Join Log in
Score:0
Роман Коптев avatar Server

SPF records. Allow HELO/EHLO but not sending emails

th flag
Роман Коптев

I have a mail server, let's say mail.example.com The PTR records connect mail.example.com with my server's ips (ipv4,v6). The HELO/EHLO response is mail.example.com

Now I want to send letters like [email protected]. Let's say I set MX mail.example.com @ TXT v=spf1 mx ~all mail TXT v=spf1 a ~all

It's said I should have SPF's for subdomains to protect them from spoofing: www TXT v=spf1 -all

Let's say I don't want letters lile [email protected] to be sent. But I can't have second record like: mail TXT v=spf1 -all And it would prevent HELO/EHLO validation.

Also I have CNAME's like autoconfig/autodiscover for mail. So they aren't protected too.

Is there way to allow HELO/EHLO validation but disallow sending emails from those subdomains?

115
1 + 8
spf
Reinto avatar
es flag
Reinto
Why would you allow your mail server to send out emails from `example.com`, but not from `mail.example.com` as domain portion of the sender address (from an SPF perspective)? You can put in place other restrictions at the mail server to disallow mails from other domains.
0
Reply
Роман Коптев avatar
th flag
Роман Коптев
@Reinto I have put restrictions to other subdomains like spf v=spf1 -all (for *, www, ipv6, www6 etc.). But I can't do it for mail, autoconfig and autodiscover, because mail should validate HELO, and others are CNAME for it
0
Reply
Reinto avatar
es flag
Reinto
I understand the reasoning for wildcard and subdomain restrictive SPF records, where you know the domain is not being used for email. However, I don't understand why you don't want something like `v=spf1 a -all` for your server hostname. This will allow only your mail server to be able to send on behalf of your subdomain. Even if it is not supposed to.
0
Reply
Reinto avatar
es flag
Reinto
In regards to the CNAME records: If you control the target domain for the CNAME, you can host a TXT record there for SPF purposes.
0
Reply
Роман Коптев avatar
th flag
Роман Коптев
@Reinto I use mailcow installation. It's supposed in default installation mails from example.com as I described. They needs spf mx or ip4/ip6 for example for from record validation. The mailserver with web ui simple on mail subdomain (I don't use imap, smtp etc subdomains for simplicity). So mail.example.com needs spf a or ip4/ip6 or something for HELO validation. Yes I control all the domains. It requires autoconfig/autodiscover to be CNAME for mail.example.com. And it obviously has spf a ~all for it.
0
Reply
Роман Коптев avatar
th flag
Роман Коптев
@Reinto SPF is being used to validate both envelope from and HELO. The from refers to example.com. The HELO refers to mail.example.com. It's rather classic installation. And I have a nonrelated to mailserver webportal on the example.com. Even if I move my mailserver to example.com I don't see ways to prohibit mails from autoconfig/autodiscover that points to mail that serves webmail ui and wellknown endpoints simultaneously.
0
Reply
Роман Коптев avatar
th flag
Роман Коптев
I guess it's impossible to prohibit mails, but because spf for mail domain exists sombody can't spoof this subdomain. It's connected to my server ip any way.
0
Reply
Reinto avatar
es flag
Reinto
With your current setup, only your mail server is allowed to send emails from those subdomains you mentioned. I would say that is an acceptable result, but it's not my infrastructure.
0
Reply
Score:0
VSYS Host avatar Server
cu flag
VSYS Host

If we understand you correctly, this will help you: Set the SPF record for your main domain:

mail.example.com TXT "v=spf1 mx -all"

And create one more SPF record for subdomain:

www.example.com TXT "v=spf1 redirect=mail.example.com"

For any CNAMEs, create SPF records that also redirect to the main domain's SPF record:

autoconfig.example.com TXT "v=spf1 redirect=mail.example.com"
autodiscover.example.com TXT "v=spf1 redirect=mail.example.com"
+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.