Re: SPF and domain keys

2016-08-29 Thread Mike Ragusa
Yes of course, as that would be the original sender of the email and their
information would also be in your SPF policy. You can change the Sender and
Reply-to headers to be from your domain and mask it a bit better, but the
Received headers would show the alphazulu.com mail server.

On Mon, Aug 29, 2016 at 10:38 AM project722 <project...@gmail.com> wrote:

> Awesome, Actually one more question. If we allow folks from another domain
> to send as us is there a chance anywhere in any of the email "from" headers
> it would reveal the "true" domain?
>
> eg..
>
> folks at alphazulu send as @foxtrot.com.
>
> Would @alphazulu.com appear anywhere in the headers?
>
> On Mon, Aug 29, 2016 at 9:34 AM, Mike Ragusa <mrag...@gmail.com> wrote:
>
>> Glad to help! If you need a low cost DMARC reporting service, I would
>> recommend www.dmarcian.com
>>
>> On Mon, Aug 29, 2016 at 10:33 AM project722 <project...@gmail.com> wrote:
>>
>>> Thanks guys - very helpful information indeed.
>>>
>>> On Mon, Aug 29, 2016 at 9:08 AM, Mike Ragusa <mrag...@gmail.com> wrote:
>>>
>>>> Ideally it is best to use both technologies and then put DMARC on top
>>>> to ensure reporting and enforcement of the policies. DKIM cryptographically
>>>> signs your messages and SPF informs receiving mail servers of who is
>>>> allowed to send on your behalf.  You should not think of using only one or
>>>> the other as they work best together to accomplish the same goal. When
>>>> utilizing DMARC on top of it all, you get the added benefit of reporting
>>>> from over 200 different ISPs from around the world. In general, DKIM is
>>>> first used as the authentication method and SPF as a backup.
>>>>
>>>> If you have a valid DKIM key, then failed SPF should not matter but if
>>>> you have a failed DKIM key and SPF passes, there still may be
>>>> deliverability issues to account for. If you do enable DMARC, then your
>>>> DKIM and/or SPF headers must align with your domain or you will encounter
>>>> deliverability issues depending on how your policies are set up. DKIM in
>>>> relaxed mode allows for mail to pass the test with the same parent domain
>>>> but canonicalization requires that your domains match up exactly as stated,
>>>> i.e. example.com and mail.example.com are not the same and will fail.
>>>> SPF with DMARC requires two or more FROM headers (
>>>> https://tools.ietf.org/html/rfc2822#section-3.6.2) match up exactly or
>>>> it will fail SPF checks but without DMARC anyone listed in the sender
>>>> policy can send on your behalf. While this may seem strange at first, this
>>>> is to prevent people from signing up to something like google and sending
>>>> on your behalf with the default google DKIM key and a wide open SPF policy.
>>>>
>>>> With DMARC:
>>>> DKIM : headers must match domain or else fail
>>>> SPF:  2 or more headers must match domain or else fail
>>>>
>>>> Without DMARC:
>>>> DKIM: just needs to be signed by sending mail server
>>>> SPF: just needs to be sent from a valid sender
>>>>
>>>> Depending on your needs, I would recommend putting SPF in soft fail,
>>>> DKIM in relaxed mode and DMARC in reporting mode only for the first 15-30
>>>> days and see how your traffic looks and who is sending on your behalf. Once
>>>> you have a comfortable baseline, start to tighten up your policies.
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Aug 29, 2016 at 9:51 AM project722 <project...@gmail.com>
>>>> wrote:
>>>>
>>>>> What about DKIM only? Can it be used instead of, or, as a
>>>>> "replacement" for SPF? For example mails are signed with DKIM from the
>>>>> SMTP servers, and the receiving servers are checking both SPF and DKIM. If
>>>>> the receiving server detected a missing SPF would it allow mail through if
>>>>> DKIM is present and valid? I suppose a lot of this depends on the SPF
>>>>> policies enforced on the receiving side.
>>>>>
>>>>> On Mon, Aug 29, 2016 at 1:53 AM, Dave Warren <da...@hireahit.com>
>>>>> wrote:
>>>>>
>>>>>> The easiest answer is: Whatever you want. Strictly speaking,
>>>>>> alphazulu.com can send mail on behalf of foxtrot.com u
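The point Mike makes at the top of this message (Sender and Reply-To can be rewritten, but the Received trace still names the relaying server) can be checked mechanically. The following is an added example, not code from anyone in this thread: it parses a constructed message whose From, Sender and Reply-To all say foxtrot.com, walks the Received headers oldest-first, and lists every relay host that is not under the claimed domain. Host names, IP addresses and the message itself are constructed for the example.

```python
"""Inspect the Received: trace of a message to find which mail servers
actually relayed it, independent of what From:, Sender: or Reply-To: claim."""
import email
import re
from email.utils import parseaddr

# Constructed sample: the visible headers say foxtrot.com, but the trace
# shows the message entered the Internet from alphazulu.com's mail server.
SAMPLE = """\
Received: from mail.alphazulu.com (mail.alphazulu.com [203.0.113.10])
        by mx.example.net (Postfix) with ESMTPS id 4ABCDEF
        for <user@example.net>; Mon, 29 Aug 2016 10:30:00 -0400
Received: from desk17.alphazulu.internal (unknown [10.20.30.40])
        by mail.alphazulu.com (Postfix) with ESMTPSA id 12345
        for <user@example.net>; Mon, 29 Aug 2016 10:29:58 -0400
From: Sales <sales@foxtrot.com>
Sender: sales@foxtrot.com
Reply-To: sales@foxtrot.com
To: user@example.net
Subject: constructed sample message
Message-ID: <constructed-0001@foxtrot.com>

Hello.
"""

# "from <host> (<comment>) by <host>" as written by most MTAs; the comment
# usually carries the reverse-DNS name and IP address of the connecting peer.
_HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)"
)


def received_hops(raw):
    """Return the relay hops oldest-first. Each MTA prepends its own Received:
    header, so the last header in the message is the first hop."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = _HOP_RE.search(flat)
        if m:
            hops.append({"from": m.group("from"),
                         "comment": m.group("comment") or "",
                         "by": m.group("by")})
    return hops


def visible_sender_domains(raw):
    """Domains shown in the headers a recipient normally looks at."""
    msg = email.message_from_string(raw)
    domains = set()
    for name in ("From", "Sender", "Reply-To"):
        for value in msg.get_all(name, []):
            addr = parseaddr(value)[1]
            if "@" in addr:
                domains.add(addr.rsplit("@", 1)[1].lower())
    return domains


def relay_domains_outside(raw, claimed_domain):
    """Relay host names from the trace that are not under claimed_domain."""
    claimed = claimed_domain.lower()
    found = set()
    for hop in received_hops(raw):
        for host in (hop["from"], hop["by"]):
            host = host.lower().rstrip(".")
            if host != claimed and not host.endswith("." + claimed):
                found.add(host)
    return sorted(found)


if __name__ == "__main__":
    print("visible sender domains:", visible_sender_domains(SAMPLE))
    for hop in received_hops(SAMPLE):
        print(f"  {hop['from']} -> {hop['by']}  ({hop['comment']})")
    print("relays outside foxtrot.com:", relay_domains_outside(SAMPLE, "foxtrot.com"))
```

Only the Received header added by your own receiving MTA is trustworthy; everything below it was written by the previous hops and can be forged, which is why the first hop your server sees (here mail.alphazulu.com) is the one worth comparing against the SPF record for the claimed domain.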

Re: SPF and domain keys

2016-08-29 Thread Mike Ragusa
Glad to help! If you need a low cost DMARC reporting service, I would
recommend www.dmarcian.com

On Mon, Aug 29, 2016 at 10:33 AM project722 <project...@gmail.com> wrote:

> Thanks guys - very helpful information indeed.
>
> On Mon, Aug 29, 2016 at 9:08 AM, Mike Ragusa <mrag...@gmail.com> wrote:
>
>> Ideally it is best to use both technologies and then put DMARC on top to
>> ensure reporting and enforcement of the policies. DKIM cryptographically
>> signs your messages and SPF informs receiving mail servers of who is
>> allowed to send on your behalf.  You should not think of using only one or
>> the other as they work best together to accomplish the same goal. When
>> utilizing DMARC on top of it all, you get the added benefit of reporting
>> from over 200 different ISPs from around the world. In general, DKIM is
>> first used as the authentication method and SPF as a backup.
>>
>> If you have a valid DKIM key, then failed SPF should not matter but if
>> you have a failed DKIM key and SPF passes, there still may be
>> deliverability issues to account for. If you do enable DMARC, then your
>> DKIM and/or SPF headers must align with your domain or you will encounter
>> deliverability issues depending on how your policies are set up. DKIM in
>> relaxed mode allows for mail to pass the test with the same parent domain
>> but canonicalization requires that your domains match up exactly as stated,
>> i.e. example.com and mail.example.com are not the same and will fail. SPF
>> with DMARC requires two or more FROM headers (
>> https://tools.ietf.org/html/rfc2822#section-3.6.2) match up exactly or
>> it will fail SPF checks but without DMARC anyone listed in the sender
>> policy can send on your behalf. While this may seem strange at first, this
>> is to prevent people from signing up to something like google and sending
>> on your behalf with the default google DKIM key and a wide open SPF policy.
>>
>> With DMARC:
>> DKIM : headers must match domain or else fail
>> SPF:  2 or more headers must match domain or else fail
>>
>> Without DMARC:
>> DKIM: just needs to be signed by sending mail server
>> SPF: just needs to be sent from a valid sender
>>
>> Depending on your needs, I would recommend putting SPF in soft fail, DKIM
>> in relaxed mode and DMARC in reporting mode only for the first 15-30 days
>> and see how your traffic looks and who is sending on your behalf. Once you
>> have a comfortable baseline, start to tighten up your policies.
>>
>>
>>
>>
>> On Mon, Aug 29, 2016 at 9:51 AM project722 <project...@gmail.com> wrote:
>>
>>> What about DKIM only? Can it be used instead of, or, as a "replacement"
>>> for SPF? For example mails are signed with DKIM from the SMTP servers, and
>>> the receiving servers are checking both SPF and DKIM. If the receiving
>>> server detected a missing SPF would it allow mail through if DKIM is
>>> present and valid? I suppose a lot of this depends on the SPF policies
>>> enforced on the receiving side.
>>>
>>> On Mon, Aug 29, 2016 at 1:53 AM, Dave Warren <da...@hireahit.com> wrote:
>>>
>>>> The easiest answer is: Whatever you want. Strictly speaking,
>>>> alphazulu.com can send mail on behalf of foxtrot.com using a
>>>> alphazulu.com DKIM selector, and that's perfectly valid under DKIM.
>>>> However, it won't have DMARC alignment, which is becoming more and more
>>>> important, so if alignment is relevant, you'll need to use a
>>>> foxtrot.com selector.
>>>>
>>>> tl;dr: Use a foxtrot.com selector unless you simply can't.
>>>>
>>>> As for who generates it, it's irrelevant. The sending server will need
>>>> the private key, your DNS records will contain the public key, but it makes
>>>> no difference if foxtrot.com creates the keys and delivers them to the
>>>> appropriate parties, or if alphazulu.com generates a private
>>>> key and provides the alphazulu._domainkey.foxtrot.com record to
>>>> foxtrot.com.
>>>>
>>>> Remember that you can have as many selectors as you want, don't reuse
>>>> them across trust boundaries (in other words, consider that in the future,
>>>> foxtrot.com and alphazulu.com may part ways, when that happens, it's
>>>> ideal if you can remove the selector from your DNS (after a period of time,
>>>> at least a week), such that alphazulu.com cannot continue to sign
>>>> mail. It's also ideal if you don't have to update DKI

Re: SPF and domain keys

2016-08-29 Thread Mike Ragusa
Ideally it is best to use both technologies and then put DMARC on top to
ensure reporting and enforcement of the policies. DKIM cryptographically
signs your messages and SPF informs receiving mail servers of who is
allowed to send on your behalf.  You should not think of using only one or
the other as they work best together to accomplish the same goal. When
utilizing DMARC on top of it all, you get the added benefit of reporting
from over 200 different ISPs from around the world. In general, DKIM is
first used as the authentication method and SPF as a backup.

If you have a valid DKIM key, then failed SPF should not matter but if you
have a failed DKIM key and SPF passes, there still may be deliverability
issues to account for. If you do enable DMARC, then your DKIM and/or SPF
headers must align with your domain or you will encounter deliverability
issues depending on how your policies are set up. DKIM in relaxed mode
allows for mail to pass the test with the same parent domain but
canonicalization requires that your domains match up exactly as stated, i.e.
example.com and mail.example.com are not the same and will fail. SPF with
DMARC requires two or more FROM headers (
https://tools.ietf.org/html/rfc2822#section-3.6.2) match up exactly or it
will fail SPF checks but without DMARC anyone listed in the sender policy
can send on your behalf. While this may seem strange at first, this is to
prevent people from signing up to something like google and sending on your
behalf with the default google DKIM key and a wide open SPF policy.

With DMARC:
DKIM : headers must match domain or else fail
SPF:  2 or more headers must match domain or else fail

Without DMARC:
DKIM: just needs to be signed by sending mail server
SPF: just needs to be sent from a valid sender

Depending on your needs, I would recommend putting SPF in soft fail, DKIM
in relaxed mode and DMARC in reporting mode only for the first 15-30 days
and see how your traffic looks and who is sending on your behalf. Once you
have a comfortable baseline, start to tighten up your policies.




On Mon, Aug 29, 2016 at 9:51 AM project722 wrote:

> What about DKIM only? Can it be used instead of, or, as a "replacement"
> for SPF? For example mails are signed with DKIM from the SMTP servers, and
> the receiving servers are checking both SPF and DKIM. If the receiving
> server detected a missing SPF would it allow mail through if DKIM is
> present and valid? I suppose a lot of this depends on the SPF policies
> enforced on the receiving side.
>
> On Mon, Aug 29, 2016 at 1:53 AM, Dave Warren wrote:
>
>> The easiest answer is: Whatever you want. Strictly speaking,
>> alphazulu.com can send mail on behalf of foxtrot.com using a
>> alphazulu.com DKIM selector, and that's perfectly valid under DKIM.
>> However, it won't have DMARC alignment, which is becoming more and more
>> important, so if alignment is relevant, you'll need to use a foxtrot.com
>> selector.
>>
>> tl;dr: Use a foxtrot.com selector unless you simply can't.
>>
>> As for who generates it, it's irrelevant. The sending server will need
>> the private key, your DNS records will contain the public key, but it makes
>> no difference if foxtrot.com creates the keys and delivers them to the
>> appropriate parties, or if alphazulu.com generates a private
>> key and provides the alphazulu._domainkey.foxtrot.com record to
>> foxtrot.com.
>>
>> Remember that you can have as many selectors as you want, don't reuse
>> them across trust boundaries (in other words, consider that in the future,
>> foxtrot.com and alphazulu.com may part ways, when that happens, it's
>> ideal if you can remove the selector from your DNS (after a period of time,
>> at least a week), such that alphazulu.com cannot continue to sign mail.
>> It's also ideal if you don't have to update DKIM records elsewhere in your
>> infrastructure.
>>
>> I hope at least some of this makes sense, but if not, ask. DKIM and DMARC
>> are fiddly, and a lot of the DKIM advice out there isn't entirely complete
>> now that DMARC is on the scene and DMARC builds on top of DKIM and SPF.
>>
>>
>> On Sun, Aug 28, 2016, at 16:13, project722 wrote:
>>
>> Lets say my domain is foxtrot.com and we have SPF records for the SMTP
>> servers on foxtrot.com. Now lets say I have decided I want to allow
>> alphazulu.com to send mail as foxtrot. I know how to add alphazulu.com to
>> the SPF, but if I wanted to also use DomainKeys or DKIM to authenticate
>> alphazulu.com would the keys need to be in foxtrot's name or alphazulu's?
>> For example,
>> Would I use:
>>
>> _domainkey.foxtrot.com.  IN TXT  "t=y\; o=~\;"
>> xxx._domainkey.foxtrot.com.   IN TXT  "k=rsa\; p=xxx"
>>
>> or
>>
>> _domainkey.alphazulu.com.  IN TXT  "t=y\; o=~\;"
>> xxx._domainkey.alphazulu.com.   IN TXT  "k=rsa\; p=xxx"
>>
>> Also,
>> 1) Who generates the 
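Mike's explanation of alignment and Dave's point that an alphazulu.com selector is valid DKIM but will not align for foxtrot.com come down to one rule from RFC 7489: at least one authenticated identifier (the d= domain of a passing DKIM signature, or the SPF-authenticated MAIL FROM domain) has to align with the RFC5322.From domain, exactly in strict mode or by organizational domain in relaxed mode. The code below is an added example, not from anyone in the thread. It parses DMARC records and DKIM-Signature headers with the same tag=value parser and evaluates alignment for the scenarios discussed above. It assumes a simplified organizational-domain rule (last two labels); real implementations consult the Public Suffix List. The DKIM-Signature and DMARC record values are constructed.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1): does a passing DKIM
d= domain or the SPF-authenticated MAIL FROM domain align with the From
domain, under the adkim/aspf modes published in the DMARC record?"""


def parse_tag_list(record):
    """Parse a 'tag=value; tag=value' string, the syntax shared by DMARC
    records and DKIM-Signature headers (first '=' separates tag from value)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dkim_signing_domain(dkim_signature_value):
    """The d= tag is the domain a passing DKIM signature authenticates."""
    return parse_tag_list(dkim_signature_value).get("d")


def organizational_domain(domain):
    """Simplification for this example: last two labels. Real receivers use
    the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """mode 's' (strict) needs an exact match; 'r' (relaxed) needs the same
    organizational domain. No authenticated domain means no alignment."""
    if not auth_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_result(from_domain, dmarc_record, dkim_d=None, spf_domain=None):
    """Return (passes, details). dkim_d is the d= of a signature that already
    verified; spf_domain is the MAIL FROM domain that already passed SPF.
    DMARC passes when at least one of them aligns with from_domain."""
    tags = parse_tag_list(dmarc_record)
    adkim = tags.get("adkim", "r")  # both default to relaxed
    aspf = tags.get("aspf", "r")
    dkim_ok = aligned(from_domain, dkim_d, adkim)
    spf_ok = aligned(from_domain, spf_domain, aspf)
    details = {"policy": tags.get("p"), "dkim_aligned": dkim_ok,
               "spf_aligned": spf_ok, "adkim": adkim, "aspf": aspf}
    return dkim_ok or spf_ok, details


# Constructed DKIM-Signature as alphazulu.com's server would add it when
# signing with its own selector, as discussed in the thread.
SAMPLE_DKIM_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=alphazulu.com; "
                         "s=alphazulu; h=from:to:subject:date; "
                         "bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE=")
# Constructed DMARC record for foxtrot.com, in reporting-only mode.
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@foxtrot.com"

if __name__ == "__main__":
    d = dkim_signing_domain(SAMPLE_DKIM_SIGNATURE)
    # alphazulu.com signs and sends for foxtrot.com with its own identities
    print("alphazulu selector:", dmarc_result("foxtrot.com", SAMPLE_DMARC, d, "alphazulu.com"))
    # same mail stream signed with a foxtrot.com selector (Dave's tl;dr)
    print("foxtrot selector:  ", dmarc_result("foxtrot.com", SAMPLE_DMARC, "foxtrot.com", "alphazulu.com"))
    # subdomain signing: relaxed passes, strict fails
    print("relaxed:", dmarc_result("example.com", "v=DMARC1; p=reject; adkim=r", "mail.example.com"))
    print("strict: ", dmarc_result("example.com", "v=DMARC1; p=reject; adkim=s", "mail.example.com"))
```

Without a DMARC record none of this applies: a receiver treats a DKIM signature as valid for whatever d= it names and an SPF pass as a pass for the MAIL FROM domain, which is Mike's "without DMARC" column. Publishing the record with p=none, as recommended above, turns alignment failures into reports rather than rejections while the senders on your behalf are inventoried.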

Re: Can't transfer two zones using two IP addresses

2010-08-31 Thread Mike Ragusa
What does your ifconfig -a output look like? Are you sure the external AXFR
queries are coming from 192.168.2.12?

On Wed, Sep 1, 2010 at 12:38 AM, Scott Simpson
scott.simp...@computer.org wrote:

 I'm trying to transfer my two zones internal and external from master to
 slave using two IP addresses and it isn't working.

 On my master I have:

 view internal {
allow-transfer { 192.168.2.1; };
 ...
 view external {
allow-transfer { 192.168.2.12; };
 ...

 My slave has two IP addresses 192.168.2.1 and 192.168.2.12 (I used a
 secondary IP address on the card). On the slave I have

 view internal {
transfer-source 192.168.2.1;
 ...
 view external {
transfer-source 192.168.2.12;
 ...

 When I try to transfer the domain external, I get a permission denied on
 the master. I know that the slave is using the correct transfer-source IP
 address because I did a tcpdump and it shows the correct address for the
 two transfers.

 Interestingly, if I switch the internal and external stanzas on the
 master, I get external only and not internal. What gives? Thanks.
 Scott

 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users


Re: Delegation - what needs to be there?

2010-03-26 Thread Mike Ragusa
That is correct, because you are only allowing the MX to resolve instead of
also allowing the A records that the MX points to.

On Fri, Mar 26, 2010 at 2:30 PM, Peter Laws pl...@ou.edu wrote:

 Delegating a zone to a server that has views.  Internal view will allow any
 query.  External view will only allow resolution of the MX record for that
 zone.  The MX points to hosts in another zone (which is also
 publicly-accessible).

 When I query from an address that matches the ACL for the external view, I
 get the MX records back OK, but no A record.

 Is that right?

 Would a client just go and try to resolve the name on its own?

 Or do I need to provide glue records in the delegated zone ...  probably
 not, but thought I'd better ask.

 Version: 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 if it matters.

 Peter


 --
 Peter Laws / N5UWY
 National Weather Center / Network Operations Center
 University of Oklahoma Information Technology
 pl...@ou.edu
 ---
 Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!

Re: Can I have a *.domain.com A record

2009-10-26 Thread Mike Ragusa
http://www.rfc-archive.org/getrfc.php?rfc=4592

This link should help you.

On Mon, Oct 26, 2009 at 8:17 AM, ram r...@netcore.co.in wrote:


 On Mon, 2009-10-26 at 11:39 +0100, Stephane Bortzmeyer wrote:
  On Mon, Oct 26, 2009 at 04:01:31PM +0530,
   ram r...@netcore.co.in wrote
   a message of 10 lines which said:
 
   Is it possible to have a A record for *.domain.com
 
  Technically, yes. It is a very bad idea, but it works.
 
 Can you elaborate on that please. If wildcard DNS is a bad idea, then I
 need to tell my clients why?


 Thanks
 Ram