debug linux daemon in remote server

Using GNU screen + gdb utility to debug daemon software in remote machine

 

# Launch the daemon service

/etc/init.d/dnsproxy start

 

# Create a screen session, say dns

screen -dmS dns

 

# Attach to the screen session

screen -r dns

 

# Launch gdb with in the session

gdb

attach xxxx

c

 

# Detach the screen session

Ctrl+A+D

 

 

# Debug code with gdb by Attaching to the screen session second time

screen -r dns

Disable openvpn on mycloud

OpenVpn service is used by wd/mycloud for their cloud access.

Lot’s of openvpn services will be launched,   as different user will have different OpenVpn service,  and different share will have different openvpn service

 

Solution:   Disable western digital cloud access from local dashboard

 

 

 

 

network test tool: nogotofail /Google

https://github.com/google/nogotofail

Nogotofail是一个网络安全测试工具。设计用于帮助开发人员和安全人员,以一个灵活、可扩展、功能强大的方式来识别和修复弱TLS/ SSL连接和应用与设备中的敏感明文流量。它测试包括对于普通SSL证书验证问题,HTTPS和TLS/ SSL库的Bug,SSL和STARTTLS剥离的问题,明文的问题,等等。

Nogotofail只依赖于Python的2.7和pyOpenSSL>=0.13。

 

寻找并删除Git记录中的大文件

http://www.tuicool.com/articles/vAVVZrA

寻找并删除Git记录中的大文件

最近发现 HarttleLand的Git仓库 已经达到了142M,严重影响Fork和Clone。 今晨Harttle从Git记录中定位了数百个大文件并将其删除,现在仓库恢复了27M的大小。 借此机会,本文来介绍查找和重写Git记录的命令: git rev-list , git filter-branch

首先通过 rev-list 来识别仓库记录中的大文件:

git rev-list --objects --all | grep "$(git verify-pack -v .git/objects/pack/*.idx | sort -k 3 -n | tail -5 | awk '{print$1}')"

经过确认后,通过 filter-branch 来重写涉及到的所有提交:

git filter-branch -f --prune-empty --index-filter 'git rm -rf --cached --ignore-unmatch your-file-name' --tag-name-filter cat -- --all

Git仓库的存储方式

如果你熟知Git的存储方式,跳过此节。

Git仓库位于项目根目录的 .git 文件夹,其中保存了从仓库建立( git init )以来所有的代码增删。 每一个提交(Commit)相当于一个Patch应用在之前的项目上,借此一个项目可以回到任何一次提交时的文件状态。

于是在Git中删除一个文件时,Git只是记录了该删除操作,该记录作为一个Patch存储在 .git 中。 删除前的文件仍然在Git仓库中保存着。直接删除文件并提交起不到给Git仓库瘦身的效果。

在Git仓库彻底删除一个文件只有一种办法:重写(Rewrite)涉及该文件的所有提交。 幸运的是借助 git filter-branch 便可以重写历史提交,当然这也是Git中最危险的操作。 可以说比 rm -rf * 危险一万倍。

从所有提交中删除一个文件

我清楚地记得曾提交过名为 recent-badge.psd 的文件。这是一个很大的PhotoShop文件,我要把它删掉。 filter-branch 命令可以用来重写Git仓库中的提交, 利用 filter-branch--index-filter 参数便能把它从所有Git提交中删除。

$ git filter-branch -f --prune-empty --index-filter 'git rm -rf --cached --ignore-unmatch assets/img/recent-badge.psd' --tag-name-filter cat -- --all
Rewrite 2771f50d45a0293668a30af77983d87886441640 (264/982)rm 'assets/img/recent-badge.psd'
Rewrite 1a98ecb3f39e1f200e31754714eec18bc92848ce (265/982)rm 'assets/img/recent-badge.psd'
Rewrite d4e61cfb1d88187b0561d283e663b81b738df2c7 (270/982)rm 'assets/img/recent-badge.psd'
Rewrite 4ba0df06b26cf86fd39c2cda6b012c521cbc4dc1 (271/982)rm 'assets/img/recent-badge.psd'
Rewrite 242ae98060c77863f5e826ba7e1ec47

--index-filter 参数用来指定一条Bash命令,然后Git会检出(checkout)所有的提交, 执行该命令,然后重新提交。我们在提交前移除了 recent-badge.psd 文件, 这个文件便从Git的所有记录中完全消失了。

--all 参数告诉Git我们需要重写所有分支(或引用)。

寻找大文件的ID

删掉了 recent-badge.psd 后我仍不满足,我要找到所有的大文件,并把它删掉。 verify-pack 命令用来验证Git打包的归档文件,我们用它来找到那些大文件。 例如:

$ git verify-pack -v .git/objects/pack/*.idx
8fa15d279de33ce28a3289fd33951374084231e4 tree   135 137 144088922
a44a50b2ffb1f8283c8e64aafb8e7628249d7453 tree   33 43 144089059
b57d99f38fe22491e4a2d30c2b081ecb7bbb329c tree   99 97 144089102
2d4ffaffc11758d561ea1a6d57dd8ee17ee1d836 blob   644952 644959 144089199
8cf81ebfeec409f19e7a47a76517317f3bfa268d blob   695898 695871 144734158
...

