Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-22 Thread Alexey Loukianov

Trung Pham wrote:

>> SPF records alone cut way down on the backspam I was getting.  I was up
>> to about 80 bounce messages a day that had my domain as a return, but
>> were not sent by anyone here.
>
> Isn't that the work of SRS and not SPF?



Not at all. These bounces are produced mostly by open relays (often these
are cracked or misconfigured SMTP servers), which have no knowledge
about SPF. A spammer relays through an SMTP server of such kind a message
with "MAIL FROM:" set to an address in your domain. The open relay then
tries to deliver the message to a server that is well-configured and knows
about SPF. That server "sees" that the origin address was forged and
refuses to accept the message. As a result, the open relay sends a bounce
to you informing you that it was unable to deliver the message, just
because it "thinks" that it was you (not the spammer) who sent the
original message.


--
Best regards,
Alexey Loukianov  mailto:[EMAIL PROTECTED]
System Engineer,
IT Department,
Lavtech Corp.

-
QmailToaster hosted by: VR Hosted 
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-22 Thread Alexey Loukianov

Erik Espinoza wrote:

> Most (all?) isps should be adding received headers, which should break
> the signature. This is because the DK implementation written for Qmail
> ignores an optional part of the spec that can be used to sign only
> certain headers and the message.


One correction: TTBOMK, even if the "h=" tag wasn't specified in the mail,
the only headers used when checking the signature are the ones located
below the "DomainKey-Signature:" line. Here is a part from DK-draft-02:


h = A colon separated list of header field names that identify the
headers presented to the signing algorithm. If present, the
value MUST contain the complete list of headers in the order
presented to the signing algorithm.

If present, this tag MUST include the header that was used to
identify the sending domain, ie, the "From:" or "Sender:"
header, thus this tag can never contain an empty value.

If this tag is not present, all headers subsequent to the
signature header are included in the order found in the email.

A verifier MUST support this tag. A signer MAY support this
tag. If a signer generates this tag it MUST include all email
headers in the original email as a verifier MAY remove or
render suspicious, lines that are not included in the
signature.

In the presence of duplicate headers, a signer may include
duplicate entries in the list of headers in this tag. If a
header is included in this list, a verifier must include all
occurrences of that header, subsequent to the
"DomainKey-Signature:" header in the verification.

If a header identified in this list is not found after the
"DomainKey-Signature:" header in the verification process, a
verifier may "look" for a matching header prior to the
"DomainKey-Signature:" header, however signers should not
rely on this as early experience suggests that most verifiers
do not try to "look" back before the "DomainKey-Signature:"
header.

Whitespace is ignored in this value.

== cut 

Because of this, even if an ISP adds its header lines to a message, if they
get added prior to the "DomainKey-Signature:" header, the signature will
survive. Unfortunately, this is the rare case, and currently I'm in the
process of implementing the "h=" tag usage for qmail-dk.


--
Best regards,
Alexey Loukianov  mailto:[EMAIL PROTECTED]
System Engineer,
IT Department,
Lavtech Corp.
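
The header-selection rule quoted from DK-draft-02 above, as an added Python example that is not part of the original post or of qmail-dk: it computes which header lines are presented to the signing algorithm and compares that set before and after a relay touches the message. The messages, the example.org names and the X-Relay-Scanned header are constructed; canonicalization, the body and the optional look-back are not modelled.

```python
import re

def parse_headers(raw):
    """Split a header block into (name, line) pairs, unfolding continuation lines."""
    headers = []
    for line in raw.strip("\n").split("\n"):
        if line[:1] in (" ", "\t") and headers:
            name, text = headers[-1]
            headers[-1] = (name, text + " " + line.strip())
        else:
            headers.append((line.partition(":")[0].strip(), line))
    return headers

def signed_headers(raw):
    """Header lines presented to the signing algorithm, per the quoted h= rule."""
    headers = parse_headers(raw)
    idx = next(i for i, (n, _) in enumerate(headers)
               if n.lower() == "domainkey-signature")
    tags = {}
    for part in headers[idx][1].partition(":")[2].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # whitespace is ignored
    after = headers[idx + 1:]  # only headers below the signature are considered
    if "h" not in tags:
        return [line for _, line in after]  # no h=: everything below is signed
    wanted = {n.lower() for n in tags["h"].split(":")}
    # All occurrences of each listed header, in message order (a signer builds
    # h= from that order). The optional look-back above the signature is skipped.
    return [line for n, line in after if n.lower() in wanted]

def survives(original, relayed):
    """True if the relay left the signed header set unchanged."""
    return signed_headers(original) == signed_headers(relayed)

# Constructed sample: signature without h= (the thread says the qmail DK
# implementation does not emit it).
SIGNED = (
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=sel; d=example.org;\n"
    "  b=PLACEHOLDER\n"
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: test\n"
)
# The same constructed message signed with an h= list.
SIGNED_H = SIGNED.replace("d=example.org;", "d=example.org; h=From:To:Subject;")

def relay_prepends(msg):
    """Relay adds its trace header above the signature (the usual Received case)."""
    return "Received: from toaster.example.org by relay.example.net\n" + msg

def relay_adds_below(msg):
    """Relay inserts a header below the signature."""
    return msg + "X-Relay-Scanned: yes\n"

if __name__ == "__main__":
    for label, msg in (("no h=", SIGNED), ("h=", SIGNED_H)):
        print(label,
              "| prepended header survives:", survives(msg, relay_prepends(msg)),
              "| header added below survives:", survives(msg, relay_adds_below(msg)))
```
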




Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-18 Thread Trung Pham
> Trung,
> Is your toaster on a dynamic or static IP address?

I have static IP since my company has the Business DSL line.


> Trung Pham wrote:
>> So in my case, I am forwarding my mail through Yahoo. I should not
>> bother
>> setting up SPF, SRS, and Domainkeys since I won't see any benefit at
>> all.
>>
>> Supposed if I handle my own outbound email and setup all those features
>> properly. Do you think Yahoo will still put my mails in the Bulk folder?
>
> TTBOMK, yahoo will not put your mail in bulk folders if you have DK
> configured properly.


I will give this a shot.


>> Another question, is it necessary for us to setup reverse IP DNS?
>> Because
>> I think SBC will not help me do it.
>>
>>> SRS and SPF can be used if your upstream isp publishes spf records.
>>> You can use the include statement (more info at openspf.org) to
>>> include their spf entries into your spf records. SBC, however, doesn't
>>> publish SPF records as Yahoo handles their infrastructure.
>>>
>>> The Qmail DomainKey implementation is to spec, but doesn't implement
>>> the optional "h=" header that limits the scope of the DomainKey
>>> signature to certain parts. Because of this, DomainKeys will fail if
>>> it is forwarded through a third party server.
>>>
>>> Erik
>>>
>>> On 1/16/07, Trung Pham <[EMAIL PROTECTED]> wrote:
>>>> I currently have all my outgoing emails forwarded to my ISP server
>>>> using
>>>> smtproutes. So I am curious if I can still use domainkeys, spf, or srs
>>>> features since my ISP will definitely modify the email header.
>>>>
>>>> FYI, I am using SBC Business DSL. I had to resolve to smtproutes
>>>> otherwise
>>>> Yahoo will put emails coming from me into the bulk folder.
>>>>
>>>> Please let me know if those features still work if I use my ISP to
>>>> relay
>>>> my mails.
>>>>
>>>> My goal is to stop incoming spams that forge my own address.



>
>
> --
> -Eric 'shubes'
>



Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-17 Thread Erik Espinoza

SPF will not work in this case. Reread my earlier email. Yahoo doesn't
publish records for one to include. In addition DK usually fails when
you use a smarthost.

On 1/17/07, Eric Shubes <[EMAIL PROTECTED]> wrote:

> Trung,
> Is your toaster on a dynamic or static IP address?
>
> Trung Pham wrote:
>> So in my case, I am forwarding my mail through Yahoo. I should not bother
>> setting up SPF, SRS, and Domainkeys since I won't see any benefit at all.
>>
>> Supposed if I handle my own outbound email and setup all those features
>> properly. Do you think Yahoo will still put my mails in the Bulk folder?
>
> TTBOMK, yahoo will not put your mail in bulk folders if you have DK
> configured properly.
>
>> Another question, is it necessary for us to setup reverse IP DNS? Because
>> I think SBC will not help me do it.
>>
>>> SRS and SPF can be used if your upstream isp publishes spf records.
>>> You can use the include statement (more info at openspf.org) to
>>> include their spf entries into your spf records. SBC, however, doesn't
>>> publish SPF records as Yahoo handles their infrastructure.
>>>
>>> The Qmail DomainKey implementation is to spec, but doesn't implement
>>> the optional "h=" header that limits the scope of the DomainKey
>>> signature to certain parts. Because of this, DomainKeys will fail if
>>> it is forwarded through a third party server.
>>>
>>> Erik
>>>
>>> On 1/16/07, Trung Pham <[EMAIL PROTECTED]> wrote:
>>>> I currently have all my outgoing emails forwarded to my ISP server using
>>>> smtproutes. So I am curious if I can still use domainkeys, spf, or srs
>>>> features since my ISP will definitely modify the email header.
>>>>
>>>> FYI, I am using SBC Business DSL. I had to resolve to smtproutes
>>>> otherwise
>>>> Yahoo will put emails coming from me into the bulk folder.
>>>>
>>>> Please let me know if those features still work if I use my ISP to relay
>>>> my mails.
>>>>
>>>> My goal is to stop incoming spams that forge my own address.
>
> --
> -Eric 'shubes'




Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-17 Thread Eric "Shubes"
Trung,
Is your toaster on a dynamic or static IP address?

Trung Pham wrote:
> So in my case, I am forwarding my mail through Yahoo. I should not bother
> setting up SPF, SRS, and Domainkeys since I won't see any benefit at all.
>
> Supposed if I handle my own outbound email and setup all those features
> properly. Do you think Yahoo will still put my mails in the Bulk folder?

TTBOMK, yahoo will not put your mail in bulk folders if you have DK
configured properly.

> Another question, is it necessary for us to setup reverse IP DNS? Because
> I think SBC will not help me do it.
> 
>> SRS and SPF can be used if your upstream isp publishes spf records.
>> You can use the include statement (more info at openspf.org) to
>> include their spf entries into your spf records. SBC, however, doesn't
>> publish SPF records as Yahoo handles their infrastructure.
>>
>> The Qmail DomainKey implementation is to spec, but doesn't implement
>> the optional "h=" header that limits the scope of the DomainKey
>> signature to certain parts. Because of this, DomainKeys will fail if
>> it is forwarded through a third party server.
>>
>> Erik
>>
>> On 1/16/07, Trung Pham <[EMAIL PROTECTED]> wrote:
>>> I currently have all my outgoing emails forwarded to my ISP server using
>>> smtproutes. So I am curious if I can still use domainkeys, spf, or srs
>>> features since my ISP will definitely modify the email header.
>>>
>>> FYI, I am using SBC Business DSL. I had to resolve to smtproutes
>>> otherwise
>>> Yahoo will put emails coming from me into the bulk folder.
>>>
>>> Please let me know if those features still work if I use my ISP to relay
>>> my mails.
>>>
>>> My goal is to stop incoming spams that forge my own address.
>>>
>>>
>>>


-- 
-Eric 'shubes'




Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-17 Thread Eric "Shubes"
Vince Callaway wrote:
> On Wed, 2007-01-17 at 14:30 -0800, Trung Pham wrote:
>> So in my case, I am forwarding my mail through Yahoo. I should not bother
>> setting up SPF, SRS, and Domainkeys since I won't see any benefit at all.
> 
> EVERYONE should use SPF.
> 
> Forwarding mail through yahoo does not negate the benefits.  My own
> email forwards through centurytel (my isp).
> 
> My SPF record is "v=spf1 a include:centurytel.net ~all".  Pretty simple
> and effective.  My /var/qmail/control/spfbehavior value is set to 4.
> Keeps the fraud down.
> 

Thanks for clearing this up, Vince. That was my understanding too.

-- 
-Eric 'shubes'




Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-17 Thread Vince Callaway
On Wed, 2007-01-17 at 14:30 -0800, Trung Pham wrote:
> So in my case, I am forwarding my mail through Yahoo. I should not bother
> setting up SPF, SRS, and Domainkeys since I won't see any benefit at all.

EVERYONE should use SPF.

Forwarding mail through yahoo does not negate the benefits.  My own
email forwards through centurytel (my isp).

My SPF record is "v=spf1 a include:centurytel.net ~all".  Pretty simple
and effective.  My /var/qmail/control/spfbehavior value is set to 4.
Keeps the fraud down.
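
An added example (not from the thread and not code from the qmail SPF patch) that evaluates the record form quoted above for a legitimate sender and for a forged one, then applies a receiver-side threshold. All DNS data is constructed, example.org stands in for the publishing domain, and the spfbehavior levels are an assumption based on the qmail SPF patch documentation (3 rejects fail, 4 also softfail, 5 also neutral).

```python
import ipaddress

# Constructed DNS data using documentation address ranges; not real records.
TXT = {
    "example.org": "v=spf1 a include:centurytel.net ~all",  # record form from the thread
    "centurytel.net": "v=spf1 ip4:198.51.100.0/24 -all",    # constructed stand-in
}
A = {"example.org": ["192.0.2.10"]}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain):
    """Simplified SPF evaluation: only a, ip4, include and all are modelled."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in A.get(arg or domain, [])
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg)
        elif name == "include":
            # include matches only when the included policy returns pass
            matched = check_host(ip, arg) == "pass"
        else:
            continue  # mechanism not modelled in this example
        if matched:
            return RESULT[qualifier]
    return "neutral"

def rejects(result, spfbehavior):
    """Receiver policy; levels are an assumption (see the note above the block)."""
    blocked = {
        3: {"fail"},
        4: {"fail", "softfail"},
        5: {"fail", "softfail", "neutral"},
    }
    return result in blocked.get(spfbehavior, set())

if __name__ == "__main__":
    cases = [
        ("own server", "192.0.2.10"),
        ("ISP smarthost", "198.51.100.25"),
        ("open relay with forged MAIL FROM", "203.0.113.77"),
    ]
    for label, ip in cases:
        result = check_host(ip, "example.org")
        print(f"{label:34} {ip:15} {result:9} rejected at level 4: {rejects(result, 4)}")
```

With `~all` the forged sender only reaches softfail, so a receiver that rejects on fail alone (level 3 here) would still accept it.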





Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-17 Thread Trung Pham
So in my case, I am forwarding my mail through Yahoo. I should not bother
setting up SPF, SRS, and Domainkeys since I won't see any benefit at all.

Supposed if I handle my own outbound email and setup all those features
properly. Do you think Yahoo will still put my mails in the Bulk folder?

Another question, is it necessary for us to setup reverse IP DNS? Because
I think SBC will not help me do it.

> SRS and SPF can be used if your upstream isp publishes spf records.
> You can use the include statement (more info at openspf.org) to
> include their spf entries into your spf records. SBC, however, doesn't
> publish SPF records as Yahoo handles their infrastructure.
>
> The Qmail DomainKey implementation is to spec, but doesn't implement
> the optional "h=" header that limits the scope of the DomainKey
> signature to certain parts. Because of this, DomainKeys will fail if
> it is forwarded through a third party server.
>
> Erik
>
> On 1/16/07, Trung Pham <[EMAIL PROTECTED]> wrote:
>> I currently have all my outgoing emails forwarded to my ISP server using
>> smtproutes. So I am curious if I can still use domainkeys, spf, or srs
>> features since my ISP will definitely modify the email header.
>>
>> FYI, I am using SBC Business DSL. I had to resolve to smtproutes
>> otherwise
>> Yahoo will put emails coming from me into the bulk folder.
>>
>> Please let me know if those features still work if I use my ISP to relay
>> my mails.
>>
>> My goal is to stop incoming spams that forge my own address.
>>
>>
>>



Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-17 Thread Erik Espinoza

SRS and SPF can be used if your upstream isp publishes spf records.
You can use the include statement (more info at openspf.org) to
include their spf entries into your spf records. SBC, however, doesn't
publish SPF records as Yahoo handles their infrastructure.

The Qmail DomainKey implementation is to spec, but doesn't implement
the optional "h=" header that limits the scope of the DomainKey
signature to certain parts. Because of this, DomainKeys will fail if
it is forwarded through a third party server.

Erik

On 1/16/07, Trung Pham <[EMAIL PROTECTED]> wrote:

> I currently have all my outgoing emails forwarded to my ISP server using
> smtproutes. So I am curious if I can still use domainkeys, spf, or srs
> features since my ISP will definitely modify the email header.
>
> FYI, I am using SBC Business DSL. I had to resolve to smtproutes otherwise
> Yahoo will put emails coming from me into the bulk folder.
>
> Please let me know if those features still work if I use my ISP to relay
> my mails.
>
> My goal is to stop incoming spams that forge my own address.






Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-16 Thread Erik Espinoza

Most (all?) isps should be adding received headers, which should break
the signature. This is because the DK implementation written for Qmail
ignores an optional part of the spec that can be used to sign only
certain headers and the message.

Can you send an e-mail to me offlist? I want to take a quick look at
your headers.

Thanks,
Erik

On 1/16/07, Vince Callaway <[EMAIL PROTECTED]> wrote:

> On Tue, 2007-01-16 at 21:10 -0500, slamp slamp wrote:
>> How did you get domainkeys working in this setup?? When I set my
>> domainkeys awhile ago, gmail or yahoo always said bad keys. and I was
>> told here on the list that it wont work because the headers are
>> changed/updated by the smtp server in smtproute.
>
> Only if your ISP changes your message.
>
> You can use this link: http://senderid.espcoalition.org/ to test your
> domainkeys.  It is an auto-responder that sends back a report on your
> message.  Pretty good debugging info.
>
> I also have accounts at gmail and yahoo.  I sent messages to those and
> domainkey status was always good.
>
> Mailing lists are what breaks domainkeys.  They like to add little
> things to the bottom of the message.  I have an entry in my tcp.smtp
> file for each of the mailing list servers I use.  Those entries bypass
> domainkey checks.  I found I was bouncing a lot of messages, especially
> from this list because of domainkey failures.







Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-16 Thread Vince Callaway
On Tue, 2007-01-16 at 21:10 -0500, slamp slamp wrote:
> How did you get domainkeys working in this setup?? When I set my
> domainkeys awhile ago, gmail or yahoo always said bad keys. and I was
> told here on the list that it wont work because the headers are
> changed/updated by the smtp server in smtproute. 

Only if your ISP changes your message.

You can use this link: http://senderid.espcoalition.org/ to test your
domainkeys.  It is an auto-responder that sends back a report on your
message.  Pretty good debugging info.

I also have accounts at gmail and yahoo.  I sent messages to those and
domainkey status was always good.

Mailing lists are what breaks domainkeys.  They like to add little
things to the bottom of the message.  I have an entry in my tcp.smtp
file for each of the mailing list servers I use.  Those entries bypass
domainkey checks.  I found I was bouncing a lot of messages, especially
from this list because of domainkey failures.







Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-16 Thread Vince Callaway
On Tue, 2007-01-16 at 18:11 -0800, Trung Pham wrote:
> > SPF records alone cut way down on the backspam I was getting.  I was up
> > to about 80 bounce messages a day that had my domain as a return, but
> > were not sent by anyone here.
> 
> Isn't that the work of SRS and not SPF?

No.  SPF tells the receiving computer that the mail is forged.  If it is
configured properly it will throw it away and not bounce it.

SRS is for computers that are forwarding mail.  The from is rewritten so
that it does not break SPF.

Too many 3-letter words.





Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-16 Thread Trung Pham
> SPF records alone cut way down on the backspam I was getting.  I was up
> to about 80 bounce messages a day that had my domain as a return, but
> were not sent by anyone here.

Isn't that the work of SRS and not SPF?






Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-16 Thread slamp slamp

How did you get domainkeys working in this setup?? When I set my domainkeys
awhile ago, gmail or yahoo always said bad keys. and I was told here on the
list that it wont work because the headers are changed/updated by the smtp
server in smtproute.

On 1/16/07, Vince Callaway <[EMAIL PROTECTED]> wrote:


> On Tue, 2007-01-16 at 16:43 -0800, Trung Pham wrote:
>> Any idea guys?
>>
>> Is it worth it setup SPF, SRS, and domainkeys if I am gonna use my ISP
>> SMTP server for outgoing emails?
>
> This is exactly how I'm setup.  I have a dynamic IP and host my mail at
> home.  I use xpertdns.com to host my dns.
>
> My opinions on:
> SPF, most certainly.
> SRS, Don't know if it is needed.
> Domainkeys, Certainly for outgoing.  There are some issues with
> incoming.
>
> SPF records alone cut way down on the backspam I was getting.  I was up
> to about 80 bounce messages a day that had my domain as a return, but
> were not sent by anyone here.






Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-16 Thread Vince Callaway
On Tue, 2007-01-16 at 16:43 -0800, Trung Pham wrote:
> Any idea guys?
> 
> Is it worth it setup SPF, SRS, and domainkeys if I am gonna use my ISP
> SMTP server for outgoing emails?

This is exactly how I'm setup.  I have a dynamic IP and host my mail at
home.  I use xpertdns.com to host my dns.

My opinions on:
SPF, most certainly.
SRS, Don't know if it is needed.
Domainkeys, Certainly for outgoing.  There are some issues with
incoming.

SPF records alone cut way down on the backspam I was getting.  I was up
to about 80 bounce messages a day that had my domain as a return, but
were not sent by anyone here.





Re: [qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-16 Thread Trung Pham
Any idea guys?

Is it worth it setup SPF, SRS, and domainkeys if I am gonna use my ISP
SMTP server for outgoing emails?

> I currently have all my outgoing emails forwarded to my ISP server using
> smtproutes. So I am curious if I can still use domainkeys, spf, or srs
> features since my ISP will definitely modify the email header.
>
> FYI, I am using SBC Business DSL. I had to resolve to smtproutes otherwise
> Yahoo will put emails coming from me into the bulk folder.
>
> Please let me know if those features still work if I use my ISP to relay
> my mails.
>
> My goal is to stop incoming spams that forge my own address.
>
>
>



[qmailtoaster] smtproutes and domainkeys, spf, srs

2007-01-16 Thread Trung Pham
I currently have all my outgoing emails forwarded to my ISP server using
smtproutes. So I am curious if I can still use domainkeys, spf, or srs
features since my ISP will definitely modify the email header.

FYI, I am using SBC Business DSL. I had to resolve to smtproutes otherwise
Yahoo will put emails coming from me into the bulk folder.

Please let me know if those features still work if I use my ISP to relay
my mails.

My goal is to stop incoming spams that forge my own address.


