Jump to content
Froxlor Forum
  • 0

rolo2912

Question

Just wondering, is anyone using DMARC or SFP settings on the Nameservers to protect against spoofing. Never noticed it before but on gmail they seem to check against sfp settings.

 

Before:

Received-SPF: none (google.com: info@xxxxxxxxxxxxx.ie does not designate permitted sender hosts) client-ip=xx.xxx.xxx.xxx;

Authentication-Results: mx.google.com;       spf=neutral (google.com: info@xxxxxxxxxxxxx.ie does not designate permitted sender hosts) smtp.mail=info@xxxxxxxxxxxx.ie 

Received: from www.xxxxxxxxxxxx.ie (xxxxxxx.xxxxxxserver.net [xx.xxx.xxx.xxx]) 

 

After adding a TXT record to the Nameserver:

 

TXT "v=spf1 mx -all" 

Authentication-Results: mx.google.com;       spf=pass (google.com: domain of info@xxxxxxxxxxxxx.ie designates xx.xxx.xxx.xxx as permitted sender) smtp.mail=info@xxxxxxxxxxxx.ieReceived: from www.xxxxxxxxxxxx.ie (xxxxxxxxxx.xxxxxxxxserver.net [xx.xxx.xxx.xxx])	by xxxxxxxxxx.xxxxxxxxserver.net  (Postfix) with ESMTPA id fsdasdsdafsfdxxsdfadsf

My Questions:

 

1. Did anyone implement this on all the domains running on a froxlor server?

2. If Yes, what record did they use?

3. Is there anything to watch out for? IE. The sender domain is not the one specified in the Postfix-Configuration. Does this cause problems?

 

Thank you for any feedback.

 

Regards,

 

rolo2912

 

Link to comment
Share on other sites

22 answers to this question

Recommended Posts

And YES - SPF is a problem when you are forwarding e-mails because YOUR mailserver tries so send mails with a domain as sender not hosted on your server. Example:

 

 

You recieve an e-mail from example@gmail.com for froxlor@yourdomain.tld

You configured an e-mail forwarding for froxlor@yourdomain.tld to example@outlook.com

 

What happens is that if gmail.com has SPF records set then outlook.com may check this setting and YOUR server is NOT configured to be allowed to send or relay mails for "@gmail.com"

 

If you are the forwarding party this has nothing to do with YOUR SPF records. But if someone tries to forward e-mails from your system to theirs to another provider - THEN your SPF records might cause problems.

Link to comment
Share on other sites

It's an old thread, but still in the same state so far I can see. Since the last months I see that the number of rejected emails from customers who are using the forwarding functionality in Froxlor increases dramatically.

The solution for this is implementing is 'Sender Rewriting Scheme' (SRS), which I need to implement, I've been reading quite a lot and enough stuff about this to make SRS with Postfix working, but before I start to do so, I would like to know if there is already work going on to implement SRS in Froxlor and what would be the best Froxlor-way to do it. ???

Some articles that I found to be useful, but need to be adjusted to work with Froxlor together:
https://thomas-leister.de/mailserver-debian-stretch/
https://jichu4n.com/posts/setting-up-dkim-and-srs-in-postfix/
https://christophfischer.com/linux/15-mailserver/56-sender-rewriting-scheme-srs-fuer-postfix-unter-debian

Is there already anything in development for the Froxlor project?

Link to comment
Share on other sites

7 minutes ago, Exploit said:

, I would like to know if there is already work going on to implement SRS in Froxlor and what would be the best Froxlor-way to do it. ???

No one's working on that. As I've never heard of that until now (don't have any issues) I cannot tell you the best way to implement that. Is it just a config thing in main.cf? Or does it require dynamic values from the froxlor data?

Link to comment
Share on other sites

The problem starts when a customer forwards his mail from Facebook, Twitter, etc.. to his (e.g.) Gmail. That mail will be rejected, because the IP-Address of the forwarding server isn't allowed to send it by the SPF-records of the origin senders.

I'm not sure what the $secrets of following row is used for from the example of the last link in my post above:
start-stop-daemon -S -q -b -p $PID_FILE -x $DAEMON -- -p $PID_FILE $OPTIONS $DOMAIN $SECRETS

I guess that it needs some setting on domain-level, which I will try to check further out...

Link to comment
Share on other sites

Mail from Facebook? Uughh? Twitter? These are no mail providers...makes no sense what you are saying.

Do you mean when a mail address added in frolxor is used for Facebook? Then what does this have to do with Facebook or Twitter? Can you please nopaste a real rejected mail with all error messages and headers etc.?

