DMARC & SFP

rolo2912 · July 23, 2014

Just wondering, is anyone using DMARC or SFP settings on the Nameservers to protect against spoofing. Never noticed it before but on gmail they seem to check against sfp settings.

Before:

Received-SPF: none (google.com: info@xxxxxxxxxxxxx.ie does not designate permitted sender hosts) client-ip=xx.xxx.xxx.xxx;

Authentication-Results: mx.google.com;       spf=neutral (google.com: info@xxxxxxxxxxxxx.ie does not designate permitted sender hosts) smtp.mail=info@xxxxxxxxxxxx.ie

Received: from www.xxxxxxxxxxxx.ie (xxxxxxx.xxxxxxserver.net [xx.xxx.xxx.xxx])

After adding a TXT record to the Nameserver:

TXT "v=spf1 mx -all"

Authentication-Results: mx.google.com;       spf=pass (google.com: domain of info@xxxxxxxxxxxxx.ie designates xx.xxx.xxx.xxx as permitted sender) smtp.mail=info@xxxxxxxxxxxx.ieReceived: from www.xxxxxxxxxxxx.ie (xxxxxxxxxx.xxxxxxxxserver.net [xx.xxx.xxx.xxx])	by xxxxxxxxxx.xxxxxxxxserver.net  (Postfix) with ESMTPA id fsdasdsdafsfdxxsdfadsf

My Questions:

1. Did anyone implement this on all the domains running on a froxlor server?

2. If Yes, what record did they use?

3. Is there anything to watch out for? IE. The sender domain is not the one specified in the Postfix-Configuration. Does this cause problems?

Thank you for any feedback.

Regards,

rolo2912

d00p · July 23, 2014

SPF *is* implemented in Froxlor if you use the Nameserver

rolo2912 · July 23, 2014

Thanks for your quick response. I am using external nameservers, so can you tell me, please, what the standard TXT Record is that is used in froxlor?

d00p · July 23, 2014

Froxlor's default would be

@ IN TXT "v=spf1 a mx -all"

rolo2912 · July 24, 2014

Is the setting causing problems when using the Email forwarding to an external email address?

IE: email address abcdef@adomainonfroxlorserver.com forward to abcdef@gmail.com

d00p · July 24, 2014

SPF is DNS-based...it just concerns the MX-Server / A-Record entry when sending from that address

Sephiroth · July 24, 2014

And YES - SPF is a problem when you are forwarding e-mails because YOUR mailserver tries so send mails with a domain as sender not hosted on your server. Example:

You recieve an e-mail from example@gmail.com for froxlor@yourdomain.tld

You configured an e-mail forwarding for froxlor@yourdomain.tld to example@outlook.com

What happens is that if gmail.com has SPF records set then outlook.com may check this setting and YOUR server is NOT configured to be allowed to send or relay mails for "@gmail.com"

If you are the forwarding party this has nothing to do with YOUR SPF records. But if someone tries to forward e-mails from your system to theirs to another provider - THEN your SPF records might cause problems.

Exploit · February 11, 2019

It's an old thread, but still in the same state so far I can see. Since the last months I see that the number of rejected emails from customers who are using the forwarding functionality in Froxlor increases dramatically.

The solution for this is implementing is 'Sender Rewriting Scheme' (SRS), which I need to implement, I've been reading quite a lot and enough stuff about this to make SRS with Postfix working, but before I start to do so, I would like to know if there is already work going on to implement SRS in Froxlor and what would be the best Froxlor-way to do it. ???

Some articles that I found to be useful, but need to be adjusted to work with Froxlor together:
https://thomas-leister.de/mailserver-debian-stretch/
https://jichu4n.com/posts/setting-up-dkim-and-srs-in-postfix/
https://christophfischer.com/linux/15-mailserver/56-sender-rewriting-scheme-srs-fuer-postfix-unter-debian

Is there already anything in development for the Froxlor project?

d00p · February 11, 2019

7 minutes ago, Exploit said:

, I would like to know if there is already work going on to implement SRS in Froxlor and what would be the best Froxlor-way to do it. ???

No one's working on that. As I've never heard of that until now (don't have any issues) I cannot tell you the best way to implement that. Is it just a config thing in main.cf? Or does it require dynamic values from the froxlor data?

d00p · February 11, 2019

Seems like a very manual thing and cloning git repositories etc...no packages for Debian? Seems not very common

Exploit · February 11, 2019

The problem starts when a customer forwards his mail from Facebook, Twitter, etc.. to his (e.g.) Gmail. That mail will be rejected, because the IP-Address of the forwarding server isn't allowed to send it by the SPF-records of the origin senders.

I'm not sure what the $secrets of following row is used for from the example of the last link in my post above:
start-stop-daemon -S -q -b -p $PID_FILE -x $DAEMON -- -p $PID_FILE $OPTIONS $DOMAIN $SECRETS

I guess that it needs some setting on domain-level, which I will try to check further out...

d00p · February 11, 2019

Mail from Facebook? Uughh? Twitter? These are no mail providers...makes no sense what you are saying.

Do you mean when a mail address added in frolxor is used for Facebook? Then what does this have to do with Facebook or Twitter? Can you please nopaste a real rejected mail with all error messages and headers etc.?

Exploit · February 11, 2019

The setup is like this...

A customer who owns "example.com" has created in froxlor "info@example.com", which he forwards to customer@gmail.com

Now he use info@example.com to receive news from (e.g.) twitter.

