Score:0

SPF records. Allow HELO/EHLO but not sending emails


I have a mail server, let's say mail.example.com. The PTR records connect mail.example.com with my server's IPs (IPv4, v6). The HELO/EHLO response is mail.example.com.

Now I want to send letters like [email protected]. Let's say I set:

MX mail.example.com
@ TXT v=spf1 mx ~all
mail TXT v=spf1 a ~all

It's said I should have SPFs for subdomains to protect them from spoofing:

www TXT v=spf1 -all

Let's say I don't want letters like [email protected] to be sent. But I can't have a second record like:

mail TXT v=spf1 -all

It would prevent HELO/EHLO validation.

Also I have CNAMEs like autoconfig/autodiscover for mail. So they aren't protected either.

Is there a way to allow HELO/EHLO validation but disallow sending emails from those subdomains?

Reinto:
Why would you allow your mail server to send out emails from `example.com`, but not from `mail.example.com` as domain portion of the sender address (from an SPF perspective)? You can put in place other restrictions at the mail server to disallow mails from other domains.
Роман Коптев:
@Reinto I have put restrictions on other subdomains like SPF v=spf1 -all (for *, www, ipv6, www6 etc.). But I can't do it for mail, autoconfig and autodiscover, because mail should validate HELO, and the others are CNAMEs for it.
Reinto:
I understand the reasoning for wildcard and subdomain restrictive SPF records, where you know the domain is not being used for email. However, I don't understand why you don't want something like `v=spf1 a -all` for your server hostname. This will allow only your mail server to be able to send on behalf of your subdomain. Even if it is not supposed to.
Reinto:
In regards to the CNAME records: If you control the target domain for the CNAME, you can host a TXT record there for SPF purposes.
Роман Коптев:
@Reinto I use a mailcow installation. In the default installation it is supposed to send mails from example.com as I described. They need spf mx or ip4/ip6, for example, for the from record validation. The mailserver with the web UI is simply on the mail subdomain (I don't use imap, smtp etc. subdomains for simplicity). So mail.example.com needs spf a or ip4/ip6 or something for HELO validation. Yes, I control all the domains. It requires autoconfig/autodiscover to be CNAMEs for mail.example.com. And it obviously has spf a ~all for it.
Роман Коптев:
@Reinto SPF is being used to validate both the envelope from and HELO. The from refers to example.com. The HELO refers to mail.example.com. It's a rather classic installation. And I have a web portal unrelated to the mailserver on example.com. Even if I move my mailserver to example.com, I don't see a way to prohibit mails from autoconfig/autodiscover that point to mail, which serves the webmail UI and well-known endpoints simultaneously.
Роман Коптев:
I guess it's impossible to prohibit mails, but because SPF for the mail domain exists, somebody can't spoof this subdomain. It's connected to my server IP anyway.
Reinto:
With your current setup, only your mail server is allowed to send emails from those subdomains you mentioned. I would say that is an acceptable result, but it's not my infrastructure.
Score:0

If we understand you correctly, this will help you. Set the SPF record for your main domain:

mail.example.com TXT "v=spf1 mx -all"

And create one more SPF record for subdomain:

www.example.com TXT "v=spf1 redirect=mail.example.com"

For any CNAMEs, create SPF records that also redirect to the main domain's SPF record:

autoconfig.example.com TXT "v=spf1 redirect=mail.example.com"
autodiscover.example.com TXT "v=spf1 redirect=mail.example.com"
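A small SPF evaluator, added here as an illustration and not part of the thread, that checks the HELO identity and the MAIL FROM identity separately against a constructed zone holding the records discussed above (the question's `v=spf1 mx ~all`, `v=spf1 a ~all` and `v=spf1 -all`, and the answer's `redirect=`). The addresses, the zone layout and the evaluator itself are assumptions; only the a, mx, ip4, ip6, all and redirect= terms of RFC 7208 are implemented.

```python
import ipaddress

# Constructed zone for this example (not real DNS data): the records discussed in the
# thread plus assumed addresses for the mail host.
ZONE = {
    "A": {"mail.example.com": ["192.0.2.10"]},
    "AAAA": {"mail.example.com": ["2001:db8::10"]},
    "MX": {"example.com": ["mail.example.com"]},
    "TXT": {
        "example.com": "v=spf1 mx ~all",
        "mail.example.com": "v=spf1 a ~all",
        "www.example.com": "v=spf1 -all",
        "autoconfig.example.com": "v=spf1 redirect=mail.example.com",
    },
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def host_ips(name):
    """A and AAAA addresses of a host in the constructed zone."""
    return [ipaddress.ip_address(a) for a in ZONE["A"].get(name, []) + ZONE["AAAA"].get(name, [])]

def check_spf(ip, domain, depth=0):
    """Evaluate one SPF identity (RFC 7208 subset: a, mx, ip4, ip6, all, redirect=)."""
    if depth > 10:  # bound redirect chains, in the spirit of the RFC's DNS-lookup limit
        return "permerror"
    record = ZONE["TXT"].get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    addr, redirect = ipaddress.ip_address(ip), None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]  # consulted only if no mechanism matches
            continue
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        matched = (
            mech == "all"
            or (mech == "a" and addr in host_ips(arg or domain))
            or (mech == "mx" and any(addr in host_ips(mx) for mx in ZONE["MX"].get(arg or domain, [])))
            or (mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False))
        )
        if matched:
            return QUALIFIERS[qual]
    return check_spf(ip, redirect, depth + 1) if redirect else "neutral"

def check_session(ip, helo, mail_from):
    """Receiver view: the HELO hostname and the MAIL FROM domain are checked as separate identities."""
    return check_spf(ip, helo), check_spf(ip, mail_from.rsplit("@", 1)[1])
```

Because both identities are evaluated by the same mechanism, a `v=spf1 a ~all` record that lets the host pass its HELO check also lets MAIL FROM `@mail.example.com` pass from the same IP, while swapping it for `v=spf1 -all` makes the HELO check fail; that is the trade-off the question describes.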