Mailing List Archive: SPF: Help

SPF Records Block All Mail

Index | Next | Previous | View Threaded

kr at macoby

Aug 2, 2008, 10:05 AM

Post #1 of 3 (367 views)
Permalink

SPF Records Block All Mail

Request your assistance please. We added the following SPF records for
the domain ibn2.com to our DNS servers and all mail to the is being
blocked -- not our intent. We are unable to find the error that is
causing this problem. We have RTFM's but can't locate the cause of the
problem.

-----------------------------------------------------------------------------------------------------------------------------------------------------
;
; SENDER POLICY FRAMEWORK (SPF) RECORDS
;
;
ibn2.com. IN TXT "v=spf1 ip4:67.116.23.194
ip4:67.116.20.66 ip4:69.3.29.34 -all"
ibn2.com. IN SPF "v=spf1 ip4:67.116.23.194
ip4:67.116.20.66 ip4:69.3.29.34 -all"
;
mail.ibn2.com. IN TXT "v=spf1 ip4:67.116.23.194
ip4:67.116.20.66 ip4:69.3.29.34 -all"
mail.ibn2.com. IN SPF "v=spf1 ip4:67.116.23.194
ip4:67.116.20.66 ip4:69.3.29.34 -all"
;
mail.ibn2.com. IN TXT "v=spf1 ip4:67.116.23.210
ip4:67.116.20.70 ip4:69.3.27.37 -all"
mail.ibn2.com. IN SPF "v=spf1 ip4:67.116.23.210
ip4:67.116.20.70 ip4:69.3.27.37 -all"
;
;
;
-----------------------------------------------------------------------------------------------------------------------------------------------------

All mail from ibn2.com is sent from one mailserver mail-1.theibn.com.
The mailserver is on a private network 192.168.20.4 which NAT's to a
multi-honed public network addresses 67.116.23.194 67.116.20.66 and
69.3.29.34.

The domain has the following A records;
;
mail.ibn2.com. IN A 69.3.27.37
mail.ibn2.com. IN A 67.116.20.70
mail.ibn2.com. IN A 67.116.23.210
;

mail.ibn2.com has two sets of IP addresses. One for outbound mail which
are the same as the mailserver, the other set are listed in the DNS A
record for connecting to the server via other ports, such as for Webmail
etc.

The MX records point to a spam appliance cuda-1.theibn.com
67.116.23.204, 67.116.20.76 and 69.3.29.41and cuda-2.ibnto.com
67.116.23.205, 67.116.20.77 and 69.3.29.42. These addresses NAT to
cuda-1 192.168.20.8 and cuda-2 192.168.20.16 and they forward traffic
that clears the spam filters to the mailserver 192.168.20.4.

We have obviously missed something in our setup. We would appreciate you
pointing out the problem to us.

Thank you,

Kenn

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

csweeney at osubucks

Aug 2, 2008, 10:56 AM

Post #2 of 3 (330 views)
Permalink

Re: SPF Records Block All Mail [In reply to]

So basic question first is all your email being sent from
something[at]ibn2.com ? Or is the email being blocked coming from a
different domain because I see your message sent to the list came from
67.116.23.194 but not from a @ibn2.com email address. If thats the case
then your SPF is working as it should because you haven't advertised those
other domains as sending from your server.

> Request your assistance please. We added the following SPF records for
> the domain ibn2.com to our DNS servers and all mail to the is being
> blocked -- not our intent. We are unable to find the error that is
> causing this problem. We have RTFM's but can't locate the cause of the
> problem.
>
> -----------------------------------------------------------------------------------------------------------------------------------------------------
> ;
> ; SENDER POLICY FRAMEWORK (SPF) RECORDS
> ;
> ;
> ibn2.com. IN TXT "v=spf1 ip4:67.116.23.194
> ip4:67.116.20.66 ip4:69.3.29.34 -all"
> ibn2.com. IN SPF "v=spf1 ip4:67.116.23.194
> ip4:67.116.20.66 ip4:69.3.29.34 -all"
> ;
> mail.ibn2.com. IN TXT "v=spf1 ip4:67.116.23.194
> ip4:67.116.20.66 ip4:69.3.29.34 -all"
> mail.ibn2.com. IN SPF "v=spf1 ip4:67.116.23.194
> ip4:67.116.20.66 ip4:69.3.29.34 -all"
> ;
> mail.ibn2.com. IN TXT "v=spf1 ip4:67.116.23.210
> ip4:67.116.20.70 ip4:69.3.27.37 -all"
> mail.ibn2.com. IN SPF "v=spf1 ip4:67.116.23.210
> ip4:67.116.20.70 ip4:69.3.27.37 -all"
> ;
> ;
> ;
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
> All mail from ibn2.com is sent from one mailserver mail-1.theibn.com.
> The mailserver is on a private network 192.168.20.4 which NAT's to a
> multi-honed public network addresses 67.116.23.194 67.116.20.66 and
> 69.3.29.34.
>
> The domain has the following A records;
> ;
> mail.ibn2.com. IN A 69.3.27.37
> mail.ibn2.com. IN A 67.116.20.70
> mail.ibn2.com. IN A 67.116.23.210
> ;
>
> mail.ibn2.com has two sets of IP addresses. One for outbound mail which
> are the same as the mailserver, the other set are listed in the DNS A
> record for connecting to the server via other ports, such as for Webmail
> etc.
>
> The MX records point to a spam appliance cuda-1.theibn.com
> 67.116.23.204, 67.116.20.76 and 69.3.29.41and cuda-2.ibnto.com
> 67.116.23.205, 67.116.20.77 and 69.3.29.42. These addresses NAT to
> cuda-1 192.168.20.8 and cuda-2 192.168.20.16 and they forward traffic
> that clears the spam filters to the mailserver 192.168.20.4.
>
>
> We have obviously missed something in our setup. We would appreciate you
> pointing out the problem to us.
>
>
> Thank you,
>
> Kenn
>
>
>
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org
> Modify Your Subscription: http://www.listbox.com/member/
> Archives: https://www.listbox.com/member/archive/1020/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/1020/
> Powered by Listbox: http://www.listbox.com
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>

