Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
Improve this question
Someone is sending spam emails and is making it look like it was sent from my domain. How can i stop this email spoofing via cpanel. I read about SPF somehwhere.
Here is what my SPF in cpanel says
Your current raw SPF record is : v=spf1 +a +mx +ip4:ipaddress -all
What can i do to prevent this?
There is nothing you can do to stop them from sending email that is spoofed. You can send an email and have it look like it's coming from anywhere, and your outgoing email server (if configured to accept it, which spammers obviously would) and it will accept it. Adding an SPF record might reduce the number of those emails received by people.
You need to add (or append) to a TXT record in DNS.
v=spf1 include:your.email.domain.here -all
You can include more domains by adding another include: like:
v=spf1 include:blah1.blach1.com include:blah.blah.com -all
Hope that helps! Email is basically the most insecure protocol in existence.
You absolutely CAN stop spoofing. Have been doing it for 30+ years (before cpanel, etc.).
Regarding spoofing-- require all your users to authenticate before sending, this is the easiest way to stop spoofing on sendmail (see below for difference between spoofing and forgeries). If you are trying to block forgeries there are tools in the CPANEL (WHM) interface for require FQDN, EHLO, DKIM, etc. and other settings that will help you with this.
Also, check this thread out: https://www.webhostingtalk.com/showthread.php?t=669800
For more info on how to stop it on non-cpanel systems, continue reading. The concepts will help you understand what to change on cpanel systems as well.
The key rule to fight spoofing is that no email going through your MTA that is not on a "trusted" (e.g., internal) network should be allowed to have the sending and receiving domains be the same. Alone this will stop all spoofing. Once this rule is in placed, you add 2 more rules. The first says that internal "trusted" networks are exempted from this rule (thereby making external networks affected). The second rule is that any external connection that authenticates (username/password, etc.) is exempted from this rule. That allows your traveling sales team to send/receive email through your corporate server.
With sendmail you must require all connections to send a FQDN and that all FROM/TO address be fully qualified (so you can check the domain part).
In sendmmail.cf:
PrivacyOptions=needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings
By default in Sendmail 8.9 and later relaying from any network that is not considered "localIp" is denied via the checkrcpt() routine. So external email should only be "inbound" (unless being authenticated) and it should not have a sending domain matching your domain (unless authenticated).
Forging vs. Spoofing
There is a lot of confusion about "forging" and "spoofing". Forging is when someone sends an email claiming to be from one domain but they actually are not (such as someone pretending to be paypal). Spoofing is when an email outside of a network (e.g., outside of a business firewall) is sent to someone inside the network and both the sender and recipient have the same domain. This should never happen without the outsider being required to use authentication to bypass rejection. The reason is, that if you control an email network nobody outside your network should be originating email on your behalf without you knowing about it. If you know about it then there are various ways to adjust settings to allow it. But adjusting MX, SPF records etc. to stop spoofing is wrong. That is for identifying and stopping forgery.
Before we talk about solving spoofing in more detail, the best way to block forgeries is:
require EHLO with fqdn verify sender PTR record matches and
if not verify SPF It would be nice to use Domainkeys/DKIM, but the RFC
states that if Domainkey/DKIM can't be valided you are supposed to
treat it as thought it isn't there (so invalid DKIM should be
ignored)... frustrating. If you do decide to block emails with
bad/missing DKIM you will block almost everybody using ON365 as it's
almost universally misconfigured.
Use your access map to block foreign countries, etc., from which you
never expect to get email
Update your firewall to block networks you know are a problem.
I have learned a lot over the years with some hard lessons as I have administered email for some of the largest clusters/networks/providers in the world and some of the most well known dot-coms. Email is not an island unto itself. It is requires a tight integration with your DNS and firewall team and basics such as split-horizon DNS, DMARC, DKIM, SPF and good clean A/PTR records are critical to help manage the flow and authentication of valid email. Do not allow anybody from the outside to connect to port 25 to relay email (unless authenticated). Only internal users should be able to send OUT and external users be able to send IN. If someone inside is sending to someone inside, then they are connecting on the internal mail-servers port 25 and it is "trusted".
The best configuration works like this (does not matter what your MTA):
mailserver is inside a physical firewall.
barracuda or other anti-spam server is also inside firewall or dmz.
port 25 into your mailserver is blocked from the outside, but
allowed to your anti-spam/spamfirewall device
your MX tree is set up so that your mailserver is the primary, but
because it is not reachable from the outside, everybody will fall
back to your secondary (which is your anti-spam device).
