Re: need help

2019-10-05 Thread Andrew Swartz

I've been lurking on this list for a long time but I've never posted.

I've attached a perl program I threw together a couple years ago which 
does recursive SPF resolution.  This might help your debugging.


For this type of testing, pass it a domain on STDIN:
echo 'gmail.com' | spf2ip.pl

I use it to create a daily whitelist of frequent domain IP's.  I use it 
by calling it with a filename argument. It reads the file which has a 
domain on each line, iterates through all the domains, recursively 
resolving each, and creating a long list of all the SPF IP's of all the 
domains in the file.


In default mode, it adds enough comments to explain how it generates the 
results.  For example, here is the output of the above command:


# echo 'gmail.com' | spf2ip.pl

#
# gmail.com
#
#  [REDIRECT=] _spf.google.com (depth=1)
#  [INCLUDE:] _netblocks.google.com (depth=2)
35.190.247.0/24
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
173.194.0.0/16
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
#  [INCLUDE:] _netblocks2.google.com (depth=2)
#  [INCLUDE:] _netblocks3.google.com (depth=2)
172.217.0.0/19
172.217.32.0/20
172.217.128.0/19
172.217.160.0/20
172.217.192.0/19
108.177.96.0/19
35.191.0.0/16
130.211.0.0/22




SPF resolution of "microsoft.com" returns 76 IP's.

Adding a "-d" argument will output a lot more debug info, whereas "-q' 
suppresses any debug info and only outputs IP's.  The header of the perl 
file does some explanation, but it was only intended for me to read, so 
it is not a super thorough explanation.


And yes, it looks like a stereotypical perl program (ugly, quick, and 
functional).


Hope this helps,
-Andy







On 9/30/2019 7:21 AM, gil...@poolp.org wrote:

September 30, 2019 4:25 PM, "Denis Fondras"  wrote:


On Mon, Sep 30, 2019 at 01:55:28PM +, gil...@poolp.org wrote:


Hello,

I'd like to bring native support for SPF in OpenSMTPD in a future release,
but for this I need a bit of help to make sure my SPF resolver works fine.

I have created a repository with a standalone executable that performs the
SPF lookup and checks if an IP address is allowed to send on behalf of the
sending domain:

https://github.com/poolpOrg/spf

https://github.com/poolpOrg/spf/blob/master/README.md

If you could test and report issues, it would be nice,


It seems IPv6 check is broken :

$ dig ledeuns.net TXT +short
"v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 ip6:2a00:6060:::1005:ff02 -all"

$ ./spf ledeuns.net 185.22.129.1
checking if 185.22.129.1 can send for ledeuns.net: fail
$ ./spf ledeuns.net 185.22.129.11
checking if 185.22.129.11 can send for ledeuns.net: pass
$ ./spf ledeuns.net 2a00:6060:1::1
checking if 2a00:6060:1::1 can send for ledeuns.net: fail



will fix that, thanks



#!/usr/bin/perl

# PURPOSE/FUNCTION
# This program performs recursive DNS lookups of spf records (which are in TXT 
records)
# and keeps recursing until numeric addresses are reached.  Tested with IP4, 
but the regex's
# ~should~ function with IP6 addresses.

# INPUT
# filename: text file, one domain per line, # and blank lines ignored.
# STDIN: list of one or more domans to lookup

#OUTPUT
# single numeric address per line
# recursive comments will be included if ($DomainNameComments == 1)

# DEPENDENCIES:
# 1. PERL installed at the above target.
# 2. 'dig' command.

# ASSUMPTIONS:
# 1. This program DOES do recursive spf resolution (i.e. a reverse lookup of 
ALL spf-authorized sending IP's.)
# 2. This program does NOT do forward MX resolutions (i.e. lookup of where to 
send mail).

use Switch;

# Global variable which is the final product.
my @IPlist;
my $DomainNameComments = 1;
my @DomainNames;

my $ARGERROR=0;
# The HASH for the command line settings (i.e. arguments).
my %settings =  (   -q  =>  0,  # "quiet" which 
suppresses comments in output.
-d  =>  0   # 
"debug" which adds debug info to the output.
);
# Iterate through the args, confirming accuracy and making settings.
foreach my $arg (@ARGV) {
if (exists $settings{$arg}) { 
$settings{$arg} =  1;
}
else {
print "\'$arg\' is invalid argument!\n";
$ARGERROR++;
}
}
# Exit if any invalid arguments.
if ($ARGERROR) { exit; }


