Update SPF DNS record related info.
parent
d0def4810e
commit
6952855736
|
@ -24,14 +24,12 @@ in `/etc/postfix/master.cf` (on Linux/OpenBSD) or
|
|||
-o smtpd_sasl_auth_enable=yes
|
||||
-o smtpd_sasl_security_options=noanonymous
|
||||
-o smtpd_tls_security_level=may
|
||||
-o smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
|
||||
-o smtpd_sender_restrictions=permit_sasl_authenticated,reject
|
||||
```
|
||||
|
||||
* `2525` is the new port number for smtp service, you're free to change it to
|
||||
your favourite port number.
|
||||
* `smtpd_tls_security_level=may` allows both secure (TLS) and insecure connections.
|
||||
* Restriction rule `permit_mynetworks` will allow clients listed in Postfix
|
||||
parameter `mynetworks` to send email __WITHOUT__ smtp auth.
|
||||
|
||||
Restarting Postfix service is required. After restarting, you can check whether
|
||||
it's listening on this new port:
|
||||
|
|
|
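Review bot: The context line `-o smtpd_tls_security_level=may` stays in this service definition, so with `permit_sasl_authenticated,reject` now the only way to send on this port, every client has to authenticate and can still do so over a cleartext connection. Consider `-o smtpd_tls_security_level=encrypt` here (or `-o smtpd_tls_auth_only=yes`), and update the bullet that says `may` allows insecure connections. Dropping `permit_mynetworks` is also a behaviour change for existing setups, and the commit message, which only mentions SPF, does not cover it.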
@ -125,7 +125,7 @@ be delivered to server `mail.mydomain.com`.
|
|||
|
||||
SPF is a spam and phishing scam fighting method which uses DNS SPF-records to
|
||||
define which hosts are permitted to send e-mails for a domain. For details on
|
||||
SPF, please see [http://www.openspf.org/](http://www.openspf.org/)
|
||||
SPF, please check [wikipedia](https://en.wikipedia.org/wiki/Sender_Policy_Framework).
|
||||
|
||||
This works by defining a DNS SPF-record for the e-mail domain name specifying
|
||||
which hosts (e-mail servers) are permitted to send e-mail from the domain name.
|
||||
|
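Review bot: The unchanged sentences in this hunk still say "uses DNS SPF-records" and "defining a DNS SPF-record", while the rewritten setup section in the same commit states that SPF is a TXT type DNS record. Reword both to something like "SPF records published as DNS TXT records" so the two sections agree on what the reader has to create.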
@ -136,33 +136,33 @@ IP address.
|
|||
|
||||
### How to setup the SPF record
|
||||
|
||||
A new SPF-record type was recently added to the DNS protocol to support this
|
||||
([RFC4408](http://www.rfc-editor.org/rfc/rfc4408.txt)).
|
||||
|
||||
However not all DNS and e-mail servers support this new record type yet, so
|
||||
SPF can also be configured in DNS using the TXT-record type.
|
||||
|
||||
Examples:
|
||||
|
||||
* SPF record refer to MX record. It means emails sent from all servers defined
|
||||
in MX record of `mydomain.com` are permitted by sender organization.
|
||||
SPF is a TXT type DNS record, you can list IP address(es) or MX domains in it.
|
||||
For example:
|
||||
|
||||
```
|
||||
mydomain.com. 3600 IN TXT "v=spf1 mx mx:mydomain.com -all"
|
||||
mydomain.com. 3600 IN TXT "v=spf1 mx -all"
|
||||
```
|
||||
|
||||
This SPF record means emails sent from all servers defined in MX record of
|
||||
`mydomain.com` are permitted to send as `someone@mydomain.com`.
|
||||
|
||||
* or SPF record refer to IP address directly. it means emails sent from
|
||||
specified IP address are permitted by sender organization.
|
||||
`-all` means prohibit emails sent from all other servers. If it's too strict
|
||||
for you, you can use `~all` instead which means soft fail (uncertain).
|
||||
|
||||
You can specify IP address(es) directly too:
|
||||
|
||||
```
|
||||
mydomain.com. 3600 IN TXT "v=spf1 ip4:192.168.1.100 -all"
|
||||
mydomain.com. 3600 IN TXT "v=spf1 ip4:111.111.111.111 ip4:111.111.111.222 -all"
|
||||
```
|
||||
|
||||
`-all` means prohibit all others.
|
||||
Of course you can have them both or more in same record:
|
||||
|
||||
```
|
||||
mydomain.com. 3600 IN TXT "v=spf1 mx ip4:111.111.111.222 -all"
|
||||
```
|
||||
|
||||
There're more valid mechanisms available, please check
|
||||
[OpenSPF web site](http://www.openspf.org/SPF_Record_Syntax) for more details.
|
||||
[wikipedia](https://en.wikipedia.org/wiki/Sender_Policy_Framework) for more details.
|
||||
|
||||
## DKIM record for the mail domain name {: id="dkim" }
|
||||
|
||||
|
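Review bot: The new examples `ip4:111.111.111.111 ip4:111.111.111.222` use publicly routable addresses where the old example used `192.168.1.100`, so a reader who copies the record verbatim authorizes hosts they do not control. Use a documentation range such as `192.0.2.0/24` or `198.51.100.0/24` (RFC 5737) instead. Since three separate `v=spf1` TXT lines are shown for `mydomain.com.`, it is also worth stating that a domain must publish exactly one SPF record. With the RFC4408 link removed, a link to RFC 7208 next to Wikipedia would keep a normative reference for the "more valid mechanisms" sentence.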
@ -388,6 +388,5 @@ take a look:
|
|||
|
||||
## References
|
||||
|
||||
* [http://en.wikipedia.org/wiki/MX_record](http://en.wikipedia.org/wiki/MX_record)
|
||||
* [http://www.openspf.org/](http://www.openspf.org/)
|
||||
* [wikipedia: Sender Policy Framework](https://en.wikipedia.org/wiki/Sender_Policy_Framework)
|
||||
* [http://www.dkim.org/](http://www.dkim.org/)
|
||||
|
|
|
@ -46,15 +46,13 @@ in <code>/etc/postfix/master.cf</code> (on Linux/OpenBSD) or
|
|||
-o smtpd_sasl_auth_enable=yes
|
||||
-o smtpd_sasl_security_options=noanonymous
|
||||
-o smtpd_tls_security_level=may
|
||||
-o smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
|
||||
-o smtpd_sender_restrictions=permit_sasl_authenticated,reject
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li><code>2525</code> is the new port number for smtp service, you're free to change it to
|
||||
your favourite port number.</li>
|
||||
<li><code>smtpd_tls_security_level=may</code> allows both secure (TLS) and insecure connections.</li>
|
||||
<li>Restriction rule <code>permit_mynetworks</code> will allow clients listed in Postfix
|
||||
parameter <code>mynetworks</code> to send email <strong>WITHOUT</strong> smtp auth.</li>
|
||||
</ul>
|
||||
<p>Restarting Postfix service is required. After restarting, you can check whether
|
||||
it's listening on this new port:</p>
|
||||
|
|
|
@ -156,35 +156,32 @@ be delivered to server <code>mail.mydomain.com</code>.</p>
|
|||
<h3 id="what-is-a-spf-record">What is a SPF record</h3>
|
||||
<p>SPF is a spam and phishing scam fighting method which uses DNS SPF-records to
|
||||
define which hosts are permitted to send e-mails for a domain. For details on
|
||||
SPF, please see <a href="http://www.openspf.org/">http://www.openspf.org/</a></p>
|
||||
SPF, please check <a href="https://en.wikipedia.org/wiki/Sender_Policy_Framework">wikipedia</a>.</p>
|
||||
<p>This works by defining a DNS SPF-record for the e-mail domain name specifying
|
||||
which hosts (e-mail servers) are permitted to send e-mail from the domain name.</p>
|
||||
<p>Other e-mail servers can lookup this record when receiving an e-mail from this
|
||||
domain name to verify that sending e-mail server is connecting from a permitted
|
||||
IP address.</p>
|
||||
<h3 id="how-to-setup-the-spf-record">How to setup the SPF record</h3>
|
||||
<p>A new SPF-record type was recently added to the DNS protocol to support this
|
||||
(<a href="http://www.rfc-editor.org/rfc/rfc4408.txt">RFC4408</a>).</p>
|
||||
<p>However not all DNS and e-mail servers support this new record type yet, so
|
||||
SPF can also be configured in DNS using the TXT-record type.</p>
|
||||
<p>Examples:</p>
|
||||
<ul>
|
||||
<li>SPF record refer to MX record. It means emails sent from all servers defined
|
||||
in MX record of <code>mydomain.com</code> are permitted by sender organization.</li>
|
||||
</ul>
|
||||
<pre><code>mydomain.com. 3600 IN TXT "v=spf1 mx mx:mydomain.com -all"
|
||||
<p>SPF is a TXT type DNS record, you can list IP address(es) or MX domains in it.
|
||||
For example:</p>
|
||||
<pre><code>mydomain.com. 3600 IN TXT "v=spf1 mx -all"
|
||||
</code></pre>
|
||||
|
||||
<ul>
|
||||
<li>or SPF record refer to IP address directly. it means emails sent from
|
||||
specified IP address are permitted by sender organization.</li>
|
||||
</ul>
|
||||
<pre><code>mydomain.com. 3600 IN TXT "v=spf1 ip4:192.168.1.100 -all"
|
||||
<p>This SPF record means emails sent from all servers defined in MX record of
|
||||
<code>mydomain.com</code> are permitted to send as <code>someone@mydomain.com</code>.</p>
|
||||
<p><code>-all</code> means prohibit emails sent from all other servers. If it's too strict
|
||||
for you, you can use <code>~all</code> instead which means soft fail (uncertain).</p>
|
||||
<p>You can specify IP address(es) directly too:</p>
|
||||
<pre><code>mydomain.com. 3600 IN TXT "v=spf1 ip4:111.111.111.111 ip4:111.111.111.222 -all"
|
||||
</code></pre>
|
||||
|
||||
<p>Of course you can have them both or more in same record:</p>
|
||||
<pre><code>mydomain.com. 3600 IN TXT "v=spf1 mx ip4:111.111.111.222 -all"
|
||||
</code></pre>
|
||||
|
||||
<p><code>-all</code> means prohibit all others.</p>
|
||||
<p>There're more valid mechanisms available, please check
|
||||
<a href="http://www.openspf.org/SPF_Record_Syntax">OpenSPF web site</a> for more details.</p>
|
||||
<a href="https://en.wikipedia.org/wiki/Sender_Policy_Framework">wikipedia</a> for more details.</p>
|
||||
<h2 id="dkim">DKIM record for the mail domain name</h2>
|
||||
<h3 id="what-is-a-dkim-record">What is a DKIM record</h3>
|
||||
<p>DKIM allows an organization to take responsibility for a message in a way that
|
||||
|
@ -393,8 +390,7 @@ take a look:</p>
|
|||
</ul>
|
||||
<h2 id="references">References</h2>
|
||||
<ul>
|
||||
<li><a href="http://en.wikipedia.org/wiki/MX_record">http://en.wikipedia.org/wiki/MX_record</a></li>
|
||||
<li><a href="http://www.openspf.org/">http://www.openspf.org/</a></li>
|
||||
<li><a href="https://en.wikipedia.org/wiki/Sender_Policy_Framework">wikipedia: Sender Policy Framework</a></li>
|
||||
<li><a href="http://www.dkim.org/">http://www.dkim.org/</a></li>
|
||||
</ul><div class="footer">
|
||||
<p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
|
||||
|
|