Only your anti-spam device or internal-trusted systems should be
allowed to connect to your mailserver directly.
Use your firewall to prevent any internal system from sending email
outside directly (unless you have a very good reason) and force them
all to go through your internal mailserver to get outside (this is
the number one way to prevent spam on the Internet and every ISP
should do it)
Also, if you are using exchange, this will break inbound email because exchange needs more MX detail SOOOO (and it's a good idea anyway), you need to create a domain-level MX to your mailserver at the highest priority, but you ALSO need to create host-level MX, as follows (exch01 is your primary mail server):
# IN MX 10 exch01.mydomain.com.
# IN MX 20 barracuda.mydomain.com.
# IN MX 30 tertiary.externalmxprovider.xyz
exch01 IN MX 10 exch01.mydomain.com.
exch01 IN MX 20 barracuda.mydomain.com.
exch01 IN MX 30 tertiary.externalmxprovider.xyz
barracuda IN MX 10 barracuda.mydomain.com.
Make sure this information is advertised both internally and externally in your DNS.
I also recommend using your spam firewall as an outbound relay for your corporate email so that you can prevent from sending spam going out (in case an employee's computer get's compromised). Just configure your internal mailserver to use the anti-spam device as your "smart relay" for outbound mail.
If you need help doing this please let me know. Happy to help. I'm happy to help with any email, dns, or firewall configuration issue (dmarc, dkim, spf, etcx.)
David
Related
I'd like to set up custom domain authentication using DKIM and SPF for our 3rd party email marketing company (like mail chimp or constant contact). We also run MS exchange. Our Exchange guy is convinced that setting up DKIM and SPF for email marketing company will forever tie the reputation of the email marketing company to our exchange server. Is he correct? If not, how do I convince him?
I think I have enough info now to make this an answer...
Yes, if this is a permission-based list that you have sent to recently (if it's old that means likely spam traps) then I think you are correct that there's not much risk at all.
One way to convince this person would be to find out what IP address your MailChimp emails originate from (maybe send to a small list with just yourself on it but a real send). And then check out the reputation of this IP address using the tools available such as MX Toolbox and others, then show him the output. I'd be surprised if your Mailchimp assigned IP address was on any blacklists or had reputation issues
When he says exchange server is he talking about your company domain name taking a reputation hit? Or is he worried about the IP address from which you send non-marketing email? If he's worried about a separate IP that you send day-to-day email from then explain to him that your marketing emails will go out from a Mailchimp assigned IP address. If he's worried about the domain two things: 1. Your list is opt-in and you've sent recently so it's not an issue 2. If it was a bad list that would cause your domain to be blacklisted then whether you have DMARC, SPF, and DKIM doesn't matter, the originating IP that sends spam can get blocked for spamming regardless.
So I think you are right here but it's a matter of making the case.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 6 years ago.
Improve this question
I have a domain mydomain.com
I need to use this domain on multiple servers.
I have greengeeks shared hosting as well as AWS with few EC2 machines for my web applications.
mydomain.com is hosting a marketing site via greengeeks hosting and it also provides my email server.
I want one sub domain app.mydomain.com that will point to one of my ec2 instance, another subdomain appadmin.mydomain.com point to another ec2 instance, What is the best way to setup domains and sub-domains like this. (currently i am using different domain (mydomain.org) for my aws instance, which isn't elegant)
As my mail server is on greengeeks, and I programatically send email from my ec2 app server using an email id app#mydomain.com, some email clients shows warning as "cannot verify email origin" and some pushes it in spam folder, is there a solution to it, I read about MX and SPF record but I am confused how to create them and where to put them.
Thanks,
K
I want one sub domain app.mydomain.com that will point to one of my ec2 instance, another subdomain appadmin.mydomain.com point to another ec2 instance, What is the best way to setup domains and sub-domains like this. (currently i am using different domain (mydomain.org) for my aws instance, which isn't elegant)
I'm not sure what the question is about. You should be able to make an a-record for each site. One for app.mydomain.com and another appadmin.mydomain.com.
As my mail server is on greengeeks, and I programatically send email from my ec2 app server using an email id app#mydomain.com, some email clients shows warning as "cannot verify email origin" and some pushes it in spam folder, is there a solution to it, I read about MX and SPF record but I am confused how to create them and where to put them.
SPF records are made typically made in either TXT-records, or SPF-records if your DNS provider, has a specific section for this. Both should work.
