NealSullivan
Message 1 of 16

Hello! Best regards, can I ask a question SMTP, VPN, SPF

Hello :-)
I've got a mail server here at home running my personal domain "LightDiodeDesigns.co.uk"... Just some fun while I'm ill...
I'd like to set my domain's SPF (SMTP server safe sender) record on its public DNS just for that "It wasn't me you need to block for sending that junk" peace of mind..
Hotmail receives my mails from various NTL servers..

I can't just let my server free wheel because 86.1.0.0/16 at least is in the Public-black-list understandably...
If I had to I'd buy an open public (not pbl) Virgin address, VPN probably, is it possible?

D'you reckon if I fix the host-address of smtp.ntlworld.com (hosts file or on my DNS box here) am I likely to always get the same outbound sender-server each time I can list as my SPF server?

Has anyone managed? I will try but it'd be nice to know I'm going to succeed

Best regards for 2017! :-)
NEAL

Helpful Answers

Superuser
Message 9 of 16
Helpful Answer

Re: Hello! Best regards, can I ask a question SMTP, VPN, SPF

Using DKIM will depend on the capabilities of the mail server you are using.  The important thing is to remember you need to generate a public and private key pair using OpenSSL.  The private key is used by the mail server while the public key is entered as part of a DNS TXT record.

If you want to test out DKIM you can use the following tool to generate a DKIM public and private key.

http://dkimcore.org/tools/keys.html

However, you should preferably download (assuming it's not already installed) and use OpenSSL to generate the key pair yourself.  The same page provides a link explaining how the specification works, including the required OpenSSL commands to generate the key pair and how to publish the public key.

Ravenstar68

________________________________________


Only use Helpful answer if your problems been solved.
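
The steps this answer describes, as an added example that is not part of the original post: OpenSSL creates the key pair, the private key stays on the mail server, and the public key is formatted for the DNS TXT record. The selector `mail`, the file name and the placeholder key bytes are assumptions made for the example.

```python
import base64
import subprocess

# Constructed placeholder with the size and DER framing of a 2048-bit public key;
# it is not a usable key and only stands in for real OpenSSL output.
_b64 = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END PUBLIC KEY-----\n")


def generate_keypair(private_path="dkim_private.pem", bits=2048):
    """Write the private key to private_path (keep it on the mail server only)
    and return the matching public key as PEM text. Requires the openssl CLI."""
    subprocess.run(["openssl", "genrsa", "-out", private_path, str(bits)], check=True)
    pub = subprocess.run(["openssl", "rsa", "-in", private_path, "-pubout"],
                         check=True, capture_output=True, text=True)
    return pub.stdout


def dkim_txt_record(selector, domain, public_pem):
    """Return (DNS name, list of TXT strings) for publishing a DKIM public key."""
    lines = [ln.strip() for ln in public_pem.strip().splitlines()]
    # Refuse anything that is not a public key, so a private key is never published.
    if lines[0] != "-----BEGIN PUBLIC KEY-----" or lines[-1] != "-----END PUBLIC KEY-----":
        raise ValueError("expected a PEM public key, not a private key or certificate")
    b64 = "".join(lines[1:-1])
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:             # DER SEQUENCE tag
        raise ValueError("PEM body is not DER-encoded key data")
    value = "v=DKIM1; k=rsa; p=" + b64
    # A single TXT character-string holds at most 255 bytes, so a 2048-bit key
    # must be split; resolvers concatenate the strings again.
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey.{domain}", chunks


if __name__ == "__main__":
    name, chunks = dkim_txt_record("mail", "lightdiodedesigns.co.uk", SAMPLE_PEM)
    print(name, "IN TXT", " ".join(f'"{c}"' for c in chunks))
```

Swap `SAMPLE_PEM` for the return value of `generate_keypair()` to publish a real key.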

Superuser
Message 11 of 16
Helpful Answer

Re: Hello! Best regards, can I ask a question SMTP, VPN, SPF

For DKIM you don't need a certificate, just a public and private key pair.

You will need a certificate if you plan on securing a web or mail server - It might be worth looking at startssl.com if you're playing as you can get a domain certificate from there for free.  I currently have one for my web server.

Superuser
Message 13 of 16
Helpful Answer

Re: Hello! Best regards, can I ask a question SMTP, VPN, SPF

All the IIS DKIM implementations seem pretty expensive to me.

TBH when I started playing with e-mail I installed hmailserver, which is free.  It supports DKIM out of the box.  However you do have to set up the private and public key pairs yourself.  If the server's only sending you can even alter the bindings so it doesn't listen on POP3 or IMAP at all, and only allows inbound SMTP connections from either localhost (127.0.0.1) or the local subnet.  In a default setup (192.168.0.0).

As for DMARC - it allows two things

1. For you to specify what should happen if validation of DKIM and/or SPF fails
2. To get a report for your domain.

Ravenstar68

All Replies

NealSullivan
Message 2 of 16

Re: Hello! Best regards, can I ask a question SMTP, VPN, SPF

[quote]
sReceived:1556;Count:18
Received: from know-smtprelay-omc-3.server.virginmedia.net ([80.0.253.67]) by BAY004-MC1F43.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
Sun, 8 Jan 2017 03:38:24 -0800
Received: from quicker.LightDiodeDesigns.com ([removed])
by know-smtprelay-3-imp with bizsmtp
X-Originating-IP: [removed]
Received: from I5 ([192.168.0.11]) by quicker.LightDiodeDesigns.com with Microsoft SMTPSVC(6.0.3790.4675);
Sun, 8 Jan 2017 11:36:46 +0000
From: Neal Sullivan <removed@LightDiodeDesigns.co.uk>
[/quote]

 

This is with SMTP.Ntlworld.com resolving to 62.254.26.221, obviously one of a bank in a datacentre somewhere....
So I'll try with SMTP.Ntlworld.com fixed in the hosts file as 62.254.26.221...

I reckon a 50-50 chance of success keeping the SMTP sender the same each time, anyone want to give me a probability? It won't be known until I've measured so I'll find out :-)
If I do a test mail every day for a week and they show it's always now know-smtprelay-omc-3.server.virginmedia.net ([80.0.253.67]) sending through the NTL border perimeter I use this as my Safe-Sender I'd think!

Comment if you're interested! New year's fun... Especially if you've noticed the target server's timezone is 8 hours in front!

NEAL

 

[MOD EDIT: Personal and private information has been removed from this post. Please do not post personal or private information in your public posts. Please review the Forum Guidelines]

NealSullivan
Message 3 of 16

Re: Hello! Best regards, can I ask a question SMTP, VPN, SPF

No yeah, still the same
[quote]
Received: from know-smtprelay-omc-3.server.virginmedia.net ([80.0.253.67]) by BAY004-MC5F29.hotmail.com with Microsoft SMTPSVC(7.5.7601.23143);
Sun, 8 Jan 2017 06:56:25 -0800
[/quote]

NEAL

NealSullivan
Message 4 of 16

Re: Hello! Best regards, can I ask a question SMTP, VPN, SPF

Only 1 way to find out if this'll work...

I've given the SPF-Allowed-range 512 cluster hosts (/22) for the Virgin cluster so 2* /24 networks around the 253 of 80.0.253.67... I still think it might stay the same now I'm always going to the same SMTP.NtlWorld....

Only one way to find out!! :-)

LightDiodeDesigns.co.uk.  IN TXT "v=spf1 ip4:80.0.252.0/23 ip4:8.1.5.7/32 ~all"

NEAL :-D

NealSullivan
Message 5 of 16

Re: Hello! Best regards, can I ask a question SMTP, VPN, SPF

HAPPY DAYS
[headerQuote = "Received-SPF: Pass (protection.outlook.com: domain of lightdiodedesigns.com  designates 220.0.253.67 as permitted sender) receiver=protection.outlook.com;
 client-ip=220.0.253.67; helo= know-smtprelay-omc-3.server.virginmedia.net;                  "/]

 

NealSullivan
Message 6 of 16

Re: Hello! Best regards, can I ask a question SMTP, VPN, SPF

NSLookup explains everything! "v=spf1 include:_spf.ntlworld.com ~all" will include everything from the _spf.ntlworld txt record.. ip4:80.0.253.64/28 ip4:81.104.62.32/28

[nslookup]
> set querytype=txt

> ntlworld.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
ntlworld.com    text =

        "v=spf1 include:_spf.ntlworld.com ~all"
> _spf.ntlworld.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
_spf.ntlworld.com       text =

        "v=spf1 include:_smtprelay.virginmedia.com include:_ziggo.virginmedia.com ~all"
> _smtprelay.virginmedia.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
_smtprelay.virginmedia.com      text =

        "v=spf1 ip4:80.0.253.64/28 ip4:81.104.62.32/28 ~all"
[/nslookup]

Superuser
Message 7 of 16

Re: Hello! Best regards, can I ask a question SMTP, VPN, SPF

I've only just come across this thread.

It looks like you've already found the answer for yourself.  Basically, if you are only using Virgin's outbound SMTP servers to relay your domain's mail then your record simply needed to be v=spf1 include:_smtprelay.virginmedia.com -all

Ravenstar68
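
Added example, not part of any post in the thread: the include chain from the nslookup output in Message 6 and the two records proposed in Messages 4 and 7, evaluated offline. The `TXT` table is a constructed stand-in for DNS holding only the records quoted in the thread, and only the `ip4`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS: only the TXT records quoted in this thread.
TXT = {
    "ntlworld.com": "v=spf1 include:_spf.ntlworld.com ~all",
    "_spf.ntlworld.com": "v=spf1 include:_smtprelay.virginmedia.com "
                         "include:_ziggo.virginmedia.com ~all",
    "_smtprelay.virginmedia.com": "v=spf1 ip4:80.0.253.64/28 ip4:81.104.62.32/28 ~all",
}
HAND_PICKED = "v=spf1 ip4:80.0.252.0/23 ip4:8.1.5.7/32 ~all"      # Message 4
VIA_INCLUDE = "v=spf1 include:_smtprelay.virginmedia.com -all"   # Message 7
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on mechanisms that cause DNS queries


def check_host(ip, record, txt=TXT, budget=None):
    """Evaluate one SPF record left to right; the first matching mechanism wins."""
    budget = [MAX_LOOKUPS] if budget is None else budget
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        result = "pass"                       # default qualifier is "+"
        if term[0] in QUALIFIERS:
            result, term = QUALIFIERS[term[0]], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return result
        if name == "ip4":
            if addr in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0 or arg not in txt:
                return "permerror"            # over the limit, or no record found
            inner = check_host(ip, txt[arg], txt, budget)
            if inner == "permerror":
                return inner
            if inner == "pass":               # only an inner pass makes include match
                return result
        else:
            return "permerror"                # mechanism outside this example
    return "neutral"                          # nothing matched and no "all" term


if __name__ == "__main__":
    # The second and third addresses are constructed test inputs.
    for ip in ("80.0.253.67", "81.104.62.40", "203.0.113.5"):
        print(ip, check_host(ip, HAND_PICKED), check_host(ip, VIA_INCLUDE))
```

The hand-picked range passes the relay seen in the headers but only soft-fails an address in the second relay block (81.104.62.32/28), which the include form covers.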

NealSullivan
Message 8 of 16

Re: Hello! Best regards, can I ask a question SMTP, VPN, SPF

Yeah been working well... I'd hate to have spam sent in my name and this seems a good idea.. Any DKIM advice, or DMARC?
Yay, thanks! :-)
NEAL

NealSullivan
Message 10 of 16

Re: Hello! Best regards, can I ask a question SMTP, VPN, SPF

Yeah I will try that, thank you.. Much appreciated
I'm considering buying a trusted SSL cert probably to root an MS2003 certificate server that currently runs the mail services here (off a lid-less Samsung I5 laptop) if that'll do the job.. But I know little of SSL in transfer so it's a good link you've sent.. The setup here is only keeping me active for fun while I'm ill. :-) It'd be nice to have code and email signage and dot1x and all sorts! :-) I've got some logon id-card readers here, any advice as uses?

It's been looking here like I will need a server upgrade soonish so "Microsoft 10 server" (or whatever called) will most likely be the one, any thoughts? (Azure etc)

To be honest when I get a lot of spam (>10/day) I turn off the SMTP inbound for a week and the 2nd-MX takes all to a catchall Hotmail for their decision hopefully knocking me off send lists, does seem to work. It all comes to Outlook; I do like Outlook's now proper active-sync connection to Hotmail.
I have to keep an eye out for SMTP-Auth brute-forcers and block them regularly, pain in th.

Nice one, playing with security is fun when it doesn't really matter, thanks for the tips!

Neal
