Solved

SPF setup

Posted on 2004-09-16
6
399 Views
Last Modified: 2010-04-20
Hi

Am I correct in believing that SPF is now the final and standard "Sender ID" method that will be used by most people? If so, I'd like to get some info on the configuration for my domains.

Currently all my domains have zone files that look typically like this:

----------------------------------------------------------------------
;
; Forward resolution zone file for a primary nameserver
;
$TTL 86400
@ IN  SOA          alpha.mydomain.com. me.mydomain.com. (
      2004042805   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum

              IN  NS     alpha.mydomain.com.
              IN  NS     beta.mydomain.com.

              IN  MX 10  alpha.mydomain.com.

              IN  A      999.999.999.999
ftp           IN  CNAME  alpha.mydomain.com.
mail          IN  CNAME  alpha.mydomain.com.
www           IN  CNAME  alpha.mydomain.com.

----------------------------------------------------------------


ie, this server is both the primary DNS AND www, ftp, mail etc host for most of my domains.

I won't have ANY "fancy" mail configurations, like relaying from other hosts etc. All my users (for all my virtual domains) use this server to send and receive e-mail, and they must authenticate before they can send.

Can someone show me, by means of adding the appropriate lines to the zone file above, how a zone file should look to "work" with SPF? Also, what do I need to do on my server to make sure that all e-mail received "complies" with SPF?


0
Question by:psimation
6 Comments
 
LVL 5

Expert Comment

by:Anonymouslemming
ID: 12074901
I'm not sure about the DNS side of things, but you will need to make changes to your MTA software if you want your server to block messages based on SPF. You don't mention what MTA you use, but there are documented HOWTOs for most of them.

Out of curiosity, how are you authing your users before they can send mail? POP-before-SMTP or SMTP AUTH?
0
 
LVL 17

Author Comment

by:psimation
ID: 12075106
Hi Anonymouslemming:

MTA = sendmail, and I use SMTP Auth

I read on sendmail.org that you need a milter?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 12075272
I hope that the sample above isn't what you have in the zone file since it is missing A records for alpha and beta and should look like:

$TTL 86400
@ IN  SOA          alpha.mydomain.com. me.mydomain.com. (
      2004042805   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum

              IN  NS     alpha.mydomain.com.
              IN  NS     beta.mydomain.com.

              IN  MX 10  alpha.mydomain.com.

              IN  A      999.999.999.998
alpha         IN  A      999.999.999.998
beta          IN  A      999.999.999.999
ftp           IN  CNAME  alpha.mydomain.com.
mail          IN  CNAME  alpha.mydomain.com.
www           IN  CNAME  alpha.mydomain.com.

Since you only have a single MX and since that points to your only mail server the SPF information could be "v=spf1 mx -all". Which means that you'd add a TXT record for the domain, like:

              IN  MX 10  alpha.mydomain.com.

              IN  A      999.999.999.998
              IN  TXT    "v=spf1 mx -all"
0
 
LVL 17

Author Comment

by:psimation
ID: 12075441
Hi Jim
Yes, you are right (as always), my example is of one of my virtual domains, and the zone file for the "real" domain (the FQDN of the server) looks exactly as you state.

So I can just add the IN TXT "v=spf1 mx -all" at the bottom of each of my zone files and restart named?

Are you also using SPF on your servers, or am I barking up the wrong tree (ie, is "this the way to go"  - I don't want to waste my time setting up SPF just to find out there is another "standard" that is actually the industry standard for checking sender id?)

Do you know what needs to be done on sendmail's side in order to also check incoming mail for SPF, and what are the implications of running it now for incoming mail while everyone might not yet be configured that way (will it refuse mail, quarantine it or still deliver)?


0
 
LVL 40

Accepted Solution

by:
jlevie earned 250 total points
ID: 12075925
> So I can just add the IN TXT "v=spf1 mx -all" at the bottom of each of my zone files

No, it must be added immediately after the A record for the domain, like I showed above.

I've started publishing the SPF data for sites, but I haven't yet started checking it at the sendmail level. It looks to me like SPF will be widely adopted as a measure of spam control, since it has reached RFC status. What I'll probably do initially is to bump the SpamAssassin score up for messages that don't have the SPF "seal of approval" and down for those that do.

I'm not so sure about M$'s SecureID. Unless they change the license agreement it doesn't look like any of the OpenSource advocates will use it. I saw that the Apache project has rejected it on the basis of the license and have heard that others intend to announce the same.

See http://spf.pobox.com/ for lots of information about SPF.
0
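To make concrete what the "v=spf1 mx -all" record published above actually does when a receiving MTA evaluates it, and what the asker's "will it refuse, quarantine or deliver" question turns on, here is a minimal SPF evaluator run against an in-memory DNS table. This is an added example, not code from the thread or from any sendmail milter; the domain names, the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses (documentation ranges) and the second "virtual.example" zone are constructed for the example. It implements only the mechanisms the thread's record needs (mx, a, ip4) plus the four "all" qualifiers, and shows the three outcomes a receiver has to distinguish: a forged sender against "-all" yields "fail", the same sender against "~all" yields only "softfail", and a domain that publishes no record at all yields "none", which is why a checker can be deployed while most domains are not yet configured.

```python
"""Minimal SPF (v=spf1) evaluator against a constructed, in-memory DNS table.

Added example, not code from the original thread. The zone data below is an
assumption that mirrors the discussion: "mydomain.com" has a single MX,
alpha.mydomain.com at 192.0.2.10, and publishes "v=spf1 mx -all".
"""
import ipaddress

# Constructed DNS data standing in for real lookups, so this runs offline.
DNS = {
    ("mydomain.com", "TXT"): ["v=spf1 mx -all"],
    ("mydomain.com", "MX"): ["alpha.mydomain.com"],
    ("mydomain.com", "A"): ["192.0.2.10"],
    ("alpha.mydomain.com", "A"): ["192.0.2.10"],
    ("beta.mydomain.com", "A"): ["192.0.2.11"],
    # A virtual domain on the same MX that publishes the softer "~all".
    ("virtual.example", "TXT"): ["v=spf1 mx ~all"],
    ("virtual.example", "MX"): ["alpha.mydomain.com"],
    # A domain that authorises a whole netblock with the ip4 mechanism.
    ("cidr.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
}

# Qualifier prefix -> SPF result; a bare mechanism is implicitly "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the (constructed) records of one type for a name, or []."""
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if absent.

    More than one v=spf1 record is an error for a real checker; here it is
    treated like "no usable record".
    """
    recs = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def matches(mechanism, ip, domain):
    """Does one mechanism (qualifier already stripped) match the client IP?"""
    name, _, arg = mechanism.partition(":")
    name = name.lower()
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return str(ip) in lookup(arg or domain, "A")
    if name == "mx":
        # Every A record of every MX host for the domain is an allowed sender.
        return any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
    raise ValueError("unsupported mechanism: " + mechanism)


def check_spf(domain, sender_ip):
    """Evaluate the domain's SPF record for the connecting IP.

    Returns pass / fail / softfail / neutral, or "none" when the domain
    publishes no record (the case a receiver meets while most of the
    Internet has not configured SPF yet).
    """
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:           # skip the "v=spf1" version tag
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if matches(mech, ip, domain):
            return QUALIFIERS[qualifier]      # first matching mechanism wins
    return "neutral"                          # record ended without an "all"


if __name__ == "__main__":
    cases = [
        ("mydomain.com", "192.0.2.10"),       # the real MX host: pass
        ("mydomain.com", "198.51.100.7"),     # forged sender, -all: fail
        ("virtual.example", "198.51.100.7"),  # forged sender, ~all: softfail
        ("cidr.example", "203.0.113.9"),      # inside the ip4 netblock: pass
        ("nospf.example", "198.51.100.7"),    # no TXT record published: none
    ]
    for dom, ip in cases:
        print(f"{dom:18} {ip:15} -> {check_spf(dom, ip)}")
```

The practical reading for the thread's setup: only "fail" is a verdict a receiver can reject on, "softfail" and "none" are what a SpamAssassin-style score adjustment is for, and "-all" is safe to publish here precisely because every legitimate message for these domains leaves through the single MX host.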
 
LVL 17

Author Comment

by:psimation
ID: 12077497
Thanks Jim

0