# Read domain names from STDIN.
foreach my $line (  ) {
chomp( $line );
foreach my $arg (split(' ',$line)) {
push(@DomainNames,$arg);
}

Re: need help

2019-09-30 Thread gilles
September 30, 2019 4:25 PM, "Denis Fondras"  wrote:

> On Mon, Sep 30, 2019 at 01:55:28PM +, gil...@poolp.org wrote:
> 
>> Hello,
>> 
>> I'd like to bring native support for SPF in OpenSMTPD in a future release,
>> but for this I need a bit of help to make sure my SPF resolver works fine.
>> 
>> I have created a repository with a standalone executable that performs the
>> SPF lookup and checks if an IP address is allowed to send on behalf of the
>> sending domain:
>> 
>> https://github.com/poolpOrg/spf
>> 
>> https://github.com/poolpOrg/spf/blob/master/README.md
>> 
>> If you could test and report issues, it would be nice,
> 
> It seems IPv6 check is broken :
> 
> $ dig ledeuns.net TXT +short
> "v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 ip6:2a00:6060:::1005:ff02 
> -all"
> 
> $ ./spf ledeuns.net 185.22.129.1
> checking if 185.22.129.1 can send for ledeuns.net: fail
> $ ./spf ledeuns.net 185.22.129.11
> checking if 185.22.129.11 can send for ledeuns.net: pass
> $ ./spf ledeuns.net 2a00:6060:1::1
> checking if 2a00:6060:1::1 can send for ledeuns.net: fail


will fix that, thanks



Re: need help

2019-09-30 Thread gilles
September 30, 2019 4:51 PM, "Joel Carnat"  wrote:

> Le 30/09/2019 15:55, gil...@poolp.org a écrit :
> 
>> Hello,
>> I'd like to bring native support for SPF in OpenSMTPD in a future > release,
>> but for this I need a bit of help to make sure my SPF resolver works > fine.
>> I have created a repository with a standalone executable that performs > the
>> SPF lookup and checks if an IP address is allowed to send on behalf of > the
>> sending domain:
>> https://github.com/poolpOrg/spf
>> https://github.com/poolpOrg/spf/blob/master/README.md
>>> If you could test and report issues, it would be nice,
> 
> As much as I can understand it, recursion seem to not work.
> 
> Working example:
> # dig -t TXT carnat.net
> carnat.net. 14314 IN TXT "v=spf1 mx -all"
> # ./spf carnat.net 108.61.176.54
> checking if 108.61.176.54 can send for carnat.net: pass
> # ./spf carnat.net 157.55.9.128
> checking if 157.55.9.128 can send for carnat.net: fail
> 
> Not fully working example:
> # dig -t TXT outlook.com
> outlook.com. 600 IN TXT "v=spf1 include:spf-a.outlook.com 
> include:spf-b.outlook.com
> ip4:157.55.9.128/25 include:spf.protection.outlook.com 
> include:spf-a.hotmail.com
> include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all"
> # ./spf outlook.com 157.55.9.128
> checking if 157.55.9.128 can send for outlook.com: EXISTS: 0
> EXISTS: 0
> pass
> 
> # dig -t TXT spf-a.hotmail.com
> spf-a.hotmail.com. 3600 IN TXT "v=spf1 ip4:157.55.0.192/26 
> ip4:157.55.1.128/26 ip4:157.55.2.0/25
> ip4:65.54.190.0/24 ip4:65.54.51.64/26 ip4:65.54.61.64/26 ip4:65.55.111.0/24 
> ip4:65.55.116.0/25
> ip4:65.55.34.0/24 ip4:65.55.90.0/24 ip4:65.54.241.0/24 ip4:207.46.117.0/24 
> ~all"
> # ./spf outlook.com 65.54.190.5
> checking if 65.54.190.5 can send for outlook.com: EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> soft-fail

I'll look into that, I thought I had handled this case already but I may have 
missed something



Re: need help

2019-09-30 Thread gilles
I'll investigate that, but spfwalk isn't a real SPF resolver and may
yield incorrect results, it just helps a bit.


