spf patch

2012-04-22 Thread Nicolas de Bari Embriz Garcia Rojas
Hi, I am testing this SPF patch,
http://www.qmail-ldap.org/wiki/index.php/SPF_and_SRS

So far everything is working well, and blocking tons of spam, when using
spfbehavior set to 3, but now I have a problem when the main
server is down and the slave servers queue mail.

When the main server is up and running again, the slaves (secondary
MX) deliver the mail to the main host as they are supposed to, but the
main host blocks the email since the SPF does not match.

So I am wondering if you guys have found a way of dealing with this
without adding the file spfrules with the IPs of the secondary MX
servers on the main server.

regards.

-- 
> nbari
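
The failure described in the message above, as an added example that is not part of the original thread or of the qmail-ldap SPF patch: SPF is evaluated against the connecting IP, so mail relayed by a backup MX fails at the primary unless the primary exempts its own relays. The record, the addresses, the `trusted_relays` parameter and the reject-on-fail policy are constructed assumptions, and only the `ip4`/`ip6`/`all` mechanisms are evaluated.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation addresses), not from the thread.
SPF_RECORDS = {"example.org": "v=spf1 ip4:192.0.2.0/24 -all"}
SECONDARY_MX = frozenset({ipaddress.ip_address("203.0.113.25")})
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record, client_ip):
    """Evaluate an SPF record against the connecting IP (ip4/ip6/all only)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise NotImplementedError(f"mechanism {name!r} needs DNS lookups")
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all" term


def smtp_decision(client_ip, mail_from, trusted_relays=frozenset()):
    """Return (action, reason) for a receiver that rejects on SPF fail."""
    if ipaddress.ip_address(client_ip) in trusted_relays:
        return ("accept", "trusted-relay")  # SPF skipped for our own relays
    domain = mail_from.rpartition("@")[2].lower()
    record = SPF_RECORDS.get(domain)
    result = spf_result(record, client_ip) if record else "none"
    return ("reject" if result == "fail" else "accept", "spf=" + result)


if __name__ == "__main__":
    sender = "alice@example.org"
    # Direct delivery from the sender's authorised network.
    print(smtp_decision("192.0.2.10", sender))
    # Same message, queued on the backup MX and forwarded to the primary.
    print(smtp_decision("203.0.113.25", sender))
    # Primary configured to skip SPF for its own secondaries.
    print(smtp_decision("203.0.113.25", sender, SECONDARY_MX))
```

Skipping the check for the secondaries only keeps the policy intact if the secondaries enforce the same SPF check in their own SMTP session, where the original client IP is still visible.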


Re: qmail-ldap spf patch

2004-06-18 Thread Brian Clark
Once the rfc is finalized, I'd love to see this become a part of the 
qmail-ldap patch.

Brian!
Thomas Mangin wrote:
> This is a port of the spf patch at http://www.saout.de/misc/spf/ for
> qmail-ldap.
> This patch comes with no guarantees (and may even not work as it was not
> well tested), however I see no reason why it should not work (ie:
> feedback welcome).
> Thomas
> PS: I am aware that spf breaks the return path of the mail.


Re: qmail-ldap spf patch

2004-06-18 Thread Henning Brauer
* Brian Clark <[EMAIL PROTECTED]> [2004-06-18 07:26]:
> Once the rfc is finalized, I'd love to see this become a part of the 
> qmail-ldap patch.

and I strongly suggest to keep half baked crap like SPF out of 
qmail-ldap.

-- 
http://2suck.net/hhwl.html - http://www.bsws.de/
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: qmail-ldap spf patch

2004-06-21 Thread Ted Zlatanov
On 18 Jun 2004, [EMAIL PROTECTED] wrote:

> and I strongly suggest to keep half baked crap like SPF out of 
> qmail-ldap.

While I won't comment on SPF itself, in general it could be useful to
provide a mechanism to verify a sender at the SMTP level.  How about:

SENDERVERIFY="/usr/bin/spfchecker"

and then pass the user name and connecting IP to the program/script?
That seems useful, extensible, and harmless (in the sense that neither
SPF nor any other sender verification mechanism is specifically
endorsed) to me.

Ted


Re: qmail-ldap spf patch

2004-06-21 Thread Henning Brauer
* Ted Zlatanov <[EMAIL PROTECTED]> [2004-06-21 08:54]:
> On 18 Jun 2004, [EMAIL PROTECTED] wrote:
> 
> > and I strongly suggest to keep half baked crap like SPF out of 
> > qmail-ldap.
> 
> While I won't comment on SPF itself, in general it could be useful to
> provide a mechanism to verify a sender at the SMTP level. 

no, it's complete crap, and should either be ignored or fought.

the only remotely sane idea about the forgery problem I saw is 
domainkeys.

-- 
http://2suck.net/hhwl.html - http://www.bsws.de/
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: qmail-ldap spf patch

2004-06-21 Thread Brian Clark
Henning Brauer wrote:
> * Ted Zlatanov <[EMAIL PROTECTED]> [2004-06-21 08:54]:
> > On 18 Jun 2004, [EMAIL PROTECTED] wrote:
> > 
> > > and I strongly suggest to keep half baked crap like SPF out of 
> > > qmail-ldap.
> > 
> > While I won't comment on SPF itself, in general it could be useful to
> > provide a mechanism to verify a sender at the SMTP level. 
> 
> no, it's complete crap, and should either be ignored or fought.
> 
> the only remotely sane idea about the forgery problem I saw is 
> domainkeys.

If it is complete crap, why are companies like AOL and Microsoft behind 
it? Why do they think it is worth pursuing? They must see some benefit, 
at least incremental benefits, or else they wouldn't do it.

http://postmaster.aol.com/info/spf.html
http://nwc.securitypipeline.com/showArticle.jhtml?articleID=21100468



Re: qmail-ldap spf patch

2004-06-21 Thread Henning Brauer
* Brian Clark <[EMAIL PROTECTED]> [2004-06-21 16:12]:
> If [SPF] is complete crap, why are companies like AOL and Microsoft 
> behind it?

yeah right, M$ windoze is the best OS in the world.

do your homework and read the SPF thread on the regular qmail list.

-- 
http://2suck.net/hhwl.html - http://www.bsws.de/
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: qmail-ldap spf patch

2004-06-21 Thread Zachary Kotlarek
I hate to contribute to this absurd thread, but I can't stand it.
First, let's stop with the name calling. Jumping from the mention (with 
documentation, I might add) that MS is looking into SPF, to the fact 
that you don't like their OS hardly makes your point seem more 
credible. It also doesn't help to call SPF "crap" without even a word 
of explanation -- if you'd like to convince us you might, I don't know, 
offer evidence or citations or anything other than a loaded, 
unsupported, single-word opinion.

Second, MS and AOL are large players in the email world. Maybe you 
don't mind not being able to communicate with anyone at Hotmail, MSN, 
or AOL, but for most of us, that's not an option. Hence it's probably 
not a good idea for us to simply ignore their decision to try SPF. 
Whether SPF is a valuable spam-fighting tool or not is irrelevant -- we 
may someday need to support SPF in order to play with MS and AOL.

While the merits of SPF are debatable, I think the idea of an interface 
hook for some sort of sender verification (and rejection/marking) is a 
good one. It doesn't have to be SPF specific, and in fact I'd suggest 
that it's not, as a standardized interface is almost always more 
useful. Setting up a SPF/domainkeys/etc. verification tool however, 
would be much easier if I could call it with an environmental variable, 
rather than hacking it into the delivery chain somewhere.

Such integration also allows for possible interaction with things like 
the tarpit system, or other existing pieces of qmail. Moreover, this 
sort of hook could be used to build custom authorization systems, which 
might be handy for say, allowing some users to send anywhere, and 
others to send only locally. I'm sure there are other examples as well; 
my point is that we shouldn't dismiss the idea of an ENV-driven mail 
pre-processor somewhere near the SMTP end of the system, as there are 
many potential uses, including SPF.

Zach
On Jun 21, 2004, at 5:22 PM, Henning Brauer wrote:
> * Brian Clark <[EMAIL PROTECTED]> [2004-06-21 16:12]:
>> If [SPF] is complete crap, why are companies like AOL and Microsoft
>> behind it?
>
> yeah right, M$ windoze is the best OS in the world.
>
> do your homework and read the SPF thread on the regular qmail list.

--
As a very witty man once said...
"There's a shortage of perfect breasts in this world. 'T'would be a 
pity to damage yours."




Re: qmail-ldap spf patch

2004-06-21 Thread Henning Brauer
blah blah blah blah

this has been explained and discussed on the regular qmail list to 
death, there is no point in repeating it here.

* Zachary Kotlarek <[EMAIL PROTECTED]> [2004-06-21 17:16]:
> I hate to contribute to this absurd thread, but I can't stand it.
> 
> First, let's stop with the name calling. Jumping from the mention (with 
> documentation, I might add) that MS is looking into SPF, to the fact 
> that you don't like their OS hardly makes your point seem more 
> credible. It also doesn't help to call SPF "crap" without even a word 
> of explanation -- if you'd like to convince us you might, I don't know, 
> offer evidence or citations or anything other than a loaded, 
> unsupported, single-word opinion.
> 
> Second, MS and AOL are large players in the email world. Maybe you 
> don't mind not being able to communicate with anyone at Hotmail, MSN, 
> or AOL, but for most of us, that's not an option. Hence it's probably 
> not a good idea for us to simply ignore their decision to try SPF. 
> Whether SPF is a valuable spam-fighting tool or not is irrelevant -- we 
> may someday need to support SPF in order to play with MS and AOL.
> 
> While the merits of SPF are debatable, I think the idea of an interface 
> hook for some sort of sender verification (and rejection/marking) is a 
> good one. It doesn't have to be SPF specific, and in fact I'd suggest 
> that it's not, as a standardized interface is almost always more 
> useful. Setting up a SPF/domainkeys/etc. verification tool however, 
> would be much easier if I could call it with an environmental variable, 
> rather than hacking it into the delivery chain somewhere.
> 
> Such integration also allows for possible interaction with things like 
> the tarpit system, or other existing pieces of qmail. Moreover, this 
> sort of hook could be used to build custom authorization systems, which 
> might be handy for say, allowing some users to send anywhere, and 
> others to send only locally. I'm sure there are other examples as well; 
> my point is that we shouldn't dismiss the idea of an ENV-driven mail 
> pre-processor somewhere near the SMTP end of the system, as there are 
> many potential uses, including SPF.
> 
>   Zach
> 
> On Jun 21, 2004, at 5:22 PM, Henning Brauer wrote:
> 
> >* Brian Clark <[EMAIL PROTECTED]> [2004-06-21 16:12]:
> >>If [SPF] is complete crap, why are companies like AOL and Microsoft
> >>behind it?
> >
> >yeah right, M$ windoze is the best OS in the world.
> >
> >do your homework and read the SPF thread on the regular qmail list.
> 
> --
> 
> As a very witty man once said...
> 
> "There's a shortage of perfect breasts in this world. 'T'would be a 
> pity to damage yours."



-- 
http://2suck.net/hhwl.html - http://www.bsws.de/
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: qmail-ldap spf patch

2004-06-21 Thread Zachary Kotlarek
I was suggesting the same thing -- that you leave your comments about 
the merits of sender verification systems off this list. Doubly so with 
such profound statements of sender-verification wisdom as "yeah right, 
M$ windoze is the best OS in the world*."

If you bothered to actually read my post, you'd see that I merely 
seconded the notion that a hook for a sender-verification system might 
be a good idea. In fact, I agreed with your idea that we should exclude 
SPF, and all other sender-verification systems, as there are much 
broader uses for such a hook.

qmail-ldap exists *only* because we decided that regular qmail does not 
meet our needs. It is possible that qmail-ldap might want to implement 
this idea, even if regular qmail does not. We can certainly save some 
time by considering the existing posts to the qmail list. Those posts, 
however, do not preclude us from having our own discussion. More 
importantly, they don't give you the prerogative to police that 
discussion.

So if you could, even just for a day or two, avoid bashing every post 
that's even tangentially related to SPF, I'd really appreciate it. Who 
knows, we might even make it easier for you to implement whatever 
"half-baked" sender-verification system you prefer.

Zach
*Which is true, by the way, if you use the McDonald's method for 
determining "best." Micro~1 sells more copies of Windows than anyone 
else sells of any other desktop operating system, making it best by 
number of copies sold.

On Jun 21, 2004, at 9:37 PM, Henning Brauer wrote:
> blah blah blah blah
>
> this has been explained and discussed on the regular qmail list to
> death, there is no point in repeating it here.
>
> * Zachary Kotlarek <[EMAIL PROTECTED]> [2004-06-21 17:16]:

--
Zachary P. Kotlarek
President, Cynic by Trade
[EMAIL PROTECTED]
(888) 309-5653
http://www.cynicbytrade.com/
Cynic by Trade
Information Technology Services
"The IT Department You Can Afford."




Re: qmail-ldap spf patch

2004-06-22 Thread Henning Brauer
if you're too lazy to search the qmail list archives, well, might as 
well stop bothering us.

* Zachary Kotlarek <[EMAIL PROTECTED]> [2004-06-21 21:26]:
> I was suggesting the same thing -- that you leave your comments about 
> the merits of sender verification systems off this list. Doubly so with 
> such profound statements of sender-verification wisdom as "yeah right, 
> M$ windoze is the best OS in the world*."
> 
> If you bothered to actually read my post, you'd see that I merely 
> seconded the notion that a hook for a sender-verification system might 
> be a good idea. In fact, I agreed with your idea that we should exclude 
> SPF, and all other sender-verification systems, as there are much 
> broader uses for such a hook.
> 
> qmail-ldap exists *only* because we decided that regular qmail does not 
> meet our needs. It is possible that qmail-ldap might want to implement 
> this idea, even if regular qmail does not. We can certainly save some 
> time by considering the existing posts to the qmail list. Those posts, 
> however, do not preclude us from having our own discussion. More 
> importantly, they don't give you the prerogative to police that 
> discussion.
> 
> So if you could, even just for a day or two, avoid bashing every post 
> that's even tangentially related to SPF, I'd really appreciate it. Who 
> knows, we might even make it easier for you to implement whatever 
> "half-baked" sender-verification system you prefer.
> 
>   Zach
> 
> *Which is true, by the way, if you use the McDonald's method for 
> determining "best." Micro~1 sells more copies of Windows than anyone 
> else sells of any other desktop operating system, making it best by 
> number of copies sold.
> 
> On Jun 21, 2004, at 9:37 PM, Henning Brauer wrote:
> 
> >blah blah blah blah
> >
> >this has been explained and discussed on the regular qmail list to
> >death, there is no point in repeating it here.
> >
> >* Zachary Kotlarek <[EMAIL PROTECTED]> [2004-06-21 17:16]:
> 
> --
> 
> Zachary P. Kotlarek
> President, Cynic by Trade
> [EMAIL PROTECTED]
> 
> (888) 309-5653
> http://www.cynicbytrade.com/
> 
> Cynic by Trade
> Information Technology Services
> "The IT Department You Can Afford."



-- 
http://2suck.net/hhwl.html - http://www.bsws.de/
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


Re: qmail-ldap spf patch

2004-06-22 Thread Thomas Mangin
Hello,
My initial email had a small PS attached to it to try to avoid fruitless 
discussion about the patch on the list and being told that "the work of 
porting the patch was not worth the effort"
Thank you no one told me that (yet) ;-)

IMHO, yes, spf is not perfect and yes, it can cause problems. Still, I can 
see cases where it can help. Before taking your pen to tell me that I did 
not do my homework, I will let you know that I agree with most of the 
ideas presented on 
http://homepages.tesco.net/~J.deBoynePollard/FGA/smtp-spf-is-harmful.html

I do believe that, like qmail, which will never be used by some people due 
to its licence, some of you will never apply a spf patch to your mail 
server (for x or y reason).
Qmail-ldap is not for everyone who needs a mail server. SPF is not for 
everyone either. I would recommend people who want to use it to 
_carefully_ read about it and understand what they are doing before 
doing it.

However, it happens that spf is "the best solution available" to what 
some of my customers are asking me to provide. In the meanwhile, I am 
not aware of a better solution. And /my opinion/ is that in /my 
situation/, which I did not explain, so please refrain from telling me 
that I am wrong, spf has a use.

Using SPF on my mail server does not mean that I will publish spf records 
for my customers' DNS entries, or my own domains. But if someone is 
willing to tell me via DNS to block _their_ email, I have no issue with 
that as long as they let mine pass.

Should you now want to tell me that I am wrong, feel free, but unless you 
find a better solution to my customer's problem, your comments are likely 
to find a deaf ear.

Regards,
Thomas Mangin




Re: qmail-ldap spf patch

2004-06-22 Thread Hasse Hagen Johansen
> "Thomas" == Thomas Mangin <[EMAIL PROTECTED]> writes:

Do you know of any patches for SRS for any kind of qmail? I only saw
someone implementing it by calling a perl script from a .qmail file

I think SPF is a lot less broken using it with SRS (Sender Rewriting Scheme)

/Hasse




Re: qmail-ldap spf patch

2004-06-22 Thread Ted Zlatanov
On 21 Jun 2004, [EMAIL PROTECTED] wrote:

> * Ted Zlatanov <[EMAIL PROTECTED]> [2004-06-21 08:54]:
>> On 18 Jun 2004, [EMAIL PROTECTED] wrote:
>> 
>> > and I strongly suggest to keep half baked crap like SPF out of 
>> > qmail-ldap.
>> 
>> While I won't comment on SPF itself, in general it could be useful to
>> provide a mechanism to verify a sender at the SMTP level. 
> 
> no, it's complete crap, and should either be ignored or fought.
> 
> the only remotely sane idea about the forgery problem I saw is 
> domainkeys.

I follow the regular qmail list as well.  Note I said I won't comment
on SPF.  I have no opinion on it, unlike you, and it plays no part in
my feature proposal.  I've seen the s***storm SPF has generated on
the qmail mailing list, and I'm very bored by that discussion.

I think you are dismissing the general idea of a hook that passes a
username and an IP to a program for external sender verification at
the SMTP level.  That has nothing to do with SPF, and can be used to
do domainkeys or whatever else is appropriate.  Let's concentrate on
that, OK?

Can you explain how my suggestion of a SENDERVERIFY hook is wrong,
without mentioning SPF or the qmail mailing list?

If you are not against the SENDERVERIFY hook, can you please say so
instead of digressing about the evils of SPF and Windows?

Thank you
Ted


Re: qmail-ldap spf patch

2004-06-22 Thread Ted Zlatanov
On 22 Jun 2004, [EMAIL PROTECTED] wrote:

> My initial email had a small PS attached to it to try to avoid
> fruitless discussion about the patch on the list and being told that
> "the work of porting the patch was not worth the effort"
> Thank you no one told me that (yet) ;-)

Thomas,

would you consider splitting your patch into a "spfchecker" program
and a SENDERVERIFY environment variable as I suggested earlier?  I
think that would make your patch immensely useful and modular.

Thanks
Ted


Re: qmail-ldap spf patch

2004-06-22 Thread Thomas Mangin
> would you consider splitting your patch into a "spfchecker" program
> and a SENDERVERIFY environment variable as I suggested earlier? I
> think that would make your patch immensely useful and modular.

Ted,
I will have to correct you. I am not the author of the patch. I just 
ported the patch available at http://www.saout.de/misc/spf/ to qmail-ldap.

As well, I already have to write a wrapper to allow my qmail 
installation to use a checkpassword program with the auth_smtp interface 
to allow auth_smtp check on more than ldap (I use both vmailmgr and 
qmail-ldap). It will keep me busy for some time (it is not hard but it 
takes time to do it).

I will try to squeeze the time for this patch. No promises here 
whatsoever, do not hold your breath, I may simply not have the time/energy 
to write it.

In the meanwhile, you can apply the patch, compile and extract the 
spfquery program which is stand alone.

Thomas





Re: qmail-ldap spf patch

2004-06-22 Thread Ted Zlatanov
On 22 Jun 2004, [EMAIL PROTECTED] wrote:

> I will try to squeeze the time for this patch. No promises here
> whatsoever, do not hold your breath, I may simply not have the
> time/energy to write it.

No problem, maybe someone else will find the task interesting before
you or I get around to it.

Ted


spf patch to qmail-ldap?

2005-06-16 Thread Taciano Tavares

Dear qmail-ldap companions,
I'm trying to add SPF functionality to my qmail-ldap installation.  I 
only found a patch to "vanilla" qmail-1.03 and tried to apply it to 
qmail-ldap but it doesn't work.  I started porting the qmail-1.03 spf 
patch but it wasn't as simple as I expected and I don't feel it's 
production stable.

Does anyone have a reliable SPF patch for qmail-ldap to share with me?

Thanks,
tazfera


spf patch with qmail-ldap

2005-10-05 Thread Diego Zuaneti Arruda



Hi all,

Anyone have the spf patch to use with qmail-ldap?

Thanks

Diego