Re: [Mimedefang] Process SPF checking for certain recipient domains
Hi Jon,

On Sat, 26 Jul 2014, Jon Rowlan wrote:

> That is helpful

That was the intention. :)

> although for some odd reason I feel very much told off :-)

Er, sorry about that. I spend too much time dealing with issues caused by mail systems which have been badly configured by others. Sometimes I get a little tetchy.

> I should have added that I checked the sender domains and they all had SPF in place which is why I was tempted to try using the SPF mechanism.

SPF is a sort of Good Samaritan thing. By and large the Internet protocols were developed for technical reasons by technical people. It never occurred to them that one day criminals would be by far the most numerous users. SMTP permits very simple forgery of mail sender addresses because at the time we (mea culpa) didn't think about the problems which we'd be facing forty years down the line.

SPF lets others check, in a fairly secure way, that mail claiming to be from your domain is coming from a server entitled to send it. Simple as that. But not much use to you unless other people use it too. Most of the time they don't, and in the unlikely event that they do, more often than not they get it wrong.

> I have tried using hosts.deny but that doesn't seem to work for me,

You're doing it wrong. :)

To use hosts.deny (and hosts.allow) you have to be running what's known as a 'super-server'. The super-server is started instead of the service that would normally have been run, it checks the files hosts.allow and hosts.deny, and then it either runs the service or it doesn't, depending on what it finds in those files. There are other ways of doing the same thing.

Check out the man pages for inetd, tcpd, hosts_access, services and xinetd. If you don't have the man pages you might need to install the relevant packages; what they're called depends on what distribution you're using, but they should be easy to find. You would either use inetd or xinetd, not both at the same time. I tend to use the more venerable inetd but xinetd has its followers (and its advantages). There are pages on Wikipedia which give brief descriptions in less, er, manpage style.

> iptables may well be something to look at as you say.

There's great documentation, if rather a lot of it to digest at one sitting, on the Netfilter Website. It will very much be worth your while spending some quality time with it:

http://www.netfilter.org/documentation/index.html

At our sites iptables does most of the heavy lifting. We block about 25% of the IPv4 address space where 95% of the malicious connections come from. The mail filtering system can do the rest with one hand tied behind its back.

--
73, Ged.

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] Process SPF checking for certain recipient domains
Thanks Ged.

That is helpful, although for some odd reason I feel very much told off :-)

I should have added that I checked the sender domains and they all had SPF in place, which is why I was tempted to try using the SPF mechanism.

I have tried using hosts.deny but that doesn't seem to work for me; iptables may well be something to look at as you say.

jON
Re: [Mimedefang] Process SPF checking for certain recipient domains
Hello again,

On Fri, 25 Jul 2014, Jon Rowlan wrote:

> The problem is that some domains that I host on my mail server I want a harsher protection than others.

That's not a problem, it's a requirement. Almost everybody does it.

> In this particular case, a certain set of recipients have received bombardments of email from a set of IP's and they complain about two or three hundred emails in a day coming into their mail box.

Two or three hundred spam mails in a day isn't really a bombardment. Several hundred thousand might be called a bombardment. At my own business, the most we've seen in one day is about seventy thousand. All rejected of course. Once you see the rejection rates rising in the logs (you keep a weather eye on your logs, don't you?) then for example something like

    /sbin/iptables -A FORWARD -j LOG_DROP -s spammy.IP.addr.ess

in the firewall stops them even connecting, with very little fuss and no complicated Perl scripts. I don't see what SPF has to do with it.

> They would suffer the consequences of an SPF protected mail server

What consequences?

> (innocent senders are blocked because they don't use SPF

That's nonsense. Go read the RFCs, understand what SPF is about. If a sender doesn't use SPF then the receiving mail server takes no action as a result. At least that's what's supposed to happen in a properly configured server.

> and mail bounces)

You do know the difference between a mail rejection and a bounce?

> because they would see less spam,

SPF is about forgery of mail, not about spam. Granted, forged mail is often spam, but there's a clear distinction.

> whereas other clients want to see all email

    # Trying to stay vaguely on-topic, as this is the MIMEDefang list :)
    sub filter_recipient {
        my ($recipient, $sender, $ip, $hostname, $first, $helo,
            $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
        # The address in this pattern was stripped by the list archive;
        # <user@example.com> is a placeholder standing in for it.
        if ($recipient =~ /^<user\@example\.com>$/i) {
            return ('ACCEPT_AND_NO_MORE_FILTERING', "ok");
        }
        return ('CONTINUE', "ok");
    }

... but I probably wouldn't do it that way.

> and will not tolerate too many bounces from their clients.

I didn't follow that part.

> I want to selectively use SPF for some domains and not others for the purposes of the functionality that SPF offers. I want to tune this depending on the client domain.

Assuming that it's implemented properly, SPF tells you if a mail is forged. For some meaning of the word 'forged'. Nobody wants forged mail, so there's no reason to implement SPF for only some of your clients.

But to be perfectly honest, at present (after all SPF has only been with us for about a decade) so few people publish sane SPF records that you might as well simply not bother with it at all. Really. Put your effort into something that will yield some return.

The vast majority of SPF records that I see have been cobbled together using some bug-riddled WebWizard by incompetents who have no idea of what SPF is for, nor how it works. Once they've set up the faulty SPF record they seem to be either terrified or incapable of doing anything to it - such as fixing it so it doesn't cause more trouble than it's intended to prevent. Customers of these incompetents then start going round in small circles and yelling that we've rejected their mail when it's their provider's policy that said we should do so. Go figure.

The best thing you can do is forget you ever heard of SPF and do some reading on mail protocols so that you understand what you're doing, which clearly you do not at the moment.

>> Stop digging.
> Digging for what? Answers, I thought that was the point of asking?

I meant stop digging that hole. Clarify the issues before you go off solving problems of your own making.

You might want to run the SPF record for sads.com past the people on the spf-help mailing list:

spf-h...@listbox.com

--
73, Ged.
Re: [Mimedefang] Process SPF checking for certain recipient domains
On Thu, 24 Jul 2014, Jon Rowlan wrote:

>> In filter_begin() you know sender and all recipients, there you can deploy the different checks.
>> However, what will do if one recipient checks and another one does not and the message is to reject? You either need to silently discard the message for some recipients or generate bounce messages.
>
> There will not be any cross contamination between domains. So a message will be for someone at one customer domain and a number of their users but not for other domains that I host. In reality I only need to check the first recipient.

Well, maybe the possibility is quite low that one message hits two domains with different "filter sets", but how do you ensure "there will not"?

--
Steffen Kaiser
Re: [Mimedefang] Process SPF checking for certain recipient domains
> From: "Jon Rowlan"
> I want to selectively use SPF for some domains and not others for the
> purposes of the functionality that SPF offers. I want to tune this
> depending on the client domain.

Then test for the domain name and if they want SPF test, run them. If not, skip them. You might want to stream by domain in case a message is sent to multiple domains.

You might want to look into Roaring Penguin's CanIt Pro, which is based on MIMEDefang. It handles this easily and lets you define SPF (and other rules) rules for each stream.

Bill
(Just a happy CanIt Pro user)
Re: [Mimedefang] Process SPF checking for certain recipient domains
Hi Ged,

I am not sure that I was that imprecise.

> If you say so. But if you actually explain the problem rather than your own suggested solution (which
> just creates more problems), then there's a good chance we might be able to help you better.

The problem is that some domains that I host on my mail server I want a harsher protection than others.

In this particular case, a certain set of recipients have received bombardments of email from a set of IP's and they complain about two or three hundred emails in a day coming into their mail box. They would suffer the consequences of an SPF protected mail server (innocent senders are blocked because they don't use SPF and mail bounces) because they would see less spam, whereas other clients want to see all email and will not tolerate too many bounces from their clients.

I want to selectively use SPF for some domains and not others for the purposes of the functionality that SPF offers. I want to tune this depending on the client domain.

> Does anyone have any thoughts or ideas on this please?
> Stop digging.

Digging for what? Answers, I thought that was the point of asking?

jON
Re: [Mimedefang] Process SPF checking for certain recipient domains
Hi Steffen, thanks for replying ..

> In filter_begin() you know sender and all recipients, there you can deploy the different checks.
> However, what will do if one recipient checks and another one does not and the message is to reject? You either need to silently discard the message for some recipients or generate bounce messages.

There will not be any cross contamination between domains. So a message will be for someone at one customer domain and a number of their users but not for other domains that I host. In reality I only need to check the first recipient.

jON
Re: [Mimedefang] Process SPF checking for certain recipient domains
Hi there,

On Thu, 24 Jul 2014, Jon Rowlan wrote:

> I would like certain domains that we accept mail for to use SPF but not on others.

If you say so. But if you actually explain the problem rather than your own suggested solution (which just creates more problems), then there's a good chance we might be able to help you better.

> Is the only option to install an SPF sendmail/MD server and a separate non SPF one?

There you go again. No, of course not.

> Does anyone have any thoughts or ideas on this please?

Stop digging.

--
73, Ged.
Re: [Mimedefang] Process SPF checking for certain recipient domains
On Wed, 23 Jul 2014, Jon Rowlan wrote:

> I have been looking through k/b articles but can find no real help on whether it's possible to SPF check certain recipient domains? I would like certain domains that we accept mail for to use SPF but not on others.

In filter_begin() you know sender and all recipients, there you can deploy the different checks.

However, what will do if one recipient checks and another one does not and the message is to reject? You either need to silently discard the message for some recipients or generate bounce messages.

--
Steffen Kaiser
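As an added example that is not code from this thread or from MIMEDefang itself, the per-recipient-domain policy Ged sketches in filter_recipient() can be carried through in a way that avoids the mixed-domain problem Steffen raises for filter_begin(): each RCPT TO is judged on its own, so a rejection applies to that one recipient at SMTP time and produces neither a bounce nor a silent discard. It assumes the Mail::SPF CPAN module and that mimedefang is started with the option that enables filter_recipient (see mimedefang(8)); the domain names are constructed placeholders.

```perl
use strict;
use warnings;
use Mail::SPF;   # CPAN module; assumed available to mimedefang's Perl

# Recipient domains (constructed placeholders) whose owners asked for
# SPF-based rejection. Every other domain is left alone: no SPF result
# is ever grounds for refusing their mail.
my %strict_spf_domain = map { $_ => 1 } qw(strict.example.com);

# Only a hard 'fail' is rejected. 'none' (sender publishes no record),
# 'neutral' and 'softfail' never cause a rejection, which is the point
# made in the thread about senders who simply do not use SPF.
my %reject_on_result = (fail => 1);

my $spf_server = Mail::SPF::Server->new();

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    # MIMEDefang hands the recipient over as <user@domain>.
    my ($rcpt_domain) = $recipient =~ /\@([^<>\s]+)>?\s*$/;
    $rcpt_domain = lc($rcpt_domain // '');

    # Not a strict domain: this RCPT TO is accepted regardless of SPF.
    return ('CONTINUE', 'ok') unless $strict_spf_domain{$rcpt_domain};

    # The null sender <> carries no MAIL FROM identity to check.
    my ($mfrom) = $sender =~ /<?([^<>\s]+\@[^<>\s]+)>?/;
    return ('CONTINUE', 'ok') unless defined $mfrom;

    my $result = $spf_server->process(Mail::SPF::Request->new(
        versions      => [1],
        scope         => 'mfrom',
        identity      => $mfrom,
        ip_address    => $ip,
        helo_identity => $helo,
    ));

    # DNS trouble is a temporary condition, not a verdict on the mail.
    if ($result->code eq 'temperror') {
        return ('TEMPFAIL', 'SPF check temporarily unavailable', '451', '4.7.1');
    }
    if ($reject_on_result{ $result->code }) {
        # Refusing this one RCPT TO: the sending host gets a 5xx for this
        # recipient only, other recipients in the same transaction are
        # unaffected, and nothing is bounced or discarded afterwards.
        return ('REJECT', 'SPF fail: ' . $result->local_explanation, '550', '5.7.1');
    }
    return ('CONTINUE', 'ok');
}
```

Because the decision is made per RCPT TO, a message addressed to both a strict and a non-strict domain is refused only for the strict recipients and delivered to the others, which is what the question in the thread asks for without the discard-or-bounce dilemma.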
[Mimedefang] Process SPF checking for certain recipient domains
I have been looking through k/b articles but can find no real help on whether it's possible to SPF check certain recipient domains?

I would like certain domains that we accept mail for to use SPF but not on others.

Is the only option to install an SPF sendmail/MD server and a separate non SPF one?

Does anyone have any thoughts or ideas on this please?

Thanks all

jON