TXT records are nothing more than a record, with some text in it, but it can be interpeted as a SPF record, if specified as one (see part 1).
SPF entries are a collection of trusted IPs/hosts, that a spamfilter or mailserver can use to validate a the IP adress of the sender.
In the email message header, it will always say where the email was sent from(cant be spoofed to my knowledge). A spamfilter will compare the sender to the SPF entries of the specific domain and decide weather to reject the message or accept it.
Lets look at one example.
v=spf1 include:1.mailserver.com include:2.mailserver.com ip4:99.99.99.99 include:relay.anothermailserver.com ?all
Part 1
Specifies the version of SPF that you're using. SPFv1 should be able to do the trick for you.
v=spf1
Part 2
You specify the mailservers/IP subnets that should be allowed to send from your domain.
include:1.mailserver.com
include:2.mailserver.com
ip4:99.99.99.99
include:relay.anothermailserver.com
Part 3
Specifies weather to mark message as (~)SoftFail, (-)HardFail, (+)Pass or (?)Neutral, when the sender is not specified in your entries.
The receiving mailserver decides, weather to reject or accept a message based on their own policy. Meaning that some spamproviders/mailservers will reject a softfail, and some still may accept it.
Generally a hardfail should get rejected.
?all
If you need some material on this subject, id sugest www.openspf.org/SPF_Record_Syntax for the syntax.
Also you can use mxtoolbox.com which has a great tool, that specifies the different parts of a record.
As for the MX records. The MX specifies the receiving mailserver and in which order it should try to send the messages to them.
Example
Sending a mail to administrator#mydomain.com
MX record for mydomain.com
Priority = 10 / 99.99.99.99
Priority = 20 / server1.mymailserver.com
Priority = 30 / server2.mymailserver.com
Priority = 5 / myloadbalancer.mymailserver.com
Here it will look up the MX-records for mydomain.com, find the MX with the lowest priority and send the message to that IP/Host. If it doesnt get an answear from the server, it will proceed to try and send to the next MX-entry. If the message is accepted by receiving mailserver, then the mail goes through. If no answer is given by any of the MX-entries, it will notify the sender address, that the message could not be sent.
Please let me know if i missed something.
/AG
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 4 years ago.
Improve this question
I have recently acquired a domain name via Google Domains. I have set some configuration to have it point at an OpenShift application via Cloudflare. Cloudflare requires me to set their DNS servers, which I did in Google Domain.
At Cloudflare, I have created two CNAME records (and nothing else). One is an alias from my mydomain.com to some.url.at.openfshit.com, and the other is from www to mydomain.com.
Yet, within Gmail Domain, I have also set an email using my domain name which is to be forwarded to a private email. But, I don't receive any emails when testing.
I am wondering whether I could have my emails forwarded properly. Is it a matter of creating a MX record at Cloudflare? If yes, with what configuration?
P.S.: I have set a MX record using instructions available here, but I get:
Delivery to the following recipient failed permanently:
contact#mydomain.com
Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain chartvibes.com by aspmx.l.google.com. [2607:f8b0:4001:c20::1b].
The error that the other server returned was:
550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 https://support.google.com/mail/answer/6596 p123si522326ioe.111 - gsmtp
The MX records you're using are for G Suite accounts. You can still forward emails with Cloudflare and Google Domains, but you'll need different MX records. As Overdrivr pointed out in a comment below, you can find your MX records in the DNS settings in Google Domains. Once you're in the DNS settings page, look for a collapsible panel called "Email forward" under the "Synthetic records" section. You should see something like this
Then, make a backup of your Cloudflare DNS setup, erase all MX records and add the ones listed in your account using the number right before the mail server (e.g., 5, 10, etc.) as its priority.
It might take a few minutes for the changes to take effect. If you try to send an email right after changing the records, it's likely that you'll get a message saying that the address could not be found, but it'll have the G Suite mail server in the Remote-MTA field (aspmx.l.google.com) instead of gmr-smtp-in.l.google.com. If this is the case, just wait for a few more minutes and try again
I'm not sure if you already have a solution to this, but if you do, I'm interested in how to do it too. Could you please post your solution here if you find one ?
The bad news is, it cannot be done because the way Google Domains work. Google Domains has email forwarding, but it works only when you're using Google's DNS servers. It's the same with all hosting services or whatever they're called.
I think Google just has an email forwarding service that can forward upto 100 alias email addresses per domain to an actual email address. But the actual email address has to exist somewhere. The ones you set up in the Domains console are just aliases or forwarding instructions.