-v (verbose)参数是打印详细信息。

输出的第一列是文件ID,第二列表示文件(blob)或目录(tree),第三列是文件大小。 现在得到了所有的文件ID及其大小,需要写一点Bash了!

先按照第三列排序,并取最大的5条,然后打印出每项的第一列(这一列是文件ID):

$ git verify-pack -v .git/objects/pack/*.idx | sort -k 3 -n | tail -10 | awk '{print$1}')"
f846f156d16f74243b67e3dabec58a3128744352 
4a1546e732b2e2a352b7bf220c1a22ad859abf89 
f72d04efe6d0b41b067f9fbbc62455f28d3670d2 
49bdf300ddf57d1946bc9c6570d94a38ac9d6a50 
9c073d4177af5d2e43ada41f92efb18d9462a536

现在变得到了最大的5个文件的ID,而我需要文件名才能用 filter-branch 移除它。 我现在需要文件ID和文件名的映射关系。

文件名与ID映射

rev-list 命令用来列出Git仓库中的提交,我们用它来列出所有提交中涉及的文件名及其ID。 该命令可以指定只显示某个引用(或分支)的上下游的提交。例如:

git rev-list foo bar ^baz

将会列出所有从 foobar 可到达,但从 baz 不可到达的提交。我们将会用到 rev-list 的两个参数:

  • --objects :列出该提交涉及的所有文件ID。
  • --all :所有分支的提交,相当于指定了位于 /refs 下的所有引用。

我们看看这条命令的输出:

$ git rev-list --objects --all
c252878ac09a3979a80520b82a71dc2dae4529f9
7bc7d05c6097063f531580ba4c32921464a6c456 _drafts
dcce26ed53fbb869dc7d5b71742d2f9e523bfe42 _layouts
414186c794a0d58695abb75c548bdbfec1de2763 _layouts/default.html
1934eeffe3d242375510dff28cffa6de6b3de367 _layouts/post.html
5f14647875f2177a6d37b8bfbcdb4629af595b64 _posts
6cdbb293d453ced07e6a07e0aa6e580e6a5538f4 _posts/2013-10-12-2.md
...

现在就得到了文件名(如 _posts/2013-10-12-2.md )和ID(如 6cdbb293d453ced07e6a07e0aa6e580e6a5538f4 )的映射关系。

得到文件名列表

前面我们通过 rev-list 得到了文件名-ID的对应关系,通过 verify-pack 得到了最大的5个文件ID。 用后者筛选前者便能得到最大的5个文件的文件名:

$ git rev-list --objects --all | grep "$(git verify-pack -v .git/objects/pack/*.idx | sort -k 3 -n | tail -5 | awk '{print$1}')"
f846f156d16f74243b67e3dabec58a3128744352 assets/img/recent-badge.psd
4a1546e732b2e2a352b7bf220c1a22ad859abf89 assets/img/album/me/IMG_0276.JPG
f72d04efe6d0b41b067f9fbbc62455f28d3670d2 assets/img/album/me/IMG_0389.JPG
49bdf300ddf57d1946bc9c6570d94a38ac9d6a50 assets/img/album/me/IMG_0813.JPG
9c073d4177af5d2e43ada41f92efb18d9462a536 assets/img/album/me/IMG_0891.JPG

先把上面输出存到 large-files.txt 中。还记得吗? --tree-filter 参数中我们需要给出一行的文件名列表。上述列表我们需要处理一下:

$ cat large-files.txt| awk '{print $2}' | tr '\n' ' '
assets/img/recent-badge.psd assets/img/album/me/IMG_0276.JPG assets/img/album/me/IMG_0389.JPG assets/img/album/me/IMG_0813.JPG assets/img/album/me/IMG_0891.JPG

现在便得到了一行的文件列表。把它存到 large-files-inline.txt 中。

删除所有大文件

现在得到了要删除的大文件列表 large-files-inline.txt ,把它传入到 --tree-filter 中即可:

git filter-branch -f --prune-empty --index-filter "git rm -rf --cached --ignore-unmatch `cat large-files-inline.txt`" --tag-name-filter cat -- --all

注意这里 --index-filter 的参数要用双引号,因为 cat large-files-inline.txt 还需要Bash的解析。

至此已经干掉了那些大文件,来看看瘦身了多少吧! 注意 filter-branch 之后 .git 目录下会有大量的备份。 需要克隆一份当前仓库来看效果:

git clone --no-hardlinks file:///Users/harttle/harttle.com /tmp/harttle.com

仓库大小变为25.76M了!从原来的142M!

