The Community Forums


Does the exim that cpanel installs use SPF?

Discussion in 'General Discussion' started by BianchiDude, Aug 18, 2005.

  1. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    16
    Does the exim that cpanel installs use SPF?

    If so do I need to enable it somehow?
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's compiled in, but it doesn't use it automatically (thank goodness). You'll have to enable it by adding the appropriate commands in exim.conf:
    http://www.exim.org/exim-html-4.50/doc/html/FAQ_7.html#TOC272

    Bear in mind, that if you install it, it will at the very least, deny any email your clients forward from their ISP accounts to their POP3 accounts on their cPanel account, among other things. Remember, it is not RFC compliant and does break the SMTP rules on mail delivery.
     
  3. fred123123

    fred123123 Well-Known Member

    Joined:
    Jul 23, 2005
    Messages:
    74
    Likes Received:
    0
    Trophy Points:
    6
    I'm very sure how it works so far... because I sent a mail from my cell phone (which uses an SMTP like smtp.wirelessinbox.com instead of my own SMTP mail.domain.com) and the mail got through to the customer... without warning or anything...

    And from what I see in dnsreport.com, the SPF entries are there... Does it mean that exim doesn't use it? But the SPF entry is in the DNS zone?
     
  4. shashank

    shashank Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    159
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    That should be checked at the receiving end, I think. If the receiving mailserver has SPF checks enabled it should be accepted. I guess they did not have it enabled.
     
  5. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    16
    Can anyone think of anything else? I don't have anyone that forwards their ISP mail to their POP3, and I think you can just add a server to the SPF record if they do.
     
  6. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    16
    I enabled this on one server and it's not blocking anything, even when I try sending from a PHP script on another server. Any tips?
     
  7. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    As SPF is not universally used and also still has bugs not to mention RFC issues,
    I DO NOT recommend that you configure your server to actually perform SPF checks
    and certainly do not perform any filtering based on SPF .... that is just asking for trouble.

    Really the best use for SPF at this point is just as an advisor system on the client end.
    For example, I have an SPF checking extension installed in my Mozilla Thunderbird
    email program on my laptop which just simply tells me whether email messages
    have a valid SPF or not but does not do any filtering because of it which is good.

    Just as a side note, I do recommend that you add an SPF record to all your domains
    in your DNS server (BIND records) and update the DNS templates so that new domains
    added will automatically have a valid SPF record. With this, your mail will still get through
    to those few networks who are stupid enough to already have SPF filtering enabled.
     
  8. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Would you be willing to point me in the right direction regarding altering the DNS templates to do a basic SPF config for new customers?
     
  9. BianchiDude

    BianchiDude Well-Known Member
    PartnerNOC

    Joined:
    Jul 2, 2005
    Messages:
    619
    Likes Received:
    0
    Trophy Points:
    16
    You have to do the DNS config and then configure exim to run SPF checks. I'm not sure how to properly configure exim.
     
  10. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    I simply added the following to the DNS zone templates ....

    Where ...

    MYIP1 is the primary IP number on my server
    MYIP2 is the secondary IP number on my server
    MYSERVER is the hostname of my server
    MYSERVERDOM is the base domain name of my server

    Again, I **DO NOT** recommend that you turn on SPF checking in Exim and that you
    DO NOT perform any SPF filtering but I do recommend that you go ahead and add
    the SPF entries to your DNS zone files so you don't have any problems communicating
    with other hosts who were dumb enough to turn on SPF filtering on their end.
     
  11. Gareth

    Gareth Well-Known Member

    Joined:
    Feb 11, 2004
    Messages:
    71
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Isle of Anglesey, UK
    So if I am reading this right (been up for hours :eek: ), these are in this format:

    MYSERVER = server.myserverdomain.com
    MYSERVERDOM = myserverdomain.com
     
  12. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Yes, you got it! :)
     
  13. lloyd_tennison

    lloyd_tennison Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    698
    Likes Received:
    1
    Trophy Points:
    18
    And this is just on the MYSERVERDOM record or all DNS records? Nothing is real clear in SPF's own documentation for web hosting companies.
     
  14. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    The latter - all DNS records.

    It's a fun task if you have many DNS records to update . . .
     
  15. ispro

    ispro Well-Known Member

    Joined:
    Apr 8, 2004
    Messages:
    628
    Likes Received:
    1
    Trophy Points:
    18
    Recently we finally decided to set the SPF record by default.

    We recommend using the simplest way of setting up the DNS zones. Edit both /var/cpanel/zonetemplates/standard and /var/cpanel/zonetemplates/standardvirtualftp and add the single line at the bottom:

    Code:
    %domain%. IN TXT "v=spf1 a mx ptr ip4:%ftpip% a:%nameserver% a:%nameserver2% -all"
    
    This will work on every cPanel server automatically.

    This will address 99,9% of the possible setups and caused us no issues on several thousands of hosted domains. They may communicate with AOL/Hotmail and so on with no problems.

    Enjoy!
     
  16. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    865
    Likes Received:
    9
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Ummm....... I added that line and created a new test domain entry but there's no SPF record added. ???
    EDIT.
    It works if you create a new account but not if you just add a new DNS zone.
    Thanks for posting the code though !! :)
     
    #16 kernow, Dec 10, 2005
    Last edited: Dec 10, 2005
  17. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Thanks very much for taking time to detail this.

    I have three name servers. Am I safe in changing this line to:

    %domain%. IN TXT "v=spf1 a mx ptr ip4:%ftpip% a:%nameserver% a:%nameserver2% a:%nameserver3% -all"

    :confused:

    - Scott
     
  18. ispro

    ispro Well-Known Member

    Joined:
    Apr 8, 2004
    Messages:
    628
    Likes Received:
    1
    Trophy Points:
    18
    Yes, it does not work with Add DNS. The reason is simple - we are using %ftpip%, not just %ip%.

    If you change my code to have %ip% instead of %ftpip%, Add DNS will work.

    However, there is one no-no - %ip% means the IP for the ACCOUNT. E.g. if you add an account with its own IP then SPF becomes broken. Why? Because the domain will NOT have the MAIN server IP listed as allowed.

    Our decision was to use solely %ftpip%, which suits 99.9% of the customers.

    After all, if someone adds a DNS zone he has the knowledge and may add his own SPF record, doesn't he?
     
  19. ispro

    ispro Well-Known Member

    Joined:
    Apr 8, 2004
    Messages:
    628
    Likes Received:
    1
    Trophy Points:
    18
    For your case answer is - Absolutely!

    The reason I did NOT advise adding nameserver3 and nameserver4 is simple as well - when cPanel finds a variable to be empty (like in the previous response regarding Add DNS Zone with %ftpip%), cPanel REMOVES the WHOLE line. Wonder why lines like %domain%. %nsttl% IN NS %nameserver3%. do not appear in the domain DNS zone when you have just ns1 & ns2? Because of this fact.

    You may test it on your own by adding nameserver4 (with no ns4 set in the main cPanel config). You will see that the SPF line will not be added. The same applies to ns3 for those with no ns3 set.

    Enjoy the knowledge!
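
The two template behaviours described in the posts above (a line is dropped when any variable in it is empty, and `%ip%` publishes the account's IP instead of the main server IP), modelled as an added example that is not cPanel's code and not part of the original posts. The renderer, the simplified SPF check (only `ip4`, `a`, `mx` and `-all`), the host names and the addresses are all constructed assumptions, and `%ftpip%` is assumed to expand to the main server IP as the posts describe.

```python
import ipaddress
import re

FTPIP_LINE = ('%domain%. IN TXT "v=spf1 a mx ptr ip4:%ftpip% '
              'a:%nameserver% a:%nameserver2% -all"')   # line from the thread
IP_LINE = FTPIP_LINE.replace("%ftpip%", "%ip%")
NS3_LINE = FTPIP_LINE.replace(" -all", " a:%nameserver3% -all")

# Constructed sample data: documentation addresses, hypothetical host names.
MAIN_IP, DEDICATED_IP = "192.0.2.10", "192.0.2.50"
A = {"example.test": [DEDICATED_IP], "mail.example.test": [DEDICATED_IP],
     "ns1.host.test": ["198.51.100.1"], "ns2.host.test": ["198.51.100.2"]}
MX = {"example.test": ["mail.example.test"]}
VARS = {"domain": "example.test", "ip": DEDICATED_IP, "ftpip": MAIN_IP,
        "nameserver": "ns1.host.test", "nameserver2": "ns2.host.test"}

def render(line, variables):
    """Expand %name% placeholders; drop the whole line if any value is empty."""
    if any(not variables.get(n) for n in re.findall(r"%(\w+)%", line)):
        return None
    return re.sub(r"%(\w+)%", lambda m: variables[m.group(1)], line)

def spf_result(zone_line, domain, sender_ip):
    """Simplified check: ip4, a, mx and a final -all (ptr is not modelled)."""
    if zone_line is None:
        return "none"  # no SPF record published, receivers have nothing to check
    ip = ipaddress.ip_address(sender_ip)
    for term in re.search(r'"v=spf1 (.*)"', zone_line).group(1).split():
        mech, _, arg = term.partition(":")
        if term == "-all":
            return "fail"
        if mech == "ip4":
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = sender_ip in A.get(arg or domain, [])
        elif mech == "mx":
            hit = any(sender_ip in A.get(h, []) for h in MX.get(arg or domain, []))
        else:
            hit = False
        if hit:
            return "pass"
    return "neutral"

def check(line):
    """SPF result for mail leaving the main server IP under a given template."""
    return spf_result(render(line, VARS), VARS["domain"], MAIN_IP)

if __name__ == "__main__":
    for name, line in [("%ftpip%", FTPIP_LINE), ("%ip%", IP_LINE), ("ns3", NS3_LINE)]:
        print(name, "->", check(line))
```

After changing a zone template, querying the TXT record of a newly created test account confirms whether the line was actually published.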
     
  20. kernow

    kernow Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    865
    Likes Received:
    9
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I understand now, thanks for your help. :)
     