Second, no option has to cause failures {hardfail} EVER unless you
misconfigure something; all records can be set to return softfail or neutral
for non-pass.
The first option is less complicated but more vulnerable to selective forgery:
that is, to set up one SPF record for *@organisation
that lists all places that every address sends from as trusted.
Thus any user@org can pass SPF from any of the allowed ISPs {even
non-existent ones, and forgeries by other users of the same ISPs}.
The second option, if the users are not numerous, is slightly more complex but easier
to roll out/test,
and that's a per-address SPF record, so
user1@org will receive an SPF pass from only the ISPs user1 sends from,
user2@org will receive an SPF pass only when sending from user2's ISPs,
etc.
anything-else@org will receive an SPF fail {as the address doesn't exist,
thus it's a forgery}.
But with either of the above, everything can be much simplified if you
restructure your mail system to be slightly more compliant with standard practices
post-1998, by providing {as currently} POP/IMAP and additionally a 587
{authenticated SMTP submission} server,
so all users@org can directly send via the one ISP {the organisation's own
server}. I am unaware of any currently available mail server software that does
not have this facility as either default or optional extra.
{This alone would rid you of any need to worry about potential forgeries by
related {using the same ISP as one of your users} 3rd parties.}
I would still recommend the second option for SPF, as it does additionally
hardfail all non-existent users {obvious forgeries} if you decided to go with
neutral or softfail as the result for non-passing checks {to allow badly* set up
mail server users to receive non-SRS-forwarded mail, for example}.
*badly being ones providing no method for users to whitelist their
non-SRS forwarders' mail from SPF checking.
But without more detail about any of the setup I couldn't advise further, but as
always feel free to IM, phone, whatever to go through the options in detail.
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
-------------------------------------------