SPF Question
UPSA (Members)
Posted: Apr 20 2006, 10:27 AM

Hi

I went to openspf and have been playing with the SPF records. I've been working on this problem for 2 months now.

I'm hoping someone can help.

When I send an email out, I generate the following log (below). The problem is in the first 250 line: it says "may be forged".

Even though my SPF record has my IP address in it (and even an entire range of IPs in it now), I still get that it "may be forged".

This is causing emails to not go through on some ISPs (I think it's what's causing it).

Anyway, when I run SPF wizards, it says it "passes", but is this "may be forged" supposed to be there?

Any help would be great!

> EHLO localhost
250-upsa-intl.org Hello upsa-intl.org [66.29.144.103] (may be forged), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
LM: SMTP Pipelining Detected
> NOOP
250 2.0.0 OK
> MAIL FROM: <test@upsa-intl.org>
> RCPT TO: <someone@test.org>
250 2.1.0 <test@upsa-intl.org>... Sender ok
250 2.1.5 <someone@test.org>... Recipient ok
> DATA
354 Enter mail, end with "." on a line by itself
> SENT DATA
250 2.0.0 k3KIHrU8011639 Message accepted for delivery
> QUIT
221 2.0.0 upsa-intl.org closing connection

andy (Advantagecom Staff)
Posted: Apr 20 2006, 11:00 AM

Usually, the "may be forged" tag comes from mismatched forward and reverse DNS. I checked this and at an initial glance, it appears to be fine.

CODE
[root@vds8 ~]# host 66.29.144.103
103.144.29.66.in-addr.arpa domain name pointer upsa-intl.org.
[root@vds8 ~]# host upsa-intl.org
upsa-intl.org has address 66.29.144.103
upsa-intl.org mail is handled by 15 upsa-intl.org.
[root@vds8 ~]#


I did notice that you were using localhost in the EHLO and sometimes that can cause interesting results due to IP addressing and DNS for "localhost". However, I didn't see the same message as you.

CODE
[root@vds8 ~]# telnet upsa-intl.org 25
Trying 66.29.144.103...
Connected to upsa-intl.org (66.29.144.103).
Escape character is '^]'.
220 upsa-intl.org ESMTP Sendmail 8.12.10/8.12.10; Thu, 20 Apr 2006 11:55:35 -0700
EHLO localhost
250-upsa-intl.org Hello [66.29.140.223], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 upsa-intl.org closing connection
Connection closed by foreign host.


I didn't get the "may be forged" tag.

Have you made any recent changes to the DNS records of upsa-intl.org that might explain the different results?


--------------------
Sincerely,
Andrew Kinney
CTO, Advantagecom Networks

Please do not private message me. My regular management duties preclude responding to every customer that sends me a support issue. Instead, post on the forum or contact tech support.

UPSA (Members)
Posted: Apr 20 2006, 11:15 AM

QUOTE
Have you made any recent changes to the DNS records of upsa-intl.org that might explain the different results?


The only thing I have done to DNS is edit the SPF text record.

Also, I have an SPF record for

upsa-intl.org

and

powermail.upsa-intl.org

Both of them are the same.

So, on the subdomains with "*" I have SPF records that are the same:

forum.upsa-intl.org 66.29.144.103
members.upsa-intl.org 66.29.144.103
"*" powermail.upsa-intl.org 66.29.144.103
"*" secure.upsa-intl.org 66.29.144.103
"*" upsa-intl.org 66.29.144.103
work.upsa-intl.org 66.29.144.103


The SPF record for all looks like this:
v=spf1 ip4:66.29.144.103/24 a mx -all


I have been changing this every week for 2 months, though.

andy (Advantagecom Staff)
Posted: Apr 20 2006, 11:35 AM

Excuse me while I shake the sand out of my head.

The reason I didn't get the same "may be forged" tag is because I was connecting from a system that has identical forward and reverse DNS.

From within your VPS, I was able to reproduce the problem:

CODE
bash-2.05b# telnet upsa-intl.org 25
Trying 127.0.0.1...
Connected to upsa-intl.org.
Escape character is '^]'.
220 upsa-intl.org ESMTP Sendmail 8.12.10/8.12.10; Thu, 20 Apr 2006 12:22:02 -0700
EHLO localhost
250-upsa-intl.org Hello upsa-intl.org [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 upsa-intl.org closing connection
Connection closed by foreign host.
bash-2.05b# telnet upsa-intl.org 25
Trying 127.0.0.1...
Connected to upsa-intl.org.
Escape character is '^]'.
220 upsa-intl.org ESMTP Sendmail 8.12.10/8.12.10; Thu, 20 Apr 2006 12:22:24 -0700
EHLO upsa-intl.org
250-upsa-intl.org Hello upsa-intl.org [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 upsa-intl.org closing connection
Connection closed by foreign host.
bash-2.05b# telnet powermail.upsa-intl.org 25
Trying 66.29.144.103...
Connected to powermail.upsa-intl.org.
Escape character is '^]'.
220 upsa-intl.org ESMTP Sendmail 8.12.10/8.12.10; Thu, 20 Apr 2006 12:22:53 -0700
EHLO localhost
250-upsa-intl.org Hello upsa-intl.org [66.29.144.103] (may be forged), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 upsa-intl.org closing connection
Connection closed by foreign host.
bash-2.05b# telnet 66.29.144.103 25
Trying 66.29.144.103...
Connected to 66.29.144.103.
Escape character is '^]'.
220 upsa-intl.org ESMTP Sendmail 8.12.10/8.12.10; Thu, 20 Apr 2006 12:24:17 -0700
EHLO localhost
250-upsa-intl.org Hello upsa-intl.org [66.29.144.103] (may be forged), pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 upsa-intl.org closing connection
Connection closed by foreign host.
bash-2.05b#


Notice that the "may be forged" tag only shows up when you connect to something other than the default hostname. So, when you connect to powermail.upsa-intl.org or when you connect to just the IP address, the problem can be reproduced. This is because sendmail is configured to believe that it is upsa-intl.org and nothing else.

Simple solution: in the MX record for each domain pointing to the sendmail server on upsa-intl.org, be sure it points to upsa-intl.org.

Now, that is only for incoming mail, but you claim to be having trouble with outbound mail. I think the "may be forged" tag you see when connecting to your own mail server is a "red herring" to the problem you're trying to solve.

To solve the problem with outgoing mail, I need to know the following things:

1. What is the IP address of the system running the mail client? For instance, if it is webmail running on your VPS, it would be the default IP address of your VPS. If it is Outlook Express or equivalent running on your PC, it would be the public IP address your Internet access provider assigned to your network or PC.

2. What machine are you connecting to when sending the outgoing mail? If webmail, it would be your VPS. If a mail client on your PC, this would be the outgoing mail server you have configured in your mail client.

3. What is the "from address" used in the email you're sending?

Depending on the answers to those questions, I may need additional information.


andy (Advantagecom Staff)
Posted: Apr 20 2006, 11:51 AM

Ok, still just a little sand in there. Sendmail can do that to a person.

I found one other issue:

CODE
bash-2.05b# cat /etc/hosts
127.0.0.1  upsa-intl.org upsa-intl localhost localhost.localdomain
bash-2.05b# cat /etc/host.conf
order hosts,bind


This is the root of why sendmail within your VPS believes upsa-intl.org should be 127.0.0.1 and thus, when you connect to the sendmail server from within the VPS, it doesn't properly match forward and reverse DNS.

That being said, I can't think of a real world scenario in which that causes a problem. Very few people have reason to log into a VPS and connect to sendmail from within the VPS using anything other than the default hostname.

I'll still need the answers to the other questions to solve your outgoing mail issue.


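The forward/reverse mismatch Andy describes in his two posts above, as an added Python example that is not code from the thread, from sendmail or from Advantagecom. Sendmail takes the connecting IP, looks up its PTR name, looks that name up forward again, and tags the greeting with "(may be forged)" when the original IP is not among the forward answers; inside the VPS, "order hosts,bind" makes /etc/hosts answer first, so upsa-intl.org resolves to 127.0.0.1 and the public address 66.29.144.103 is never confirmed. The lookup tables below are constructed from the `host` and `cat /etc/hosts` output posted above; the address 66.29.140.223 (Andy's test client, which the tables do not know) and the status names OK/FAIL/FORGED, taken from sendmail's {client_resolve} macro, are assumptions of this example.

```python
"""Forward-confirmed reverse DNS (FCrDNS), the check behind sendmail's
"(may be forged)" tag in the EHLO greeting and its {client_resolve} macro.

Added example for this thread; not code from the forum, from sendmail or
from Advantagecom.  Lookups run against a constructed in-memory table that
mirrors the outputs posted in the thread (a real tool would call
socket.gethostbyaddr / socket.getaddrinfo instead).
"""
from typing import Dict, List, Optional, Tuple

# Constructed public DNS data, taken from the `host` output posted above.
DNS_PTR: Dict[str, str] = {"66.29.144.103": "upsa-intl.org"}
DNS_A: Dict[str, List[str]] = {
    "upsa-intl.org": ["66.29.144.103"],
    "powermail.upsa-intl.org": ["66.29.144.103"],
}

# The VPS's /etc/hosts as posted.  With "order hosts,bind" in /etc/host.conf
# this file is consulted before DNS, for forward and reverse lookups alike.
VPS_HOSTS: Dict[str, List[str]] = {
    "127.0.0.1": ["upsa-intl.org", "upsa-intl", "localhost", "localhost.localdomain"],
}

HostsFile = Optional[Dict[str, List[str]]]


def lookup_ptr(ip: str, hosts: HostsFile = None) -> Optional[str]:
    """Reverse lookup: the first name on a matching /etc/hosts line wins,
    then the PTR record."""
    if hosts and ip in hosts:
        return hosts[ip][0]
    return DNS_PTR.get(ip)


def lookup_a(name: str, hosts: HostsFile = None) -> List[str]:
    """Forward lookup: every /etc/hosts line naming this host, then A records."""
    if hosts:
        found = [ip for ip, names in hosts.items() if name in names]
        if found:
            return found
    return DNS_A.get(name, [])


def client_resolve(ip: str, hosts: HostsFile = None) -> Tuple[Optional[str], str]:
    """Return (client name, status) the way sendmail fills {client_name} and
    {client_resolve}: OK when the PTR name resolves back to the connecting IP,
    FORGED when it resolves to something else, FAIL when there is no PTR."""
    name = lookup_ptr(ip, hosts)
    if name is None:
        return None, "FAIL"
    if ip in lookup_a(name, hosts):
        return name, "OK"
    return name, "FORGED"


def ehlo_greeting(ip: str, hosts: HostsFile = None, me: str = "upsa-intl.org") -> str:
    """Render the first 250- line of the EHLO reply for a connecting IP."""
    name, status = client_resolve(ip, hosts)
    if name is None:
        return f"250-{me} Hello [{ip}], pleased to meet you"
    tag = " (may be forged)" if status == "FORGED" else ""
    return f"250-{me} Hello {name} [{ip}]{tag}, pleased to meet you"


if __name__ == "__main__":
    # From outside the VPS (plain DNS): forward and reverse agree.
    print(ehlo_greeting("66.29.144.103"))
    # From inside the VPS, connecting to the public address: /etc/hosts says
    # upsa-intl.org is 127.0.0.1, so 66.29.144.103 is never confirmed.
    print(ehlo_greeting("66.29.144.103", VPS_HOSTS))
    # From inside the VPS via 127.0.0.1: the hosts file confirms it both ways.
    print(ehlo_greeting("127.0.0.1", VPS_HOSTS))
```

The three calls in the main block reproduce, in order, Andy's result from outside, the tagged greeting he saw when connecting to 66.29.144.103 from within the VPS, and the untagged greeting on 127.0.0.1. The status value matters beyond cosmetics: sendmail's stock ruleset will not relay on the strength of a client hostname whose {client_resolve} is FORGED, which is the "550 5.7.1 ... Relaying denied. IP name possibly forged" that appears later in this thread, so a hosts-file override like this one can turn a purely cosmetic tag into rejected mail.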
UPSA (Members)
Posted: Apr 20 2006, 06:18 PM

QUOTE
1. What is the IP address of the system running the mail client. For instance, if it is webmail running on your VPS, it would be the default IP address of your VPS. If it is Outlook Express or equivalent running on your PC, it would be the public IP address your Internet access provider assigned to your network or PC.

My "default domain" is upsa-intl.org; its IP address is 66.29.144.103. This is the same for all sub-domains, including powermail.upsa-intl.org (66.29.144.103). I'm not running a local system.

QUOTE
2. What machine are you connecting to when sending the outgoing mail? If webmail, it would be your VPS. If a mail client on your PC, this would be the outgoing mail server you have configured in your mail client.
It's an email script via PHP. It sends out autoresponses to people that subscribe and opt in to a list. It sends it at a predetermined time via a cron job (i.e., 30 days after subscribing, etc.). I talked to their tech support. He said:
QUOTE
that the error seems to be in response to their greeting "EHLO localhost". This is hard-coded into the script, but they wouldn't mind changing it if they knew another value worked better or was more standards-compliant. They are scanning the SMTP RFCs again to find out more.
Andy, do you have any suggestions on what they should use for a value? Do you think this is the problem?


QUOTE
3. What is the "from address" used in the email you're sending?

From is "do_not_reply@powermail.upsa-intl.org" currently, but I have had it as several others before and it didn't have an impact.

Also,

Below is the RCPT response I get in the logs when one gets rejected...

QUOTE
LM: Undeliverable. RCPT response: 550 5.7.1 <someone@emailaddress.org>... Relaying denied. IP name possibly forged [66.29.144.103]. Skipping.


I will let you know what the coder comes back with. I hope we can resolve it -- thanks for looking into this for me

Do you see anything that it might be? I'm kind of clueless.

andy (Advantagecom Staff)
Posted: Apr 21 2006, 08:06 AM

QUOTE
Andy do you have any suggestions on what they should use for a value? Do you think this is the problem?


EHLO localhost isn't the problem. The problem comes before that.

You can see in my tests that I telnet'ed to port 25 at various hostnames and only got the "may be forged" tag when *connecting to* certain host names.

From your description, this script appears to connect to sendmail through the tcp/ip stack rather than calling it as a program like most scripts. Sendmail can be accessed as a mail sending system two ways: 1) through port 25 using tcp/ip or 2) by calling the sendmail program locally using its binary executable (/usr/sbin/sendmail, for instance).

Accessing sendmail through port 25 is best reserved for server to server communications. The binary executable is the best method when using a script within the same machine as sendmail.

That being said, the script is connecting to the wrong hostname, which is why it gets the "may be forged" tag. Change the hostname the script connects to so that it is upsa-intl.org rather than whatever it is configured to use right now.


UPSA (Members)
Posted: Apr 21 2006, 10:07 AM

Thanks, Andy!!!

UPSA (Members)
Posted: Apr 21 2006, 11:47 AM

Last question! I hope.

What happens if I add 127.0.0.1 to my SPF record?

So, on the powermail.upsa-intl.org domain, put this:

v=spf1 a mx ip4:66.29.144.103/24 ip4:127.0.0.1 ~all


Is 127.0.0.1 too generic? It's (right now) where all emails are originating on my server, so this would be temporary until the guy rewrites the script to send emails out through my own IP (the way you said above).

Brian

andy (Advantagecom Staff)
Posted: Apr 25 2006, 10:53 PM

My apologies for ducking out on this thread. I had some other important matters come up that kept me away.

I know about the basic concepts of an SPF record and how it does what it does, but when it comes to syntax, we have someone on staff that has studied SPF record syntax in depth. He'll be better suited to answer your most recent question on this thread.

Tomorrow, I'll have him take a look at this thread when he comes into the office.

There are some things he may need to know to be able to help you put together an SPF record that does what you need it to do, so be sure to answer his questions as best you can.


Jonathan (Members)
Posted: Apr 28 2006, 03:23 PM

The ~all means soft-fail everything that does not match the rules set before it. According to the standard, this means the email will never be rejected as a result of the SPF record; it may be passed on or processed in some other way to determine whether it is spam or not, but other than that, the SPF record shown above will have no effect. The -all means fail: the email should be rejected if it does not match the rules set before it.

As for the 127.0.0.1, that is not a routable IP address, so no email server will ever say it is coming from that IP address. That rule therefore means nothing and will have no effect when the destination mail server checks to make sure the email from the domain is coming from the correct servers (IP addresses) as defined by your SPF record.

If you want to use an SPF record for your domain, you should commit to using either only one outgoing SMTP server to relay your email, or a set group of SMTP servers to relay your email from that domain (where "from that domain" means the sender email address of the email is set to the domain in question). Then take the specific IP addresses of these SMTP servers, define them in your SPF record, and end the record with -all. This is the only solution if you want to make sure that email saying it is from your domain is actually from your domain.


--------------------
Jonathan Kinney
Data Systems Specialist
Please note, Private Messages will be ignored.
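The SPF evaluation Jonathan describes, applied to the two records posted in this thread, as an added Python example that is not code from the thread, from openspf or from any SPF library. It implements only the mechanisms these records use (ip4, a, mx, all) with the +, -, ~ and ? qualifiers; the DNS answers are a constructed in-memory table built from the records and addresses posted above. The zone "tight.example" (the single-address record Jonathan recommends), the sending addresses 66.29.144.200 and 203.0.113.5, and the domain "nospf.example" are hypothetical inputs of this example.

```python
"""Minimal SPF evaluator for the mechanisms used in this thread (ip4, a, mx,
all) with the +, -, ~ and ? qualifiers.

Added example for the discussion above; not code from the thread, from
openspf or from any SPF library.  DNS answers come from a constructed
in-memory table.  A real checker would query DNS and also implement include,
redirect, ip6, ptr, exists, macros and the lookup limit (RFC 7208).
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed DNS data reflecting the records posted in the thread.  The
# "tight.example" zone is hypothetical: the single-address, -all record
# Jonathan recommends, for comparison.
DNS_A: Dict[str, List[str]] = {
    "upsa-intl.org": ["66.29.144.103"],
    "powermail.upsa-intl.org": ["66.29.144.103"],
    "tight.example": ["66.29.144.103"],
}
DNS_MX: Dict[str, List[str]] = {
    "upsa-intl.org": ["upsa-intl.org"],
    "powermail.upsa-intl.org": ["upsa-intl.org"],
    "tight.example": ["tight.example"],
}
DNS_TXT: Dict[str, str] = {
    "upsa-intl.org": "v=spf1 ip4:66.29.144.103/24 a mx -all",
    "powermail.upsa-intl.org": "v=spf1 a mx ip4:66.29.144.103/24 ip4:127.0.0.1 ~all",
    "tight.example": "v=spf1 ip4:66.29.144.103 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _in_net(ip: str, addr: str, prefix: int) -> bool:
    """True when ip falls inside addr/prefix (a bare address is a /32)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _split(term: str, domain: str) -> Tuple[str, str, int]:
    """'mx:host/24' -> ('mx', 'host', 24).  A missing target defaults to the
    domain being checked and a missing prefix length to 32."""
    mech, _, rest = term.partition(":")
    if "/" in mech:                      # form "a/24": prefix without a target
        mech, _, rest = mech.partition("/")
        rest = "/" + rest
    target, _, prefix = rest.partition("/")
    return mech.lower(), target or domain, int(prefix) if prefix else 32


def check_spf(ip: str, domain: str) -> Tuple[str, str]:
    """Evaluate the domain's SPF record for a sending IP and return
    (result, term that matched); the term is "" when nothing matched."""
    record = DNS_TXT.get(domain)
    if record is None:
        return "none", ""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", ""
    for raw in terms[1:]:
        qualifier, term = "+", raw
        if raw[0] in QUALIFIERS:
            qualifier, term = raw[0], raw[1:]
        mech, target, prefix = _split(term, domain)
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = _in_net(ip, target, prefix)
        elif mech == "a":
            matched = any(_in_net(ip, a, prefix) for a in DNS_A.get(target, []))
        elif mech == "mx":
            matched = any(_in_net(ip, a, prefix)
                          for mx in DNS_MX.get(target, [])
                          for a in DNS_A.get(mx, []))
        else:
            return "permerror", raw      # mechanism this example does not know
        if matched:
            return QUALIFIERS[qualifier], raw
    return "neutral", ""                 # RFC 7208: no match and no "all"


if __name__ == "__main__":
    # The sending IP is the connecting IP the receiver sees; the domain is
    # taken from the envelope MAIL FROM, e.g. powermail.upsa-intl.org for
    # do_not_reply@powermail.upsa-intl.org.
    for ip, domain in [("66.29.144.103", "upsa-intl.org"),
                       ("66.29.144.200", "upsa-intl.org"),
                       ("203.0.113.5", "upsa-intl.org"),
                       ("203.0.113.5", "powermail.upsa-intl.org"),
                       ("127.0.0.1", "powermail.upsa-intl.org"),
                       ("66.29.144.200", "tight.example")]:
        print(ip, domain, check_spf(ip, domain))
```

Two things the output makes visible that the records alone do not. First, ip4:66.29.144.103/24 is not "my IP address": it authorizes every host in 66.29.144.0/24, so a hypothetical neighbour at 66.29.144.200 on the same hosting block passes as upsa-intl.org; a single address (the "tight.example" form) fails it. Second, the a and mx mechanisms here both resolve to 66.29.144.103, which the ip4 term already covers, so they add DNS lookups without adding any authorized sender. The ip4:127.0.0.1 term matches in this evaluator only because the test feeds it 127.0.0.1 directly; a remote receiver never sees a connection from that address, which is Jonathan's point.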