Does the exim that cpanel installs use SPF?

[kernow]

Ummm....... I added that line and created a new test domain entry but there's no SPF record added. ???
EDIT.
It works if you create a new account but not if you just add a new DNS zone.
Thanks for posting the code though !!

[sneader]

Thanks very much for taking time to detail this.

I have three name servers. Am I safe in changing this line to:

%domain%. IN TXT "v=spf1 a mx ptr ip4:%ftpip% a:%nameserver% a:%nameserver2% a:%nameserver3% -all"



- Scott

[ispro]

Ummm....... I added that line and created a new test domain entry but there's no SPF record added. ???
EDIT.
It works if you create a new account but not if you just add a new DNS zone.
Thanks for posting the code though !!

Yes, it not works with Add DNS. The reason is simple - we are using %ftpip%, not just %ip%.

If you change my code to have %ip% instead of %ftpip% the Add DNS will work.

However there are one No-No - %ip% means the IP for the ACCOUNT. E.g. if you add account with its own IP then SPF become broken. Why? Because domain will NOT have the MAIN server IP listed as allowed.

Our decision was use solely %ftpip% which suits 99.9% of the customers.

At last if someone add DNS Zone he is having the knowledge and may add its own SPF record, isn't it?

[ispro]

Thanks very much for taking time to detail this.

I have three name servers. Am I safe in changing this line to:

%domain%. IN TXT "v=spf1 a mx ptr ip4:%ftpip% a:%nameserver% a:%nameserver2% a:%nameserver3% -all"



- Scott

For your case answer is - Absolutely!

The reason I NOT adviced to add nameserver3 and nameserver4 is simple as well - when cPanel founds variable to be empty (like in previous response regarding Add DNS Zone with %ftpip%) cPanel REMOVE the WHOLE line. Wonder why lines %domain%. %nsttl% IN NS %nameserver3%. not appear in the domain DNS zone when you have just ns1 & ns2? Because of this fact.

You may test it on your own adding nameserver4 (with no ns4 set in the main cPanel config). You will see that SPF line would not be added. The same apply to ns3 for those with no ns3 set.

Enjoy the knowledge!

[kernow]

Yes, it not works with Add DNS. The reason is simple - we are using %ftpip%, not just %ip%.

If you change my code to have %ip% instead of %ftpip% the Add DNS will work.

However there are one No-No - %ip% means the IP for the ACCOUNT. E.g. if you add account with its own IP then SPF become broken. Why? Because domain will NOT have the MAIN server IP listed as allowed.

Our decision was use solely %ftpip% which suits 99.9% of the customers.

At last if someone add DNS Zone he is having the knowledge and may add its own SPF record, isn't it?

I understad now, thanks for your help.

[lloyd_tennison]

If any of your account forward emails - that will break it.

See: http://www.openspf.org/faq.html#forwarding

The short of it:

Does SPF break email forwarding?

Stuart Gathman's opinion is recorded at http://archives.listbox.com/spf-disc...0410/0488.html.

Yes, it does. You'll have to switch from forwarding, where the envelope sender is preserved, to remailing, where the envelope sender is changed. But don't worry, we're working on providing SRS patches for the four major opensource MTAs, so that when you upgrade to an SPF-aware version, this problem will be solved also.

If your forwarding runs through a commercial service like pobox.com, you shouldn't have to do anything. They have to change with the times, and perform the above rewriting automatically for you. SRS is a structured standard that helps them adapt.

SPF is NOT a good idea for web hosts. Also, remailing then makes you the sender - and if you remail SPAM - you then are the sender and blamed!

[damainman]

interesting.

[LiNUxG0d]

Hey all,

I know this thread is rather old but, really, why is everyone saying SPF record filtering is bad? It can't be that terrible. Let me explain a situation I'm facing.

I have a box right now that has 2 domains that are being brute forced BIG time by some bot nets. Now, they are using H="verizon.net" and are obviously not verizon.net customers. Some have IP's from Russia, Argentina, etc. So they're using the @verizon.net suffix to spoof...

I mean, verizon.net have specified SPF's as well as many other major ISP's...