September 30, 2019 4:27 PM, "Nick Ryan"  wrote:

> Seems to work fine for some hosts but not gmail.com or outlook.com
> 
> mail3$ smtpctl spf walk < 1 (this is gmail.com)
> 35.190.247.0/24
> 64.233.160.0/19
> 
> mail3$ ./spf gmail.com 35.190.247.3 <- in the output of spfwalk
> checking if 35.190.247.3 can send for gmail.com: EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> soft-fail
> 
> mail3$ ./spf gmail.com 185.185.185.185 <- made up address
> checking if 185.185.185.185 can send for gmail.com: EXISTS: 0
> EXISTS: 0
> EXISTS: 0
> soft-fail
> 
> mail3$ ./spf poolp.org 45.76.46.201
> checking if 45.76.46.201 can send for poolp.org: pass
> mail3$ ./spf poolp.org 45.76.46.202
> checking if 45.76.46.202 can send for poolp.org: fail
> 
> Regards - Nick
> 
> On 30/09/2019 14:55, gil...@poolp.org wrote:
> 
>> Hello,
>> I'd like to bring native support for SPF in OpenSMTPD in a future > release,
>> but for this I need a bit of help to make sure my SPF resolver works > fine.
>> I have created a repository with a standalone executable that performs > the
>> SPF lookup and checks if an IP address is allowed to send on behalf of > the
>> sending domain:
>> https://github.com/poolpOrg/spf
>> https://github.com/poolpOrg/spf/blob/master/README.md
>>> If you could test and report issues, it would be nice,



Re: need help

2019-09-30 Thread gilles
yup

September 30, 2019 4:23 PM, "Chris Bennett"  
wrote:

> ./spf no-seas-necio.ninja 162.255.139.10: pass
> ./spf no-seas-necio.ninja 162.255.139.11: soft-fail
> 
> Which matches my spf entry. v=spf1 mx ~all.
> Is that the correct response?
> 
> Chris Bennett



Re: need help

2019-09-30 Thread gilles
yes, this is debug code which i don't  want to spend time making portable ;-)


September 30, 2019 4:10 PM, "Reio Remma"  wrote:

> On 30/09/2019 16:55, gil...@poolp.org wrote:
> 
>> Hello,
>> 
>> I'd like to bring native support for SPF in OpenSMTPD in a future release,
>> but for this I need a bit of help to make sure my SPF resolver works fine.
>> 
>> I have created a repository with a standalone executable that performs the
>> SPF lookup and checks if an IP address is allowed to send on behalf of the
>> sending domain:
>> 
>> https://github.com/poolpOrg/spf
>> 
>> https://github.com/poolpOrg/spf/blob/master/README.md
>> 
>> If you could test and report issues, it would be nice,
> 
> Is it OpenBSD only atm?
> 
> On CentOS 7:
> 
> $ make
> Makefile:26: *** missing separator.  Stop.
> 
> Reio



Re: need help

2019-09-30 Thread Denis Fondras
On Mon, Sep 30, 2019 at 01:55:28PM +, gil...@poolp.org wrote:
> Hello,
> 
> I'd like to bring native support for SPF in OpenSMTPD in a future release,
> but for this I need a bit of help to make sure my SPF resolver works fine.
> 
> I have created a repository with a standalone executable that performs the
> SPF lookup and checks if an IP address is allowed to send on behalf of the
> sending domain:
> 
> https://github.com/poolpOrg/spf
> 
> https://github.com/poolpOrg/spf/blob/master/README.md
> 
> 
> If you could test and report issues, it would be nice,
> 

It seems IPv6 check is broken :

$ dig  ledeuns.net TXT +short
"v=spf1 ip4:185.22.129.11 ip6:2a00:6060:1::1 ip6:2a00:6060:::1005:ff02 -all"

$ ./spf ledeuns.net 185.22.129.1
checking if 185.22.129.1 can send for ledeuns.net: fail
$ ./spf ledeuns.net 185.22.129.11
checking if 185.22.129.11 can send for ledeuns.net: pass
$ ./spf ledeuns.net 2a00:6060:1::1
checking if 2a00:6060:1::1 can send for ledeuns.net: fail



Re: need help

2019-09-30 Thread Joel Carnat

Le 30/09/2019 15:55, gil...@poolp.org a écrit :

Hello,

I'd like to bring native support for SPF in OpenSMTPD in a future 
release,
but for this I need a bit of help to make sure my SPF resolver works 
fine.


