[BALUG-Admin] BALUG & SPF, {temp,lists}.balug.org, etc.

Michael Paoli Michael.Paoli@cal.berkeley.edu
Tue Sep 19 05:27:08 PDT 2017


SPF ... I've added SPF records:

The ~all (soft-fail) is intended to be quite temporary ...
intending to strip that out in the coming day(s) to week or so.
It's mostly there as a "just in case" to prevent hard fail should
anything else be particularly screwed up or incorrect.
Expecting to alter that bit to hard fail in near future (notably after
some mailings have exercised the SPF at least some reasonable bit and
that all looks fine and good).  So ...
be on notice :-) ... presumably nobody/nothing has any legitimate
need/reason to do SMTP envelope FROM from the
@{lists.,temp.,}balug.org domains - other than what's emailed from
the (VM) host itself.
One can, "of course", use Reply-To - e.g. I do that for
BALUG-Announce postings for meetings - as those ask for RSVP,
and many folks just click "Reply" without specifically targeting
the RSVP address ... so ... just easier to set Reply-To to the
RSVP address - then most of the actual replies from folks (at least
from that particular mailing) get emailed to the generally
intended/desired email address.

TXT *and* SPF DNS RR types?  Yeah, I included type SPF, mostly for
any (deprecated) stuff that may still be using (or preferring) that.
Doesn't much hurt to also have it included ... save for the hazard of
potentially not consistently maintaining SPF when altering TXT.
Interesting too, BIND 9.9.5 - named-checkconf complains if RR type
TXT SPF record(s) are present but corresponding(/matching?) RR type
SPF are absent.  Perhaps more/most current version of BIND changes that
behavior in named-checkconf?  If I get curious/bored, I might also
do some DNS query logging (notably around time of sending some of the
larger list mailings - most notably BALUG-Announce, but likewise to
lesser extent BALUG-Talk) ... and see what kinds of ratios show up
for TXT and SPF RR queries.

$ (for s in '' lists. temp.; do dig +noall +answer "$s"balug.org. TXT "$s"balug.org. SPF; done)
balug.org.              14400   IN      TXT     "v=spf1 ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 ~all"
balug.org.              14400   IN      SPF     "v=spf1 ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 ~all"
lists.balug.org.        14400   IN      TXT     "v=spf1 ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 ~all"
lists.balug.org.        14400   IN      SPF     "v=spf1 ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 ~all"
temp.balug.org.         14400   IN      TXT     "v=spf1 ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 ~all"
temp.balug.org.         14400   IN      SPF     "v=spf1 ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 ~all"
$

{temp,lists}.balug.org.:

@list.balug.org probably mostly or entirely works - but certainly haven't
fully tested/validated it ... at least yet.

https://lists.balug.org/[...] isn't yet fully operational - some more
web configuration bits before that's all fully squared away.

mailman (and possibly some exim4 bits too?) - still need to update
configurations (once all other prerequisite bits have been properly covered),
to make lists.balug.org once again the canonical, while preserving
compatibility with temp.balug.org (at least until about 2010-11-30).
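
Added example, not part of the original post or of BALUG's own tooling: it parses dig answer lines like those above, reports any name whose TXT and type-SPF policies have drifted apart, and evaluates a sending IP against a policy to show the ~all versus -all outcome. The function names and the 192.0.2.10 address used when trying it are assumptions; only ip4, ip6 and all are evaluated, since those are the only mechanisms these records use.

```python
import ipaddress
import re
from collections import defaultdict

# Policy string as published in the post; answer lines rebuilt in dig's layout.
POLICY = '"v=spf1 ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 ~all"'
DIG_OUTPUT = "\n".join(f"{s}balug.org.\t14400\tIN\t{t}\t{POLICY}"
                       for s in ("", "lists.", "temp.") for t in ("TXT", "SPF"))

# Handles single-string RDATA only, which is what these records are.
RR_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+(TXT|SPF)\s+"(.*)"\s*$')

def parse_dig(text):
    """Return {owner: {"TXT": {policies}, "SPF": {policies}}} for v=spf1 data."""
    zone = defaultdict(lambda: {"TXT": set(), "SPF": set()})
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m and m.group(3).split()[:1] == ["v=spf1"]:
            # Collapse runs of whitespace so cosmetic differences do not count.
            zone[m.group(1).lower()][m.group(2)].add(" ".join(m.group(3).split()))
    return zone

def drifted(zone):
    """Owner names whose TXT and type-SPF policies are not identical."""
    return sorted(name for name, rr in zone.items() if rr["TXT"] != rr["SPF"])

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(policy, ip):
    """SPF result for a connecting IP; first matching term wins."""
    addr = ipaddress.ip_address(ip)
    for term in policy.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        if mech == "all":
            return RESULT[qual]
        kind, _, value = mech.partition(":")
        if kind not in ("ip4", "ip6"):
            # Refuse to guess at mechanisms this example does not implement.
            raise ValueError(f"unsupported term: {term}")
        net = ipaddress.ip_network(value, strict=False)
        if net.version == addr.version and addr in net:
            return RESULT[qual]
    return "neutral"  # no term matched and no "all" present
```

Feeding it real `dig +noall +answer` output before and after a zone edit catches the TXT-only change the post warns about.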



