configuration error in lists.isc.org

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Sat Aug 8 03:13:57 UTC 2015


 
On 2015-08-07 07:34, wbrown at e1b.org wrote: 

> From: "Lawrence K. Chen, P.Eng." <lkchen at ksu.edu> 
> 
>> OTOH, we have caved on adding systems that aren't 'ours'...though how much of 
>> Office365 is actually 'ours'....but I think we currently have a couple 
>> includes for mass emailing solutions or our survey system (normally we push 
>> for them to use a subdomain, our old in-house survey system was on its own 
>> subdomain, which the new one can use, but it's more flexible on what users can 
>> use....it then comes down to whether there's a SPF rule in their way or not.
> 
> SPF has nothing to do with who owns the servers. It states who is allowed to send email on behalf of the domain. If you are using O365 for your mail, you add their SPF records. If you use a mail service provider for your marketing emails, be sure to add them. Just make sure you don't exceed the limits on how many DNS queries are required to fully resolve the SPF record. I'm starting to see more records overloaded with includes, MX, and other types that require further queries. 
> 
> We now return you to our regularly scheduled program.

But, the point of 'ours' is trusting that the system is only generating mail as us
that we expect it to generate. Generally we expect servers we operate to be
trustworthy (which has somewhat improved now that our general SMTP server is
usable from, say, guest wireless).

Before we moved to Office365, our email provider had configured that our
outgoing mail was processed to come out from one of two pools. One pool for
spam/virus-checked good mail for our exclusive use, and the everything-else
pool that is shared with all the other tenants. With no guarantee against
another tenant's account getting hijacked and starting to send forged emails with
our domain....

So, when we were with this provider, our SPF had the exclusive pool as good, but
included the other pool prefixed with '~'..... Meanwhile, Office365 claims to
employ a similar system where there are pools used only for sending tested good
emails, and other pools that they send everything else through and if IPs get
blocked they don't care.... where we have one include:spf...., which in turn
has another include:spfa...., which in turn has another include:spfb.... for
over 50,000 IPs + an ip6:/48....to be all trusted. Then there's the include
that the survey company provides, which just contains a single include for who
actually sends their mails? Which seems strangely familiar...also noticed that
they're using Dyn for NS. Probably because it seems to be a subset of what the
mass marketing mailer has in their chain of spf includes.... And, we
include:outbound.mailhop.org for people that go abroad and want to get around
places that block port 25, which is like everywhere now.... though the number
of alternatives has probably reduced the need for this.

Though I still have my mailhop account, even though it's now DuoCircle that
owns it. But, I still have one domain with Dyn, along with some dyndns names....
Like for my ec2 instances --a dyndns domain so I can find them easier, and
they use mailhop to send me alerts....

But, given how Office365 operates, it's unlikely that a rogue tenant would be
able to impersonate us.... and ... we can't speak for anybody else, but I have
trusted Dyn with email for many years now, trying to recall when I got the
account....think it was sometime after I stopped using PocketMail....

- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
 with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
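The SPF include chain and the DNS-lookup limit discussed in this thread, as an added example that is not part of the original posts and not ISC or BIND code. It walks a constructed, in-memory zone (all names are hypothetical and all addresses are documentation prefixes) in place of live TXT queries, counts the terms that each cost a DNS lookup against the RFC 7208 ceiling of 10, totals the IPv4 addresses a chain ends up authorising, and shows how a pool included with '~' yields softfail while the exclusive pool yields pass:

```python
"""Walk an SPF include chain held in an in-memory zone, count the DNS lookups the
chain costs against the RFC 7208 limit of 10, and evaluate a sender IP against it."""
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: include, a, mx, ptr, exists and redirect each count

# Constructed zone data (hypothetical names, documentation-prefix addresses) standing in
# for live TXT lookups. The shape mirrors the post: one include pulling in a second,
# which pulls in a third, plus a shared pool included with the '~' (softfail) qualifier.
ZONE = {
    "example.edu": ("v=spf1 ip4:203.0.113.0/24 include:spf.protection.example.net "
                    "~include:shared.example.net include:survey.example.org -all"),
    "spf.protection.example.net": "v=spf1 include:spfa.protection.example.net -all",
    "spfa.protection.example.net": "v=spf1 include:spfb.protection.example.net -all",
    "spfb.protection.example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/48 -all",
    "shared.example.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "survey.example.org": "v=spf1 include:_spf.mailer.example.com ~all",
    "_spf.mailer.example.com": "v=spf1 mx a ip4:192.0.2.200 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split a record into (qualifier, name, argument) terms; modifiers get qualifier '+'."""
    terms = []
    for tok in record.split()[1:]:          # drop the leading 'v=spf1'
        qual = "+"
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        if "=" in tok:                       # modifier, e.g. redirect=other.example
            name, arg = tok.split("=", 1)
        elif ":" in tok:                     # mechanism with argument, e.g. ip4:203.0.113.0/24
            name, arg = tok.split(":", 1)
        else:                                # bare mechanism: all, a, mx, ptr
            name, arg = tok, None
        terms.append((qual, name.lower(), arg))
    return terms


def audit(domain, zone, seen=frozenset()):
    """Summarise the whole chain: lookup-costing terms, IPv4 coverage, IPv6 prefixes."""
    out = {"lookups": 0, "ip4_addresses": 0, "ip6_prefixes": 0, "missing": [], "over_limit": False}
    if domain in seen:                       # include loop on the current path: stop here
        return out
    record = zone.get(domain)
    if record is None:                       # dangling include: a permerror for real receivers
        out["missing"].append(domain)
        return out
    for _qual, name, arg in parse_spf(record):
        if name in LOOKUP_TERMS:
            out["lookups"] += 1
        if name in ("include", "redirect"):  # every occurrence costs a query, so no dedupe
            sub = audit(arg, zone, seen | {domain})
            for key in ("lookups", "ip4_addresses", "ip6_prefixes", "missing"):
                out[key] += sub[key]
        elif name == "ip4":
            out["ip4_addresses"] += ipaddress.ip_network(arg, strict=False).num_addresses
        elif name == "ip6":
            out["ip6_prefixes"] += 1
    out["over_limit"] = out["lookups"] > MAX_LOOKUPS
    return out


def check_ip(domain, ip, zone, seen=frozenset()):
    """Evaluate a sender IP. ip4/ip6/include/redirect/all are implemented; a, mx, ptr and
    exists would need A/MX/PTR data the constructed zone does not carry, so they never match."""
    if domain in seen:
        return "permerror"                   # RFC 7208: include/redirect loops are a permerror
    record = zone.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for qual, name, arg in parse_spf(record):
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # An include matches only when the included record yields 'pass'; fail,
            # softfail or neutral inside it just means 'no match' at this level.
            inner = check_ip(arg, ip, zone, seen | {domain})
            if inner == "permerror":
                return inner
            matched = inner == "pass"
        elif name == "redirect":
            redirect = arg                   # only consulted if no mechanism matches
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        return check_ip(redirect, ip, zone, seen | {domain})
    return "neutral"


if __name__ == "__main__":
    summary = audit("example.edu", ZONE)
    print("lookups: %d of %d allowed, IPv4 addresses authorised: %d, IPv6 prefixes: %d"
          % (summary["lookups"], MAX_LOOKUPS, summary["ip4_addresses"], summary["ip6_prefixes"]))
    for sender in ("198.51.100.7", "2001:db8::1", "192.0.2.10", "8.8.8.8"):
        print(sender, "->", check_ip("example.edu", sender, ZONE))
```

Against the constructed zone the chain costs 8 lookups, so it still fits under the limit, but the three-deep include and the survey vendor's own include account for 7 of them; one more vendor with a similar chain would push it over and receivers would return permerror for every message. The audit deliberately does not deduplicate a domain included twice, since each occurrence is a query at the receiver. A live check would replace the ZONE dict with TXT lookups and resolve the a/mx/ptr/exists terms it currently treats as non-matching.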
 