I have created a repository with a standalone executable that performs 
the
SPF lookup and checks if an IP address is allowed to send on behalf of 
the

sending domain:

https://github.com/poolpOrg/spf

https://github.com/poolpOrg/spf/blob/master/README.md


If you could test and report issues, it would be nice,


As much as I can understand it, recursion seem to not work.

Working example:
# dig -t TXT carnat.net
carnat.net. 14314   IN  TXT "v=spf1 mx -all"
# ./spf carnat.net 108.61.176.54
checking if 108.61.176.54 can send for carnat.net: pass
# ./spf carnat.net 157.55.9.128
checking if 157.55.9.128 can send for carnat.net: fail

Not fully working example:
# dig -t TXT outlook.com
outlook.com.600 IN  TXT "v=spf1 
include:spf-a.outlook.com include:spf-b.outlook.com ip4:157.55.9.128/25 
include:spf.protection.outlook.com include:spf-a.hotmail.com 
include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all"

# ./spf outlook.com 157.55.9.128
checking if 157.55.9.128 can send for outlook.com: EXISTS: 0
EXISTS: 0
pass

# dig -t TXT spf-a.hotmail.com
spf-a.hotmail.com.  3600IN  TXT "v=spf1 
ip4:157.55.0.192/26 ip4:157.55.1.128/26 ip4:157.55.2.0/25 
ip4:65.54.190.0/24 ip4:65.54.51.64/26 ip4:65.54.61.64/26 
ip4:65.55.111.0/24 ip4:65.55.116.0/25 ip4:65.55.34.0/24 
ip4:65.55.90.0/24 ip4:65.54.241.0/24 ip4:207.46.117.0/24 ~all"

# ./spf outlook.com 65.54.190.5
checking if 65.54.190.5 can send for outlook.com: EXISTS: 0
EXISTS: 0
EXISTS: 0
EXISTS: 0
EXISTS: 0
EXISTS: 0
soft-fail



Re: need help

2019-09-30 Thread Nick Ryan

Seems to work fine for some hosts but not gmail.com or outlook.com

mail3$ smtpctl spf walk < 1   (this is gmail.com)
35.190.247.0/24
64.233.160.0/19

mail3$ ./spf gmail.com 35.190.247.3   <- in the output of spfwalk
checking if 35.190.247.3 can send for gmail.com: EXISTS: 0
EXISTS: 0
EXISTS: 0
soft-fail

mail3$ ./spf gmail.com 185.185.185.185 <- made up address
checking if 185.185.185.185 can send for gmail.com: EXISTS: 0
EXISTS: 0
EXISTS: 0
soft-fail

mail3$ ./spf poolp.org 45.76.46.201
checking if 45.76.46.201 can send for poolp.org: pass
mail3$ ./spf poolp.org 45.76.46.202
checking if 45.76.46.202 can send for poolp.org: fail

Regards - Nick

On 30/09/2019 14:55, gil...@poolp.org wrote:

Hello,

I'd like to bring native support for SPF in OpenSMTPD in a future 
release,
but for this I need a bit of help to make sure my SPF resolver works 
fine.


I have created a repository with a standalone executable that performs 
the
SPF lookup and checks if an IP address is allowed to send on behalf of 
the

sending domain:

https://github.com/poolpOrg/spf

https://github.com/poolpOrg/spf/blob/master/README.md


If you could test and report issues, it would be nice,




Re: need help

2019-09-30 Thread Chris Bennett
./spf no-seas-necio.ninja 162.255.139.10: pass
./spf no-seas-necio.ninja 162.255.139.11: soft-fail

Which matches my spf entry. v=spf1 mx ~all.
Is that the correct response?

