[pfx] Re: SPF questions
On 2023-06-12 at 04:19:12 UTC-0400 (Mon, 12 Jun 2023 20:19:12 +1200) Peter via Postfix-users is rumored to have said: > Technically it's an invalid MX record because MX records must point to a > hostname, not an IP address. > > They are probably trying (but failing) to implement a null MX record: > > https://www.rfc-editor.org/rfc/rfc7505 Also, it may be an artifact of discussions ~2 decades ago about how best to express the mail-nonexistence of a domain. I am certain I saw it proposed at least twice as a way to make misuse of such a domain noisy and painful. > > > Peter > > > On 12/06/23 19:50, wesley--- via Postfix-users wrote: >>> >>> Note there is also RFC 7505 "Null MX" where you simply add "IN MX 0 ." to >>> any DNS name you wish not to send or accept e-mail. (this is designed to >>> work around implicie MX records when A record is present). >>> >> >> I saw some domains have MX pointing to 127.0.0.1. what does this mean? >> >> Thanks. >> ___ >> Postfix-users mailing list -- postfix-users@postfix.org >> To unsubscribe send an email to postfix-users-le...@postfix.org > ___ > Postfix-users mailing list -- postfix-users@postfix.org > To unsubscribe send an email to postfix-users-le...@postfix.org -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: SPF questions
Technically it's an invalid MX record because MX records must point to a hostname, not an IP address. They are probably trying (but failing) to implement a null MX record: https://www.rfc-editor.org/rfc/rfc7505 Peter On 12/06/23 19:50, wesley--- via Postfix-users wrote: Note there is also RFC 7505 "Null MX" where you simply add "IN MX 0 ." to any DNS name you wish not to send or accept e-mail. (this is designed to work around implicie MX records when A record is present). I saw some domains have MX pointing to 127.0.0.1. what does this mean? Thanks. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: SPF questions
I saw some domains have MX pointing to 127.0.0.1. what does this mean? This will tell the sender of the email to connect to 127.0.0.1 which is itself. It will send the mail program chasing its own tail. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: SPF questions
Note there is also RFC 7505 "Null MX" where you simply add "IN MX 0 ." to any DNS name you wish not to send or accept e-mail. (this is designed to work around implicie MX records when A record is present). On 12.06.23 07:50, wesley--- via Postfix-users wrote: I saw some domains have MX pointing to 127.0.0.1. what does this mean? I guess it's an attempt to achieve the same. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I just got lost in thought. It was unfamiliar territory. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: SPF questions
Dnia 10.06.2023 o godz. 17:33:06 Gerd Hoerst via Postfix-users pisze: my entry e.g. 600 IN TXT "v=spf1 a mx -all" that mean all servers listet in MX enrties of my domain are allowed to send emails from my domain So if you receive an email from my domain which are not sent from one of those servers you can (if you want) put them in spam On 10.06.23 23:18, Jaroslaw Rafa via Postfix-users wrote: The original question was about a very specific SPF record, where the only entry is "-all". This SPF should be treated specially, as it indicates clearly that the domain owner does not intend to send any mail from this domain, ever. Note there is also RFC 7505 "Null MX" where you simply add "IN MX 0 ." to any DNS name you wish not to send or accept e-mail. (this is designed to work around implicie MX records when A record is present). So I would say in this case the spam signal is much stronger than with any other SPF record (ie. for domains that DO actually send mail), and regardless of how you treat SPF failures from other domains, you SHOULD reject mail from domains that have this specific type of SPF record (why accept mail from a domain that is not supposed to send any mail at all?). looks like spf-engine's pyspf-milter and policyd-spf-python support option "No_Mail = True" to explicitly reject mail in this case even if SPF is not enforced. However, this is a bit hard to do, as all existing SPF checking tools that I know do not treat this particular type of SPF record specially and don't distinguish SPF failure on this kind of record from SPF failure on any other type of SPF record. I would love to have a SPF tool that would mark SPF failure on a domain that has only "-all" as a special case, something like "absolute failure" while all other failures are just a "failure". Then I could reject messages that fail SPF "absolutely" and just ignore "normal" SPF failures (as I don't intend to check SPF on incoming mail from "normal" domains and don't actually do it now). However, I don't know any tool that makes this distinction and I'm not desperate enough to write my own ;). -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N) ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: SPF questions
Dnia 10.06.2023 o godz. 17:33:06 Gerd Hoerst via Postfix-users pisze: > my entry e.g. > > 600 IN TXT "v=spf1 a mx -all" > > that mean all servers listet in MX enrties of my domain are allowed > to send emails from my domain > > So if you receive an email from my domain which are not sent from > one of those servers you can (if you want) put them in spam The original question was about a very specific SPF record, where the only entry is "-all". This SPF should be treated specially, as it indicates clearly that the domain owner does not intend to send any mail from this domain, ever. So I would say in this case the spam signal is much stronger than with any other SPF record (ie. for domains that DO actually send mail), and regardless of how you treat SPF failures from other domains, you SHOULD reject mail from domains that have this specific type of SPF record (why accept mail from a domain that is not supposed to send any mail at all?). However, this is a bit hard to do, as all existing SPF checking tools that I know do not treat this particular type of SPF record specially and don't distinguish SPF failure on this kind of record from SPF failure on any other type of SPF record. I would love to have a SPF tool that would mark SPF failure on a domain that has only "-all" as a special case, something like "absolute failure" while all other failures are just a "failure". Then I could reject messages that fail SPF "absolutely" and just ignore "normal" SPF failures (as I don't intend to check SPF on incoming mail from "normal" domains and don't actually do it now). However, I don't know any tool that makes this distinction and I'm not desperate enough to write my own ;). -- Regards, Jaroslaw Rafa r...@rafa.eu.org -- "In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub." ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: SPF questions
Hi ! The dns entry provides info from which mailservers the receiptient should only accpet email from entire domain... whta the receiptiten is doing with that information is up to your settings in postfix my entry e.g. 600 IN TXT "v=spf1 a mx -all" that mean all servers listet in MX enrties of my domain are allowed to send emails from my domain So if you receive an email from my domain which are not sent from one of those servers you can (if you want) put them in spam Ciao Gerd Am 09.06.2023 um 02:17 schrieb wesley--- via Postfix-users: Hello, for this spf setting, bar.org.3600IN TXT "v=spf1 -all" no ip addresses were provided. does it mean all IP are passed, or no IP can pass? Thanks. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: SPF questions
wesley--- via Postfix-users skrev den 2023-06-09 02:17: Hello, for this spf setting, bar.org. 3600 IN TXT "v=spf1 -all" no ip addresses were provided. does it mean all IP are passed, or no IP can pass? no ip will pass essentially all mails is rejected from that domain if recipient enforce spf policy test ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
Re: SPF questions
On November 18, 2022 3:04:44 AM UTC, linux...@gmx.net wrote: >Dear List, > >I have enabled policyd-spf in postfix: > >smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, >reject_unauth_destination, check_policy_service unix:private/policyd-spf > > >but can you help that, when a SPF check fails, where should I setup the reject >action? > >Thanks In the config file for the policy server. Scott K
SPF questions
Dear List, I have enabled policyd-spf in postfix: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf but can you help that, when a SPF check fails, where should I setup the reject action? Thanks