Over the past weekend, I added SPF screening on the MTA at shorewall.net. SPF is a mechanism for a domain to use DNS to publish a list of those IP addresses that are used to send legitimate email from that domain. A receiving MTA can use that published information to determine if email from a domain is being sent through an MTA belonging to that domain.

I am seeing some email that appears to be from list subscribers being rejected. I suspect that this is because people are running their own MTAs and outbound email bypasses their ISP's MTA even though the sender address is in the ISP's domain.

Example: Your ISP is foo.com and you are sending email from me@foo.com directly through your own mail server. Your IP address is not one of the ones published by foo.com as being a legitimate email source for foo.com.

If this is the case with you, please configure your MTA to route mail to shorewall.net through your ISP. Do not ask me to make an exception for you at this end.

-Tom

PS -- All outgoing email from shorewall.net is routed through my ISP; it's too much of a hassle for me to try to run the mailing lists otherwise.

--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote on 29/09/2004 12:22:33:

> Over the past weekend, I added SPF screening on the MTA at
> shorewall.net. SPF is a mechanism for a domain to use DNS to publish a
> list of those IP addresses that are used to send legitimate email from
> that domain. A receiving MTA can use that published information to
> determine if email from a domain is being sent through an MTA belonging
> to that domain.

More information on SPF at http://spf.pobox.com/
There is a utility there that helps creating the SPF DNS Record.

Hope it helps,

Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606

Eduardo Ferreira wrote:

> Tom Eastep wrote on 29/09/2004 12:22:33:
>
>> Over the past weekend, I added SPF screening on the MTA at
>> shorewall.net. SPF is a mechanism for a domain to use DNS to publish a
>> list of those IP addresses that are used to send legitimate email from
>> that domain. A receiving MTA can use that published information to
>> determine if email from a domain is being sent through an MTA belonging
>> to that domain.
>
> more information on SPF at http://spf.pobox.com/
> there is a utility there that helps creating the SPF DNS Record.

In fact, I used that utility to generate the shorewall.net SPF DNS record.

-Tom

> In fact, I used that utility to generate the shorewall.net SPF DNS record.

This gives me a chance to see if my SPF record is working....

--
Stephen Carville
Unix and Network Administrator
DPSI
6033 W.Century Blvd.
Los Angeles, CA 90045
310-342-3602

Alan wrote on 29/09/2004 14:30:35:

> Tom Eastep said:
>
>>> there is a utility there that helps creating the SPF DNS Record.
>>
>> In fact, I used that utility to generate the shorewall.net SPF DNS record.
>>
>> -Tom
>
> Guess it hasn't made it out yet, no TXT record resolves yet for
> shorewall.net or lists.shorewall.net...

yep. dnsreport.com didn't find any SPF records there.

--Eduardo

Tom Eastep said:

>> there is a utility there that helps creating the SPF DNS Record.
>
> In fact, I used that utility to generate the shorewall.net SPF DNS record.
>
> -Tom

Guess it hasn't made it out yet, no TXT record resolves yet for shorewall.net or lists.shorewall.net...

-Alan

Alan Sparks, UNIX/Linux Systems Administrator <asparks@doublesparks.net>

I use my own server (here at home, on ADSL) to send all of my email. However, I also use a hosting company, which offers the facility to specify and modify my DNS records. Hopefully, this should be working :)

> -----Original Message-----
> From: shorewall-users-bounces+mailinglists=ionstream.co.uk@lists.shorewall.net
> On Behalf Of Stephen Carville
> Sent: 29 September 2004 18:04
> To: Mailing List for Shorewall Users
> Subject: Re: [Shorewall-users] SPF screening implemented at shorewall.net
>
> > In fact, I used that utility to generate the shorewall.net SPF DNS
> > record.
>
> This gives me a chance to see if my SPF record is working....

Eduardo Ferreira wrote:

> Alan wrote on 29/09/2004 14:30:35:
>
>> Tom Eastep said:
>>
>>>> there is a utility there that helps creating the SPF DNS Record.
>>>
>>> In fact, I used that utility to generate the shorewall.net SPF DNS record.
>>>
>>> -Tom
>>
>> Guess it hasn't made it out yet, no TXT record resolves yet for
>> shorewall.net or lists.shorewall.net...
>
> yep. dnsreport.com didn't find any SPF records there.

Should be there now (once TTL for norecord expires) -- forgot the ending "." on the domain/server names ( blush ).

-Tom

John Kirkland wrote:

> I use my own server (here at home, on ADSL) to send all of my email.
> However, I also use a hosting company, which offers the facility to specify
> and modify my DNS records. Hopefully, this should be working :)

Check the Received-SPF: header in your copy of your post....

-Tom

Tom Eastep said:

> Should be there now (once TTL for norecord expires) -- forgot the ending
> "." on the domain/server names ( blush ).
>
> -Tom

I hate when that happens. :-)

You should check that lists.shorewall.net (the envelope-sender of the mailing list traffic) has a TXT record too. SPF, as I recall, checks the exact domain on the RHS of the envelope sender address.

-Alan

Alan Sparks wrote:

> Tom Eastep said:
>
>> Should be there now (once TTL for norecord expires) -- forgot the ending
>> "." on the domain/server names ( blush ).
>>
>> -Tom
>
> I hate when that happens. :-)
> You should check that lists.shorewall.net (the envelope-sender of the
> mailing list traffic) has a TXT record too. SPF, as I recall, checks the
> exact domain on the RHS of the envelope sender address.

ursa:~ # dig @ns1.infohiiway.com +short lists.shorewall.net TXT
"v=spf1 a include:blarg.net -all"
ursa:~ #

-Tom

On Thu, 2004-09-30 at 05:11, Tom Eastep wrote:

> Alan Sparks wrote:
> > Tom Eastep said:
> >
> >> Should be there now (once TTL for norecord expires) -- forgot the ending
> >> "." on the domain/server names ( blush ).
> >>
> >> -Tom
> >
> > I hate when that happens. :-)
> > You should check that lists.shorewall.net (the envelope-sender of the
> > mailing list traffic) has a TXT record too. SPF, as I recall, checks the
> > exact domain on the RHS of the envelope sender address.
>
> ursa:~ # dig @ns1.infohiiway.com +short lists.shorewall.net TXT
> "v=spf1 a include:blarg.net -all"
> ursa:~ #

I presume you are aware that SPF breaks forwarding?

Regards,
T

Terry Gilsenan wrote:

> On Thu, 2004-09-30 at 05:11, Tom Eastep wrote:
>
>> Alan Sparks wrote:
>>
>>> Tom Eastep said:
>>>
>>>> Should be there now (once TTL for norecord expires) -- forgot the ending
>>>> "." on the domain/server names ( blush ).
>>>>
>>>> -Tom
>>>
>>> I hate when that happens. :-)
>>> You should check that lists.shorewall.net (the envelope-sender of the
>>> mailing list traffic) has a TXT record too. SPF, as I recall, checks the
>>> exact domain on the RHS of the envelope sender address.
>>
>> ursa:~ # dig @ns1.infohiiway.com +short lists.shorewall.net TXT
>> "v=spf1 a include:blarg.net -all"
>> ursa:~ #
>
> I presume you are aware that SPF breaks forwarding?

Well, depending what you mean by "break". For example, I forward all outgoing mail through my ISP's servers and my SPF TXT records reflect that fact. Additionally, if a domain has a backup MX then the backup should do SPF screening and incoming mail forwarded by the backup to the primary should bypass SPF screening. I currently have no backup MX so that isn't an issue for me.

-Tom

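
Added example (not part of any post in this thread, and not shorewall.net's MTA code): a small evaluator for the record shown above, "v=spf1 a include:blarg.net -all", and for the me@foo.com rejection case from the first message. The DNS table is constructed; the blarg.net and foo.com policies, every IP address, and the function names check_host and spf_for_envelope are assumptions, and only the a, ip4, include and all mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS. Only the lists.shorewall.net TXT record is from
# the thread; the other policies and all addresses (RFC 5737 ranges) are assumed.
DNS = {
    "TXT": {
        "lists.shorewall.net": "v=spf1 a include:blarg.net -all",
        "blarg.net": "v=spf1 ip4:192.0.2.0/24 -all",
        "foo.com": "v=spf1 ip4:198.51.100.0/24 -all",
    },
    "A": {"lists.shorewall.net": ["203.0.113.10"]},
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate a subset of SPF (a, ip4, include, all) for a client IP."""
    record = DNS["TXT"].get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # no policy published at this exact name
    if depth > 10:
        return "permerror"  # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in DNS["A"].get(arg or domain, [])
        elif name == "include":
            # include matches only if the nested policy evaluates to pass
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and no "all" term


def spf_for_envelope(ip, mail_from):
    """Check the domain to the right of '@' in the envelope sender."""
    return check_host(ip, mail_from.rsplit("@", 1)[1].lower())


if __name__ == "__main__":
    print(spf_for_envelope("203.0.113.77", "me@foo.com"))
```

The lookup is by exact name, so a policy at foo.com says nothing about mail.foo.com, which is why the list's envelope-sender domain needs its own TXT record.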