Froxlor Forum

Question

Just wondering, is anyone using DMARC or SPF settings on the nameservers to protect against spoofing? I never noticed it before, but Gmail seems to check against SPF settings.

 

Before:

Received-SPF: none (google.com: info@xxxxxxxxxxxxx.ie does not designate permitted sender hosts) client-ip=xx.xxx.xxx.xxx;

Authentication-Results: mx.google.com;       spf=neutral (google.com: info@xxxxxxxxxxxxx.ie does not designate permitted sender hosts) smtp.mail=info@xxxxxxxxxxxx.ie 

Received: from www.xxxxxxxxxxxx.ie (xxxxxxx.xxxxxxserver.net [xx.xxx.xxx.xxx]) 

 

After adding a TXT record to the Nameserver:

 

TXT "v=spf1 mx -all" 

Authentication-Results: mx.google.com;       spf=pass (google.com: domain of info@xxxxxxxxxxxxx.ie designates xx.xxx.xxx.xxx as permitted sender) smtp.mail=info@xxxxxxxxxxxx.ie

Received: from www.xxxxxxxxxxxx.ie (xxxxxxxxxx.xxxxxxxxserver.net [xx.xxx.xxx.xxx])	by xxxxxxxxxx.xxxxxxxxserver.net  (Postfix) with ESMTPA id fsdasdsdafsfdxxsdfadsf

My Questions:

 

1. Did anyone implement this on all the domains running on a Froxlor server?

2. If Yes, what record did they use?

3. Is there anything to watch out for? I.e. the sender domain is not the one specified in the Postfix configuration. Does this cause problems?

 

Thank you for any feedback.

 

Regards,

 

rolo2912

 


23 answers to this question


Thanks for your quick response. I am using external nameservers, so can you tell me, please, what the standard TXT record is that Froxlor uses?


Is the setting causing problems when using email forwarding to an external email address?

 

I.e.: email address abcdef@adomainonfroxlorserver.com forwarded to abcdef@gmail.com


SPF is DNS-based... it just concerns the MX server / A record entry when sending from that address.


And YES - SPF is a problem when you are forwarding e-mails, because YOUR mail server tries to send mails with a sender domain that is not hosted on your server. Example:

You receive an e-mail from example@gmail.com for froxlor@yourdomain.tld

You configured an e-mail forwarding for froxlor@yourdomain.tld to example@outlook.com

What happens is that if gmail.com has SPF records set, then outlook.com may check this setting, and YOUR server is NOT configured to be allowed to send or relay mails for "@gmail.com".

If you are the forwarding party, this has nothing to do with YOUR SPF records. But if someone forwards e-mails from your system to another provider, THEN your SPF records might cause problems.


It's an old thread, but still in the same state as far as I can see. Over the last months I have seen the number of rejected emails from customers who use the forwarding functionality in Froxlor increase dramatically.

The solution for this is implementing the 'Sender Rewriting Scheme' (SRS), which I need to implement. I've read quite a lot about this, enough to make SRS work with Postfix, but before I start I would like to know if there is already work going on to implement SRS in Froxlor, and what would be the best Froxlor way to do it.

Some articles that I found useful, but which need to be adjusted to work with Froxlor:
https://thomas-leister.de/mailserver-debian-stretch/
https://jichu4n.com/posts/setting-up-dkim-and-srs-in-postfix/
https://christophfischer.com/linux/15-mailserver/56-sender-rewriting-scheme-srs-fuer-postfix-unter-debian

Is there already anything in development for the Froxlor project?

7 minutes ago, Exploit said:

I would like to know if there is already work going on to implement SRS in Froxlor and what would be the best Froxlor way to do it.

No one's working on that. As I've never heard of it until now (I don't have any issues), I cannot tell you the best way to implement it. Is it just a config thing in main.cf? Or does it require dynamic values from the Froxlor data?


Seems like a very manual thing, cloning git repositories etc. ... no packages for Debian? Seems not very common.


The problem starts when a customer forwards his mail from Facebook, Twitter, etc. to his (e.g.) Gmail. That mail will be rejected, because the IP address of the forwarding server isn't allowed to send it by the SPF records of the origin senders.

I'm not sure what $SECRETS in the following row is used for, from the example in the last link of my post above:
start-stop-daemon -S -q -b -p $PID_FILE -x $DAEMON -- -p $PID_FILE $OPTIONS $DOMAIN $SECRETS

I guess that it needs some setting on domain level, which I will try to check out further...


Mail from Facebook? Uughh? Twitter? These are not mail providers... what you are saying makes no sense.

Do you mean when a mail address added in Froxlor is used for Facebook? Then what does this have to do with Facebook or Twitter? Can you please paste a real rejected mail with all error messages and headers etc.?


The setup is like this...

A customer who owns "example.com" has created "info@example.com" in Froxlor, which he forwards to customer@gmail.com

Now he uses info@example.com to receive news from (e.g.) Twitter.

Now Twitter sends a newsletter to info@example.com, which will hang for a while in the mail queue and fail, because Gmail refuses to let my server send e-mail originating from Twitter.


No wait, SPF has nothing to do with that... couldn't you rewrite anything using sieve??? I mean, what these tutorials do is not just install and configure some service... it looks very hacky.


No, I can't fix the SPF records for Twitter, Facebook and all the others who don't allow everyone to send mail from their address. If I could do that, I would be the God of all spammers 🙂

SPF and forwarding is a well-known problem, and SRS is well documented, standardized and quite simple. The implementations are more complicated, and for most mail servers still in an experimental state. I think this is because of security: you don't want to create an open relay.

SPF is well explained here:
http://www.openspf.org/SRS
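Since the scheme is described above as standardized and quite simple, and an earlier post asked what the $SECRETS argument of the SRS daemon is for, here is an added example of SRS0 rewriting in both directions. It is not Froxlor code and not taken from any of the linked articles; the secret, domain names and addresses are constructed. The "secret" an SRS daemon reads from its secrets file is exactly the HMAC key used below: it is what lets the forwarder recognise, when a bounce comes back, that it minted the rewritten address itself and that the address has not been tampered with or expired. Note what SRS does and does not touch: it rewrites only the envelope sender (SMTP MAIL FROM), so the next hop's SPF check is made against the forwarder's domain; the message headers, including From: and any DKIM-Signature:, are left as they are.

```python
"""Sender Rewriting Scheme, SRS0 form (added example; not Froxlor or postsrsd code).

A forwarder rewrites the envelope sender of every message it relays to an
address in its own domain, so the next hop's SPF check is made against the
forwarder's SPF record instead of the original sender's:

    alice@example.com  ->  SRS0=HHHH=TT=example.com=alice@froxlor.example

HHHH is a truncated base64 HMAC over timestamp, domain and local part, so only
the forwarder can mint or accept these addresses; TT is the day number in
base32, so a bounce to a stale rewritten address is refused. A bounce for the
rewritten address is reversed and delivered to the original sender.
"""
import base64
import hashlib
import hmac
import time

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # alphabet used for the timestamp
HASH_CHARS = 4                                 # hash characters kept in the address
MAX_AGE_DAYS = 21                              # bounces older than this are rejected
SECRET = b"constructed-secret-replace-me"      # the HMAC key a secrets file would hold


def _timestamp(day):
    """Two base32 characters encoding the day number modulo 1024."""
    day %= 1024
    return BASE32[day >> 5] + BASE32[day & 31]


def _hash(secret, ts, domain, local):
    """Truncated HMAC-SHA1 binding timestamp, domain and local part together."""
    msg = f"{ts}{domain}{local}".lower().encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:HASH_CHARS]


def _fresh(ts, today):
    """True if the timestamp is at most MAX_AGE_DAYS behind today (mod 1024)."""
    ts = ts.upper()
    if len(ts) != 2 or any(c not in BASE32 for c in ts):
        return False
    stamp = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    return (today - stamp) % 1024 <= MAX_AGE_DAYS


def srs_forward(sender, forwarder_domain, secret=SECRET, today=None):
    """Rewrite an envelope sender for relaying; our own domain is left alone."""
    today = int(time.time() // 86400) if today is None else today
    local, _, domain = sender.rpartition("@")
    if not domain or domain.lower() == forwarder_domain.lower():
        return sender
    ts = _timestamp(today)
    hh = _hash(secret, ts, domain, local)
    return f"SRS0={hh}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(recipient, secret=SECRET, today=None):
    """Map a bounce recipient back to the original sender, or None if it is not
    an SRS0 address we minted recently (wrong key, tampered, or expired)."""
    today = int(time.time() // 86400) if today is None else today
    local, _, _ = recipient.rpartition("@")
    parts = local.split("=", 4)
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        return None
    _, given_hash, ts, domain, orig_local = parts
    expected = _hash(secret, ts, domain, orig_local)
    # Production implementations usually compare case-insensitively because
    # some MTAs fold local parts; this example insists on an exact match.
    if not hmac.compare_digest(given_hash.encode(), expected.encode()):
        return None
    if not _fresh(ts, today):
        return None
    return f"{orig_local}@{domain}"


if __name__ == "__main__":
    rewritten = srs_forward("alice@example.com", "froxlor.example")
    print(rewritten)
    print(srs_reverse(rewritten))
```

Two things to watch in practice: an address that is already SRS0-rewritten would be wrapped a second time by this forward function, which is why the scheme defines a shorter SRS1 form for multi-hop forwarding; and because a bounce is only accepted for MAX_AGE_DAYS and only with a valid HMAC, the forwarder does not become an open relay for arbitrary "SRS0=..." addresses, which is the security concern raised above. In Postfix such a daemon is wired in through the canonical maps in main.cf (sender_canonical_maps for the forward direction, recipient_canonical_maps for bounces), which is how postsrsd documents its setup.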

7 hours ago, Exploit said:

The implementations are more complicated, and for most mail servers still in an experimental state.

And that's the problem


Yes, it looks like sending email has become such a complicated thing in the last years that almost nobody is able to set up a flawless mail server.

SPF, DKIM, DMARC, SRS: each of them needs several components to be installed if you want to let your customers set up their own email addresses.

However, Froxlor seems to be missing only:

  1. DMARC, which is technically similar to creating and checking SPF (but also does reports)
  2. SRS, whose implementation is quite similar to adding a DKIM signature for outgoing mail and a spam filter for incoming messages (proper handling of bounces is a bit challenging, but this should be solved by the SRS software)

With all of these working, spoofing email is definitely not possible anymore, so I think we will not see more coming up in the next years.

SPF may disappear after a while, because it overlaps with DKIM, which would make SRS obsolete too. For the next years I don't see everyone using DKIM, so we will have to deal with SPF and SRS.


But it sounds like SRS is only needed in the case of this mail forwarding thing, isn't it?

2 hours ago, d00p said:

But it sounds like SRS is only needed in the case of this mail forwarding thing, isn't it?

Exactly, that's what it's made for. Thinking about this further, I consider SRS only necessary due to a lack of DKIM support or bad practices in DMARC implementation. It makes no sense to refuse any e-mail having a valid DKIM signature.

Having DKIM-signed e-mail manipulated or spoofed would mean a leaked private key. So companies having a DMARC record that requires a valid SPF and also a valid DKIM signature are assuming they have very serious security issues.

So far I noticed only refused mails which are forwarded for Facebook and for Twitter, which are both using DKIM.

So far I'm hoping and assuming that already DKIM-signed e-mail will not be signed again by the forwarding server (can anyone confirm this?).


So Froxlor should focus on its DKIM implementation and, in addition to SPF, add a DMARC entry.

3 hours ago, d00p said:

So Froxlor should focus on its DKIM implementation and, in addition to SPF, add a DMARC entry.

This would help to make email delivery work better, but note that SPF and DMARC are not only DNS entries; they also do some filtering and reporting work on incoming email, which can only be included in the Postfix configuration.

At the moment I'm just checking out how Froxlor handles this (storing the keys, etc.), seeing that the source code (version 1.0) still contains commands like "/etc/init.d/dkim-filter restart", which need to be updated since dkim-milter has been replaced by OpenDKIM.

The configuration files for Postfix look quite hacky to me, but as far as I understand them, I can't find that SPF and DKIM are included in the configuration templates coming from /lib/configfiles.

So far I can try to fix those and commit updates with git.

I consider SRS a part of SPF, since it has no other function than patching the delivery problems that SPF causes on email forwarding.

I've also opened a discussion on Gmail about SRS, which can't be implemented without undesired side effects, like breaking the DKIM signature of the original message, which can't be the intention of DMARC. I really don't like SRS, but for now I see no other working solution to get rid of forwarded messages being refused.

9 hours ago, Exploit said:

This would help to make email delivery work better, but note that SPF and DMARC are not only DNS entries; they also do some filtering and reporting work on incoming email, which can only be included in the Postfix configuration.

I have DMARC enabled in my domain zone and no additional Postfix configuration. There are only a few (big companies) that actually filter and send reports. The important part is the DNS entry.

10 hours ago, Exploit said:

At the moment I'm just checking out how Froxlor handles this (storing the keys, etc.), seeing that the source code (version 1.0) still contains commands like "/etc/init.d/dkim-filter restart", which need to be updated since dkim-milter has been replaced by OpenDKIM.

1) 0.10.0, not 1.0

2) there has been no work on DKIM for a long time; there is an issue on GitHub for this already

10 hours ago, Exploit said:

So far I can try to fix those and commit updates with git.

That would be helpful
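The thread repeatedly touches on how DMARC relates to SPF and DKIM (the comparison with SPF in the list above, the argument that a valid DKIM signature should be enough, and the suggestion that Froxlor add a DMARC entry alongside SPF). Here is an added example, not Froxlor code and not posted by anyone in the thread, of the receiver-side DMARC evaluation as RFC 7489 defines it, with constructed zone data standing in for DNS. It shows the piece that resolves the forwarding discussion: DMARC passes when either SPF or DKIM passes with an identifier aligned to the From: header domain, so a forwarded message whose DKIM signature survived still passes even though SPF fails at the forwarder (and still passes after SRS, whose rewritten MAIL FROM gives an SPF pass that is not aligned). There is no DMARC tag that requires both to pass. Tags such as pct= and fo= are ignored here, and the Public Suffix List is replaced by a two-label stand-in.

```python
"""DMARC evaluation with identifier alignment (added example; not Froxlor code).

Given the _dmarc TXT record published for the From: header domain and the SPF
and DKIM results a receiving MTA has already computed, decide whether the
message passes DMARC and, if not, which disposition the domain owner asked for
(RFC 7489). Constructed zone data stands in for DNS.
"""

# Constructed _dmarc.<domain> TXT records; the domains and policies are made up.
DMARC_RECORDS = {
    "bigmail.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@bigmail.example",
    "example.ie": "v=DMARC1; p=quarantine; sp=none; rua=mailto:postmaster@example.ie",
    "relaxed.example": "v=DMARC1; p=none",
}


def org_domain(domain):
    """Organizational domain. A real implementation consults the Public Suffix
    List; this stand-in keeps the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(record):
    """Tag/value pairs of a DMARC record with RFC 7489 defaults filled in,
    or None if the record is not a usable DMARC record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])   # sub-domain policy defaults to p=
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same
    organizational domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def lookup_policy(from_domain):
    """Record for the From: domain, else the organizational domain's record
    (whose sp= then applies). Returns (tags, is_subdomain) or (None, False)."""
    record = DMARC_RECORDS.get(from_domain.lower())
    if record is not None:
        return parse_dmarc(record), False
    org = org_domain(from_domain)
    if org != from_domain.lower() and org in DMARC_RECORDS:
        return parse_dmarc(DMARC_RECORDS[org]), True
    return None, False


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    spf_domain is the MAIL FROM domain the SPF result was computed for;
    dkim_domain is the d= of a signature that verified (None if none did).
    The message passes if either an aligned SPF pass or an aligned DKIM pass
    exists; otherwise the published p= (or sp= for sub-domains) applies."""
    tags, is_subdomain = lookup_policy(from_domain)
    if tags is None:
        return "none", "none"               # no policy published
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", (tags["sp"] if is_subdomain else tags["p"])


if __name__ == "__main__":
    # Forwarded through a Froxlor host: SPF fails there, DKIM survived.
    print(evaluate_dmarc("bigmail.example", "softfail", "bigmail.example", "pass", "bigmail.example"))
    # Same message after SRS: SPF passes for the forwarder, DKIM still carries it.
    print(evaluate_dmarc("bigmail.example", "pass", "froxlor.example", "pass", "bigmail.example"))
    # SRS, but the original sender never signed: nothing aligned, so p=reject.
    print(evaluate_dmarc("bigmail.example", "pass", "froxlor.example", "none", None))
```

The last case is the one a forwarder cannot fix on its own: if the original sender publishes p=reject but does not DKIM-sign, SRS turns the SPF failure into an unaligned pass and the message is still rejected. Conversely, publishing a _dmarc record for your own domains costs only a DNS entry and makes other receivers enforce your policy; evaluating and reporting on inbound mail, as noted in the reply above, is a separate choice that needs a milter or policy daemon in Postfix.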

 
