[BALUG-Admin] --> hard fail (-all) Re: BALUG & SPF, {temp, lists}.balug.org, etc.
Michael Paoli
Michael.Paoli@cal.berkeley.edu
Sun Sep 24 18:05:16 PDT 2017
SPF has continued to look fine,
updated the records from ~all (soft-fail) to -all (hard fail).
TTL 14400 - so up to 4 hours (+ propagation delays) until 100%
effective Internet-wide.
$ FCEDIT=ex fc -1
/tmp/bash-fc-241632800115: unmodified: line 1
:1,$d
:0a
(
for ns in $(dig -t NS balug.org. +short); do
for ip in $(dig +noall +answer +short "$ns" A "$ns" AAAA |
sort -u); do
for s in '' lists. temp.; do
dig +noall +answer +norecurse @"$ip" "$s"balug.org. TXT \
"$s"balug.org. SPF |
sed -e 's/$/ ['"$ns $ip"']/'
done
done
done
)
.
:w
/tmp/bash-fc-241632800115: 12 lines, 329 characters
:q
(
for ns in $(dig -t NS balug.org. +short); do
for ip in $(dig +noall +answer +short "$ns" A "$ns" AAAA |
sort -u); do
for s in '' lists. temp.; do
dig +noall +answer +norecurse @"$ip" "$s"balug.org. TXT \
"$s"balug.org. SPF |
sed -e 's/$/ ['"$ns $ip"']/'
done
done
done
)
balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.balug.org.
198.144.194.238]
balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.balug.org.
198.144.194.238]
lists.balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.balug.org.
198.144.194.238]
lists.balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.balug.org.
198.144.194.238]
temp.balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.balug.org.
198.144.194.238]
temp.balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.balug.org.
198.144.194.238]
balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.balug.org.
2001:470:1f04:19e::2]
balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.balug.org.
2001:470:1f04:19e::2]
lists.balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.balug.org.
2001:470:1f04:19e::2]
lists.balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.balug.org.
2001:470:1f04:19e::2]
temp.balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.balug.org.
2001:470:1f04:19e::2]
temp.balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.balug.org.
2001:470:1f04:19e::2]
balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.svlug.org.
2600:3c01::f03c:91ff:fe96:e78e]
balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.svlug.org.
2600:3c01::f03c:91ff:fe96:e78e]
lists.balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.svlug.org.
2600:3c01::f03c:91ff:fe96:e78e]
lists.balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.svlug.org.
2600:3c01::f03c:91ff:fe96:e78e]
temp.balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.svlug.org.
2600:3c01::f03c:91ff:fe96:e78e]
temp.balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.svlug.org.
2600:3c01::f03c:91ff:fe96:e78e]
balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.svlug.org.
64.62.190.98]
balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.svlug.org.
64.62.190.98]
lists.balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.svlug.org.
64.62.190.98]
lists.balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.svlug.org.
64.62.190.98]
temp.balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.svlug.org.
64.62.190.98]
temp.balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all" [ns1.svlug.org.
64.62.190.98]
balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all"
[ns1.linuxmafia.com. 198.144.195.186]
balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all"
[ns1.linuxmafia.com. 198.144.195.186]
lists.balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all"
[ns1.linuxmafia.com. 198.144.195.186]
lists.balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all"
[ns1.linuxmafia.com. 198.144.195.186]
temp.balug.org. 14400 IN TXT "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all"
[ns1.linuxmafia.com. 198.144.195.186]
temp.balug.org. 14400 IN SPF "v=spf1
ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 -all"
[ns1.linuxmafia.com. 198.144.195.186]
$
> From: "Michael Paoli" <Michael.Paoli@cal.berkeley.edu>
> Subject: BALUG & SPF, {temp,lists}.balug.org, etc.
> Date: Tue, 19 Sep 2017 05:27:08 -0700
> SPF ... I've added SPF records:
>
> The ~all (soft-fail) is intended to be quite temporary ...
> intending to strip that out in the coming day(s) to week or so.
> It's mostly there as a "just in case" to prevent hard fail should
> anything else be particularly screwed up or incorrect.
> Expecting to alter that bit to hard fail in near future (notably after
> some mailings have exercised the SPF at least some reasonable bit and
> that all looks fine and good). So ...
> be on notice :-) ... presumably nobody/nothing has any legitimate
> need/reason to do SMTP envelope FROM from the
> @{lists.,temp.,}balug.org domains - other than what's emailed from
> the (VM) host itself.
> One can, "of course", use Reply-To - e.g. I do that
> BALUG-Announce postings for meetings - as those ask for RSVP,
> and many folks just click "Reply" without specifically targeting
> the RSVP address ... so ... just easier to set Reply-To to the
> RSVP address - then most of the actual replies from folks (at least
> from that particular mailing) gets emailed to the generally
> intended/desired email address.
>
> TXT *and* SPF DNS RR types? Yeah, I included type SPF, mostly for
> any (deprecated) stuff that may still be using (or preferring) that.
> Doesn't much hurt to also have it included ... save for the hazard of
> potentially not consistently maintaining SPF when altering TXT.
> Interesting too, BIND 9.9.5 - named-checkconf complains if RR type
> TXT SPF record(s) are present but corresponding(/matching?) RR type
> SPF are absent. Perhaps more/most current version of BIND changes that
> behavior in named-checkconf? If I get curious/board, I might also
> do some DNS query logging (notably around time of sending some of the
> larger list mailings - most notably BALUG-Announce, but likewise to
> lesser extent BALUG-Talk) ... and see what kinds of ratios show up
> for TXT and SPF RR queries.
>
> $ (for s in '' lists. temp.; do dig +noall +answer "$s"balug.org.
> TXT "$s"balug.org. SPF; done)
> balug.org. 14400 IN TXT "v=spf1
> ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 ~all"
> balug.org. 14400 IN SPF "v=spf1
> ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 ~all"
> lists.balug.org. 14400 IN TXT "v=spf1
> ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 ~all"
> lists.balug.org. 14400 IN SPF "v=spf1
> ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 ~all"
> temp.balug.org. 14400 IN TXT "v=spf1
> ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 ~all"
> temp.balug.org. 14400 IN SPF "v=spf1
> ip4:198.144.194.238 ip6:2001:470:1f04:19e::2 ~all"
> $
>
> {temp,lists}.balug.org.:
>
> @list.balug.org probably mostly or entirely works - but certainly haven't
> fully tested/validated it ... at least yet.
>
> https://lists.balug.org/[...] isn't yet fully operational - some more
> web configuration bits before that's all fully squared away.
>
> mailman (and possibly some exim4 bits too?) - still need to update
> configurations (once all other prerequisite bits have been properly covered),
> to make lists.balug.org once again the canonical, while preserving
> compatibility with temp.balug.org (at least until about 2010-11-30).
>
More information about the BALUG-Admin
mailing list