茫茫網海中的冷日
Little Penguin Talk : [Repost] How to set up SPF on a DNS Server

Poster | Discussion content
冷日
(冷日)
Webmaster
  • Registered: 2008/2/19
  • From:
  • Posts: 15771
[Repost] How to set up SPF on a DNS Server
How to set up SPF on a DNS Server

About SPF:
SPF stands for Sender Policy Framework. It is a mechanism that protects a domain holder from spammers sending mail in the domain's name. It works by adding an SPF record to the domain's
DNS that states which hosts this domain sends mail through. The format of an SPF record is:
v=spf1 [[pre] type [ext] ] … [mod]

If you are not familiar with SPF records, that is fine; I feel they are not needed very often anyway. The official SPF site provides a very handy SPF WIZARD that
generates an SPF record string from your settings; just add it to DNS and restart.
http://old.openspf.org/wizard.html?mydomain=&x=35&y=6 (The SPF Setup Wizard)

Additional notes:
SPF is short for Sender Policy Framework. It is a technique for telling whether a sender's source IP address is forged. It lives on the DNS server and tells
others that mail sent from cpc.com.tw will always come from source IP address 203.69.155.3. Suppose xxx@cpc.com.tw sends mail to Yahoo: Yahoo checks whether the source IP address
declared by cpc.com.tw's DNS server matches the actual source IP address of the connection; if it does, the sender should be trustworthy.

To add an SPF record on a DNS server:
1. Linux BIND
Suppose our domain is hgiga.com and its outbound IP addresses are 210.241.239.221, 203.69.97.156 and 210.241.239.253.
In /var/named/hgiga.com.hosts, add the following:
hgiga.com.                500     IN      TXT     "v=spf1 ip4:210.241.239.221 ip4:203.69.97.156 ip4:210.241.239.253 ?all"

As you can see, it is a TXT record. 500 sets the TTL (Time To Live) in seconds; 500 seconds means the record does not need to be re-read for 500 seconds.
2. Solaris
Suppose my domain is cpc.com.tw and its outbound IP address is 203.69.155.3.
In /var/named/named.data, add the following:
cpc.com.tw.     500     IN      TXT     "v=spf1 ip4:203.69.155.3 mx a:ap1.cpc.com.tw a:ap2.cpc.com.tw a:ap3.cpc.com.tw ?all"

Then run kill -1 against named's PID (kill -1 named.pid) to make the settings take effect.

Testing whether the SPF record works:
1. http://www.seoconsultants.com/tools/spf/
Enter the domain, e.g. hgiga.com, then enter the source IP address, e.g. 210.241.239.221; a Result of Pass means it is a trusted source.
2. http://www.dnsreport.com/
Enter the domain, e.g. hgiga.com; the last part of the Mail section of the report will say that you have an SPF record.
3. Using the dig command
        # dig txt hgiga.com
        ;; ANSWER SECTION:
        hgiga.com.              500     IN      TXT     "v=spf1 ip4:210.241.239.221 ip4:203.69.97.156 ip4:210.241.239.253 ?all"


Notes:
1. Perl CPAN library: Mail::SPF::Query (this library can be used to query SPF records and thereby verify whether the sender's source IP is trustworthy)
2. SPF official site: http://www.openspf.org/


Source: - Other - How to set up SPF on a DNS Server, HGIGA Service Docs
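To make the evaluation the post describes concrete (the receiving server comparing the connecting IP against the ip4, a and mx mechanisms, then falling through to the all qualifier), here is an added example that is not part of the posted article. It evaluates the cpc.com.tw and similar records against a sending IP; the A and MX tables are constructed stand-ins for DNS lookups, and it also covers the ~all and -all qualifiers used later in this thread.

```python
import ipaddress

# Constructed A/MX data standing in for live DNS answers (not real lookups).
A_RECORDS = {
    "cpc.com.tw": ["203.69.155.3"],
    "ap1.cpc.com.tw": ["203.69.155.10"],
    "ap2.cpc.com.tw": ["203.69.155.11"],
    "ap3.cpc.com.tw": ["203.69.155.12"],
    "mail.cpc.com.tw": ["203.69.155.20"],
    "theos.in": ["192.0.2.10"],
    "smtp.theos.in": ["192.0.2.25"],
}
MX_RECORDS = {"cpc.com.tw": ["mail.cpc.com.tw"], "theos.in": ["smtp.theos.in"]}

# Qualifier prefixes: no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mechanism_matches(mech, client_ip, domain):
    """True if one mechanism (ip4/a/mx/all) matches the connecting IP."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":                      # single address or CIDR block
        return client_ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":                        # A record of the named host, or of the domain
        return str(client_ip) in A_RECORDS.get(arg or domain, [])
    if name == "mx":                       # A records of the domain's MX hosts
        return any(str(client_ip) in A_RECORDS.get(host, [])
                   for host in MX_RECORDS.get(arg or domain, []))
    raise ValueError("unsupported mechanism: " + mech)


def check_spf(record, client_ip, domain):
    """Evaluate a TXT record for `domain` against the sending IP.

    Returns pass/fail/softfail/neutral, or "none" if it is not an SPF record.
    First matching mechanism wins; if nothing matches (no trailing all) -> neutral.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mechanism_matches(mech, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"
```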
冷日
(冷日)
Webmaster
  • Registered: 2008/2/19
  • From:
  • Posts: 15771
[Repost] Linux BIND DNS Configure Sender Policy Framework ( SPF ) an e-mail Anti Forgery System

Linux BIND DNS Configure Sender Policy Framework ( SPF ) an e-mail Anti Forgery System

by on February 9, 2008 · 1 comment · last updated at October 28, 2008

Q.
How do I configure Sender Policy Framework (SPF) anti spam forgery system under Redhat Linux BIND server? I was advised to configure SPF for our corporate domain to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam.

A. Spammers always try to spoof e-mail. Normal SMTP allows any computer to send an e-mail claiming to be from anyone. Thus, it's easy for spammers to send e-mail from forged addresses. This makes it difficult to trace back to where the spam truly comes from, and easy for spammers to hide their true identity in order to avoid responsibility. Many believe that the ability for anyone to forge sender addresses (also known as Return-Paths) is a security flaw in modern SMTP, caused by an undesirable side-effect of the deprecation of source routes.

Steps to configure Sender Policy Framework

First, you need access to the DNS server zone files. Some domain registrars / ISPs provide a front end (control panel) to define SPF records. You need to set a TXT record by editing the zone file. It allows you to define the real IP address of your mail server and other hosts such as the web server.

Set SPF for a domain called theos.in

Open your dns zone file such as /var/named/data/zone.theos.in and append something as follows:

@                      86400    IN TXT   "v=spf1 a mx ~all"

OR

theos.in.             IN TXT "v=spf1 a mx ~all"

Save and close the zone file. Restart bind:
# service named restart
Where,

  • v=spf1 : Defines an SPF record.
  • a : theos.in's IP address is xx.yy.zz.eee and that server is allowed to send mail from theos.in.
  • mx : theos.in has one MX server called smtp.theos.in. It is allowed to send mail from theos.in.
  • ~all : SPF queries that do not match any other mechanism will return "softfail". Messages that are not sent from an approved server should still be accepted but may be subjected to greater scrutiny. If you need tight control replace ~all with -all (hard fail).
    For example, in the following record the "a" and "mx" specify the systems permitted to send messages for the given domain. The "-all" at the end specifies that, if the previous mechanisms did not match, the message should be rejected.
cyberciti.biz.             IN TXT "v=spf1 a mx -all"

Large network setup

Let us say you have a corporate domain called nixcraft.com with static IP network 74.86.49.128/28. All IPs in this range can send an email. Your email server is called smtp.nixcraftmail.com. You need to set SPF as follows for the nixcraft.com domain:

nixcraft.com. IN TXT "v=spf1 ip4:74.86.49.128/28 a mx ~all"
Also you need to set SPF for nixcraftmail.com as follows:
smtp.nixcraftmail.com. IN TXT "v=spf1 a -all"

tinydns (djbdns) DNS Setup

If you run tinydns / djbdns, enter following:


'nixcraft.com:v=spf1 ip4\07274.86.49.128/28 a mx ~all:3600
'smtp.nixcraftmail.com:v=spf1 a -all:3600

Test SPF / SPF record lookup

First make sure the SPF TXT record is updated, using a DNS client tool such as host or dig:
$ host -t txt domain.com
$ host -t txt nixcraft.com
$ host -t txt nixcraft.com ns1.isp.com

If your SPF is configured correctly, webmail services such as Gmail or Yahoo Mail can display the SPF result when viewing email headers:
(Fig. 01: SPF in action - Gmail confirms the email is sent by my own server [mailed-by cyberciti.biz])
To view email headers click on the Reply down arrow > Show original:


Received-SPF: pass (google.com: domain of vivek@cyberciti.biz designates 74.86.48.98 as permitted sender) client-ip=74.86.48.98;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of vivek@cyberciti.biz designates 74.86.48.98 as permitted sender) smtp.mail=vivek@cyberciti.biz

Microsoft 2000 / 2003 / 2008 DNS SPF Configurations


If you run Microsoft DNS server, see these instructions.

Sample BIND zone file for cyberciti.biz domain


$ORIGIN cyberciti.biz.   ; trailing dot: an $ORIGIN without it is appended to the current origin
$TTL 86400
@ IN SOA ns1.cyberciti.biz. vivek.cyberciti.biz. (
2008020302 ; Serial
3600 ; Refresh
300 ; Retry
604800 ; Expire
3600) ; Minimum
@ 86400 IN NS ns1.cyberciti.biz.
@ 86400 IN NS ns2.cyberciti.biz.
@ 3600 IN MX 10 smtp.cyberciti.biz.
@ 86400 IN TXT "v=spf1 ip4:74.86.49.128/28 a mx ~all"
feeds 86400 IN CNAME feeds.feedburner.com.
* 3600 IN A 74.86.49.130
@ 86400 IN A 74.86.49.130
rd 86400 IN A 74.86.49.130
www 3600 IN A 74.86.49.130
vpn 86400 IN A 10.10.2.5


Source: Linux BIND DNS Configure Sender Policy Framework ( SPF ) an e-mail Anti Forgery System
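The tinydns lines in the post above differ from the BIND records only in framing and in the escaping of the colon inside "ip4:" (octal \072, because ":" is tinydns's field separator). As an added example, not from the posted article, this converter turns a BIND TXT line into the equivalent tinydns data line; the origin argument for "@" names is an assumption of this example.

```python
import re

# One BIND TXT line: owner, optional TTL, "IN TXT" and a single quoted string.
TXT_LINE = re.compile(r'^(\S+)\s+(?:(\d+)\s+)?IN\s+TXT\s+"([^"]*)"\s*$')


def tinydns_escape(text):
    """Escape a TXT string for a tinydns data line.

    tinydns data is byte oriented: ':' would end the field and '\\' starts an
    escape, so both, and any non-printable byte, are written as \\ooo (octal).
    """
    out = []
    for b in text.encode("utf-8"):
        if 0x20 <= b < 0x7F and chr(b) not in ":\\":
            out.append(chr(b))
        else:
            out.append("\\%03o" % b)
    return "".join(out)


def bind_txt_to_tinydns(line, origin=None, default_ttl=3600):
    """Convert `name [ttl] IN TXT "..."` into `'fqdn:escaped-text:ttl`.

    `@` is expanded with `origin`; a missing TTL falls back to default_ttl,
    matching the 3600 used in the posted tinydns lines.
    """
    m = TXT_LINE.match(line.strip())
    if not m:
        raise ValueError("not a BIND TXT record: " + line)
    name, ttl, text = m.groups()
    if name == "@":
        if origin is None:
            raise ValueError("'@' owner needs an origin")
        name = origin
    name = name.rstrip(".")                 # tinydns names carry no trailing dot
    return "'%s:%s:%s" % (name, tinydns_escape(text), ttl or default_ttl)
```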
冷日
(冷日)
Webmaster
  • Registered: 2008/2/19
  • From:
  • Posts: 15771
[Repost] How to set up a proper mail server SPF TXT record in Bind (named) DNS server

How to set up a proper mail server SPF TXT record in Bind (named) DNS server

I've recently figured out that some of the SPF records I'm using for some of the mail servers administrated by me were found to be incorrect by Microsoft's mail servers for hotmail.com, msn.net and live.com.

Probably the SPF records that I had used so far were found to be incorrect by other mail account service providers also.
As a consequence of these wrongly considered SPFs, Microsoft mail servers were either rejecting my mail server's messages or putting the received messages in the Junk folder.

The SPF records which were shown as incorrect according to Microsoft's SPF checking mechanism, called the SenderID SPF Record Wizard, were defined in my bind dns domain zone file as follows:


mydomainname.com.            IN  TXT     "v=spf1 mx ip4:123.124.128.125 ~all"


Using this TXT SPF record dns configuration, Microsoft's Sender ID SPF Record Wizard claimed I had no SPF records at all, e.g., checking with the wizard I was returning the error


No SPF Record Found


Microsoft’s Sender ID Framework SPF Record Wizard is available from: The URL address http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/.

Therefore if you're experiencing some kind of difficulty with properly sending email messages to Microsoft mail domain names or to some other major mail providers like Yahoo, it's very likely that you might have a misconfigured SPF record just like me.

To deal with the situation I had to change my SPF record to the simple:


"v=spf1 a -all"

The complete TXT record which needs to be placed in the zone file of your domain name looks like so:


mydomainname.com.            IN  TXT		"v=spf1 a -all"


The meaning of this TXT SPF record is that the IP address in the "A" record for the name is the only IP address that's allowed to use that server's name.

After that change hopefully if you’re experiencing mails entering automatically in Junk filter / mail folder with msn.com, hotmail.com, live.com or yahoo.com this problems should be immediately solved.

Checking again with the Microsoft SenderID online tool I got an output saying that my SPF record is correct, as you can read below in the output that popped up from Microsoft's page:


Sender ID Framework SPF Record Wizard

Step 2 of 4: Display Published DNS Records

The wizard has checked DNS for information about prize.bg including: SPF, MX and A records. This information is displayed below.


If an SPF record was found, you can verify its contents here and use the remaining steps of this wizard to modify the record if necessary. If no SPF record was found, you can use information from the domain's MX and A records to create a new SPF record.

Click Next to continue.

SPF Record Found
One or more functional SPF record(s) have been found for the domain mydomain.com
The full text of the domain's SPF record is as follows.

v=spf1 a -all

Another tool which helped me a lot in debugging problems with my SPF records is found on the address http://www.kitterman.com/spf/validate.html so it might be wise to use it as well in order to check that your SPF records are correct.



Source: How to set up a proper mail server SPF TXT record in Bind (named) DNS server | Walking in Light with Christ - Faith, Computing, Diary
Powered by XOOPS 2.0 © 2001-2008 The XOOPS Project