Now twitter sends a newsletter to info@example.com which will hang for a while in the mail-queue and fail, because gMail refuse my server to send e-mail originating from twitter.

d00p · February 11, 2019

adjust SPF entry then?

d00p · February 11, 2019

No wait, SPF has nothing to do with that ..couldn't you rewrite anything using sieve??? I mean, what these tutorials do is not just install and configure some service...looks very hacky

Exploit · February 11, 2019

No, I can't fix the SPF records for Twitter, Facebook and all others who don't allow everyone to send mail from their address. Being able to do that, I would be the God of all spammers ?

SPF and Forwarding is a well known problem and SRS is good documented, standardized an quite simple. The implementations are more complicated, and for most mail-servers still in an experimental state. I think this is because of security, you don't want to create a open-relay.

SPF is good explained here:
http://www.openspf.org/SRS

d00p · February 12, 2019

7 hours ago, Exploit said:

The implementations are more complicated, and for most mail-servers still in an experimental state.

And that's the problem

Exploit · February 12, 2019

Yes, it looks like sending email has become in the last years such a complicated thing, that almost nobody is able to set up a flawless mailserver.

SPF, DKIM, DMARC, SRS, each of them needs several components to be installed, if you want to let your customers setup their own email addresses.

However Froxlor seems to miss only:

DMARC which is technically similar to creating and checking SPF (but does also reports)
SRS which implementation is quite similar as adding a DKIM signature for outgoing mail and a spam-filter for incoming messages (proper handling of bounces is a bit challenging, but this should be solved by the SRS software)

With all these working, Spoofing eMail is definitely not possible anymore, so I think that we will not see more coming up for the next years.

SPF may disappear after a while, because it overlaps with DKIM, which would make SRS obsolete too. For the next years I don't see it happen that everyone uses DKIM, so we will have to deal with SPF and SRS.

d00p · February 12, 2019

But sounds like SRS is only needed in case of this mail forwarding thing isn't it?

Exploit · February 12, 2019

2 hours ago, d00p said:

But sounds like SRS is only needed in case of this mail forwarding thing isn't it?

Exactly, that's where it's made for. Thinking about this further, I consider SRS is only necessary due to lack of DKIM support or bad practices of DMARC implementation. It makes no sense to refuse any e-mail having a valid DKIM signature.

Having DKIM-signed e-mail manipulated or spoofed, would mean a leaked out private key. So companies having a DMARC record that requires a valid SPF and also a valid DKIM-signature, are assuming having very serious security issues.

So far i noticed only refused mails which are forwarded for Facebook and for Twitter, which are both using DKIM.

So far I'm hoping and assuming that already DKIM signed e-mail not will be signed again by the forwarding sever. (anyone who can confirm this?).

d00p · February 12, 2019

So froxlor should focus on its DKIM implementation and additionally to SPF add a DMARC entry

Exploit · February 12, 2019

3 hours ago, d00p said:

So froxlor should focus on its DKIM implementation and additionally to SPF add a DMARC entry

This would help to make email delivery working better, but note that SPF and DMARC are not only DNS-entries, but also doing some filtering and reporting work on incoming email. Which are only to include in the Postfix Configuration.

On this moment I'm just checking out how Froxlor handles this (storing the keys, etc..), seeing that the source code (version 1.0) still contais commands like "/etc/init.d/dkim-filter restart" which needs to be updated, since dkim-milter is replaced by OpenDKIM.

The configuration files for postfix are looking quite hacky for me, but so far I understand them, I can't find that SPF and DKIM are included in the configuration templates, coming from /lib/configfiles.

So far I can try to fix those and commit updates with git.

SRS I consider as a part of SPF, since it has no other function as patching delivery-problems that SPF causes on email forwarding.

I've also opened a discussion on Gmail, about SRS which can't be implemented without undesired side effects, like breaking the DKIM signature of the original message, which can't be the intention of DMARC. I relly don't like SRS, but for now I see no another working solution, to get rid of forwarding messages being refused.

d00p · February 13, 2019

9 hours ago, Exploit said:

This would help to make email delivery working better, but note that SPF and DMARC are not only DNS-entries, but also doing some filtering and reporting work on incoming email. Which are only to include in the Postfix Configuration.

I have DMARC enabled in my domain zone and no additional postfix configuration. There are only a few (big companies) that actually filter and send reports. Important is the DNS entry

10 hours ago, Exploit said:

On this moment I'm just checking out how Froxlor handles this (storing the keys, etc..), seeing that the source code (version 1.0) still contais commands like "/etc/init.d/dkim-filter restart" which needs to be updated, since dkim-milter is replaced by OpenDKIM.

1) 0.10.0 not 1.0

2) there has been no work on dkim for a long time, there is an issue on GitHub for this already

10 hours ago, Exploit said:

So far I can try to fix those and commit updates with git.

That would be helpful

Exploit · February 13, 2019

Just to share...
I've found a very good article about SPF, SRS and DKIM here:
https://www.heinlein-support.de/blog/news/gmx-de-und-web-de-haben-mail-rejects-durch-spf/

Not Germans may prefer this:
https://translate.google.com/translate?sl=auto&tl=en&u=https%3A%2F%2Fwww.heinlein-support.de%2Fblog%2Fnews%2Fgmx-de-und-web-de-haben-mail-rejects-durch-spf%2F

Sign In

DMARC & SFP

Question

rolo2912

22 answers to this question

Recommended Posts

d00p

rolo2912

d00p

rolo2912

d00p

Sephiroth

Exploit

d00p

d00p

Exploit

d00p

Exploit

d00p

d00p

Exploit

d00p

Exploit

d00p

Exploit

d00p

Exploit

d00p

Exploit

Archived

Similar Content

Browse

Activity