Koozali.org: home of the SME Server

How to publish internal SPF-, DKIM- and DMARC-records ?

frifri
How to publish internal SPF-, DKIM- and DMARC-records ?
« on: September 05, 2017, 12:04:07 PM »
Hi,

I want to fight spam accepted on SME with a spoofed FROM header referring to my locally hosted domains:

Code:
FROM : vmservice@owndomainB.tld
Authentication-Results: *owndomainA.tld*; auth=none; spf=none smtp.mailfrom=*owndomainB.tld*; dkim=none
Received: from Unknown (HELO [27.62.22.198]) (27.62.22.198)
 by *owndomainA.tld* (qpsmtpd/0.96) with ESMTP ; Fri, 01 Sep 2017 21:13:05 +0200
Received-SPF: none (*owndomainB.tld*: No applicable sender policy available) receiver=sme.owndomainA.tld; identity=mailfrom; envelope-from="vmservice@owndomainB.tld"; helo="[27.62.22.198]"; client-ip=27.62.22.198

DNS is resolved locally for both domains owndomainA.tld and owndomainB.tld.

So, is it possible to publish internal SPF, DKIM and DMARC records?

Thanks,

Frederik.

Daniel B.
Re: How to publish internal SPF-, DKIM- and DMARC-records ?
« Reply #1 on: September 05, 2017, 12:14:34 PM »
Yes, it's possible. E.g. for SPF, create the custom template /etc/e-smith/templates-custom/var/service/tinydns/root/data/85Spf with something like:

Code:
{
  if (($qpsmtpd{RejectSpoofedLocalDomains} || 'disabled') eq 'enabled'){
    $OUT .= "# SPF entries for local domains\n";
    # External hosts allowed to send as our domains become ip4: terms
    my @ips = grep { length } split /[;,]/, ($qpsmtpd{AllowedRemoteIP} || '');
    foreach my $domain (get_domains()){
        my $spf = join ' ', 'v=spf1', 'mx', (map { "ip4:$_" } @ips), '-all';
        # tinydns data fields are separated by ':', so a literal colon is \072
        (my $esc = $spf) =~ s/:/\\072/g;
        # TXT record: this is what SPF verifiers look up (RFC 7208)
        $OUT .= "'$domain:$esc:3600\n";
        # Legacy type-99 SPF record: the rdata is a length octet followed by
        # the string, so derive the octet from the policy instead of hard-coding it
        $OUT .= sprintf(":%s:99:\\%03o%s:3600\n", $domain, length($spf), $esc);
    }
  }
  else{
    $OUT .= "\n";
  }
}

Now, if you want to reject spoofed From email:

Code:
db configuration setprop qpsmtpd RejectSpoofedLocalDomains enabled
# If you want to allow some external servers to send emails using your domain as sender, you can:
# db configuration setprop qpsmtpd AllowedRemoteIP 12.13.14.15,19.20.21.22
signal-event dns-update
It's the end of the world!!! :lol:

frifri
Re: How to publish internal SPF-, DKIM- and DMARC-records ?
« Reply #2 on: September 05, 2017, 07:44:12 PM »
Thanks!

I also looked at this: https://anders.com/projects/sysadmin/djbdnsRecordBuilder/

And made the custom template:

Code:
{
  if (($qpsmtpd{RejectSpoofedLocalDomains} || 'disabled') eq 'enabled'){
    $OUT .= "# SPF entries for local domains\n";
    my @ips = grep { length } split /[;,]/, ($qpsmtpd{AllowedRemoteIP} || '');
    foreach my $domain (get_domains()){
        my $spf = join ' ', 'v=spf1', 'a', 'mx', (map { "ip4:$_" } @ips), '-all';
        # ':' inside a tinydns data field must be written as \072
        (my $esc = $spf) =~ s/:/\\072/g;
        # One TXT record per domain: the "'" line already is a type-16 record,
        # so an extra ":$domain:16:" line would publish a duplicate
        $OUT .= "'$domain:$esc:3600\n";
        # Legacy type-99 copy, with the length octet computed from the string
        $OUT .= sprintf(":%s:99:\\%03o%s:3600\n", $domain, length($spf), $esc);
    }
  }
  else{
    $OUT .= "\n";
  }
}

But now, how can I exclude from this template some local domains that are resolved by Internet DNS servers?

Frederik
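The tinydns data lines that the 85Spf template in Reply #1 and the variant in Reply #2 generate, as an added example in Python that is not part of the thread, of SME Server or of djbdns. It builds the "'fqdn:txt:ttl" TXT record and the legacy ":fqdn:99:" record for each local domain, derives the type-99 length octet from the policy string rather than hard-coding one, decodes a record back to check that octet, skips domains whose zone is hosted elsewhere (the "next if" from the thread), and adds a DMARC TXT record at _dmarc.<domain> since the question asked about DMARC as well. owndomainA.tld, owndomainB.tld and 12.13.14.15 are the thread's placeholders; hosted-elsewhere.tld, the postmaster address and the DMARC policy values are constructed assumptions.

```python
"""Build and check tinydns data lines for SPF (and DMARC) TXT records.

Added example, not SME Server, e-smith or djbdns code. Sample domains and
addresses are constructed placeholders.
"""
import re

# tinydns-data splits each line on ':' and then unescapes \ooo (octal) in
# every field, so a ':' or a non-printable byte inside TXT data has to be
# written as an octal escape.
def tinydns_escape(text):
    out = []
    for ch in text:
        if ch in ':\\' or not 32 <= ord(ch) < 127:
            out.append('\\%03o' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

_OCTAL = re.compile(r'\\([0-7]{1,3})')

def tinydns_unescape(field):
    """Reverse of tinydns_escape; returns raw bytes the way tinydns-data does."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8) & 0xFF), field).encode('latin-1')

def spf_policy(mechanisms=('mx',), allowed_ips=()):
    """'v=spf1 <mechanisms> ip4:<ip>... -all'; the ip4 terms come from AllowedRemoteIP."""
    terms = ['v=spf1', *mechanisms, *('ip4:%s' % ip for ip in allowed_ips), '-all']
    return ' '.join(terms)

def txt_line(name, text, ttl=3600):
    """TXT record (type 16): the form SPF and DMARC verifiers actually query."""
    return "'%s:%s:%d" % (name, tinydns_escape(text), ttl)

def generic_txt_line(name, rtype, text, ttl=3600):
    """Generic record whose rdata is DNS character-strings: <len><bytes>, each
    at most 255 bytes. Used here for the legacy SPF type 99 (RFC 4408), which
    RFC 7208 deprecated; the TXT record stays the authoritative one."""
    data = text.encode('ascii')
    rdata = b''.join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                     for i in range(0, len(data), 255))
    return ':%s:%d:%s:%d' % (name, rtype, tinydns_escape(rdata.decode('latin-1')), ttl)

def parse_character_strings(field):
    """Decode escaped <len><bytes> rdata; raise if a length octet does not match
    the data that follows it (what a fixed length prefix produces for any
    policy of a different length)."""
    raw = tinydns_unescape(field)
    strings, i = [], 0
    while i < len(raw):
        n = raw[i]
        chunk = raw[i + 1:i + 1 + n]
        if len(chunk) != n:
            raise ValueError('length octet %d but only %d bytes follow' % (n, len(chunk)))
        strings.append(chunk.decode('ascii'))
        i += 1 + n
    return strings

def rdata_is_wellformed(field):
    try:
        parse_character_strings(field)
        return True
    except ValueError:
        return False

def spf_data_lines(domains, allowed_ips=(), mechanisms=('mx',), skip=(), ttl=3600):
    """One TXT record per local domain plus the legacy type-99 copy, skipping
    domains whose zone lives on an external DNS server. Exactly one TXT SPF
    record per name: RFC 7208 treats several as a permanent error."""
    lines = ['# SPF entries for local domains']
    for domain in domains:
        if domain in skip:
            continue
        policy = spf_policy(mechanisms, allowed_ips)
        lines.append(txt_line(domain, policy, ttl))
        lines.append(generic_txt_line(domain, 99, policy, ttl))
    return lines

def dmarc_data_line(domain, policy='reject', report_to=None, ttl=3600):
    """DMARC is just another TXT record at _dmarc.<domain>; the ':' in
    'mailto:' is why the escaping matters. Policy values are assumptions."""
    text = 'v=DMARC1; p=%s' % policy
    if report_to:
        text += '; rua=mailto:%s' % report_to
    return txt_line('_dmarc.' + domain, text, ttl)

if __name__ == '__main__':
    # Constructed sample input: two local domains, one zone hosted elsewhere,
    # one external relay allowed to send as these domains
    for line in spf_data_lines(['owndomainA.tld', 'owndomainB.tld', 'hosted-elsewhere.tld'],
                               allowed_ips=['12.13.14.15'], skip=['hosted-elsewhere.tld']):
        print(line)
    print(dmarc_data_line('owndomainA.tld', report_to='postmaster@owndomainA.tld'))
```

Running it prints the lines that belong in the data file; tinydns-data then compiles them into data.cdb. On SME Server you would still produce them from the template and run signal-event dns-update rather than editing /var/service/tinydns/root/data by hand, since the file is regenerated from the templates.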

Daniel B.
Re: How to publish internal SPF-, DKIM- and DMARC-records ?
« Reply #3 on: September 05, 2017, 08:01:25 PM »
In the loop, just add, for example: next if ($domain eq 'domain1.org');
« Last Edit: September 05, 2017, 11:47:29 PM by Daniel B. »

CharlieBrady
Re: How to publish internal SPF-, DKIM- and DMARC-records ?
« Reply #4 on: September 05, 2017, 10:15:54 PM »
But now, how can I exclude from this template some local domains that are resolved by Internet DNS servers?

You don't need to, since the records you are adding to tinydns won't ever be queried. dnscache will ask the Internet servers rather than the local tinydns server.

frifri
Re: How to publish internal SPF-, DKIM- and DMARC-records ?
« Reply #5 on: September 05, 2017, 11:24:35 PM »
Right! But it's ugly in the templated data file.

F.

frifri
Re: How to publish internal SPF-, DKIM- and DMARC-records ?
« Reply #6 on: September 06, 2017, 12:03:53 AM »
Shouldn't these SPF records be made by default in tinydns for domains that are resolved locally?
Why accept mails 'from' local domains if the IP is external?

Daniel B.
Re: How to publish internal SPF-, DKIM- and DMARC-records ?
« Reply #7 on: September 06, 2017, 12:05:26 AM »
There are cases where it's legitimate to have an external server sending emails with your domain as sender (e.g. an external web hoster).

frifri
Re: How to publish internal SPF-, DKIM- and DMARC-records ?
« Reply #8 on: September 06, 2017, 12:08:19 AM »
Yes, but that is the exception we can solve with the AllowedRemoteIP key.

Gary Douglas
Re: How to publish internal SPF-, DKIM- and DMARC-records ?
« Reply #9 on: April 26, 2018, 06:33:09 PM »
I like the idea of RejectSpoofedLocalDomains, and have added this 85Spf template on my SME mail servers. I had to change the IP address of one yesterday; this template causes the /var/service/tinydns/root/data file to fail to rebuild during expand-template or signal-event post-upgrade, which causes the server to fail DNS resolution to itself, both by itself and on the local network. Removing 85Spf, then expand-template /var/service/tinydns/root/data and signal-event post-upgrade; signal-event reboot brings the server back with internal DNS resolving hosts on its new IP address.

Stefano
Re: How to publish internal SPF-, DKIM- and DMARC-records ?
« Reply #10 on: April 26, 2018, 06:40:39 PM »
In that case, posting the error here or, better, filing a bug in Bugzilla could help everybody to add such a feature.