Posted to users@spamassassin.apache.org by Christian Brel <br...@copperproductions.co.uk> on 2010/02/24 13:39:47 UTC

Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

On Wed, 24 Feb 2010 12:41:29 +0100
Per Jessen <pe...@computer.org> wrote:

> Christian Brel wrote:
> 
> > On Wed, 24 Feb 2010 11:39:43 +0100
> > "Rob Sterenborg" <R....@netsourcing.nl> wrote:
> > 
> >> On 2010-02-24, Kai Schaetzl wrote:
> >> 
> >> > > Postfix:  I would have two different smtpd daemons - one for
> >> 
> >> > You don't have to run two postfixes for this.
> >> 
> >> I think Per means: 2 smtpd processes, not 2 Postfixes..
> >> 
> >> 
> >> --
> >> Rob
> >> 
> > 
> > Humour me. Does this not mean a need to change the outbound to
> > either a different IP or port? 
> 
> IP yes.  I assume your external and internal network are on different
> IP-ranges. 

What about my home workers? I don't have a VPN, they hook in by DSL
from any number of different providers from outside using SASL/TLS.

It's like you say, you were thinking out loud and I can see where you
are coming from, but it's not a fix for every situation.

I'm also thinking about those forwarding services out there - does the
two SMTPd approach not break this in the same way SPF would break if
the forwarder was not permitted to send?
> 

Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Mariusz Kruk <Ma...@epsilon.eu.org>.
On Wednesday, 24 of February 2010, Christian Brel wrote:
> > IP yes.  I assume your external and internal network are on different
> > IP-ranges.
> 
> What about my home workers? I don't have a VPN, they hook in by DSL
> from any number of different providers from outside using SASL/TLS.

They should be using the submission service on port 587 and authenticate 
themselves, for example with smtp-auth. (Of course you can still authenticate 
them and let them send on port 25 - it's perfectly possible from a technical 
point of view; because you authenticate your clients, right?)

> I'm also thinking about those forwarding services out there - does the
> two SMTPd approach not break this in the same way SPF would break if
> the forwarder was not permitted to send?

In case of forwarding the envelope address is that of the original sender, not 
that of the receiver.
You have email from address1@domain1.com to address2@domain2.com. MX for 
domain2.com tries to forward the mail to address3@domain3.com, so it sends 
mail from address1@domain1.com to address3@domain3.com. Domain3.com checks SPF 
records and sees that domain2.com is not permitted to send mails for 
domain1.com, so it refuses to accept such mail.
We were talking about (let's assume we're domain3.com) not letting people from 
outside world send mail "from" domain3.com.

-- 
  Kruk@ -\                   | 
          }-> epsilon.eu.org | 
http:// -/                   | 
                             | 

Re: [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Kai Schaetzl <ma...@conactive.com>.
Christian Brel wrote on Wed, 24 Feb 2010 12:39:47 +0000:

> What about my home workers?

they use SMTP AUTH. It works, believe us. With a standard postfix.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com
Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Mariusz Kruk <Ma...@epsilon.eu.org>.
On Wednesday, 24 of February 2010, Christian Brel wrote:
> No, they submit on 25 using TLS+SASL. Would making
> the changes to Firewall, MTA, plus potentially thousands of clients be
> easier than SPF? Would all those angry users screaming because they
> can't send mail at all be a good thing? I don't think so myself.

Well, you _should_ use submission anyway.
(BTW, in my experience it's easier to filter one kind of traffic on 25, and 
another on 587 than filtering both on one port. YMMV)

> > > It's like you say, you were thinking out loud and I can see where
> > > you are coming from, but it's not a fix for every situation.
> > I think it actually is.  Allow mynetworks, allow authenticated users,
> > reject everything else.
> But that would reject *everything* that was not authenticated or in 'my
> networks'. For a single IP/Port listening to the world this does not
> work. It requires multiple SMTP instances with different IP's or Ports
> which may not suit the needs of the admin and the users concerned.

It doesn't.

permit mynetworks/sasl_authenticated/whatever,
reject my_domains, 
permit my_destination,
reject_everything_else.
Of course you may add other restrictions in this chain.


-- 
........................... 
...Kruk@epsilon.eu.org..... 
..http://epsilon.eu.org/... 
........................... 
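
The restriction chain Mariusz spells out above, together with the forwarding case raised earlier in the thread (Christian's question about forwarders and Mariusz's SPF walk-through), modelled as an added example. This is editor-supplied code, not anything posted to the list: the main.cf fragment in its docstring is an assumed translation of the chain into built-in Postfix restrictions, the domains, networks and transactions are constructed, and the request attribute names follow Postfix's SMTPD policy delegation protocol. The decision is taken on the envelope MAIL FROM and RCPT TO only; the header From: is never consulted, which is the point Ned makes about the Apache list mail further down.

```python
"""Model of the Postfix restriction chain discussed in the thread.

Assumed main.cf equivalent (example, not from the thread):

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/reject_my_domains,
        permit_auth_destination,
        reject

where /etc/postfix/reject_my_domains maps each hosted domain to REJECT.
Postfix evaluates this itself; the code only re-implements the decision so
the cases argued about in the thread can be run offline.  Input uses the
attribute names of Postfix's SMTPD policy delegation protocol
(client_address, sasl_username, sender, recipient).
"""
import ipaddress

# Constructed site data (assumptions, not from the thread).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
MY_DOMAINS = {"example.org", "example.net"}   # hosted domains (mydestination)


def domain_of(address):
    """Domain part of an envelope address; '' for the null sender <>."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def decide(attrs):
    """Return (action, matched_restriction) for one RCPT TO transaction.

    Only envelope data is consulted: a mailing-list copy of a post with
    header From: <user@example.org> but MAIL FROM <list-bounces@...> is
    therefore not rejected."""
    client = ipaddress.ip_address(attrs["client_address"])
    if any(client in net for net in MYNETWORKS):
        return "OK", "permit_mynetworks"
    if attrs.get("sasl_username"):
        return "OK", "permit_sasl_authenticated"
    if domain_of(attrs.get("sender", "")) in MY_DOMAINS:
        # Unauthenticated outside client using one of our domains as
        # envelope sender: the spoofing the thread wants stopped.
        return "REJECT", "check_sender_access"
    if domain_of(attrs.get("recipient", "")) in MY_DOMAINS:
        return "OK", "permit_auth_destination"
    # Neither for us nor from an authorised source: a relay attempt.
    return "REJECT", "reject"


def parse_policy_request(text):
    """Parse one 'name=value' block as Postfix sends it to a policy server."""
    attrs = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def policy_response(text):
    """Wire-format answer for a policy request ('action=...' plus blank line)."""
    action, why = decide(parse_policy_request(text))
    if action == "REJECT":
        return f"action=REJECT 5.7.1 {why}\n\n"
    return "action=OK\n\n"


# Constructed transactions; addresses are from documentation ranges.
CASES = {
    # Outside host, no auth, claims our domain: rejected.
    "spoof": dict(client_address="203.0.113.5", sasl_username="",
                  sender="ceo@example.org", recipient="staff@example.org"),
    # Ordinary inbound mail for a hosted domain: accepted.
    "inbound": dict(client_address="203.0.113.5", sasl_username="",
                    sender="someone@remote.test", recipient="staff@example.org"),
    # Outside host trying to relay through us: rejected.
    "relay": dict(client_address="203.0.113.5", sasl_username="",
                  sender="someone@remote.test", recipient="victim@other.test"),
    # Home worker on a DSL address, SASL-authenticated (port 25 or 587): accepted.
    "homeworker": dict(client_address="198.51.100.7", sasl_username="alice",
                       sender="alice@example.org", recipient="friend@other.test"),
    # List copy of a post by our own user: the list host rewrites MAIL FROM
    # to its bounce address, so the sender check does not fire.
    "listmail": dict(client_address="203.0.113.44", sasl_username="",
                     sender="users-bounces@listhost.test", recipient="bob@example.org"),
    # Plain forwarder that keeps the original envelope sender: our user wrote
    # to old@forwarder.test, which forwards to bob@example.org.  Rejected,
    # exactly as SPF would reject it.
    "forwarder": dict(client_address="203.0.113.9", sasl_username="",
                      sender="alice@example.org", recipient="bob@example.org"),
}


def run_cases():
    """Evaluate every constructed transaction; keyed by case name."""
    return {name: decide(attrs) for name, attrs in CASES.items()}


if __name__ == "__main__":
    for name, (action, why) in run_cases().items():
        print(f"{name:10s} {action:7s} ({why})")
```

The forwarder case is the one place where this chain and SPF break in the same way: a relay that preserves the original envelope sender will have mail "from" your own domain refused. If your users depend on such a forwarder, the practical fixes are a check_client_access entry for that relay ahead of the sender check, or a forwarder that rewrites the envelope sender (SRS), neither of which the thread goes into.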

Re: [SPAM:9.6] [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Ned Slider <ne...@unixmail.co.uk>.
Christian Brel wrote:
> On Wed, 24 Feb 2010 17:31:19 +0100
> Kai Schaetzl <ma...@conactive.com> wrote:
> 
>> Christian Brel wrote on Wed, 24 Feb 2010 14:56:49 +0000:
>>
>>> But that would reject *everything* that was not authenticated or in
>>> 'my networks'.
>> Indeed, that's the purpose. And it doesn't matter if you get the mail
>> via 25 or 587. 587 is just a convenience. Any other access to use
>> your server for relaying should not be allowed at all. I really
>> suggest you sit back and read the postfix documentation instead of
>> questioning and questioning in the blue air. It's an absolute
>> standard postfix configuration that you just seem to have not been
>> made aware of for years.
>>
>> Kai
>>
> 
> 
> I'm confused. The mail you have just sent to the list has;
> 'From: Kai Schaetzl <ma...@conactive.com>'
> 

Envelope sender, not the "from" address.


Re: [SPAM:9.6] [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Wed, 24 Feb 2010 17:31:19 +0100
Kai Schaetzl <ma...@conactive.com> wrote:

> Christian Brel wrote on Wed, 24 Feb 2010 14:56:49 +0000:
> 
> > But that would reject *everything* that was not authenticated or in
> > 'my networks'.
> 
> Indeed, that's the purpose. And it doesn't matter if you get the mail
> via 25 or 587. 587 is just a convenience. Any other access to use
> your server for relaying should not be allowed at all. I really
> suggest you sit back and read the postfix documentation instead of
> questioning and questioning in the blue air. It's an absolute
> standard postfix configuration that you just seem to have not been
> made aware of for years.
> 
> Kai
> 


I'm confused. The mail you have just sent to the list has;
'From: Kai Schaetzl <ma...@conactive.com>'

Yet the server is:
mail.apache.org (hermes.apache.org [140.211.11.3])
#aka a forwarder in this context#

Now, if we do as you say and you have somebody else at conactive.com
who is subscribed to the list, what happens to this mail when it comes
across: 'reject my_domains,'

Granted SPF won't help anyone here (I don't think anyone would add
an entry for 140.211.11.3 in their SPF unless they were really keen)


Re: [SPAM:9.6] [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Kai Schaetzl <ma...@conactive.com>.
Christian Brel wrote on Wed, 24 Feb 2010 14:56:49 +0000:

> But that would reject *everything* that was not authenticated or in 'my
> networks'.

Indeed, that's the purpose. And it doesn't matter if you get the mail via 
25 or 587. 587 is just a convenience. Any other access to use your server 
for relaying should not be allowed at all. I really suggest you sit back 
and read the postfix documentation instead of questioning and questioning 
in the blue air. It's an absolute standard postfix configuration that you 
just seem to have not been made aware of for years.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com
Re: Off Topic - SPF - What a Disaster

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Wed, 24 Feb 2010 17:09:31 +0100
Per Jessen <pe...@computer.org> wrote:


> > Tell you what, wouldn't it be a great idea to save all the messing
> > around and use something universal and simple for the job? Something
> > lightweight and easy to deploy. I know! What about using SPF!
> 
> Christian, I suspect we don't have quite the same understanding of
> what 'easy' means. 

I guess that is so.

Personally I find the multiple use of Postfixens trivially easy and have
it deployed that way to get over its inability to whitelist body and
header checks {at all}. In general terms your fix may not suit
common MTA's like Exchange (I feel quite disgusted to have described
Exchange as an MTA and will now go and wash my typing fingers.....)

I did find a bad place to use SPF - and that is
on a well known spam filter made by an American company. Enable it there
and watch the machine grind to a halt..... 'it's a feature - not a bug'
LOL.... couldn't resist it... I'll get my coat......


> 
> 
> /Per Jessen, Zürich
> 


Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Per Jessen <pe...@computer.org>.
Christian Brel wrote:

> On Wed, 24 Feb 2010 14:37:49 +0100
> Per Jessen <pe...@computer.org> wrote:
> 
>> Christian Brel wrote:
>> 
>> >> > Humour me. Does this not mean a need to change the outbound to
>> >> > either a different IP or port?
>> >> 
>> >> IP yes.  I assume your external and internal network are on
>> >> different IP-ranges.
>> > 
>> > What about my home workers? I don't have a VPN, they hook in by DSL
>> > from any number of different providers from outside using SASL/TLS.
>> 
>> Then presumably they submit email via port 587 after appropriate
>> authentication.
>
> No, they submit on 25 using TLS+SASL. Would making
> the changes to Firewall, MTA, plus potentially thousands of clients be
> easier than SPF? Would all those angry users screaming because they
> can't send mail at all be a good thing? I don't think so myself.

Then keep them on port 25, it's no big deal as long as they are
authenticated. 

>> > It's like you say, you were thinking out loud and I can see where
>> > you are coming from, but it's not a fix for every situation.
>> 
>> I think it actually is.  Allow mynetworks, allow authenticated users,
>> reject everything else.
>
> But that would reject *everything* that was not authenticated or in
> 'my networks'. 

No. See Mariusz' explanation. 

> Tell you what, wouldn't it be a great idea to save all the messing
> around and use something universal and simple for the job? Something
> lightweight and easy to deploy. I know! What about using SPF!

Christian, I suspect we don't have quite the same understanding of
what 'easy' means. 


/Per Jessen, Zürich


Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Wed, 24 Feb 2010 14:37:49 +0100
Per Jessen <pe...@computer.org> wrote:

> Christian Brel wrote:
> 
> >> > Humour me. Does this not mean a need to change the outbound to
> >> > either a different IP or port?
> >> 
> >> IP yes.  I assume your external and internal network are on
> >> different IP-ranges.
> > 
> > What about my home workers? I don't have a VPN, they hook in by DSL
> > from any number of different providers from outside using SASL/TLS.
> 
> Then presumably they submit email via port 587 after appropriate
> authentication. 
No, they submit on 25 using TLS+SASL. Would making
the changes to Firewall, MTA, plus potentially thousands of clients be
easier than SPF? Would all those angry users screaming because they
can't send mail at all be a good thing? I don't think so myself.

> > It's like you say, you were thinking out loud and I can see where
> > you are coming from, but it's not a fix for every situation.
> 
> I think it actually is.  Allow mynetworks, allow authenticated users,
> reject everything else.
But that would reject *everything* that was not authenticated or in 'my
networks'. For a single IP/Port listening to the world this does not
work. It requires multiple SMTP instances with different IP's or Ports
which may not suit the needs of the admin and the users concerned.
> 
Tell you what, wouldn't it be a great idea to save all the messing
around and use something universal and simple for the job? Something
lightweight and easy to deploy. I know! What about using SPF!

> 
> /Per Jessen, Zürich
> 
Of course, all this has very little to do with Spamassassin......


Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Per Jessen <pe...@computer.org>.
Christian Brel wrote:

>> > Humour me. Does this not mean a need to change the outbound to
>> > either a different IP or port?
>> 
>> IP yes.  I assume your external and internal network are on different
>> IP-ranges.
> 
> What about my home workers? I don't have a VPN, they hook in by DSL
> from any number of different providers from outside using SASL/TLS.

Then presumably they submit email via port 587 after appropriate
authentication.  Then you just add that requirement - can't remember
what the exact postfix option is.  I have people working from
home-offices too, that's how they are set up. 

> It's like you say, you were thinking out loud and I can see where you
> are coming from, but it's not a fix for every situation.

I think it actually is.  Allow mynetworks, allow authenticated users,
reject everything else.

> I'm also thinking about those forwarding services out there - does the
> two SMTPd approach not break this in the same way SPF would break if
> the forwarder was not permitted to send?

I can't quite follow you - there is no forwarding involved AFAICS?  


/Per Jessen, Zürich