[BALUG-Admin] BALUG & SPF

Rick Moen rick@linuxmafia.com
Fri Aug 18 07:58:31 PDT 2017 

Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):

> Well, notably at present, balug.org. and temp.balug.org. are
> pretty dang independent and unrelated.  Until balug.org.
> (and lists.balug.org., etc.) are ripped out from under DreamHost.com. ...

{sigh}  Here, let me hand it to you on a platter.  We'll do through the
whole zonefile.

These would be taken care of by a single SPF 'A' directive (if they send
mail, which clearly most do not):

balug.org.                         IN A       208.97.176.67
archive.balug.org.                 IN A       198.144.194.238
www.balug.org.                     IN A       198.144.194.238
balug-sf-lug-v1.balug.org.         IN A       198.144.194.238
balug-sf-lug-v2.balug.org.         IN A       198.144.194.238
balug-untangle.balug.org.          IN A       64.2.3.203
balug-sf-lug-v1.console.balug.org. IN A       208.96.15.250
balug-sf-lug-v2.console.balug.org. IN A       208.96.15.250
balug-untangle.console.balug.org.  IN A       64.2.3.195
sf-lug-v1.console.balug.org.       IN A       208.96.15.250
sf-lug-v2.console.balug.org.       IN A       208.96.15.250
untangle.console.balug.org.        IN A       64.2.3.195
ftp.balug.org.                     IN A       208.97.176.67
lists.balug.org.                   IN A       66.33.216.72
mail.balug.org.                    IN A       208.113.200.129
mailboxes.balug.org.               IN A       66.33.205.233
www.mailboxes.balug.org.           IN A       66.33.205.233
mysql.balug.org.                   IN A       208.97.161.83
ns1.balug.org.                     IN A       198.144.194.238
rsvp.balug.org.                    IN A       198.144.194.238
secure.balug.org.                  IN A       198.144.194.238
www.secure.balug.org.              IN A       198.144.194.238
sf-lug.balug.org.                  IN A       208.96.15.252
www.sf-lug.balug.org.              IN A       208.96.15.252
sf-lug-v1.balug.org.               IN A       208.96.15.252
sf-lug-v2.balug.org.               IN A       208.96.15.252
ssh.balug.org.                     IN A       208.97.176.67
untangle.balug.org.                IN A       64.2.3.203
vicki.balug.org.                   IN A       208.96.15.250
webmail.balug.org.                 IN A       208.97.187.139
www.webmail.balug.org.             IN A       208.97.187.139
webmaster.balug.org.               IN A       198.144.194.238
wiki.balug.org.                    IN A       198.144.194.238
www.wiki.balug.org.                IN A       198.144.194.238
www.balug.org.                     IN A       208.97.176.67
www0.balug.org.                    IN A       208.97.176.67
www1.balug.org.                    IN A       198.144.194.238
www2.balug.org.                    IN A       64.2.3.203

These two can be taken care of by a single SPF 'MX' directive:

mail.balug.org.                    IN MX      0 mx1.sub5.homie.mail.dreamhost.com.
mail.balug.org.                    IN MX      0 mx2.sub5.homie.mail.dreamhost.com.

These can be taken care of by a single ipv6: directive if we're
concerned about that.  


ns1.balug.org.                     IN AAAA    2001:470:1f04:19e::2
rsvp.balug.org.                    IN AAAA    2001:470:1f04:19e::2
secure.balug.org.                  IN AAAA    2001:470:1f04:19e::2
www.secure.balug.org.              IN AAAA    2001:470:1f04:19e::2
webmaster.balug.org.               IN AAAA    2001:470:1f04:19e::2
wiki.balug.org.                    IN AAAA    2001:470:1f04:19e::2
www1.balug.org.                    IN AAAA    2001:470:1f04:19e::2
balug-sf-lug-v1.balug.org.         IN AAAA    2001:470:1f04:19e::2
balug-sf-lug-v2.balug.org.         IN AAAA    2001:470:1f04:19e::2

This can be taken care of by a single include: directive.

balug-dreamhost.balug.org.         CNAME   charles-carroll.dreamhost.com.


So, I make that to be:

balug.org.     IN TXT "v=spf1 a mx ipv6:2001:470:1f04:19e::2 include:dreamhost.com -all"

That literally takes care of _every_ existing entry in the balug.org DNS
that could possibly originate mail, plus every host that Dreamhost
thinks might originate mail.

And, when you and Michael Hubbard give Dreamhost the heave-ho, all the
need happen whenever convenient is removing the include: directive.
(No hurry about that.  No real harm if it remains.)

We should do it now.  It's a one-line addition to DNS, and I've just
handed you that line, already made.

> Yes, effectively don't - or no guarantees it won't change.
> DreamHost does sometimes make changes to hostnames, IP addresses,
> etc., and with no notice of such changes - the only way I know about
> such changes is they show up in DNS, etc.

That's what the include: is for.

> No assurances those correlate or will continue to correlate.

If Dreamhost doesn't know where it sends SMTP from, then we have a lot
bigger problems.

Does their own mail fail their own SPF and get rejected as forgeries?
No, I really don't think so.  Then, their SPF record is a good enough 
statement of what they declare their SMTP hosts to be.  Which, gosh, if
they cannot get that right, they would be _really_ in the wrong line of
business.  But they demonstrably do get it right.  Hallelujah.

> Ah, now that makes sense.  I mean why would DreamHost trust their own
> hosting after all?  ;->

I assume it's because Dreamhost customers find it convenient to
originate Dreamhost-hosted mail from Google, relay.mailchannels.net, and
sendgrid.net -- and Dreamhost helps them by insuring that such
outsourced mail-sending won't get rejected as forging dreamhost.com's
envelope header.

Actually, if you look closely, they _did_ fsck up the first include:
directive, the one for _spf.google.com.  Which fortunately doesn't
adversely affect us, because we don't try to originate balug.org
outbound mail from Google.

More information about the BALUG-Admin mailing list