Solved

SPF setup

Posted on 2004-09-16
6
402 Views
Last Modified: 2010-04-20
HI

Am I correct in believeing that SPF is now the final and standard "Sender ID" method that will be used by most people? If so, I'd like to get some info on the configuration for my domains.

Currently all my domains have zone files that look typically like this:

----------------------------------------------------------------------
;
; Forward resolution zone file for a primary nameserver
;
$TTL 86400
@ IN  SOA          alpha.mydomain.com. me.mydomain.com. (
      2004042805   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum

              IN  NS     alpha.mydomain.com.
              IN  NS     beta.mydomain.com.

              IN  MX 10  alpha.mydomain.com.

              IN  A      999.999.999.999
ftp           IN  CNAME  alpha.mydomain.com.
mail          IN  CNAME  alpha.mydomain.com.
www           IN  CNAME  alpha.mydomain.com.

----------------------------------------------------------------


ie, this server is both the primary DNS AND www, ftp, mail etc host for most of my domains.

I won't have ANY "fancy" mail configurations, like relaying from other hosts etc. All my users (for all my virtual domains) use this server to send and receive e-mail, and they must authenticate before they can send.

Can someone show me by means of adding the appropriate lines to zone file above,  how a zone file should look to "work" with SPF, also, what do I need to do on my server to also make sure that all e-mail received "complies" with SPF.


0
Comment
Question by:psimation
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 5

Expert Comment

by:Anonymouslemming
ID: 12074901
I'm not sure about the DNS side of things, but you will need to make changes to your MTA software if you want your server to block messages based on SPF. You don't mention what MTA you use, but there are documented HOWTOs for most of them.

Out of curiosity, how are you authing your users before they can send mail ? pop before SMTP or SMTP auth ?
0
 
LVL 17

Author Comment

by:psimation
ID: 12075106
Hi Anonymouslemming:

MTA = sendmail, and I use SMTP Auth

I read on sendmail.org that you need a milter?
0
 
LVL 40

Expert Comment

by:jlevie
ID: 12075272
I hope that the sample above isn't what you have in the zone file since it is missing A records for alpha and beta and should look like:

$TTL 86400
@ IN  SOA          alpha.mydomain.com. me.mydomain.com. (
      2004042805   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum

              IN  NS     alpha.mydomain.com.
              IN  NS     beta.mydomain.com.

              IN  MX 10  alpha.mydomain.com.

              IN  A      999.999.999.998
alpha    IN  A      999.999.999.998
beta      IN  A      999.999.999.999
ftp           IN  CNAME  alpha.mydomain.com.
mail          IN  CNAME  alpha.mydomain.com.
www           IN  CNAME  alpha.mydomain.com.

Since you only have a single MX and since that points to your only mail server the SPF information could be "v=spf1 mx -all". Which means that you'd add a TXT record for the domain, like:

             IN  MX 10  alpha.mydomain.com.

              IN  A      999.999.999.998
              IN  TXT "v=spf1 mx -all"
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 17

Author Comment

by:psimation
ID: 12075441
HI Jim
Yes, you are right ( as always), my example is of one of my virtual domains, and the zone file for the "real" domain (the FQDN of the server) looks exactly as you state.

So I can just add the IN TXT "v=spf1 mx -all" at the bottom of each of my zone files and restart named?

Are you also using SPF on your servers, or am I barking up the wrong tree (ie, is "this the way to go"  - I don't want to waste my time setting up SPF just to find out there is another "standard" that is actually the industry standard for checking sender id?)

Do you know what needs to be done on sendmail's side in irder to also check incoming mail for SPF, and what are the implications of running it now for incoming mail while everyone might not yet be configured that way ( will it refuse mail, quarantine it or still deliver?)


0
 
LVL 40

Accepted Solution

by:
jlevie earned 250 total points
ID: 12075925
> So I can just add the IN TXT "v=spf1 mx -all" at the bottom of each of my zone files

No it must be added immediately after the A record for the domain, like I showed above.

I've started publishing the SPF data for sites, but I haven't yet started checking it at the sendmail level. It looks to me like SPF will be widely adopted as measure of spam control, since it has reached RFC status. What I'll probably do initially is to bump the SpamAssassin score up for messages that don't have the SPF 'seal of approval" and down for those that do.

I'm not so sure about M$'s SecureID. Unless they change the license agreement it doesn't look like any of the OpenSource advocates will use it. I saw that the Apache project has rejected it on the basis of the license and have heard that others intend to announce the same.

See http://spf.pobox.com/ for lots of information about SPF.
0
 
LVL 17

Author Comment

by:psimation
ID: 12077497
Thanks Jim

0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
how to configure linux OS using Ubuntu 7 69
expand ext4 on centos 6 5 56
Apache LDAP Authentication 20 55
RPM creation 6 23
Over the last ten+ years I have seen Linux configuration tools come and go. In the early days there was the tried-and-true, all-powerful linuxconf that many thought would remain the one and only Linux configuration tool until the end of times. Well,…
Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question