For Cloudflare email forwarding to work, you need to use the SMTP servers where the actual email addresses exist, but since Domains has no actual email service servers, the emails sent out are failing with email account does not exist. The instructions you mentioned are for the Google Apps, which have actual email/gmail addresses set up, but they cost $5/user/month.
The only solution that I can think of to get around this issue is to have our own mail server, and have cloudflare point to those, and then forward/deliver the emails from that mail server.
Hope this helps.
EDIT :
I probably didn't research this well enough before, but looks like people are getting around this issue by using a third party email forwarding service called mailgun
The actual article describing how to use it is on lowendtalk
Some discussion surrounding it is here
I am trying to send mails with mailgun. My DNS config (SPF,DKIM) seems to be ok and are being validated in mailgun service. I can send mail to several users with gmail, live and most others mail providers. However, I have a problem when I sent an email for email accounts of my university.
The message is rejected with the following alert:
"554 5.7.1 : Client host rejected: MX-CIDR"
My current DNS settings are:
TXT # "v=spf1 include:mailgun.org ~all"
MX 10 mxa.mailgun.org.
MX 10 mxb.mailgun.org.
DKIM was validated as well. I checked my domain at mxtoolbox and the dns config pass in all tests. I did not find errors related with that alert in others questions. May someone help me to fix it?
Update 1:
Just some more informations:
1) I dont send, and I have absolutely no intention to send spam. I created an educational website, used by students and instructors, and they send messages sometimes between each others. I also send mail to confirm registers, recovery password, as a lot of others websites do. I only send messages to people who was agreed with my terms of service, that includes the information about my mail policy. It is a small service, I never sent more than 2,000 messages in a month (I have 800 registered users so far)
2) I do not believe I was blacklisted, mxtools verify several blacklists databases and my IP have passed in all verifications. Also, the server is not rejecting all messages from my IP, I can send messages with my personal email with the same domain, but I use different services to handle my personal inbox with my domain and the emails send by my website. So, I guess it may be a DNS record mistake.
3) I only use mailgun (or others transactional email services like mandrill or sendgrid) because it is highly recommended (and easy). I use a small VPS and it is hard to configure my own email service (I am a programmer, I am not an expert in that kind of configuration). If exists negative factors about the use of these systems, I really like to know and learn more.
I see no evidence posted that the reason the receiving mail server is rejecting your mail is because of your SPF records.
There isn't even any evidence here that the receiving mail servers are even performing SPF checks on their incoming mail.
Can you explain why exactly you believe that this has anything to do with SPF?
Just because someone's rejecting your mail, and you happen to be messing around with your SPF records, doesn't mean that the reason for your mail being rejected is due to your SPF records.
The only ones who can tell you exactly why your email is being rejected, and what needs to be done to fix it, is the receiving mail servers' administrators, and that's who you should be asking. They are the only ones who know exactly how their mail servers are configured, and how they work. Unless it's evident from the text of the error message, and it's not, anyone else's answer will be nothing but guesswork.
And actually my guess would be that, if anything, the error message seems to suggest that they have simply blacklisted your IP address range, period, for whatever reason. I would interpret "MX-CIDR" as meaning "MX's IP address' (you can Google what "CIDR" means by yourself); i.e.: sending mail server's IP address is explicitly blacklisted from sending them mail.
Now, taking from the referenced domain's web site, I quote:
"Our software automatically manages the delivery process to give your emails the best chance of landing in the inbox."
I would think that the only type of folks who would be concerned about having "the best chance of landing in" someone inbox would be all the typical spamming parasites. I browsed through the referenced website, and I couldn't shake off a slimy feeling I get after typically wandering into a typical spam spewer.
Is this domain being used to send spam?
If so, then you probably know the answer to your question, already.
Certain SPF libraries might reject emails when trying to perform a reverse lookup on the domain that you're sending from.
They usually get this from the MX records attached to the domain and if there's a mismatch it'll fail out with a rejection (more detail here: http://www.zytrax.com/books/dns/ch9/spf.html).
It's usually only a problem if the receiving server is not necessarily configured correctly, or is being super harsh on incoming mail due to an overwhelming amount of spam.