Link to comment
Share on other sites

The setup is like this...

A customer who owns "example.com" has created in froxlor "info@example.com", which he forwards to customer@gmail.com

Now he use info@example.com to receive news from (e.g.) twitter.

Now twitter sends a newsletter to info@example.com which will hang for a while in the mail-queue and fail, because gMail refuse my server to send e-mail originating from twitter.

Link to comment
Share on other sites

No, I can't fix the SPF records for Twitter, Facebook and all others who don't allow everyone to send mail from their address. Being able to do that, I would be the God of all spammers ?

SPF and Forwarding is a well known problem and SRS is good documented, standardized an quite simple. The implementations are more complicated, and for most mail-servers still in an experimental state. I think this is because of security, you don't want to create a open-relay.

SPF is good explained here:
http://www.openspf.org/SRS

Link to comment
Share on other sites

Yes, it looks like sending email has become in the last years such a complicated thing, that almost nobody is able to set up a flawless mailserver.

SPF, DKIM, DMARC, SRS, each of them needs several components to be installed, if you want to let your customers setup their own email addresses.

However Froxlor seems to miss only:

  1. DMARC which is technically similar to creating and checking SPF (but does also reports)
  2. SRS which implementation is quite similar as adding a DKIM signature for outgoing mail and a spam-filter for incoming messages (proper handling of bounces is a bit challenging, but this should be solved by the SRS software)

With all these working, Spoofing eMail is definitely not possible anymore, so I think that we will not see more coming up for the next years.

SPF may disappear after a while, because it overlaps with DKIM, which would make SRS obsolete too. For the next years I don't see it happen that everyone uses DKIM, so we will have to deal with SPF and SRS.

Link to comment
Share on other sites

2 hours ago, d00p said:

But sounds like SRS is only needed in case of this mail forwarding thing isn't it?

Exactly, that's where it's made for. Thinking about this further, I consider SRS is only necessary due to lack of DKIM support or bad practices of DMARC implementation. It makes no sense to refuse any e-mail having a valid DKIM signature.

Having DKIM-signed e-mail manipulated or spoofed, would mean a leaked out private key. So companies having a DMARC record that requires a valid SPF and also a valid DKIM-signature, are assuming having very serious security issues.

So far i noticed only refused mails which are forwarded for Facebook and for Twitter, which are both using DKIM.

So far I'm hoping and assuming that already DKIM signed e-mail not will be signed again by the forwarding sever. (anyone who can confirm this?).

Link to comment
Share on other sites

3 hours ago, d00p said:

So froxlor should focus on its DKIM implementation and additionally to SPF add a DMARC entry

This would help to make email delivery working better, but note that SPF and DMARC are not only DNS-entries, but also doing some filtering and reporting work on incoming email. Which are only to include in the Postfix Configuration.

On this moment I'm just checking out how Froxlor handles this (storing the keys, etc..), seeing that the source code (version 1.0) still contais commands like "/etc/init.d/dkim-filter restart" which needs to be updated, since dkim-milter is replaced by OpenDKIM.

The configuration files for postfix are looking quite hacky for me, but so far I understand them, I can't find that SPF and DKIM are included in the configuration templates, coming from /lib/configfiles.

So far I can try to fix those and commit updates with git.

SRS I consider as a part of SPF, since it has no other function as patching delivery-problems that SPF causes on email forwarding.

I've also opened a discussion on Gmail, about SRS which can't be implemented without undesired side effects, like breaking the DKIM signature of the original message, which can't be the intention of DMARC. I relly don't like SRS, but for now I see no another working solution, to get rid of forwarding messages being refused.

Link to comment
Share on other sites

9 hours ago, Exploit said:

This would help to make email delivery working better, but note that SPF and DMARC are not only DNS-entries, but also doing some filtering and reporting work on incoming email. Which are only to include in the Postfix Configuration.

I have DMARC enabled in my domain zone and no additional postfix configuration. There are only a few (big companies) that actually filter and send reports. Important is the DNS entry 

10 hours ago, Exploit said:

On this moment I'm just checking out how Froxlor handles this (storing the keys, etc..), seeing that the source code (version 1.0) still contais commands like "/etc/init.d/dkim-filter restart" which needs to be updated, since dkim-milter is replaced by OpenDKIM.

1) 0.10.0 not 1.0

2) there has been no work on dkim for a long time, there is an issue on GitHub for this already

10 hours ago, Exploit said:

So far I can try to fix those and commit updates with git.

That would be helpful

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...