[Mimedefang] Process SPF checking for certain recipient domains

G.W. Haywood mimedefang at jubileegroup.co.uk
Sat Jul 26 13:53:37 EDT 2014


Hi Jon,

On Sat, 26 Jul 2014, Jon Rowlan wrote:

> That is helpful

That was the intention. :)

> although for some odd reason I feel very much told off :-)

Er, sorry about that.  I spend too much time dealing with issues
caused by mail systems which have been badly configured by others.
Sometimes I get a little tetchy.

> I should have added that I checked the sender domains and they all had
> SPF in place which is why I was tempted to try using the SPF mechanism.

SPF is a sort of Good Samaritan thing.  By and large the Internet
protocols were developed for technical reasons by technical people.
It never occurred to them that one day criminals would be by far the
most numerous users.  SMTP permits very simple forgery of mail sender
addresses because at the time we (mea culpa) didn't think about the
problems which we'd be facing forty years down the line.  SPF lets
others check, in a fairly secure way, that mail claiming to be from your
domain is coming from a server entitled to send it.  Simple as that.
But not much use to you unless other people use it too.  Most of the
time they don't, and in the unlikely event that they do, more often
than not they get it wrong.

> I have tried using hosts.deny but that doesn't seem to work for me,

You're doing it wrong. :)

To use hosts.deny (and hosts.allow) you have to be running what's
known as a 'super-server'.  The super-server is started instead of
the service that would normally have been run, it checks the files
hosts.allow and hosts.deny, and then it either runs the service or
it doesn't, depending on what it finds in those files.  There are
other ways of doing the same thing.  Check out the man pages for
inetd, tcpd, hosts_access, services and xinetd.  If you don't have
the man pages you might need to install the relevant packages, what
they're called depends on what distribution you're using but they
should be easy to find.  You would either use inetd or xinetd, not
both at the same time.  I tend to use the more venerable inetd but
xinetd has its followers (and its advantages).  There are pages on
Wikipedia which give brief descriptions in less, er, manpage style.

> iptables may well be something to look at as you say.

There's great documentation, if rather a lot of it to digest at one
sitting, on the Netfilter Website.  It will very much be worth your
while spending some quality time with it:

http://www.netfilter.org/documentation/index.html

At our sites iptables does most of the heavy lifting.  We block about
25% of the IPv4 address space where 95% of the malicious connections
come from.  The mail filtering system can do the rest with one hand
tied behind its back.

--

73,
Ged.
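The check Ged describes above (is the connecting server entitled to send for the domain the mail claims?) as an added example; this is not code from the list or from MIMEDefang. It evaluates constructed TXT records instead of live DNS, models only the ip4, ip6, include and all mechanisms with the RFC 7208 lookup limit (a, mx, ptr, exists, redirect and exp are assumed absent), and includes two of the "they get it wrong" cases: a domain publishing two SPF records and a record that includes itself.

```python
import ipaddress
DNS_TXT = {  # constructed TXT answers standing in for DNS (not any real domain's data)
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_spf.mail.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],  # includes itself forever
    "two.example": ["v=spf1 -all", "v=spf1 +all"],          # two SPF records: invalid
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain):
    # The domain's SPF record as text, "none" if absent, "permerror" if several (RFC 7208 4.5).
    recs = [r for r in DNS_TXT.get(domain, [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(recs) > 1:
        return "permerror"
    return recs[0] if recs else "none"

def check_host(ip, domain, budget=None):
    # SPF result for connecting address `ip` claiming MAIL FROM domain `domain`.
    if budget is None:
        budget = [10]          # RFC 7208 4.6.4: at most 10 DNS-querying mechanisms per check
    record = spf_record(domain)
    if record in ("permerror", "none"):
        return record
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr in net          # always False across address families
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"         # lookup limit exceeded: what loop.example triggers
            sub = check_host(ip, arg, budget)
            if sub == "permerror":
                return sub
            matched = sub == "pass"        # include matches only when the included record passes
        else:
            return "permerror"   # a, mx, ptr, exists, redirect, exp: assumed absent, not modelled
        if matched:
            return QUALIFIERS[qual]
    return "neutral"   # no mechanism matched and no "all" term: RFC 7208 4.7 default
```

A filter would act only on "fail" (and possibly "softfail"); "none" and "permerror" say nothing about the sender and are the results the thread's receivers mostly see.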
