SRS can work without SPF, but not vice versa, i.e., issues with forwards may arise if SPF is implemented
- DNS TXT records;
- SMTP server.
DNS TXT Records
Once the SPF resource is enabled in H-Sphere, DNS TXT records will be provided for each A and MX records in
DNS TXT records have the following format:
domain.com IN TXT "v=spf1 spf_string"
Here, spf1 is SPF version, and spf_string takes the combination of the so-called mechanisms:
"a, ptr, mx, ip4, include, all". all is a finalizing mechanism and must be placed at the end.
Please read more explanations on mechanisms in TXT DNS records.
Each mechanism may have a prefix pointing to a certain type of processing messages:
- fail (message is rejected)
~ softfail (message is passed with warning)
+ pass (message is passed - the default prefix value)
Thus, the simplest SPF record will be:
domain.com IN TXT "v=spf1 -all"
It means that you deny sending any mail from this domain, i.e., you may use this domain for any hosting except mail hosting.
(-all is thus somewhat similar to deny all in Apache).
Consider the following record:
domain.com IN TXT "v=spf1 mx a:test.com/24 ptr:test2.com -all"
If a message is sent with MAIL FROM: firstname.lastname@example.org and from the client IP 126.96.36.199, SMTP server will check:
a) whether test3.com MX records (at least one of them) are resolved to IP 188.8.131.52;
b) whether the IP 184.108.40.206 is in a test.com's IP subnet (mask 255.255.255.0);
c) whether the PTR record for IP 220.127.116.11 is resolved to test2.com;
If none of the above conditions are met, then the last directive -all meaning "deny all other" takes effect,
and the message will be rejected.
The include directive is used if you wish to delegate SPF check for another domain, for example:
"v=spf1 include:example.net -all"
At the level of qmail server, the following SMTP parameters should be configured
in respective files in /var/qmail/control directory:
For more details, refer to Qmail Configuration and
SPF Implementation for Qmail.
SRS (Sender Re-write Scheme)
SRS mechanism is used in two cases:
- To form SRS-compliant mail address for forwarding messages via forward mail resources,
in accordance with SRS convention;
- To form reverse SRS-compliant reverse mail address in case of reply.
H-Sphere provides the following Qmail controls for SRS
(they are located in the /var/qmail/control/srs/ directory):
SRS secrets files: reverse_srs_secrets (for reverse mail) and srs_secrets (for forwards).
These files contain a set of lines with keys, each key in a separate line.
These keys, called secrets, are used to validate hash from SRS formatted e-mail address.
The most recent key is on top of the list. Qmail takes it first when checking SRS address,
and if it doesn't fit, Qmail takes these keys one after another. If none fit, the message will be rejected.
The revers_srs_secrets file has 400 permissions and vpopmail:vchkpw ownership.
The srs_secrets file has 400 permissions and qmaill:qmail ownership.
srs_maxage - an integer value for the maximum permitted age of a rewritten address.
SRS rewritten addresses expire after a specified number of days
after which it is assumed no more bounces may be generated in response to the original mail. Mail sent to
expired SRS address is dropped without ceremony.
The default (about a month) should be appropriate for all purposes.
The script /var/qmail/bin/setsrssecret runs as cron on mail servers to set these controls.