Posted to users@spamassassin.apache.org by Bijayant <bi...@yahoo.com> on 2008/12/30 12:44:09 UTC

Implementing SPF

Hi,

I am a newbie, so please excuse me if it's a very silly question. I have been
searching the forums and Internet about my query but could not find a
satisfactory answer. I am using Postfix+amavisd-new+spam-assassin on my mail
server. We get many spam mails from our own emails. Then we came to know
that SPF can prevent this. I want to implement this but do not know how to
do this. We have created the SPF records for our domains and are about to put
them in to DNS.
But I have some confusion. I want to give some sa-score based on the SPF
check.
For this, 1) does Postfix also have to be configured to support SPF or insert
some headers, or can spam-assassin alone be used?
2) If yes, then what?
3) If not, then how will the headers be inserted regarding SPF checks?

Please suggest how to proceed or some docs/links pointing in the right
direction.
-- 
View this message in context: http://www.nabble.com/Implementing-SPF-tp21216090p21216090.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Implementing SPF

Posted by ram <ra...@netcore.co.in>.
On Tue, 2008-12-30 at 21:30 -0800, Bijayant wrote:
> From all the discussions and reading all the replies in this thread I have
> understood many things like
> 1) We use smtp-auth for sending the mails. So, I can reject all mails which
> are not generating from my mail server, right? This will be a good tactics.
> Now the SPF parts,
> 2) If the SPF records is configured in DNS, then we do not have to do any
> additional configuration in Postfix and spamassassin. We can create the Meta
> rules in local.cf to increase/decrease the score, right?

No need for a meta rule. You can redefine the score in local.cf and that
will override the default.


> 3) Gmail adds a header like "Received-SPF: fail/pass/neutral". I think MTA
> is adding this header. How this type of headers can be added? 
> 
> 

Try a Google search, or ask on the MTA mailing list. That is off-topic
here.



Thanks
Ram


BTW: I see multiple copies of any post you make to the list. I am not sure
why, anyway.



Re: Implementing SPF

Posted by Bijayant <bi...@yahoo.com>.
From all the discussions and reading all the replies in this thread I have
understood many things like
1) We use smtp-auth for sending the mails. So, I can reject all mails which
are not generated from my mail server, right? This will be a good tactic.
Now the SPF parts,
2) If the SPF record is configured in DNS, then we do not have to do any
additional configuration in Postfix and spamassassin. We can create the meta
rules in local.cf to increase/decrease the score, right?
3) Gmail adds a header like "Received-SPF: fail/pass/neutral". I think the MTA
is adding this header. How can this type of header be added?



-- 
View this message in context: http://www.nabble.com/Implementing-SPF-tp21216090p21227529.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Implementing SPF

Posted by Martin Gregorie <ma...@gregorie.org>.
On Sun, 2009-01-04 at 21:51 -0800, Bijayant wrote:

> 2) What should I do to whitelist the senders because, if I will whitelist
> the senders then it will not check for the Spam and the mail will passed
> without the spam TAG.
> 
I have a database containing an automatically built list of everybody
I've sent mail to that I use as an automatic whitelist.

I created a plugin by modifying the SentOutDB.pm plugin I found at
http://whatever.frukt.org/ - you may not need to do this, but I had to
since that's a MySQL plugin and I run PostgreSQL.

That's used in the following rule set:

describe MA_WHITELIST Mail Archive holds mail sent to this sender
header   __MA_WL1     eval:MAwhitelist_reply()
header   __MA_WL2     From =~ /\@mydomain\.com/i
header   __MA_WL3     From =~ /myself\@users\.sourceforge\.net/i
meta     MA_WHITELIST (__MA_WL1 && (__MA_WL2==0 && __MA_WL3==0))
score    MA_WHITELIST  -50.0

where 'mydomain' is my domain name and 'myself' is my login at
sourceforge. The subrules __MA_WL2 and __MA_WL3 are used to prevent
messages with myself as a forged sender being whitelisted. 

'mydomain' appears as a sender as a result of test messages I've sent
and source forge appears as the inevitable result of sending messages to
other project owners. This is a straight-forward if simple-minded
solution to the 'self-as-forged-sender' problem. 

As the whitelist is simply a data base view a better solution would be
to add a 'self' flag to the address list and exclude addresses that
carry it from the whitelist view. That is on my enhancements list: apart
from this issue this whitelisting scheme works well.


Martin



Re: Implementing SPF

Posted by Bijayant <bi...@yahoo.com>.


Benny Pedersen wrote:
> 
> 
> On Wed, December 31, 2008 06:29, Bijayant wrote:
>>
>> From all the discussions and reading all the replies in this thread
>> I have understood many things like
>> 1) We use smtp-auth for sending the mails. So, I can reject all
>> mails which are not generating from my mail server,
> 
> reject sender domains which do not auth and are local
> 
>> right? This will be a good tactics.
> 
> yes
> 
> Slightly offtopic, but when I tried this I am getting the Bounce message
> because the email-id is local and valid. Perhaps I need to do more R & D.
> 
>> Now the SPF parts,
>> 2) If the SPF records is configured in DNS, then we do not have to
>> do any additional configuration in Postfix and spamassassin.
> 
> in postfix no change
> 
> in spamassassin:
> 
> i use the below php code that dumps squirrelmail address book to
> whitelist_auth
> 
> <?php
> 
>     include_once('./conf.inc.php');
> 
>     // mysqli replaces the mysql_* functions, which were removed in PHP 7
>     $db = mysqli_connect($HostName, $UserNameSQ, $PassWordSQ, $DataBaseSQ); // or die ('connect error');
> 
>     // CREATE TABLE `address` (
>     //  `owner` varchar(255) NOT NULL,
>     //  `nickname` varchar(255) NOT NULL,
>     //  `firstname` varchar(255) NOT NULL,
>     //  `lastname` varchar(255) NOT NULL,
>     //  `email` varchar(255) NOT NULL,
>     //  `label` varchar(255) NOT NULL
>     // ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='squirrelmail address book';
> 
>     // `owner` in backticks: quoted as 'owner' it is a string literal and sorts nothing
>     $query = "SELECT email FROM address ORDER BY `owner` ASC";
>     $handle = mysqli_query($db, $query); // or die(mysqli_error($db));
>     while ($row = mysqli_fetch_row($handle)) {
>         // skip anything that is not a plain address, so a stored value
>         // cannot carry whitespace or newlines into the generated .cf file
>         if (filter_var($row[0], FILTER_VALIDATE_EMAIL) === false) {
>             continue;
>         }
>         print "whitelist_auth $row[0]\n";
>     }
> ?>
> 
> cron the above so it's part of the sa-update
> 
> php whitelist_auth_from_squirrelmail.php > /path/to/local.cf/00_local_whitelist_auth.cf
> 
>> We can create the Meta
> 
> don't mess it more
> 
>> rules in local.cf to increase/decrease the score, right?
> 
> no, whitelist trusted senders that are known in local via spf pass
> and/or dkim
> 
>> 3) Gmail adds a header like "Received-SPF: fail/pass/neutral".
> 
> ignore that header it can be faked!
> 
>> I think MTA is adding this header.
> 
> no, it's a python spf checker
> 
>> How this type of headers can be added?
> 
> spamassassin has its own spf checker, don't use another
> 
> 
> to rule maintainers: can we change default scores for whitelist_from
> now ?
> 
> -- 
> Benny Pedersen
> Need more webspace ? http://www.servage.net/?coupon=cust37098
> 
> 

Thanks, now it's getting clearer to me that I have to make changes in SA
only. I tried to simulate the scenario for SPF and found that SA added one
test like "X-Spam-Status: SPF_NEUTRAL=1.069". When I grepped for this with
grep -ilr "SPF_NEUTRAL" /etc/mail/spamassassin/*, I found nothing.
1) So, how could I start to increase/decrease the scores based on SPF results?

2) What should I do to whitelist the senders, because if I whitelist
the senders then it will not check for spam and the mail will be passed
without the spam TAG.

Please advise; I am also searching Google and reading more about SA.

Happy New Year !!!
-- 
View this message in context: http://www.nabble.com/Implementing-SPF-tp21216090p21285944.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Implementing SPF

Posted by Benny Pedersen <me...@junc.org>.
On Wed, December 31, 2008 06:29, Bijayant wrote:
>
> From all the discussions and reading all the replies in this thread
> I have understood many things like
> 1) We use smtp-auth for sending the mails. So, I can reject all
> mails which are not generating from my mail server,

reject sender domains which do not auth and are local

> right? This will be a good tactics.

yes

> Now the SPF parts,
> 2) If the SPF records is configured in DNS, then we do not have to
> do any additional configuration in Postfix and spamassassin.

in postfix no change

in spamassassin:

i use the below php code that dumps squirrelmail address book to
whitelist_auth

<?php

    include_once('./conf.inc.php');

    // mysqli replaces the mysql_* functions, which were removed in PHP 7
    $db = mysqli_connect($HostName, $UserNameSQ, $PassWordSQ, $DataBaseSQ); // or die ('connect error');

    // CREATE TABLE `address` (
    //  `owner` varchar(255) NOT NULL,
    //  `nickname` varchar(255) NOT NULL,
    //  `firstname` varchar(255) NOT NULL,
    //  `lastname` varchar(255) NOT NULL,
    //  `email` varchar(255) NOT NULL,
    //  `label` varchar(255) NOT NULL
    // ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='squirrelmail address book';

    // `owner` in backticks: quoted as 'owner' it is a string literal and sorts nothing
    $query = "SELECT email FROM address ORDER BY `owner` ASC";
    $handle = mysqli_query($db, $query); // or die(mysqli_error($db));
    while ($row = mysqli_fetch_row($handle)) {
        // skip anything that is not a plain address, so a stored value
        // cannot carry whitespace or newlines into the generated .cf file
        if (filter_var($row[0], FILTER_VALIDATE_EMAIL) === false) {
            continue;
        }
        print "whitelist_auth $row[0]\n";
    }
?>

cron the above so it's part of the sa-update

php whitelist_auth_from_squirrelmail.php > /path/to/local.cf/00_local_whitelist_auth.cf

> We can create the Meta

don't mess it more

> rules in local.cf to increase/decrease the score, right?

no, whitelist trusted senders that are known in local via spf pass
and/or dkim

> 3) Gmail adds a header like "Received-SPF: fail/pass/neutral".

ignore that header it can be faked!

> I think MTA is adding this header.

no, it's a python spf checker

> How this type of headers can be added?

spamassassin has its own spf checker, don't use another


to rule maintainers: can we change default scores for whitelist_from
now ?

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: Implementing SPF

Posted by Bijayant <bi...@yahoo.com>.


Bijayant wrote:
> 
> From all the discussions and reading all the replies in this thread I have
> understood many things like
> 1) We use smtp-auth for sending the mails. So, I can reject all mails
> which are not generating from my mail server, right? This will be a good
> tactics.
> Now the SPF parts,
> 2) If the SPF records is configured in DNS, then we do not have to do any
> additional configuration in Postfix and spamassassin. We can create the
> Meta rules in local.cf to increase/decrease the score, right?
> 3) Gmail adds a header like "Received-SPF: fail/pass/neutral". I think MTA
> is adding this header. How this type of headers can be added? 
> 
> Sorry for replying to my own message, but I tried option 1 and found that
> I am getting an undelivered notification because it was destined to my
> email-id. Any comments?
> 
> 

-- 
View this message in context: http://www.nabble.com/Implementing-SPF-tp21216090p21228928.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Implementing SPF

Posted by Bijayant <bi...@yahoo.com>.
From all the discussions and reading all the replies in this thread I have
understood many things like
1) We use smtp-auth for sending the mails. So, I can reject all mails which
are not generated from my mail server, right? This will be a good tactic.
Now the SPF parts,
2) If the SPF record is configured in DNS, then we do not have to do any
additional configuration in Postfix and spamassassin. We can create the meta
rules in local.cf to increase/decrease the score, right?
3) Gmail adds a header like "Received-SPF: fail/pass/neutral". I think the MTA
is adding this header. How can this type of header be added?



-- 
View this message in context: http://www.nabble.com/Implementing-SPF-tp21216090p21227527.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Implementing SPF

Posted by Martin Gregorie <ma...@gregorie.org>.
On Tue, 2008-12-30 at 15:36 +0100, Arvid Ephraim Picciani wrote:
> On Tuesday 30 December 2008 12:44:09 Bijayant wrote:
> > Hi,
> >
> > I am a newbie so please excuse me if its a very silly question. I have been
> > searching the forums and Internet about my query but could not found
> > satisfactory answer. I am using Postfix+amavisd-new+spam-assassin on my
> > mail server.  We get many spam mails from our own emails. Then we came to
> > know that SPF can prevent this. I want to implement this but do not know
> > how to do this. We have created the SPF records for our domains and about
> > to put in to DNS.
> > But I have a some confusion. I want to give some sa-score based on spf
> > check.
> > For this, 1) does postfix has to be also configured to support SPF or
> > insert some headers or spam-assassin alone can be used?
> 
> no.  SPF  will  be checked against the last host outside your trusted path. 
> the defaults  should be perfectly fine for a simple setup were you only have 
> one.
> 
Here's a description of what SPF is and what it's meant to do:
http://www.openspf.org/

As others have said, SA can check incoming messages against the alleged
sender's domain to see if that's where the message really came from
provided the SPF plugin is installed and enabled.

Most modern MTAs can also use SPF records to see if undeliverable mail
has a forged sender address. If so, they won't send a rejection slip
since that would go to the wrong place. Such rejection slips are known
as 'backscatter' and are a real annoyance, so be kind to other mail
users and set up an SPF record for your domain. There are wizards and
test tools to help you create a valid record here:
http://www.kitterman.com/spf/validate.html

 
Martin


Re: Implementing SPF

Posted by Arvid Ephraim Picciani <ae...@asgaartech.com>.
On Tuesday 30 December 2008 12:44:09 Bijayant wrote:
> Hi,
>
> I am a newbie so please excuse me if its a very silly question. I have been
> searching the forums and Internet about my query but could not found
> satisfactory answer. I am using Postfix+amavisd-new+spam-assassin on my
> mail server.  We get many spam mails from our own emails. Then we came to
> know that SPF can prevent this. I want to implement this but do not know
> how to do this. We have created the SPF records for our domains and about
> to put in to DNS.
> But I have a some confusion. I want to give some sa-score based on spf
> check.
> For this, 1) does postfix has to be also configured to support SPF or
> insert some headers or spam-assassin alone can be used?

no. SPF will be checked against the last host outside your trusted path.
the defaults should be perfectly fine for a simple setup where you only have
one.

> 2) If yes then what?
> 3) If not then, How the headers will be inserted regarding SPF checks?

what kind of headers are you talking about?  SPF!=domainkey
SPF is a very simple (read stupid) method that basically just gives you a
list of hosts that send email for a specific domain. the required info for
verification is:

- who is the sender? (that's in the Sender field)
- what's the SPF for the sender's domain (sa will grab it itself if you didn't
disable network tests)
- what's the last machine that it passed through before ending in your network
  (that's the trusted path and the received headers inserted by your postfix.
should be there by default.)

>
> Please suggest me how to proceed or some doc/links pointing in to right
> direction.

if you already know how to assemble an SPF record, you should be set. if sa
doesn't score, check if you have Mail::SPF::Query installed.

-- 
best regards
Arvid Ephraim Picciani
Asgaard Technologies 
--
The software engineer tribe.



Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by mouss <mo...@netoyen.net>.
Bijayant wrote:
>>
>> It means that if the mails are not SPAM it will not add the headers or it
>> will not check for SPF.

it will always add SPF headers when appropriate. this has nothing to do
with the fact that the message is spam or not.

The message that I am replying to has:

X-Spam-Status: No, score=-5.489 required=5 tests=[..., SPF_PASS=-0.001,
	...


Please run through -D as suggested before.

Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by Bijayant <bi...@yahoo.com>.


mouss-2 wrote:
> 
> Bijayant wrote:
>> Thanks, but I do not want to reject those mails.
> 
> you can replace "REJECT" with "PREPEND X-Suspected: blah blah" and use
> this in an SA rule.  but it looks like you really want SPF ;-p
> 
>> I want only some scores to be added if it fails the SPF test.
>> So, should I have to configure postfix
> 
> If it's for SPF scoring, then you don't need to touch postfix.
> 
>> also for this settings.
> 
> SA already has SPF rules. so first make sure that it hits the spam you
> are talking about.
> 
> 
> then create a meta rule that combines SPF fail _and_ the fact that the
> sender is in your domain. (don't simply increase the scores of the SPF
> test).
> 
> It means that if the mails are not SPAM it will not add the headers or it
> will not check for SPF.
> 

-- 
View this message in context: http://www.nabble.com/Implementing-SPF-tp21216090p21216953.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by mouss <mo...@netoyen.net>.
Bijayant wrote:
> Thanks, but I do not want to reject those mails.

you can replace "REJECT" with "PREPEND X-Suspected: blah blah" and use
this in an SA rule.  but it looks like you really want SPF ;-p

> I want only some scores to be added if it fails the SPF test.
> So, should I have to configure postfix

If it's for SPF scoring, then you don't need to touch postfix.

> also for this settings.

SA already has SPF rules. so first make sure that it hits the spam you
are talking about.

then create a meta rule that combines SPF fail _and_ the fact that the
sender is in your domain. (don't simply increase the scores of the SPF
test).
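
The two approaches discussed in this thread, as they would look in local.cf: the plain score override ram describes and the meta rule mouss recommends above. This is an added example, not configuration posted by anyone in the thread; example.com, the LOCAL_* rule names and all score values are assumptions, while SPF_FAIL and SPF_SOFTFAIL are the stock rules provided by SpamAssassin's SPF plugin.

```conf
# /etc/mail/spamassassin/local.cf  (added example; adjust names and scores)

# Option A (score override): changes the stock score for every domain whose
# mail fails SPF, including forwarded third-party mail. Shown commented out.
# score  SPF_FAIL      2.0
# score  SPF_SOFTFAIL  1.0

# Option B (meta rule): leave the stock scores alone and score only the
# combination "SPF did not pass AND the envelope sender claims our domain".
# example.com is a placeholder for the local domain.
# EnvelopeFrom is SpamAssassin's pseudo-header for the SMTP MAIL FROM address,
# which is the identity the SPF check is made against.
header    __LOCAL_ENVFROM_OWN       EnvelopeFrom =~ /\@example\.com$/i

meta      LOCAL_SPOOFED_OWN_DOMAIN  (__LOCAL_ENVFROM_OWN && (SPF_FAIL || SPF_SOFTFAIL))
describe  LOCAL_SPOOFED_OWN_DOMAIN  Envelope sender in our domain but SPF failed
score     LOCAL_SPOOFED_OWN_DOMAIN  4.0

# Check the syntax, then confirm the SPF rules fire on a saved sample message:
#   spamassassin --lint
#   spamassassin -D spf < sample-message.eml
```

The stock SPF rules are not defined under /etc/mail/spamassassin, which holds only site-local settings, so they can be referenced here without being declared.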

Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by mouss <mo...@netoyen.net>.
Kai Schaetzl wrote:
>> good planning is
>> needed
> 
> This is a platitude. 

In theory, yes. In practice, not always...

> And I don't mean that rude.
> 
> Kai
> 


Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by Kai Schaetzl <ma...@conactive.com>.
> good planning is
> needed

This is a platitude. And I don't mean that rude.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by mouss <mo...@netoyen.net>.
Kai Schaetzl wrote:
> Mouss wrote on Tue, 30 Dec 2008 19:01:12 +0100:
> 
>> the problem is
> 
> Frankly, problems are there to be overcome. It depends on what is more 
> painful, the current implementation or the way to change it.
> 

I am not saying one shouldn't do it. just saying that good planning is
needed (yes, as for any serious task).

the university of Strasbourg (French university, 50K users) have
migrated to "submission" this year. the project started in Jan and on 30
September, (outbound) port 25 was closed. (since many people were
involved, planning and communication tasks took time and resources...).


Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by Kai Schaetzl <ma...@conactive.com>.
Mouss wrote on Tue, 30 Dec 2008 19:01:12 +0100:

> the problem is

Frankly, problems are there to be overcome. It depends on what is more 
painful, the current implementation or the way to change it.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by mouss <mo...@netoyen.net>.
Kai Schaetzl wrote:
> Ram wrote on Tue, 30 Dec 2008 19:32:16 +0530:
> 
>> "I always used my Outlook
> 
> and Outlook always supported SMTP AUTH. Even grandgrandmothers can use it. 
> It's a standard procedure. So, please stop exaggerating.
> 

the problem is that users have long forgotten, how they configured it.
or maybe it was configured by an admin when they were hired (long ago)...

>> And Worse,  there are still some archaic smtp relay servers in use  that
>> dont support smtp-auth!!. Can you get them all to upgrade at once ??
> 
> how does that matter here?
> 

well, in a large site, migrating to SASL/TLS submission does take time
and resources. not only for implementation, but also for planning,
communication, documentation, ... and waiting for different groups to do
their part of work.

if some people are using programs/scripts to submit mail, you need to
collect this info (yes, "they" never told you about it!).

In some places, you can go for the "scream test" (*), but it is not
always possible...

(*) if you don't know who uses a service, you could ask, but you won't
get an answer (people are too busy to reply, have forgotten, or ignore
your mail). instead, stop the service and wait! someone will scream "it
doesn't work...". now you know ;-p [use with caution, and at your own
risks]. if you feel in trouble, simply claim that the last windows
update was broken and that you downloaded a fix for that ("not running
windows" you say? well, you should always have a windows box be it just
for this excuse ;-p)



Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by Kai Schaetzl <ma...@conactive.com>.
Ram wrote on Tue, 30 Dec 2008 19:32:16 +0530:

> "I always used my Outlook

and Outlook always supported SMTP AUTH. Even grandgrandmothers can use it. 
It's a standard procedure. So, please stop exaggerating.

> And Worse,  there are still some archaic smtp relay servers in use  that
> dont support smtp-auth!!. Can you get them all to upgrade at once ??

how does that matter here?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Tue, 2008-12-30 at 13:38 +0000, Ned Slider wrote:
> > Restrict $mynetworks to only allow 127.0.0.0/8 so anyone *not* on 
> > localhost *has* to authenticate.

On 30.12.08 19:32, ram wrote:
>   And what if your Boss ( or your client ) yells at you , "How dare my
> mails get rejected at your server ?". 

configure his mail client properly.

> And Worse,  there are still some archaic smtp relay servers in use  that
> dont support smtp-auth!!. Can you get them all to upgrade at once ?? 

is that your server that does not support smtp auth? It's the only one you
need to care about.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod

Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by ram <ra...@netcore.co.in>.
On Tue, 2008-12-30 at 13:38 +0000, Ned Slider wrote:
> ram wrote:
> > On Tue, 2008-12-30 at 04:11 -0800, Bijayant wrote:
> >> Thanks, but I do not want to reject those mails. 
> > Why not? 
> 
> I agree - this is by far the simplest method of tackling this problem. 
> SPF is meant as a mechanism for *others* to block mail spoofed from your 
> domain.
> 
> >   The only reason I see is that legitimate senders also send to the same
> > mail server. Get them to use smtp-auth and send the messages. 
> > (I know its easier said than done ) 
> > 
> 
> What's not easy, implementing smtp-auth or forcing users to use it?
> 
> Seems easy to me:
> 
> Implementing:
> 
> http://www.postfix.org/SASL_README.html#server_sasl
> http://wiki.centos.org/HowTos/postfix_sasl
> 
> Forcing users to use it:
> 
> Restrict $mynetworks to only allow 127.0.0.0/8 so anyone *not* on 
> localhost *has* to authenticate.
> 
  

  And what if your boss (or your client) yells at you, "How dare my
mails get rejected at your server?"
Dealing with technology is very easy, not the same for people.

The typical response I will get in such a situation is

"I always used my Outlook to send mails and now this stopped working. So
it is *your* fault and *you* have to fix it"


And worse, there are still some archaic SMTP relay servers in use that
don't support smtp-auth!! Can you get them all to upgrade at once??

We have done all this and know it is a pain. Getting those important
IPs, writing special rules in postfix to allow them, etc. etc. ...



Thanks
Ram

Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by Ned Slider <ne...@unixmail.co.uk>.
ram wrote:
> On Tue, 2008-12-30 at 04:11 -0800, Bijayant wrote:
>> Thanks, but I do not want to reject those mails. 
> Why not? 

I agree - this is by far the simplest method of tackling this problem. 
SPF is meant as a mechanism for *others* to block mail spoofed from your 
domain.

>   The only reason I see is that legitimate senders also send to the same
> mail server. Get them to use smtp-auth and send the messages. 
> (I know it's easier said than done)
> 

What's not easy, implementing smtp-auth or forcing users to use it?

Seems easy to me:

Implementing:

http://www.postfix.org/SASL_README.html#server_sasl
http://wiki.centos.org/HowTos/postfix_sasl

Forcing users to use it:

Restrict $mynetworks to only allow 127.0.0.0/8 so anyone *not* on 
localhost *has* to authenticate.


Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by ram <ra...@netcore.co.in>.
On Tue, 2008-12-30 at 04:11 -0800, Bijayant wrote:
> Thanks, but I do not want to reject those mails. 
Why not?
The only reason I see is that legitimate senders also send to the same
mail server. Get them to use smtp-auth and send the messages.
(I know it's easier said than done)

> I want only some scores to
> be added if it fails the SPF test. So, should I have to configure postfix
> also for this settings.
> 
You can do the SPF test at the MTA level, but then that won't help you much
on scoring. The SPF plugin in SA can help you score mails forged with
From as your domain.

But if legitimate senders of your domain are also sending to the same
server, your SPF record should include all of their IPs. :-)

Read more on SPF records and where they are useful.
http://www.openspf.org/FAQ

Thanks
Ram

> 
> mouss-2 wrote:
> > 
> > Bijayant wrote:
> >> Hi,
> >> 
> >> I am a newbie so please excuse me if its a very silly question. I have
> >> been
> >> searching the forums and Internet about my query but could not found
> >> satisfactory answer. I am using Postfix+amavisd-new+spam-assassin on my
> >> mail
> >> server.  We get many spam mails from our own emails. Then we came to know
> >> that SPF can prevent this. I want to implement this but do not know how
> >> to
> >> do this. We have created the SPF records for our domains and about to put
> >> in
> >> to DNS.
> >> But I have a some confusion. I want to give some sa-score based on spf
> >> check. 
> >> For this, 1) does postfix has to be also configured to support SPF or
> >> insert
> >> some headers or spam-assassin alone can be used? 
> >> 2) If yes then what? 
> >> 3) If not then, How the headers will be inserted regarding SPF checks?
> >> 
> >> Please suggest me how to proceed or some doc/links pointing in to right
> >> direction. 
> > 
> > you can reject such mail in postfix:
> > 
> > smtpd_recipient_restrictions =
> > 	permit_mynetworks
> > 	permit_sasl_authenticated
> > 	reject_unauth_destination
> > 	check_sender_access hash:/etc/postfix/access_sender
> > 	...
> > 
> > == access_sender:
> > mydomain.example	REJECT blah blah
> > .mydomain.example	REJECT blah blah
> > 
> > with this, your domain can be used as sender only if mail comes from
> > your networks or was SASL authenticated.
> > 
> > PS. do not put the check_sender_access before reject_unauth_destination.
> > 
> > if you have questions regarding this, post on the postfix-users list.
> > 
> > 
> > 
> > 
> 
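
Ram's point above, that the SPF record must list every IP legitimate senders use, shown as an added example (not code from this thread or from SpamAssassin). It is an offline evaluator limited to the ip4, ip6 and all mechanisms; the records and addresses are constructed from documentation ranges.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate one SPF record left to right using only ip4, ip6 and all.

    Mechanisms that need DNS lookups (a, mx, include, ...) raise ValueError,
    so this offline sketch never guesses at a result it cannot compute.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, arg = mech.lower().partition(":")
        if name == "all":
            return RESULTS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError("mechanism not handled offline: " + term)
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

# Constructed records and addresses, not the poster's data.
BEFORE = "v=spf1 ip4:192.0.2.10 -all"                     # only the mail server
AFTER = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"  # plus a branch office relay
MAIL_SERVER, BRANCH_RELAY, FORGER = "192.0.2.10", "198.51.100.25", "203.0.113.9"

def compare(client_ip):
    """Result for one sending IP under the incomplete and the completed record."""
    return check_spf(BEFORE, client_ip), check_spf(AFTER, client_ip)

if __name__ == "__main__":
    for label, ip in [("mail server", MAIL_SERVER), ("branch relay", BRANCH_RELAY),
                      ("forger", FORGER)]:
        print(label, ip, compare(ip))
```

With the incomplete record the branch relay's own mail fails SPF exactly like the forged mail does, which is why a score added for SPF failures also hits legitimate senders until the record is complete.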


Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by mouss <mo...@netoyen.net>.
Bijayant wrote:
> 
> But if a genuine sender who does not have SPF records might gets blocked,
> right? Or I misunderstood something.

the config I posted blocks mail claiming to be from _your_ domain. it
has nothing to do with SPF. I don't implement SPF and the checks won't
block me.

>>
>> I am not getting any header/clue regarding SPF checks/score.
>>

run a sample message like this:
	spamassassin -D -t 2>&1 < message.eml | tee sa.out
then look for SPF things in sa.out


>> To insert SPF headers so that SA can understand that it has to apply SPF
>> tests.

SA already does SPF checks if they are not disabled.

>>
>> How spam-assassin will understand that it has to do SPF checks or SA will
>> run the SPF checks for every mails.


Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by Benny Pedersen <me...@junc.org>.
On Tue, December 30, 2008 14:00, Bijayant wrote:

>> To insert SPF headers so that SA can understand that it has to
>> apply SPF tests.

no, you must NOT insert any header at all in the MTA

all you need to do is tell spamassassin which envelope header your
MTA uses. for postfix i do this:

put this in a file, in the same dir as you have local.cf, with a file name like

00_local_header_envelope_sender.cf

# the MTA is postfix, which defaults to
# Return-Path for the envelope-sender
#
envelope_sender_header Return-Path

# we trust postfix :)
always_trust_envelope_sender 1

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by Bijayant <bi...@yahoo.com>.


Benny Pedersen wrote:
> 
> On Tue, December 30, 2008 13:11, Bijayant wrote:
>> Thanks, but I do not want to reject those mails.
> 
> but you should

But if a genuine sender who does not have SPF records might gets blocked,
right? Or I misunderstood something.

>> I want only some scores to be added if it fails the SPF test.
> 
> default in spamassassin if spf fails, you can add more to the
> default score if you want it, but spf fails mail mostly have other
> signs of spam
> 
> perldoc Mail::SpamAssassin::Plugin::SPF
> perldoc Mail::SpamAssassin::Conf

I am not getting any header/clue regarding SPF checks/score.

>> So, should I have to configure postfix also for this settings.
> 
> what settings ?

To insert SPF headers so that SA can understand that it has to apply SPF
tests.

How spam-assassin will understand that it has to do SPF checks or SA will
run the SPF checks for every mails.
Hope I am clear on my question.

> -- 
> Benny Pedersen
> Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by Benny Pedersen <me...@junc.org>.
On Tue, December 30, 2008 13:11, Bijayant wrote:
> Thanks, but I do not want to reject those mails.

but you should

> I want only some scores to be added if it fails the SPF test.

default in spamassassin if spf fails, you can add more to the
default score if you want it, but spf fails mail mostly have other
signs of spam

perldoc Mail::SpamAssassin::Plugin::SPF
perldoc Mail::SpamAssassin::Conf

> So, should I have to configure postfix also for this settings.

what settings ?

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098


Re: Blocking sender spoofing [Was: Implementing SPF]

Posted by Bijayant <bi...@yahoo.com>.
Thanks, but I do not want to reject those mails. I want only some scores to
be added if it fails the SPF test. So, should I have to configure postfix
also for this settings.


mouss-2 wrote:
> 
> Bijayant wrote:
>> Hi,
>> 
>> I am a newbie so please excuse me if its a very silly question. I have
>> been
>> searching the forums and Internet about my query but could not found
>> satisfactory answer. I am using Postfix+amavisd-new+spam-assassin on my
>> mail
>> server.  We get many spam mails from our own emails. Then we came to know
>> that SPF can prevent this. I want to implement this but do not know how
>> to
>> do this. We have created the SPF records for our domains and about to put
>> in
>> to DNS.
>> But I have a some confusion. I want to give some sa-score based on spf
>> check. 
>> For this, 1) does postfix has to be also configured to support SPF or
>> insert
>> some headers or spam-assassin alone can be used? 
>> 2) If yes then what? 
>> 3) If not then, How the headers will be inserted regarding SPF checks?
>> 
>> Please suggest me how to proceed or some doc/links pointing in to right
>> direction. 
> 
> you can reject such mail in postfix:
> 
> smtpd_recipient_restrictions =
> 	permit_mynetworks
> 	permit_sasl_authenticated
> 	reject_unauth_destination
> 	check_sender_access hash:/etc/postfix/access_sender
> 	...
> 
> == access_sender:
> mydomain.example	REJECT blah blah
> .mydomain.example	REJECT blah blah
> 
> with this, your domain can be used as sender only if mail comes from
> your networks or was SASL authenticated.
> 
> PS. do not put the check_sender_access before reject_unauth_destination.
> 
> if you have questions regarding this, post on the postfix-users list.
> 
> 
> 
> 



Blocking sender spoofing [Was: Implementing SPF]

Posted by mouss <mo...@netoyen.net>.
Bijayant wrote:
> Hi,
> 
> I am a newbie so please excuse me if its a very silly question. I have been
> searching the forums and Internet about my query but could not found
> satisfactory answer. I am using Postfix+amavisd-new+spam-assassin on my mail
> server.  We get many spam mails from our own emails. Then we came to know
> that SPF can prevent this. I want to implement this but do not know how to
> do this. We have created the SPF records for our domains and about to put in
> to DNS.
> But I have a some confusion. I want to give some sa-score based on spf
> check. 
> For this, 1) does postfix has to be also configured to support SPF or insert
> some headers or spam-assassin alone can be used? 
> 2) If yes then what? 
> 3) If not then, How the headers will be inserted regarding SPF checks?
> 
> Please suggest me how to proceed or some doc/links pointing in to right
> direction. 

you can reject such mail in postfix:

smtpd_recipient_restrictions =
	permit_mynetworks
	permit_sasl_authenticated
	reject_unauth_destination
	check_sender_access hash:/etc/postfix/access_sender
	...

== access_sender:
mydomain.example	REJECT blah blah
.mydomain.example	REJECT blah blah

with this, your domain can be used as sender only if mail comes from
your networks or was SASL authenticated.

PS. do not put the check_sender_access before reject_unauth_destination.

if you have questions regarding this, post on the postfix-users list.
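
The restriction list above, modelled as an added example (not Postfix code and not part of the original post) to show which sessions it rejects and why the PS about ordering matters. Assumptions: mydomain.example is the only local destination, mynetworks is 127.0.0.0/8, the sessions are constructed, and the "OK" entry for partner.example is a hypothetical later addition to access_sender.

```python
import ipaddress
from collections import namedtuple

MY_DOMAIN = "mydomain.example"                    # placeholder domain used in the post
MYNETWORKS = ipaddress.ip_network("127.0.0.0/8")  # assumption: localhost only
# Model of access_sender; the "OK" entry is hypothetical, added to illustrate the PS.
ACCESS_SENDER = {"mydomain.example": "REJECT", ".mydomain.example": "REJECT",
                 "partner.example": "OK"}
Session = namedtuple("Session", "client_ip sasl_user sender recipient")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def lookup_sender(sender):
    """Try the exact domain, then each parent domain written with a leading dot."""
    labels = domain_of(sender).split(".")
    keys = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((ACCESS_SENDER[k] for k in keys if k in ACCESS_SENDER), None)

# Each restriction returns "OK", "REJECT" or None (no decision: try the next one).
RESTRICTIONS = {
    "permit_mynetworks": lambda s: "OK" if ipaddress.ip_address(s.client_ip) in MYNETWORKS else None,
    "permit_sasl_authenticated": lambda s: "OK" if s.sasl_user else None,
    "reject_unauth_destination": lambda s: None if domain_of(s.recipient) == MY_DOMAIN else "REJECT",
    "check_sender_access": lambda s: lookup_sender(s.sender),
}
POSTED_ORDER = list(RESTRICTIONS)  # same order as in the post
WRONG_ORDER = POSTED_ORDER[:2] + [POSTED_ORDER[3], POSTED_ORDER[2]]  # last two swapped

def evaluate(order, session):
    """The first restriction that decides wins; an exhausted list permits."""
    for name in order:
        verdict = RESTRICTIONS[name](session)
        if verdict:
            return verdict, name
    return "OK", "end of list"

# Constructed sessions (documentation address range).
SPOOF = Session("203.0.113.9", None, "boss@mydomain.example", "user@mydomain.example")
AUTHED = Session("203.0.113.9", "boss", "boss@mydomain.example", "friend@other.example")
RELAY = Session("203.0.113.9", None, "x@partner.example", "rcpt@other.example")
INBOUND = Session("203.0.113.9", None, "a@other.example", "user@mydomain.example")

if __name__ == "__main__":
    for label, s in [("spoof", SPOOF), ("authed", AUTHED), ("relay", RELAY), ("inbound", INBOUND)]:
        print(label, evaluate(POSTED_ORDER, s), evaluate(WRONG_ORDER, s))
```

In the posted order the relay attempt is rejected by reject_unauth_destination before the sender table is consulted; with the two swapped, the table's OK entry permits it, so any OK entry in the table would open relaying for that sender.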