Discussion:
MUA, MTA and SPF
Jesus Duarte
2012-01-06 20:22:59 UTC
We are a regional ISP in the Pacific Northwest and have hundreds of DSL
customers. We run Postfix on our mail servers and we have all of our DSL
IPs authorized to send mail without having to use MUA authentication. For
those with email accounts with us and not on our network the MUA must
authenticate. The problem comes with our network users that are not using
SMTP authentication. If they do not authenticate, SPF keys in on the IP of
the MUA and gives an SPF error and consequently several customers have their
emails bounced.

I would think that SPF would key in on the IP of the MTA and not the MUA.
All of our MTAs are listed in our SPF RR. My question then, is this an
error in SPF checks? If not, is there some sort of "tweak" we are missing
in Postfix for authenticating our users within our IP address space short of
adding all of those IPs to our SPF record? Or do we need to contact all of
our customers and tell them they must use SMTP authentication?

OK, that was three questions. ;-) I am hoping to get a hit on a "tweak" in
Postfix.

Jesus Duarte
Murray S. Kucherawy
2012-01-06 20:33:12 UTC
> -----Original Message-----
> Sent: Friday, January 06, 2012 12:23 PM
> Subject: [spf-discuss] MUA, MTA and SPF
> I would think that SPF would key in on the IP of the MTA and not the MUA.
It uses as one of its inputs the IP address of the SMTP client, which in your case is the MUA itself.
> All of our MTAs are listed in our SPF RR. My question then, is this an
> error in SPF checks? If not, is there some sort of "tweak" we are
> missing in Postfix for authenticating our users within our IP address
> space short of adding all of those IPs to our SPF record? Or do we
> need to contact all of our customers and tell them they must use SMTP
> authentication?
I don't think postfix does SPF natively, but rather via a plugin. You would thus configure the plugin not to do SPF evaluation against your MUAs, or list in your domain's SPF record all the IP addresses for your MUAs. (You probably want the former.)

-MSK
Scott Kitterman
2012-01-06 20:42:07 UTC
Post by Murray S. Kucherawy
>> -----Original Message-----
>> Sent: Friday, January 06, 2012 12:23 PM
>> Cc: David Hudson; Torrie Hughes; "Marc
>> Subject: [spf-discuss] MUA, MTA and SPF
>> I would think that SPF would key in on the IP of the MTA and not the MUA.
> It uses as one of its inputs the IP address of the SMTP client, which in
> your case is the MUA itself.
>> All of our MTAs are listed in our SPF RR. My question then, is this an
>> error in SPF checks? If not, is there some sort of "tweak" we are
>> missing in Postfix for authenticating our users within our IP address
>> space short of adding all of those IPs to our SPF record? Or do we
>> need to contact all of our customers and tell them they must use SMTP
>> authentication?
> I don't think postfix does SPF natively, but rather via a plugin. You would
> thus configure the plugin not to do SPF evaluation against your MUAs, or
> list in your domain's SPF record all the IP addresses for your MUAs. (You
> probably want the former.)
In the early days of SPF (2003/4) there was a patchset to do SPF checking
internal to Postfix, but it is not recommended. Any SPF checking done now
should be using the policy service interface in Postfix (it was initially
developed specifically to support SPF plug-ins).

If someone could let me know how you've integrated SPF checking into your
Postfix setup, I can help you figure out how to address this problem. Postfix
does not inherently distinguish between inbound and outbound connections, so
it's a matter of setting up postfix to only check SPF when an SPF check is
appropriate.

Scott K
Benny Pedersen
2012-01-06 23:13:15 UTC
> I am hoping to get a hit on a "tweak" in Postfix.
reject local sender domains that are not authed?

does it count that client ip is your network?

can stupid users send with any domain as sender?

leaseweb hello :)

PS: CC: was invalid!
Hector Santos
2012-01-14 09:33:33 UTC
Hi Jesus,
Post by Jesus Duarte
> We are a regional ISP in the Pacific Northwest and have hundreds of DSL
> customers. We run Postfix on our mail servers and we have all of our DSL
> IPs authorized to send mail without having to use MUA authentication. For
> those with email accounts with us and not on our network the MUA must
> authenticate. The problem comes with our network users that are not using
> SMTP authentication. If they do not authenticate, SPF keys in on the IP of
> the MUA and gives an SPF error and consequently several customers have their
> emails bounced.
> I would think that SPF would key in on the IP of the MTA and not the MUA.
The MUA is the MTA :), or rather contains an MTA component to send
mail. It's just a special MTA that comes integrated with mail
pickup/reader/writer components.
Post by Jesus Duarte
> All of our MTAs are listed in our SPF RR. My question then, is this an
> error in SPF checks?
No. The SPF policy in place simply doesn't cover a segment of your users.
Post by Jesus Duarte
> If not, is there some sort of "tweak" we are missing
> in Postfix for authenticating our users within our IP address space short of
> adding all of those IPs to our SPF record? Or do we need to contact all of
> our customers and tell them they must use SMTP authentication?
> OK, that was three questions. ;-) I am hoping to get a hit on a "tweak" in
> Postfix.
The issue you see is quite normal for many ISP/ESPs. In general, the
only time you need to authenticate (using any method) is to determine
if the user is allowed to relay (send mail outside the network). In
other words, if the target mail is for a local user or a locally
hosted domain, then your SMTP receiver should not require
authentication. This is how EMAIL grew to where it is today, by
allowing for unauthenticated transactions for the MDA. It was a
blessing for its growth, since without this, I sincerely doubt SMTP
would have taken over as fast as it did. But it was also a curse by
allowing abusive anonymous unauthenticated local mail transactions.

But the support headache about having to tell users to use SMTP AUTH
is real. One long-time method widely used to help reduce these
support headaches is to implement POP B4 SMTP. Since most MUAs, if
not all, are automatically prepared to POP in frequently before the
user sends mail, this allows a method to use the IP authentication
which you already have. POPB4SMTP, while some consider it a kludge, is
long known to help lower the support cost/need to inform/tell/teach
users how to prepare SMTP authentication for their MUA, which at best
you can only cover for the top few brands.

If you don't know how it works: when the user's MUA pops in, which
requires user/password authentication, the POP server will send a
signal and data with the user's machine IP address to the SMTP server,
opening a small sysop-defined time window for IP-based authentication
for the user's next SMTP session without requiring SMTP AUTH. The
time window varies for setups; ours I believe is 10 mins. It works. :)

--
HLS
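Scott's point about doing SPF through the Postfix policy service interface and Hector's POP-before-SMTP window, combined into one added example that is not code from this thread, from Postfix or from any real policy daemon: a decision function for a Postfix SMTPD policy request that skips SPF for the ISP's own address ranges, for SASL-authenticated sessions and for clients with an open POP-before-SMTP grant, and otherwise runs a deliberately minimal SPF evaluation (ip4/ip6/all mechanisms only, no DNS). The networks, the SPF record and the grant table are constructed sample values, and the 5.7.23 enhanced status code is the one assigned to SPF failures.

```python
import ipaddress

# Constructed sample data (not the poster's real network or domain) so this runs offline:
# the ISP's own ranges (Postfix mynetworks), the domain's SPF record, and a
# POP-before-SMTP table of client IP -> grant expiry as Unix time.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]
SPF_RECORDS = {"example.net": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 -all"}
POP_GRANTS = {"198.51.100.7": 1_700_000_600}  # POP login seen; relay window open until then
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_policy_request(raw):
    """Parse one Postfix policy request: attr=value lines ended by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def evaluate_spf(domain, client_ip):
    """Minimal SPF check: ip4/ip6/all mechanisms only, no include/a/mx, no DNS lookups."""
    ip = ipaddress.ip_address(client_ip)
    record = SPF_RECORDS.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qual = term[0] if term[0] in SPF_QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return SPF_QUALIFIERS[qual]
        if mech.startswith(("ip4:", "ip6:")) and ip in ipaddress.ip_network(mech[4:], strict=False):
            return SPF_QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and the record has no "all" term

def policy_action(attrs, now):
    """Return a Postfix policy action; SPF is evaluated only for untrusted, unauthenticated clients."""
    client = attrs.get("client_address", "0.0.0.0")
    trusted = (attrs.get("sasl_username")                                        # SMTP AUTH succeeded
               or any(ipaddress.ip_address(client) in net for net in MYNETWORKS)  # our own DSL pool
               or POP_GRANTS.get(client, 0) > now)                               # recent POP login
    if trusted:
        return "DUNNO"  # our MTA relays it, and the MTA, not this client, is what the SPF record lists
    domain = attrs.get("sender", "").rpartition("@")[2].lower()
    if not domain:
        return "DUNNO"  # null sender (bounce): no MAIL FROM domain to check
    result = evaluate_spf(domain, client)
    if result == "fail":
        return "550 5.7.23 SPF fail: %s does not authorize %s" % (domain, client)
    return "PREPEND Received-SPF: %s (%s)" % (result, client)
```

In Postfix terms the same ordering is what putting `permit_mynetworks` and `permit_sasl_authenticated` ahead of `check_policy_service` in `smtpd_recipient_restrictions` achieves, so the policy daemon never sees trusted clients at all. A real daemon would read each request from its socket and answer with `action=<value>` followed by an empty line.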