When developing an application that sends out notification email messages, what are the best practices for
not getting flagged as a spammer by your hosting company. (Cover any of:)
best technique for not flooding a mail server
best mail server products, if you were to set up your own
sending messages as if from a specific user but still clearly from your application (to ensure complaints, etc come back to you) without breaking good email etiquette
any other lessons learned
not getting flagged as spam by the receiver's client? (Cover any of:)
configuring and using sender-id, domain-keys, SPF, reverse-dns, etc to make sure your emails are properly identified
best SMTP header techniques to avoid getting flagged as spam when sending emails for users (for example, using Sender and From headers together)
any other lessons learned
An additional requirement: this application would be sending a single message to a single recipient based upon an event. So, techniques for sending the same messages to multiple recipients will not apply.
best technique for not flooding a mail server
not a lot you can do about this beyond checking with your mail server admin (if it's a shared hosting account / not in your control). but if the requirement is one email to a single recipient per event, that shouldn't be too much of an issue. the things that tend to clog mail systems are emails with hundreds (or more) of recipients.
if you have events firing off all the time, perhaps consider consolidating them and having an email sent that summarizes them periodically.
sending messages as if from a specific user but still clearly from your application (to ensure complaints, etc come back to you) without breaking good email etiquette
you can accomplish this by using the "Reply-To" header, which will then have clients use that address instead of the From address when an email message is being composed.
you should also set the "Return-Path" header of any email, as email without this will often get filtered off.
ex.
From: me#me.com
Return-Path: me#me.com
Reply-To: auto#myapp.com
configuring and using sender-id, domain-keys, SPF, reverse-dns, etc to make sure your emails are properly identified
this is all highly dependent on how much ownership you have of your mail and DNS servers. spf/sender-id etc... are all DNS issues, so you would need to have access to DNS.
in your example this could present quite the problem. as you are setting mail to be from a specific user, that user would have to have SPF (for example) set in their DNS to allow your mail server as a valid sender. you can imagine how messy (if not outright impossible) this would get with a number of users with various domain names.
as for reverse DNS and the like, it really depends. most client ISP's, etc... will just check to see that reverse DNS is set. (ie, 1.2.3.4 resolves to host.here.domain.com, even if host.here.domain.com doesn't resolve back to 1.2.3.4). this is due to the amount of shared hosting out there (where mail servers will often report themselves as the client's domain name, and not the real mail server).
there are a few stringent networks that require matching reverse DNS, but this requires that you have control over the mail server if it doesn't match in the first place.
if you can be a bit more specific i may be able to provide a bit more advice, but generally, for people who need to send application mail, and don't have a pile of control over their environment, i'd suggest the following:
make sure to set a "Return-Path"
it's nice to add your app and abuse info as well in headers ie: "X-Mailer" and "X-Abuse-To" (these are custom headers, for informational purposes only really)
make sure reverse DNS is set for the IP address of your outgoing mail server
first a quick correction to the previous
return-path: is a header added by recieving system based on the envelope-sender of the incomming message
for spf to work the return-path/envelope-sender needs to be yourapp#yourdomain.com
and ensure the spf record for yourdomain.com {or if per-user spf} for yourapp#yourdomain.com allows mails to originate on the server that hosts the app/sends the email
this envelope-sender is the address that will recieve all bounces/errors
now sender-id is different entirely it checks the return-path/envelope-sender
and the
from: address {stored inside the message}
if sending
from: hisname yourapp#yourdomain.com
reply-to: hisname hisaddres#hisdomain.com
this will be a non-issue
if sending
from: hisname hisaddres#hisdomain.com
it will be and you must add a
Resent-From: hisname yourapp#yourdomain.com
as this specifies to ignore the from: for sender-id checks use this instead as it has been sent by you on his behalf
now for the other bits that are worthwhile
ip's mentioned are your mailservers
a have your ip's ptr point to a name that also resolves to the same ip
FQDNS
b have your server helo/ehlo with whatever.domain.com where domain.com is the same as the domain of the name in step A {not the same name for resons below}
c have that helo/ehlo servername also resolve to the ip of your server
d add the following spf record to that helo/ehlo name "v=spf1 a -all"
{meaning allow helo/ehlo with this name from ip's this name points to only}
e add the following sender-id lines to the helo/ehlo name {purely for completeness
"spf2.0/mfrom,pra -all" {ie there are no users#this-domain}
f add the following spf to the FQDNS-name and any other hostnames for your server
"v=spf1 -all" {ie no machines will ever helo/ehlo as this name and no users#this-domain}
{as the fqdns name can be determined by bots/infections its better to never allow this name to be used in helo/ehlo greetings directly it is enough that it be from the same domain as the helo/ehlo identity to prove the validity of both}