--
Chris Sweeney

Home Phone for $10 a month call 937-415-0943

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

hmdmhdfmhdjmzdtjmzdtzktdkztdjz at gmail

Aug 2, 2008, 12:10 PM

Post #3 of 3 (334 views)
Permalink

Re: SPF Records Block All Mail [In reply to]

Kenn Roberts wrote:

> We are unable to find the error that is causing this problem.

There's a test address somewhere, you send mail to it, it tells
you what the receiver sees. Your message to this list contains
the following Received header field:

| Received: from theibn.com (unknown [67.116.23.194]) by
| chiclet.listbox.com (Postfix) with ESMTP id 434A022B79A for
| <spf-help[at]v2.listbox.com>; Sat, 2 Aug 2008 13:07:58 -0400 (EDT)

You'd need a policy permitting IP 67.116.23.194 (among others).

> ibn2.com. IN TXT "v=spf1 ip4:67.116.23.194
> ip4:67.116.20.66 ip4:69.3.29.34 -all"

This does the trick for mail from user[at]ibn2.com

> mail.ibn2.com. IN TXT "v=spf1 ip4:67.116.23.194
> ip4:67.116.20.66 ip4:69.3.29.34 -all"

Ditto for mail from user[at]mail.ibn2.com (if that's relevant)

> mail.ibn2.com. IN TXT "v=spf1 ip4:67.116.23.210
> ip4:67.116.20.70 ip4:69.3.27.37 -all"

That would give you a PermError, you cannot have two different
policies for the same domain. Join the two TXT records in one,
join the two SPF records in one. Use Scott's SPF validator to
check the effect.

> The mailserver is on a private network 192.168.20.4

That's irrelevant, as discussed some days ago, only your public
IPs count.

> multi-honed public network addresses 67.116.23.194
> 67.116.20.66 and 69.3.29.34.

Yes, those IPs are permitted to send mail from user[at]ibn2.com,
so this can't be your problem.

Don't forget that changes in your policy won't immediately work
for receivers with an older policy in their DNS cache. I'd use
~all (SOFTFAIL) instead of -all (FAIL) until I'm sure about the
effect, YMMV, it also depends on your ibn2.com use cases.

> The domain has the following A records;
> ;
> mail.ibn2.com. IN A 69.3.27.37
> mail.ibn2.com. IN A 67.116.20.70
> mail.ibn2.com. IN A 67.116.23.210

That simplifies the fix for mail.ibn2.com (see above): Just add
an "a" to the first record to cover these three IPs, and delete
the second record (for both sets, TXT and SPF), example:

- mail.ibn2.com. IN SPF "v=spf1 ip4:67.116.23.194
- ip4:67.116.20.66 ip4:69.3.29.34 -all"
- mail.ibn2.com. IN SPF "v=spf1 ip4:67.116.23.210
- ip4:67.116.20.70 ip4:69.3.27.37 -all"

+ mail.ibn2.com. IN SPF "v=spf1 ip4:67.116.23.194
+ ip4:67.116.20.66 ip4:69.3.29.34 a -all"
...................................^

> The MX records point to a spam appliance cuda-1.theibn.com
> 67.116.23.204, 67.116.20.76 and 69.3.29.41 and cuda-2.ibnto.com
> 67.116.23.205, 67.116.20.77 and 69.3.29.42.

As long as those MXs don't *send* mail from user[at]ibn2.com they
are irrelevant. I wonder why you permit six IPs for mail.ibn2,
but only three IPs for ibn2, and what MAIL FROM adresses we are
talking about, user[at]ibn2, user[at]mail.ibn2, or both ?

If both, why are the sender policies different ? Is it possible
that you forgot the three a:mail.ibn2.com in the ibn2.com policy ?

Frank

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com