SPiFfy! - Grin with cat attached
SPiFfy! Dec. 14th, 2003 04:32 pm
[...]
Opposition to SPF appears to be based on the laziness or irresponsibility of users and service providers. Previously, these could go unpunished by the greater community of users, as there was no way of detecting this sort of abuse of the SMTP system: a receiving server had no way of knowing which hosts were entitled to send mail for a given domain. SPF, however, lets a domain publish that list in DNS, so a receiving server can compare the connecting IP address against it and detect this behaviour, at which point appropriate action can be taken.

If it really is the case that SPF requires a tightening-up of email policies and server configurations, so much the better - this is long overdue. If that's the only thing SPF achieves (and I don't believe that for a second), it will still be worth the effort put in.

Consider this in the light of SMTP. As one of the early internet protocols, it was written with hard-coded naivety: every server was expected to be an open relay, because everyone online could be trusted. We've since found this to be a flawed assumption, and so the first generation of SMTP hardening has occurred: open relays were closed. And there was no massive backlash against people closing their servers (except from a few desperate spammers); instead the backlash is against those who have *not* adapted, who have *not* made an effort for what I can only call "the greater good".

There were some issues with that; some people weren't "near" their own relays and so suffered from the global lockdown. And of course there were solutions: Poll-Then-Post behaviour (e.g. Geocities) and SMTP authentication. There were a few growing pains, but the vast majority of 'net users accepted these as necessary. Nowadays, anyone who protested against the lockdown looks rather silly in hindsight.

It will happen just the same for SPF. There will be growing pains, and complaints, and there will be solutions (e.g. SRS for forwarded mail, more use of SMTP-AUTH, and VPNs), but the net result will be the one globally desired.




If you're wondering what all this SPF gubbins I keep talking about *is*, see my new FAQ at:
http://www.infinitepenguins.net/SPF/

If you're hoping I'll just shut up about it- that ain't gonna happen ;)

From: dennyd
Date: December 14th, 2003 - 09:19 am
I'd like to implement this, but... while hopefully not being a complete moron, I can't figure out what half the things your wizard wants actually are. I take it this means I shouldn't be let loose in charge of a domain name in your opinion?

Thoughts as I work through the thing (for ukfetish.info) are below, in case they're of any use:

I don't understand the slightly tortuous phrase "If the mail exchangers for another domain can send mail from this domain, enter that domain here". I'm hoping that's because I'm not doing it :)

I don't know what CIDR is.

I don't understand why the first page of your wizard gives me the hostname of my colo box and the second page gives me its IP - in what way does the purpose of these two pages differ? My website hosted on that box sends out emails, so I'm guessing I need to say yes to one or both of these (I've opted for both for now).

I'm guessing that the named hosts bit on the second page is where I put in my ISP's SMTP server - although presumably this then means all Pipex ADSL customers can forge email from my domain? I suppose that at least reduces the scope of the problem considerably. What do I do about when I want to send email from my laptop at someone else's house, when they use a different ISP?

The third page seems redundant given the bits at the bottom of the first and second pages, so I assume there's something else I don't understand there.

Fourth page, I don't understand. Is this not what I just did? Or does this only apply to multi-server setups? Left it at 'no', guessing the latter.

Fifth page, also don't understand - isn't this what the bits at the bottom of pages 1 and 2 are for? Left empty.

Sixth page, looks like the answer to my question about sending from friends' houses. I can do it, if I select ?, but it'll look fairly dodgy compared to sending from my own house.

I don't know how I'd go about setting up authenticated SMTP, which seems to be your suggested solution for 'roaming'. I'd rather not use my colo box as a general SMTP server anyway, it's underpowered for coping with the websites as it is.

Finally, I didn't set up BIND on my server and I don't understand it :) Rather than one config file, it appears to have a config file for each domain - can I dump this line anywhere in (the appropriate one of) those files? As I understand it, BIND configuration syntax has changed a lot between recent versions - what version of output are you producing, and might it be an idea to label it? Or is the output from your wizard okay for any versions of BIND likely to be in current use?

*puts on dunce cap, sits in corner*
From: wechsler
Date: December 14th, 2003 - 09:37 am
> I'd like to implement this, but... while hopefully not being a complete
> moron, I can't figure out what half the things your wizard wants
> actually are. I take it this means I shouldn't be let loose in charge of a
> domain name in your opinion?

Right - if you can't understand it, I probably need to tidy things up a
bit. You've read the FAQ, of course? ;)

Do you (think that you) understand DNS record types?

> Thoughts as I work through the thing (for ukfetish.info) are below, in
> case they're of any use:
>
> I don't understand the slightly tortuous phrase "If the mail exchangers
> for another domain can send mail from this domain, enter that domain
> here". I'm hoping that's because I'm not doing it :)

Probably not. *Most* people won't need more than a few parts of this
tool.

> I don't know what CIDR is.

IMHO, you should (although I can be persuaded otherwise). It's the /24 notation used to designate network segments.

> I don't understand why the first page of your wizard gives me the
> hostname of my colo box and the second page gives me its IP - in what
> way does the purpose of these two pages differ? My website hosted on
> that box sends out emails, so I'm guessing I need to say yes to one or
> both of these (I've opted for both for now).

Page 1 is the MX, page 2 the A records. These are generally specified as
hostnames and IP numbers respectively.

> I'm guessing that the named hosts bit on the second page is where I put
> in my ISP's SMTP server - although presumably this then means all Pipex
> ADSL customers can forge email from my domain? I suppose that at least
> reduces the scope of the problem considerably.

Exactly.

> What do I do about when I
> want to send email from my laptop at someone else's house, when they use
> a different ISP?

You answered this below.

> The third page seems redundant given the bits at the bottom of the first
> and second pages, so I assume there's something else I don't understand
> there.

It probably is.

> Fourth page, I don't understand. Is this not what I just did? Or does
> this only apply to multi-server setups? Left it at 'no', guessing the
> latter.

If you don't understand, chances are you don't need it.

> Fifth page, also don't understand - isn't this what the bits at the
> bottom of pages 1 and 2 are for? Left empty.

Redundancy is heavy in the SPF protocol, for ease of adoption.

> Sixth page, looks like the answer to my question about sending from
> friends' houses. I can do it, if I select ?, but it'll look fairly dodgy
> compared to sending from my own house.

As addressed in the "essay", this is an area of some potential pain.

> I don't know how I'd go about setting up authenticated SMTP, which seems
> to be your suggested solution for 'roaming'. I'd rather not use my colo
> box as a general SMTP server anyway, it's underpowered for coping with
> the websites as it is.

Using it as send-only SMTP isn't going to load it much... what distro is
it on, anyway?

> Finally, I didn't set up BIND on my server and I don't understand it :)
> Rather than one config file, it appears to have a config file for each
> domain - can I dump this line anywhere in (the appropriate one of) those
> files?

Anywhere below the SOA record, yes. This is standard for BIND.

> As I understand it, BIND configuration syntax has changed a lot
> between recent versions - what version of output are you producing, and
> might it be an idea to label it? Or is the output from your wizard okay
> for any versions of BIND likely to be in current use?

Should work from 4-9 AFAIK, but I don't know BIND in *quite* that
detail.

> *puts on dunce cap, sits in corner*

Nah, like I said, if you can't understand it, my aim's probably off.
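The exchange above covers the pieces a record is built from (the MX and A records, an ip4 range in CIDR notation, an `include:` of the ISP's relays, and the `?` qualifier for roaming), and the post's claim that SPF lets a receiving server detect forged senders. The following is an added example, not code from the post or from the wizard at infinitepenguins.net: a minimal v=spf1 evaluator run against a constructed in-memory DNS table. All domain names and addresses in it are assumptions taken from the RFC 5737 documentation ranges.

```python
"""Minimal evaluator for an SPF (v=spf1) record, run against a constructed,
in-memory DNS table so it works offline.  Supports the mechanisms the thread
talks about: mx, a, ip4 (with CIDR), include:, and all with the +/-/~/?
qualifiers.  Real resolvers, macros, exp=, ptr and a/mx with CIDR suffixes
are deliberately left out."""
import ipaddress

# Constructed DNS data for the example; every name and address here is an
# assumption, chosen from the RFC 5737 documentation ranges.
DNS = {
    "example.org": {
        "MX": ["mail.example.org"],
        "A": ["192.0.2.10"],                 # the colo box / web server
        "TXT": ["v=spf1 mx a ip4:192.0.2.0/28 include:isp.example.net ?all"],
    },
    "mail.example.org": {"A": ["192.0.2.25"]},
    "isp.example.net": {                    # the ISP's outbound SMTP relays
        "TXT": ["v=spf1 ip4:198.51.100.0/24 -all"],
    },
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; returns [] for names/types we have no data on."""
    return DNS.get(name, {}).get(rtype, [])


def check_record(ip, record, domain, depth=0):
    """Evaluate one v=spf1 record for a connection from `ip` claiming `domain`.

    Mechanisms are tested left to right; the first match decides the result
    via its qualifier.  If none matches and there is no 'all', the result is
    neutral.
    """
    if depth > 10:                             # guard against include: loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:            # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(addr) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            # include: matches only when the other domain's policy says pass
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                 # unknown mechanism
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def check_spf(ip, domain, depth=0):
    """Look up `domain`'s SPF record and evaluate it; 'none' if it has none."""
    records = [t for t in lookup(domain, "TXT")
               if t == "v=spf1" or t.startswith("v=spf1 ")]
    if not records:
        return "none"
    return check_record(ip, records[0], domain, depth)


if __name__ == "__main__":
    for sender_ip in ["192.0.2.25", "192.0.2.10", "198.51.100.77", "203.0.113.5"]:
        print(sender_ip, "claiming example.org ->", check_spf(sender_ip, "example.org"))
    # The same unknown host (roaming laptop, or a forwarder) under a strict policy:
    print("203.0.113.5 with -all ->",
          check_record("203.0.113.5", "v=spf1 mx a -all", "example.org"))
```

Two of the results are the ones the thread is worried about. A host anywhere in the ISP's included range (198.51.100.77 here) gets `pass` for example.org, which is exactly the "all Pipex ADSL customers can forge email from my domain" observation: `include:` delegates the whole of the other domain's policy. And a host outside every mechanism (203.0.113.5, the laptop at a friend's house, or a forwarding server) gets `neutral` under `?all` but `fail` under `-all`, which is why roaming needs SMTP-AUTH through a listed host and forwarding needs SRS before a domain can safely publish `-all`.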
From: dennyd
Date: December 14th, 2003 - 10:06 am
> Do you (think that you) understand DNS record types?

Nope. As mentioned elsewhere in that ramble, BIND was set up by someone else - it configures itself through a custom perl script when a new domain is added to my box, and mildly scares me when I look at the config files :)

>> I don't know what CIDR is.
>
> IMHO, you should (although I can be persuaded otherwise). It's the /24 notation used to designate network segments.

Hrm. The only time I've had to deal with that has nothing to do with my colo box, it was when I set up some of the routing through my gateway at home, and that was cut/paste/edit from a HOWTO. What does CIDR stand for, anyway?

> Page 1 is the MX, page 2 the A records. These are generally specified as
> hostnames and IP numbers respectively.

If that's an explanation, I didn't understand it :) So do I need to say 'yes' to both of those? Why do you need to deal with both, is this more relevant to people with more complex setups?

> If you don't understand, chances are you don't need it.

I think a note to that effect at the start of the wizard might be good, if it wouldn't run too much risk of people blithely creating useless/misleading records.

> Using it as send-only SMTP isn't going to load it much... what distro is
> it on, anyway?

Yeah, I suppose I don't roam that often at present anyway :) It's running an old but security-patched version of Red Hat, with a customised version of Exim as the SMTP server.

> Should work from 4-9 AFAIK, but I don't know BIND in *quite* that
> detail.

Fair enough. For some reason I had it quite firmly in my mind that there was a major syntactical break between 8 and 9.
From: wechsler
Date: December 14th, 2003 - 10:10 am
I think there was a change in the bind.conf, but not the zone file... I may be entirely wrong though ;)
From: djm4
Date: December 15th, 2003 - 03:20 am
Um.

I am not a BIND expert, but as I understand it, the major (and rather incompatible) changes to bind.conf (aka named.conf or named.boot) happened between 4.9 and 8. I think the 8.x and 9.x syntax is the same.

But that's beside the point. For zonefiles, there were changes to the way TTL is handled between 8.1? and 8.2, and hence to the meaning of the last number in the SOA record, and I think BIND 9 added some more ways of specifying time periods, but other than that, zonefile syntax is broadly the same across all versions of BIND. If you're chucking out an entire zone file, you'll want to watch whether or not you have a $TTL record, but if you're just chucking out parts of one, you'll probably be OK. Which is nice.

Will look at SPF when I get a moment (ha!). I certainly need to be aware of it, as I run two mail servers.

Also
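To make concrete where the wizard's line goes and the $TTL point raised just above, here is a constructed BIND zone fragment. It is an added example, not output from the wizard or anything from the commenters' servers; the names, addresses and serial are assumptions. The TXT line is the SPF record and sits below the SOA like any other record, which is the "anywhere below the SOA" answer given earlier. The leading $TTL directive is the BIND 8.2 and later form: from that version on, the last SOA field is the negative-caching TTL (RFC 2308) rather than the zone's default TTL, and a zone file without $TTL is loaded with a warning using the SOA minimum as the default.

```dns
$TTL 86400                      ; default TTL for records below (BIND 8.2+/9)
@       IN  SOA  ns1.example.org. hostmaster.example.org. (
                    2003121401  ; serial (assumed; bump it after every edit)
                    10800       ; refresh
                    3600        ; retry
                    604800      ; expire
                    3600 )      ; negative-caching TTL, not the default TTL
        IN  NS   ns1.example.org.
        IN  MX   10 mail.example.org.
        IN  A    192.0.2.10
        IN  TXT  "v=spf1 mx a ip4:192.0.2.0/28 include:isp.example.net ?all"
ns1     IN  A    192.0.2.2
mail    IN  A    192.0.2.25
```

The `mx` and `a` mechanisms in the TXT record resolve through the MX and A lines of this same zone, so if the mail host's address changes, the SPF record follows it without being edited; only an `ip4:` range has to be maintained by hand. Remember to increment the serial, or secondaries will keep serving the zone without the new record.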

From: wechsler
Date: December 14th, 2003 - 10:03 am
I've now added some usage notes and made some changes to the wizard- do they help at all?