On 09.12.2015 at 15:44, Alex wrote:
T_SPF_PERMERROR says pretty clearly that you did something wrong.
Why do people not *verify* DNS changes? I've seen the same from a
lot of large companies.

http://www.kitterman.com/spf/validate.html

+1 for the Kitterman checking tool - still my first stop for SPF
checking.

I recently found out about another: https://dmarcian.com/spf-survey/
which is also worth using.

Yes, I'm aware of this site. Perhaps I shouldn't have introduced the
T_SPF_PERMERROR issue because it's not really my main problem, and
doesn't even occur on my own domain. I wish I could post my domain,
but I can't.

My main problem is understanding how to build a rule to block spoofing
attempts against my own domain. Do I need to build a meta that
combines envelope FROM with SPF_FAIL?

first: spoofing protection is *only* about the envelope and not about the visible From header (spoofing protection based on the header kills mailing lists, and even big players like Barracuda Networks were dumb enough to do it because customers complained "but I still get spoofed mails, look at my client" instead of explaining to them that it's not possible)

second:
spoofing protection belongs in the MTA, long before SpamAssassin

why?

* you already have, on the MTA, a list of the domains for which you accept mail
* spoofing protection has *nothing* to do with SPF

smtpd_recipient_restrictions =
 reject_unlisted_recipient
 reject_unauth_destination
 reject_non_fqdn_recipient
 reject_non_fqdn_sender
 reject_non_fqdn_helo_hostname
 reject_invalid_helo_hostname
 check_sender_access hash:/etc/postfix/spoofing_protection.cf

/etc/postfix/spoofing_protection.cf:
domain1 REJECT Sender Spoofed
domain2 REJECT Sender Spoofed
domain3 REJECT Sender Spoofed
___________________________________________________________

in short: you take the script which generates "mydestination.cf" and let it spit out the other file as well, writing "REJECT" instead of "OK"

mydestination = hash:/etc/postfix/mydestination.cf
/etc/postfix/mydestination.cf:
domain1 OK
domain2 OK
domain3 OK
___________________________________________________________

before some dumbass now says "the world is not Postfix alone": the principle is the same for every MTA, and some things belong in the MTA layer and not in the content filter

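As an added example (not code from the original post or from Postfix itself), here is a generator for the two tables described above, plus a lookup that mimics how check_sender_access matches a sender address against the resulting table. Assumptions that are mine, not the post's: the hosted domains live in a plain file with one domain per line and optional '#' comments; both tables are hash: maps written to a directory of your choice; Postfix runs with its default parent_domain_matches_subdomains, which includes smtpd_access_maps, so a key "domain1" also rejects senders at "sub.domain1". It also assumes that authenticated submission runs on its own master.cf service without this restriction, and that internal relays that legitimately send with these domains are covered by permit_mynetworks or permit_sasl_authenticated placed ahead of check_sender_access; otherwise your own users would be rejected as well.

```sh
#!/bin/sh
# Added example, not code from the original post: build both Postfix tables
# from one list of hosted domains and show which envelope senders the
# resulting check_sender_access table catches.
#
# Assumptions (mine, not the post's): the list is a plain file with one
# domain per line and optional '#' comments; both tables are hash: maps in
# OUTDIR; Postfix runs with its default parent_domain_matches_subdomains,
# which includes smtpd_access_maps, so the key "domain1" also matches
# senders at "sub.domain1".

set -eu

# gen_tables LISTFILE OUTDIR
# Writes OUTDIR/mydestination.cf ("domain OK") and
# OUTDIR/spoofing_protection.cf ("domain REJECT Sender Spoofed") from the
# same cleaned list, compiles them with postmap when it is installed, and
# prints the number of domains written.
gen_tables() {
    list=$1
    outdir=$2
    dest=$outdir/mydestination.cf
    spoof=$outdir/spoofing_protection.cf
    clean=$(mktemp)

    # drop comments, blank lines and whitespace; lower-case; de-duplicate
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$list" \
        | grep -v '^$' | tr 'A-Z' 'a-z' | sort -u > "$clean"

    : > "$dest.tmp"
    : > "$spoof.tmp"
    n=0
    while IFS= read -r domain; do
        # only hostname characters, no leading or trailing dot;
        # anything else is a typo in the list, not a domain we host
        case $domain in
            *[!a-z0-9.-]*|.*|*.) echo "skipping bad entry: $domain" >&2; continue ;;
        esac
        printf '%s OK\n' "$domain" >> "$dest.tmp"
        printf '%s REJECT Sender Spoofed\n' "$domain" >> "$spoof.tmp"
        n=$((n + 1))
    done < "$clean"
    rm -f "$clean"

    # replace atomically, then build the .db files if postmap exists here
    mv "$dest.tmp" "$dest"
    mv "$spoof.tmp" "$spoof"
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$dest" "hash:$spoof"
    fi
    echo "$n"
}

# sender_action TABLE ADDRESS
# Mimics the check_sender_access lookup order from access(5): the full
# address, then the domain and each parent domain, then "user@". Prints the
# matching right-hand side (e.g. "REJECT Sender Spoofed") or DUNNO.
sender_action() {
    table=$1
    addr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    user=${addr%@*}
    d=${addr#*@}
    keys=$addr
    while [ -n "$d" ]; do
        keys="$keys $d"
        case $d in
            *.*) d=${d#*.} ;;
            *)   d= ;;
        esac
    done
    keys="$keys $user@"
    for key in $keys; do
        hit=$(awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$table")
        if [ -n "$hit" ]; then
            echo "$hit"
            return 0
        fi
    done
    echo DUNNO
}

# Usage: sh gen_spoofing_tables.sh /etc/postfix/local_domains.txt /etc/postfix
# An unauthenticated client that sends "MAIL FROM:<anyone@domain1>" is then
# answered with "554 5.7.1 <anyone@domain1>: Sender address rejected: Sender Spoofed".
if [ $# -eq 2 ]; then
    count=$(gen_tables "$1" "$2")
    echo "wrote $count domains to $2/mydestination.cf and $2/spoofing_protection.cf"
fi
```

Run it from the same cron job or deploy step that already maintains mydestination.cf, so the two tables can never drift apart; a domain you start hosting is rejected as a spoofed sender from the outside world in the same moment it becomes a local destination. The sender_action function is only a model of the lookup for testing the generated file; the authoritative check is what smtpd does with the compiled .db.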