Ticket #2052 (closed defect: fixed)

Opened 9 months ago

Last modified 9 months ago

SPF registry error

Reported by: anonymous
Owned by: kilburn
Priority: critical
Milestone: ispCP ω 1.1.0
Component: Config Files
Version: ispCP ω nightly build
Severity: Easy
Keywords:
Cc:

Description

I've been testing and I do not know if I am right:

First, the primary IP server is the IP A.A.A.A.

The SPF record that is created with each domain is created on the IP the domain is. Then:

- I create domain.com on IP A.A.A.A. The SPF record is on IP A.A.A.A. Correct.

- I create domain.es on the IP B.B.B.B. The SPF record is on IP B.B.B.B. Wrong. It should be the primary IP (A.A.A.A) that the SPF record is created on, because that is the one responsible for sending the emails, the IP that the mail server (Postfix) uses.

Am I right?

The solution? Change the template where the SPF record is created to ALWAYS use the main server IP address (A.A.A.A), even if the domain has been created on B.B.B.B.

Regards.

Change History

Changed 9 months ago by kilburn

First of all, I have to say that I understand your issue and why you think it's a bug. Now, the problem is: how does the panel know which is the main server IP?

It's probably the one that you used to install, but it may also be another one...

So, to make it work in all cases, we would have to ask for it during the installation. Obviously, another possibility is to properly document the issue and suggest that the admin modify the DNS templates according to his/her needs.

What do you think?

Changed 9 months ago by anonymous

Sorry for this 4-day delay.

I think that at installation, the main IP address is the IP where the panel is being installed. In this case, all SPF registries of any domain would aim at this IP.

Also, the installation can ask which main IP Postfix will use to send emails. The default option is the main IP address. The IP entered here by the admin will be the one that all SPF registries of all IP addresses aim at.

In general, this will be correct, because the main IP of the panel will usually be the main server IP address and, in other cases, the question can help the administrator to decide (or ask for help on the wiki, for example). What do you think?

Changed 9 months ago by anonymous

Hi again,

Anyway, the SPF record is actually wrong, and... all email servers could send our mails to junk mailboxes or... blacklist our server because the SPF record isn't the same as our Postfix sender IP.

By default, the SPF record must be on one IP per server, the same IP on all domains.

Regards.

Changed 9 months ago by kilburn

  • owner set to kilburn
  • status changed from new to assigned

[Message from adriangam (thanks!), posted by me because public comments in trac are disabled right now]

There's a very good solution:

Add two ip4 addresses to the SPF record like this:

{DMN_NAME}. IN TXT "v=spf1 a mx ip4:{DMN_IP} ip4:{BASE_SERVER_IP} ~all"

I think that this is the perfect solution. Add the domain IP address and the server main IP address. I've modified this on:

/etc/ispcp/bind/parts/db_e.tpl
/etc/ispcp/bind/parts/db_master_e.tpl

This says that only ip4:{DMN_IP} and ip4:{BASE_SERVER_IP} can send emails from this domain. The "only" is because of ~all.

Changed 9 months ago by kilburn

On the one hand, adriangam's solution is not perfect because someone might be using a different IP than both {BASE_SERVER_IP} and {DMN_IP} to send mails. Anyways, this exception is so strange that I would simply ignore it because people using such configuration should be well capable of adjusting the SPF settings themselves.

On the other hand, it maintains all the currently well-working cases and corrects some currently failing ones. Therefore, if nobody is against it, I'll commit his proposed changes by tomorrow :)

Changed 9 months ago by kilburn

  • status changed from assigned to closed
  • resolution set to fixed

Committed in r2114. Thanks adriangam!

Changed 9 months ago by benedikt

  • milestone changed from Working to ispCP ω 1.1.0
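
The effect of the template change discussed in this ticket, as an added example (not ispCP code): a small evaluator for the `a`, `mx`, `ip4` and `all` SPF mechanisms, run against the rendered record with the mail leaving from the main server IP. The sample addresses, the pre-fix template text and the assumption that the domain's A and MX names resolve to {DMN_IP} are not from the ticket.

```python
import ipaddress

# Constructed sample addresses (documentation ranges) standing in for the
# ticket's A.A.A.A (main server IP, where Postfix sends from) and B.B.B.B.
BASE_SERVER_IP = "192.0.2.10"
DMN_IP = "198.51.100.20"

# OLD_TPL is an assumed pre-fix record (domain IP only); NEW_TPL is the
# record text proposed in the ticket.
OLD_TPL = "v=spf1 a mx ip4:{DMN_IP} ~all"
NEW_TPL = "v=spf1 a mx ip4:{DMN_IP} ip4:{BASE_SERVER_IP} ~all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def render(tpl, dmn_ip, base_ip):
    return tpl.replace("{DMN_IP}", dmn_ip).replace("{BASE_SERVER_IP}", base_ip)

def check_spf(record, sender_ip, a_hosts, mx_hosts):
    """Evaluate a subset of SPF (a, mx, ip4, all) left to right.

    a_hosts / mx_hosts are the addresses the domain's A and MX names
    resolve to, passed in so the check runs without DNS lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    sender = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif name == "a" and not arg:
            matched = sender_ip in a_hosts
        elif name == "mx" and not arg:
            matched = sender_ip in mx_hosts
        else:
            raise ValueError(f"mechanism not handled here: {term}")
        if matched:
            return QUALIFIERS[qual]  # first matching mechanism decides
    return "neutral"  # no mechanism matched

if __name__ == "__main__":
    hosts = {DMN_IP}  # assumption: A and MX of the domain point at DMN_IP
    for label, tpl in (("old", OLD_TPL), ("new", NEW_TPL)):
        rec = render(tpl, DMN_IP, BASE_SERVER_IP)
        print(label, rec, "->", check_spf(rec, BASE_SERVER_IP, hosts, hosts))
```

A sender on neither address still falls through to `~all`, which is the remaining case kilburn mentions above.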