Discussion:
Configuration Problem
Roman Gelfand
2013-08-23 17:41:11 UTC
My domain is hosted by yahoo. Outside of yahoo, I use another
outbound mail server.

My goal is to designate yahoo's smtp server and my outbound server as
the only legitimate outbound server.

My spf configuration is as follows:

"v=spf1 a:smtp.bizmail.yahoo.com ip4:XX.XXX.XXX.XX -all" where my
server is XX.XXX.XXX.XX.

This configuration works for my server but not yahoo. I am guessing
the problem is smtp.bizmail.yahoo.com cname.

I spoke with yahoo.. They are not providing me with ip ranges or subnets.

Is there a way to make this work or, perhaps, someone may have done
this already.


Thanks in advance
alan
2013-08-23 18:48:29 UTC
At 18:41 23/08/2013 Friday, you wrote:
>My domain is hosted by yahoo. Outside of yahoo, I use another
>outbound mail server.
>
>My goal is to designate yahoo's smtp server and my outbound server as
>the only legitimate outbound server.
>
>My spf configuration is as follows:
>
>"v=spf1 a:smtp.bizmail.yahoo.com ip4:XX.XXX.XXX.XX -all" where my
>server is XX.XXX.XXX.XX.
>
>This configuration works for my server but not yahoo. I am guessing
>the problem is smtp.bizmail.yahoo.com cname.
>
>I spoke with yahoo.. They are not providing me with ip ranges or subnets.
>
>Is there a way to make this work or, perhaps, someone may have done
>this already.
>
>
>Thanks in advance

ok first issue is it's yahoo and they seem to have a religious fear/hatred/revulsion/whatever for spf
so no help there

(i would take that as a sign that you would be better served paying to have your domain hosted elsewhere where they are more supportive of your use of your domain, even many of the free hosts do a better job)

that aside problem two is that
smtp.bizmail.yahoo.com is where you send mail to, not where they send it to us from

as you mentioned it's a cname so a: will never work (ok it might but that's down to how the programmers wrote the spf library)
either way the ip it eventually becomes is not the ip you send from (just the ip you submit your mail to)
(there may be 1 to infinity more hops through yahoo's systems before its onward journey to the internet)

as you sent this mail from a gmail(and via gmail), and neglected to bother telling us the domain name in question

we can neither look at your spf records/domain/or sending ips to help any further

but as you have a gmail sending yourself a series of emails should result in a fair approximation of what ips they send from

then quick whois will tell you the block they belong to
then add ip4:that-block/bitmask for each block yahoo is discovered sending from

terminate your record ?all till confident you have a 90%ish complete list
then switch to ~all so if/when yahoo add more you're less likely to experience total failure (as you will with -all)
Roman Gelfand
2013-08-25 01:39:41 UTC
Thanks a lot for your advice. I didn't even realize that yahoo could
be relaying from one smtp server to another within their network.

Anyway following your lead, I did a dig on smtp.bizmail.yahoo.com and found this

smtp.bizmail.yahoo.com. 295 IN CNAME smtp.bizmail.mail.fy4.b.yahoo.com.
smtp.bizmail.mail.fy4.b.yahoo.com. 295 IN CNAME any-smtp.bizmail.mail.fy4.b.yahoo.com.
any-smtp.bizmail.mail.fy4.b.yahoo.com. 295 IN A 98.139.221.242
any-smtp.bizmail.mail.fy4.b.yahoo.com. 295 IN A 208.71.40.208
any-smtp.bizmail.mail.fy4.b.yahoo.com. 295 IN A 98.138.105.25

I, then, looked up whois and found these fall into 2 huge networks
98.136.0.0/14
208.71.40.0/21

Should this range be all they have or do you think there is more
and I need to fish around more?

Thanks again for your help

alan
2013-08-25 03:00:59 UTC
At 02:39 25/08/2013 Sunday, Roman Gelfand wrote:
>Thanks a lot for your advice. I didn't even realize that yahoo could
>be relaying from one smtp server to another within their network.

no large isp uses either the same ips for sending as receiving or uses any non tiered clustered load-balanced approach

even small isps like the ones i work for may have only a few physical servers but we will have a different ip for sending and receiving on each (as it makes securing and load balancing easier)

(one or more inbound ips load balanced to the least stressed server)
one dedicated ip per server for outbound so we can know which server's logs to check if we get a complaint of bad mail from xyz ip


>Anyway following your lead, I did a dig on smtp.bizmail.yahoo.com and found this
>
>smtp.bizmail.yahoo.com. 295 IN CNAME smtp.bizmail.mail.fy4.b.yahoo.com.
>smtp.bizmail.mail.fy4.b.yahoo.com. 295 IN CNAME any-smtp.bizmail.mail.fy4.b.yahoo.com.
>any-smtp.bizmail.mail.fy4.b.yahoo.com. 295 IN A 98.139.221.242
>any-smtp.bizmail.mail.fy4.b.yahoo.com. 295 IN A 208.71.40.208
>any-smtp.bizmail.mail.fy4.b.yahoo.com. 295 IN A 98.138.105.25

ok it's interesting as it shows somehow how they load balance their receiving side
as i'd guess the fy4.b alters each lookup (or over time) to point at the next least loaded cluster


>I, then, looked up whois and found these fall into 2 huge networks
>98.136.0.0/14
>208.71.40.0/21
>
>Should this range be all they have or do you think there is more
>and I need to fish around more?

there is likely more
at least
http://whois.arin.net/rest/poc/NA258-ARIN/orgs

http://whois.arin.net/rest/org/YAOO/nets
http://whois.arin.net/rest/org/YAHO/nets
http://whois.arin.net/rest/org/YAHOO-1/nets
http://whois.arin.net/rest/org/YAHOOI-2/nets

and that's just the US based ones there is a good chance they have blocks in other cheap hosting countries too

as i said

A forget smtp.bizmail.yahoo.com

B send yourself mail via yahoo (to gmail or this list)
or even direct to me and I'll send you back the ips

C look at the ips/names that the mail comes from (only), these are the blocks yahoo uses to send your mail
(they may be within the same ranges, they may not, either way their sending ips are all you're interested in, not their receiving ones like smtp.bizmail.yahoo.com)

you might find they only send from a very limited range based on your username
(as i can't see them placing all customers in the one basket they would likely use different ranges for free service customers to paying, as they don't want one service's reputation damage (spammers-on the free webmail) causing harm to all (or maybe they do, who knows))

>Thanks again for your help

it would be much easier if you just used the domain in question on-list we would already have 2 sending ips to look at

yahoo might be the one and only excuse for using the ptr: record, but i still think
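
Added example, not part of the thread: the procedure alan describes in both replies (mail yourself through the provider, read the sending IP off the copy that arrives, cover it with its whois block, end the record in ?all and later ~all) as a Python sketch. The messages, hostnames, the whois block and the 192.0.2.10 stand-in for the poster's own server are constructed from documentation address ranges, and the function names are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample: the relay's outbound host hands the message to our MX.
# The topmost Received header is the one our own MX wrote, so its bracketed
# address is the client IP that SPF is evaluated against.
def sample(outbound_ip):
    return (f"Received: from out.relay.example (out.relay.example [{outbound_ip}])\n"
            "\tby mx.receiver.example with ESMTP; Sun, 25 Aug 2013 03:10:00 +0000\n"
            "Received: from submit.relay.example ([10.1.2.3])\n"
            "\tby out.relay.example; Sun, 25 Aug 2013 03:09:58 +0000\n"
            "Subject: spf probe\n\nbody\n")

SAMPLES = [sample(ip) for ip in ("198.51.100.23", "198.51.100.77", "203.0.113.5")]
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def handoff_ip(raw_message):
    """IP recorded by the receiving MX; earlier (lower) hops are ignored."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    match = IPV4_IN_BRACKETS.search(received[0]) if received else None
    return ipaddress.ip_address(match.group(1)) if match else None

def build_spf(observed_ips, whois_blocks, own_ip, qualifier="?"):
    """Return (record, uncovered): ip4 terms only for blocks actually seen."""
    nets = [ipaddress.ip_network(block) for block in whois_blocks]
    used, uncovered = [], []
    for ip in observed_ips:
        hit = next((net for net in nets if ip in net), None)
        if hit is None:
            uncovered.append(ip)      # needs another whois lookup
        elif hit not in used:
            used.append(hit)
    terms = [f"ip4:{net}" for net in used] + [f"ip4:{own_ip}"]
    return "v=spf1 " + " ".join(terms) + f" {qualifier}all", uncovered

if __name__ == "__main__":
    ips = [handoff_ip(m) for m in SAMPLES]
    # Constructed whois result; 192.0.2.10 stands in for the poster's own server.
    record, uncovered = build_spf(ips, ["198.51.100.0/24"], "192.0.2.10")
    print(record)                      # publish with ?all while still collecting
    print("uncovered:", [str(ip) for ip in uncovered])
```

Any address left in `uncovered` is a sending IP outside the blocks gathered so far; once that list stays empty over a run of test messages, the same call with `qualifier="~"` gives the softfail record.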