So, basically, I figure, if I use SPF filters, at least these bogus attempts will FAIL instead of accept and RCPT FAIL due to a bad authentication (dictionary attack).

Really, I don't know WHAT to do for this issue. I have RBL/Dictionary attack checks enabled and get 2000+ daily brute force attempts... I thought SPF's would do it but everyone here is so negative towards their implementation/use.

What's the point of knowing someone "doesn't" use SPF or "does" use one if you're not going to do anything with mail that doesn't have SPF implemented?

Is there ANY positive feedback to SPF?

I mean, I've implemented SPF on one of our major domains and have stopped receiving dumb bounce-backs due to people using my address to spam the world. IE, they use me@mydomain.com to spam, but it fails because my SPF doesn't authorize their SMTP to send mail on behalf of mydomain.com.

Anyone, comments? Solutions to stop the massive brute forces?

Thanks in advance,

Jamie

[ispro]

Here is short script to add SPF records to ALL existing DNS zones:

Code:

MAINIP='1.2.3.4'; NS1='ns1.DOMAIN'; NS2='ns2.DOMAIN';
cd /var/named; for DB in `ls -1 *.db`; do DOM=`echo $DB|replace '.db' '' --`; SPF=`grep -c spf1 $DOM.db`; if [ S"$SPF" == 'S0' ]; then echo "----> $DOM has NOT SPF, adding..."; echo -e "\n$DOM. IN TXT \"v=spf1 a mx ptr ip4:$MAINIP a:$NS1 a:$NS2 -all\"\n" >> $DOM.db; else echo "$DOM has SPF already, skipping..."; fi; done; cd;

You need to change MAINIP and NS1 & NS2 to specific for your server and execute code in the shell.

This script go through all DNS zones and add single line to domains with no SPF record. E.g. no double-added SPF records, etc.

We have converted thousands DNS zones with no problems so feel free to use it and save some valuable time.

Enjoy!

[10101]

Here is short script to add SPF records to ALL existing DNS zones:

Code:

MAINIP='1.2.3.4'; NS1='ns1.DOMAIN'; NS2='ns2.DOMAIN';
cd /var/named; for DB in `ls -1 *.db`; do DOM=`echo $DB|replace '.db' '' --`; SPF=`grep -c spf1 $DOM.db`; if [ S"$SPF" == 'S0' ]; then echo "----> $DOM has NOT SPF, adding..."; echo -e "\n$DOM. IN TXT \"v=spf1 a mx ptr ip4:$MAINIP a:$NS1 a:$NS2 -all\"\n" >> $DOM.db; else echo "$DOM has SPF already, skipping..."; fi; done; cd;

You need to change MAINIP and NS1 & NS2 to specific for your server and execute code in the shell.

This script go through all DNS zones and add single line to domains with no SPF record. E.g. no double-added SPF records, etc.

We have converted thousands DNS zones with no problems so feel free to use it and save some valuable time.

Enjoy!

I don't suppose you have a script for correcting SPF records do you?

For example ~

replace:
thedomain.com. IN TXT "v=spf1 ip4:1.2.3.4 ~all"

with:
thedomain.com. IN TXT "v=spf1 ip4:1.2.3.4 a mx a:hostname.serverdomain.com a:mail.thedomain.com -all"


Thanks

[ispro]

I don't suppose you have a script for correcting SPF records do you?

For example ~

replace:
thedomain.com. IN TXT "v=spf1 ip4:1.2.3.4 ~all"

with:
thedomain.com. IN TXT "v=spf1 ip4:1.2.3.4 a mx a:hostname.serverdomain.com a:mail.thedomain.com -all"


Thanks

Just replace "grep -c " with the full replacement string. Then check would fail on partial OR CUSTOM (!) SPF records and they will be re-added. That's why I do feel you need to check such domains deeper for not to broke them!

[10101]

Just replace "grep -c " with the full replacement string. Then check would fail on partial OR CUSTOM (!) SPF records and they will be re-added. That's why I do feel you need to check such domains deeper for not to broke them!

Thanks but I cant get it to work, can you please give an example?

Edit: I;ve got it to add the new SPF line however it left the old one behind so theres two now lol.