Chris Bennett





Re: need help

2019-09-30 Thread Edgar Pettijohn

On Sep 30, 2019 9:10 AM, Reio Remma  wrote:
>
> On 30/09/2019 16:55, gil...@poolp.org wrote:
> > Hello,
> >
> > I'd like to bring native support for SPF in OpenSMTPD in a future release,
> > but for this I need a bit of help to make sure my SPF resolver works fine.
> >
> > I have created a repository with a standalone executable that performs the
> > SPF lookup and checks if an IP address is allowed to send on behalf of the
> > sending domain:
> >
> > https://github.com/poolpOrg/spf
> >
> > https://github.com/poolpOrg/spf/blob/master/README.md
> >
> >
> > If you could test and report issues, it would be nice,
> >
>
> Is it OpenBSD only atm?
>
> On CentOS 7:
>
> $ make
> Makefile:26: *** missing separator.  Stop.
>
> Reio
>
>

Looking at the makefile. My guess is yes, but you could try bmake and see if it 
gets further.

Edgar

Re: need help

2019-09-30 Thread Reio Remma

On 30/09/2019 16:55, gil...@poolp.org wrote:

Hello,

I'd like to bring native support for SPF in OpenSMTPD in a future release,
but for this I need a bit of help to make sure my SPF resolver works fine.

I have created a repository with a standalone executable that performs the
SPF lookup and checks if an IP address is allowed to send on behalf of the
sending domain:

https://github.com/poolpOrg/spf

https://github.com/poolpOrg/spf/blob/master/README.md


If you could test and report issues, it would be nice,



Is it OpenBSD only atm?

On CentOS 7:

$ make
Makefile:26: *** missing separator.  Stop.

Reio




Re: need help to understand the logic of new grammar

2018-10-31 Thread Илья Коскин
I'll try to answer myself.
As i see, the options "from local" and "for local" is the defaults, and can
be omitted?
So, the first match can be cut to
match action "mbox" ??
the my first question i have understood, if "from local" is the default,
than it will not work without "from any"
the second question was about "from any" in the 4th match. I see, if i try
to send email, i connect to egress, so this is not local, and will not
work. also i cant use "from "
and in trird match, mails from dkim proxy come to lo0, so they are
processed as local and the rule can be extended to:
match from local tag DKIM for any action "relay" am i right?

so the last question, can i limit mta to inet4 only?

ср, 31 окт. 2018 г. в 15:04, Илья Коскин :

> Hello list! Please look at my match-action definitions:
>
> action "mbox" mbox alias 
> action "mda" mda "/usr/local/bin/procmail" alias 
> action "relay" relay
> action "relay_dkim" relay host smtp://127.0.0.1:10027
>
> match for local action "mbox"
> match from any for domain  action "mda"#2nd match
> match tag DKIM for any action "relay"   #3rd match
> match auth from any for any action "relay_dkim"  #4th match
>
> I have some questions about matches.
> 1) If I remove "from any" in the second match, smtpd will not accept any
> mail from internet. Why?
> 2) In the 4th match, again, without "from any" I can't send mail to
> anywhere. How can I know, where i need to use "from any" and where i don't?
> For example 3rd match work without "from any"
> 3) is this config comosed secure and correctly?
> maybe it is option to use
> match auth from  for any action "relay_dkim" ?
> if this work, it can partially help to prevent spamming from compromised
> users.
>
> Also, is there any way to limit mta sending only from ipv4?
>
> Thank's!
>
>


Re: Need help with configuration using DNS aliases

2016-02-12 Thread Edgar Pettijohn
Yes it can. However, 

By default, when connecting to a remote server, smtpd(8) advertises its default 
server name. A hostname parameter may be specified to advertise the alternate 
hostname name. If the source parameter is used, the hostnames parameter may be 
specified to advertise a hostname based on the source address. Table names 
contains a mapping of IP addresses to hostnames and smtpd(8) will automatically 
select the name that matches its source address when connected to the remote 
server. The hostname and hostnames parameters are mutually exclusive.

You need separate ip's for hostname selection in relay context.

