SPF and why some people are having trouble sending me email. - AdrianG — LiveJournal [APOD]
January 8th, 2005
09:24 pm


Comments
 
From:technoshaman
Date:January 9th, 2005 04:32 pm (UTC)
So you're blocking anyone who doesn't have the requisite TXT records, done right? Or are you taking the default interim, i.e. as long as the DNS is scrupulously correct on the connecting host, it's OK?

I killed off my SPF records and shut down my policy daemon after Microsoft got their fingers in the cookie jar. I expect I'll put something back once everybody gets their finger out and decides on something that's OSSG-compatible. (I'm NOT doing a proprietary solution; then again, I doubt AOL will let Microsoft do that.)

Meanwhile, I'm simply using almost but not quite the full range of sanity checking Postfix allows: I'm using two RBLs, making sure the connecting client is saying HELO with a real FQDN that is not my own, bouncing known quantity addresses no longer in use, and some of my own blacklists (and whitelists). I'm bouncing anywhere from 5 to 25 a day (it used to be a lot more, occasionally upwards of 100, but I think AOL and Comcast's little partnership have done a lot for that), and maybe two a week slip thru to be ground by bogofilter. Pretty darn fine, for me.
From:adriang
Date:January 9th, 2005 04:57 pm (UTC)
If I understand what my ISP is doing correctly, they are blocking email from domains that don't have an acceptable SPF configuration, and they are rejecting SPF configurations that say all IP addresses on the internet are okay. I'm drawing this conclusion based on very little data, so it could be a little off.

I thought Microsoft tried to do the embrace and extend thing but got rejected by the IETF. As far as I know, MS has not been allowed to take control of SPF.

Just as an experiment, can you see if you can send me email?

Adrian
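
The receiving-side policy guessed at in the comment above (refuse domains with no usable SPF record, and refuse records that authorise every address on the internet), as an added example that is not part of the original thread. The function names and sample records are constructed, and only the `all`, `ip4` and `ip6` mechanisms are examined.

```python
import ipaddress

def classify_spf(txt_records):
    """Classify a domain's TXT records: 'none', 'invalid', 'permissive' or 'restrictive'."""
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "invalid"  # more than one SPF record is a permanent error
    for term in spf[0].split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            # "all" matches every sender, so evaluation always stops here
            return "permissive" if qualifier == "+" else "restrictive"
        if qualifier == "+" and name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "invalid"
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 covers the whole internet
                return "permissive"
    return "restrictive"

def receiver_decision(txt_records):
    """Hypothetical policy: only a restrictive record goes on to a normal SPF check."""
    return "evaluate" if classify_spf(txt_records) == "restrictive" else "reject"

# Constructed sample records (documentation address ranges only).
SAMPLES = {
    "no-spf": ["some unrelated text record"],
    "plus-all": ["v=spf1 +all"],
    "whole-v4": ["v=spf1 ip4:0.0.0.0/0 -all"],
    "normal": ["v=spf1 mx ip4:192.0.2.0/24 -all"],
    "duplicate": ["v=spf1 mx -all", "v=spf1 a -all"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, classify_spf(records), receiver_decision(records))
```
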
From:technoshaman
Date:January 9th, 2005 05:22 pm (UTC)
Seems to have gone thru, at least stage one:

Jan 9 09:20:11 localhost postfix/smtp[28128]: 7DEDF4ADB1: to=<adrian at-sign nerds.org>, relay=ob.fu.sca.tion[192.168.0.0], delay=3, status=sent (250 message sent ok)
From:adriang
Date:January 9th, 2005 05:27 pm (UTC)
I get a message from you, but it looks like my reply won't make it.

Adrian
From:adriang
Date:January 9th, 2005 05:28 pm (UTC)
That should be "got". 8-)

Adrian
From:technoshaman
Date:January 9th, 2005 05:31 pm (UTC)
Weird. Log from your end? I'll look at mine...
From:adriang
Date:January 9th, 2005 05:40 pm (UTC)
Jan 9 11:14:18 cyclone sendmail[21060]: j09HEGhM021058: to=<xxxxxxxxxxxx@xxxxxx.org>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=120550, relay=mail.xxxxxx.org. [1xx.136.111.31], dsn=5.0.0, stat=Service unavailable

One of the consequences of my non-SPF compliant configuration at home is that I won't receive the bounce message.

Adrian
From:technoshaman
Date:January 9th, 2005 05:40 pm (UTC)
Oh. You're doing direct-to-MX off a RoadRunner host. Does nerds.org not allow you to send via them?

In the old days I would've been all for everybody running their own mailserver wherever, but these days with the spam viruses running around the cable networks like fleas in a pound...

Actually, with my current volume of mail, and the way the stats have been looking lately, I could probably get away with removing that restriction... but still.

I really like the idea of having all my critical services hosted offsite, on a real T1, with backup power...
From:adriang
Date:January 9th, 2005 05:53 pm (UTC)
Actually, I'm sending directly from a sendmail instance here at home. That means I'm not in anyone's SPF records.

What I need to do is configure my local sendmail instance to relay through nerds.org's MX, and to use a password. The trouble is, if I configure it to do that, directly, then the next time I use YAST2, it will rewrite at least part of my sendmail configuration to what it thinks is correct. I've got to either figure out how to tell YAST2 what I want, or I have to modify the configuration build process for YAST2 so that it builds what I want. That's really what's kept me from fixing my SPF configuration so far. I'll get around to it, eventually.

Adrian
From:technoshaman
Date:January 9th, 2005 05:59 pm (UTC)
*nods* Actually, if you don't have too complex a setup or something that depends on it, I highly recommend scrapping Sendmail altogether and using postfix. I never had a problem with YAST2 fiddling with the config on that (although once I got the basics set up I abandoned YAST2 for config purposes in favor of emacs)...
From:adriang
Date:January 9th, 2005 06:05 pm (UTC)
I'm one of those people who has actually learned how to change sendmail configuration files, so while I wouldn't recommend sendmail to everyone, I am at least very comfortable with sendmail, myself.

Adrian
From:technoshaman
Date:January 9th, 2005 06:08 pm (UTC)
If you can actually grok a sendmail.cf, then postfix will be a walk in the park... albeit quite a different paradigm. It's actually designed to be *easy* to configure. :)
From:adriang
Date:January 9th, 2005 06:19 pm (UTC)
I'm sure you're right. To give you an idea of what you're up against in trying to convince me to change, I still prefer using 'vi'. I even know how to use 'ed'. 8-)

Adrian
From:technoshaman
Date:January 9th, 2005 06:22 pm (UTC)
That's ok, my old boss, who's been doing this since I was in short pants, still prefers a tarted-up version of vi.... but he's learned to love Postfix. I stole my ruleset from him. :)