I have a mail server, let's say mail.example.com. The PTR records connect mail.example.com with my server's IPs (IPv4, IPv6). The HELO/EHLO response is mail.example.com.

Now I want to send letters like user@example.com. Let's say I set:

  • MX mail.example.com
  • @ TXT `v=spf1 mx ~all`
  • mail TXT `v=spf1 a ~all`

It's said I should have SPFs for subdomains to protect them from spoofing: www TXT `v=spf1 -all`

Let's say I don't want letters like user@mail.example.com to be sent. But I can't have a second record like mail TXT `v=spf1 -all`, and it would prevent HELO/EHLO validation.

Also I have CNAMEs like autoconfig/autodiscover for mail. So they aren't protected either.

Is there a way to allow HELO/EHLO validation but disallow sending emails from those subdomains?

  • Why would you allow your mail server to send out emails from `example.com`, but not from `mail.example.com` as domain portion of the sender address (from an SPF perspective)? You can put in place other restrictions at the mail server to disallow mails from other domains. – Reinto Jun 16 '23 at 07:19
  • @Reinto I have put restrictions on other subdomains like SPF `v=spf1 -all` (for *, www, ipv6, www6 etc.). But I can't do it for mail, autoconfig and autodiscover, because mail should validate HELO, and the others are CNAMEs for it – Роман Коптев Jun 16 '23 at 11:22
  • I understand the reasoning for wildcard and subdomain restrictive SPF records, where you know the domain is not being used for email. However, I don't understand why you don't want something like `v=spf1 a -all` for your server hostname. This will allow only your mail server to be able to send on behalf of your subdomain. Even if it is not supposed to. – Reinto Jun 16 '23 at 15:25
  • In regards to the CNAME records: If you control the target domain for the CNAME, you can host a TXT record there for SPF purposes. – Reinto Jun 16 '23 at 15:29
  • @Reinto I use a mailcow installation. In the default installation it's supposed to send mails from example.com as I described. They need SPF `mx` or `ip4`/`ip6`, for example, for From record validation. The mail server with the web UI is simply on the mail subdomain (I don't use imap, smtp etc. subdomains for simplicity). So mail.example.com needs SPF `a` or `ip4`/`ip6` or something for HELO validation. Yes, I control all the domains. It requires autoconfig/autodiscover to be CNAMEs for mail.example.com. And it obviously has SPF `a ~all` for it. – Роман Коптев Jun 16 '23 at 23:42
  • @Reinto SPF is being used to validate both the envelope from and HELO. The from refers to example.com. The HELO refers to mail.example.com. It's a rather classic installation. And I have a web portal unrelated to the mail server on example.com. Even if I move my mail server to example.com I don't see ways to prohibit mails from autoconfig/autodiscover that point to mail, which serves the webmail UI and well-known endpoints simultaneously. – Роман Коптев Jun 16 '23 at 23:54
  • I guess it's impossible to prohibit mails, but because SPF for the mail domain exists somebody can't spoof this subdomain. It's connected to my server IP anyway. – Роман Коптев Jun 17 '23 at 03:56
  • With your current setup, only your mail server is allowed to send emails from those subdomains you mentioned. I would say that is an acceptable result, but it's not my infrastructure. – Reinto Jun 18 '23 at 10:44

1 Answer

If we understand you correctly, this will help you: Set the SPF record for your main domain:

mail.example.com TXT "v=spf1 mx -all"

And create one more SPF record for subdomain:

www.example.com TXT "v=spf1 redirect=mail.example.com"

For any CNAMEs, create SPF records that also redirect to the main domain's SPF record:

autoconfig.example.com TXT "v=spf1 redirect=mail.example.com"
autodiscover.example.com TXT "v=spf1 redirect=mail.example.com"
VSYS Host
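As an added illustration (not part of the question or the answer above), a small SPF evaluator over a constructed zone shows the trade-off discussed in the thread: the HELO identity `mail.example.com` only passes when its record contains an `a`/`ip4` mechanism matching the server, so the same name cannot also carry a bare `-all`, and the `redirect=` records from the answer simply inherit that verdict. The hostnames and IPs are constructed placeholders, and only the mechanisms `a`, `mx`, `ip4`, `ip6`, `all` and the `redirect=` modifier are implemented (no `include`, macros or DNS lookup limits).

```python
import ipaddress

# Constructed zone data standing in for DNS (placeholder names and IPs).
SERVER_IP = "192.0.2.10"
ZONE = {
    "A": {"mail.example.com": [SERVER_IP]},
    "MX": {"example.com": ["mail.example.com"]},
    "TXT": {
        "example.com": "v=spf1 mx ~all",          # MAIL FROM domain
        "mail.example.com": "v=spf1 a ~all",      # HELO/EHLO hostname
        "www.example.com": "v=spf1 -all",         # never sends mail
        "autoconfig.example.com": "v=spf1 redirect=mail.example.com",
    },
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _matches(term, domain, ip):
    """Return True if a single SPF mechanism matches the sending IP."""
    name, _, arg = term.partition(":")
    ip = ipaddress.ip_address(ip)
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return str(ip) in ZONE["A"].get(arg or domain, [])
    if name == "mx":
        hosts = ZONE["MX"].get(arg or domain, [])
        return any(str(ip) in ZONE["A"].get(h, []) for h in hosts)
    raise ValueError(f"unsupported mechanism {name}")

def check_spf(domain, ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `ip`.
    `domain` is either the HELO/EHLO hostname or the MAIL FROM domain."""
    record = ZONE["TXT"].get(domain)
    if record is None:
        return "none"
    if not record.startswith("v=spf1") or depth > 10:
        return "permerror"
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        if _matches(term.lstrip("+-~?"), domain, ip):
            return QUALIFIERS[qualifier]
    # redirect= is only consulted when no mechanism matched (RFC 7208 s.6.1)
    return check_spf(redirect, ip, depth + 1) if redirect else "neutral"
```

Running `check_spf("mail.example.com", SERVER_IP)` returns "pass" for the HELO check, while the same name from any other IP yields "softfail" and `www.example.com` yields "fail".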