Sent from my iPhone

> On Feb 12, 2016, at 5:08 PM, Michael Burk  wrote:
> 
> After some experimentation I think I can compress this problem down to one 
> question:
> 
> Is it possible for an OpenSMTPD host to process email addressed to two 
> different host names, both of which resolve to the same address?
> 
> When I set "mailname," any mail sent to that name works fine. Mail addressed 
> to the alternate host name loops.
> 
> I thought the "virtual" keyword would be for this purpose, but I've had no 
> luck with it.
> 
> Thanks,
> 
>> On Tue, Feb 9, 2016 at 10:44 AM, Michael Burk  wrote:
>> Thanks Craig for the reply.
>> 
>> I changed the CNAME to an A record as you suggested. Sadly, it still loops 
>> when I send the email to the "alternate" name. It seems that OpenSMTPD 
>> doesn't realize that the two names are the same server.
>> 
>> I should mention that the whole reason we have an alias is that I have two 
>> servers setup as mail servers, and the alias gives us an easy way to switch 
>> hosts if one goes down (all mail is addressed to the alias). Also, I have no 
>> MX records. I don't know if I should, but Sendmail has always worked without 
>> it.
>> 
>>> On Tue, Feb 9, 2016 at 4:42 AM, Craig Skinner  
>>> wrote:
>>> Hi Michael,
>>> 
>>> On 2016-02-08 Mon 16:49 PM |, Michael Burk wrote:
>>> >
>>> > If I send a message to the server's CNAME, it goes into a loop which is
>>> > eventually detected and shut down:
>>> >
>>> 
>>> Try switching from DNS CNAMES to DNS A records:
>>> 
>>> RFC2181 has:
>>> 
>>> "10.3. MX and NS records
>>> 
>>> The domain name used as the value of a NS resource record, or part of
>>> the value of a MX resource record must not be an alias.  Not only is the
>>> specification clear on this point, but using an alias in either of these
>>> positions neither works as well as might be hoped, nor well fulfills the
>>> ambition that may have led to this approach.  This domain name must have
>>> as its value one or more address records.  Currently those will be A
>>> records, however in the future other record types giving addressing
>>> information may be acceptable.  It can also have other RRs,
>>> but never a CNAME RR. "
>>> 
>>> http://tools.ietf.org/html/rfc2181#section-10.3
>>> 
>>> --
>>> You received this mail because you are subscribed to misc@opensmtpd.org
>>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
> 


Re: Need help with configuration using DNS aliases

2016-02-12 Thread Michael Burk
After some experimentation I think I can compress this problem down to one
question:

Is it possible for an OpenSMTPD host to process email addressed to two
different host names, both of which resolve to the same address?

When I set "mailname," any mail sent to that name works fine. Mail
addressed to the alternate host name loops.

I thought the "virtual" keyword would be for this purpose, but I've had no
luck with it.

Thanks,

On Tue, Feb 9, 2016 at 10:44 AM, Michael Burk  wrote:

> Thanks Craig for the reply.
>
> I changed the CNAME to an A record as you suggested. Sadly, it still loops
> when I send the email to the "alternate" name. It seems that OpenSMTPD
> doesn't realize that the two names are the same server.
>
> I should mention that the whole reason we have an alias is that I have two
> servers setup as mail servers, and the alias gives us an easy way to switch
> hosts if one goes down (all mail is addressed to the alias). Also, I have
> no MX records. I don't know if I should, but Sendmail has always worked
> without it.
>
> On Tue, Feb 9, 2016 at 4:42 AM, Craig Skinner 
> wrote:
>
>> Hi Michael,
>>
>> On 2016-02-08 Mon 16:49 PM |, Michael Burk wrote:
>> >
>> > If I send a message to the server's CNAME, it goes into a loop which is
>> > eventually detected and shut down:
>> >
>>
>> Try switching from DNS CNAMES to DNS A records:
>>
>> RFC2181 has:
>>
>> "10.3. MX and NS records
>>
>> The domain name used as the value of a NS resource record, or part of
>> the value of a MX resource record must not be an alias.  Not only is the
>> specification clear on this point, but using an alias in either of these
>> positions neither works as well as might be hoped, nor well fulfills the
>> ambition that may have led to this approach.  This domain name must have
>> as its value one or more address records.  Currently those will be A
>> records, however in the future other record types giving addressing
>> information may be acceptable.  It can also have other RRs,
>> but never a CNAME RR. "
>>
>> http://tools.ietf.org/html/rfc2181#section-10.3
>>
>> --
>> You received this mail because you are subscribed to misc@opensmtpd.org
>> To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
>>
>>
>