也可以进入项目目录通过 du -d 1 -h 查看磁盘占用的大小。

当然到此为止我们更改的都是本地仓库,现在把这些改变Push到远程仓库中去!

git push origin --force --all

因为不是fast forward,所以需要指定 --force 参数。

这里的 --all 会将所有分支都推送到 origin 上。当然你也可以只推送 master 分支: git push origin master --force 。但是!如果其它远程分支有那些大文件提交的话,仍然没有瘦身!

参考阅读

How to Setup Your Own Mail Server that Will Deliver

http://blog.online-domain-tools.com/2015/02/09/how-to-setup-your-own-mail-server-that-will-deliver/

There are many reasons why you might want to have your own SMTP server. But there are also many reasons why lots of businesses outsource email sending to third party services. One of the big problems with having your own SMTP server is that it is quite hard to set the whole thing up to get a solid delivery rate. What does it mean? It means that if you just naively install an SMTP server and try to send emails through it, many of your emails will not be delivered. Moreover, you will not even know that your emails did not reach their recipients. If you have decided that you want your own SMTP server, this article will help you reach a solid delivery rate – i.e. your emails will be delivered to existing mail boxes and will not get deleted as spam. If something is not configured perfectly, your emails can be lost completely without a notice, moved to Junk folders, or not accepted for a delivery. So, if you are asking following questions: How to deliver an email? How to setup MX server? How to increase the delivery rate? Just keep reading.

Note that the methods described in this article will work for you only if you are a legitimate business and do not intend to send spam. If you do send spam, it is a good thing that your emails are not delivered, and even if you set everything properly, many of your mails will get deleted.

This article only discusses sending emails. Receiving emails with your own mail server is another wide topic. We will use the term mail server universally for all roles and names such as mail exchanger, MX host, MTA (mail transfer agent), or mail relay.

Choose the Right Software – DKIM Support is Required

You would think that every professional mail server software will simply support all features that are needed to deliver emails today. While this is true for most of the mail server software out there, this is not the case of Microsoft IIS SMTP Server. This SMTP server by itself does not include a crucial feature called DKIM (we will discuss it in a greater detail later in this article) and you can search the Internet to find many third party products that will add this feature to your IIS SMTP Server, but these are not cheap. If you are on Windows OS and unless you want to pay for having DKIM feature in your server, you want to avoid IIS SMTP Server. You can try hMailServer for example. It is free, open source, mail server and it works well, DKIM included.

Recommendation: Whatever mail server software you choose, make sure it does support DKIM.

Connection to the Internet – You Need Dedicated IP Address and PTR Record

In order to fight spam, people developed number of ways and heuristics to distinguish between trustworthy mail servers and servers used for sending spam. To have a long term excellent delivery rate and thus being able to deliver emails today, means to comply with most of these techniques. One of the feature that good mail servers do have is that they are sending emails from IP addresses with a valid reverse DNS record (PTR record).

If your mail server wants to send an email, it finds a target mail server, which is responsible to deliver messages to the given recipient’s address, and attempts to send the email through it. If the target mail server sees that the request comes from IP address without a valid PTR record, it can refuse to accept any messages from you. Many mail servers also require that the domain name in PTR record corresponds with the domain name part of the source email address of the message to be sent. For example, if you are about to send an email from xyz@example.com, you might need to have your PTR record set to something.example.com.

Moreover, some email systems go even further than that. They do not accept any email if the PTR record does not contain or start with mail, smtp, or mx. Although this limitation is not very common, you can only increase your chance to deliver your emails if your PTR record complies with it. This is sometimes called reverse hostname naming convention or rDNS naming convention. In our example with an email from xyz@example.com, you would need to set your PTR record to mail.example.com to increase your chance of delivery. In case of two mail servers, you can go with mail1.example.com and mail2.example.com and it will work just fine.

In order to be able to set a PTR record for your IP address, it is usually required that you have a dedicated IP address for your server provided by your hosting or ISP. It is highly recommended that a single IP address has at most one PTR record and this is why a shared IP address is not a good idea.

Recommendation: Make sure your server’s IP address has a valid PTR record, and that its domain name corresponds with the source email address from which you send emails. If you want to further increase your delivery rate, you may want to set your PTR record’s FQDN to start with mail, smtp, or mx.

Do Have Sender Policy Framework (SPF) Configured

Another action that the target mail server can do to verify your trustworthiness is to check your SPF record. SPF record is a TXT record in DNS that defines which hosts are allowed to send emails with source address set to a particular domain.

A SPF record is a TXT DNS record that starts with v=spf1. Then there is a list of parameters separated by spaces. The full list of parameters is described in SPF Record Syntax. There are also applications, such as SPF Wizard that will help you create your SPF record correctly.

Whatever way you construct your SPF, make sure that it is restrictive. This means that it defines a limited number of servers that are allowed to send emails on behalf of your domain, and forbids all other servers to do so. This is done by having -all as a part of your SPF record (usually at its end). What happens if you do not restrict your SPF record with -all? A minority of mail servers mail not accept your emails at all, but more likely scenario is that while counting a total spam score of your email, it will simply score worse. Another reason for having this restriction is that if someone attempts to send email pretending to be from you, it will not be delivered. If the restriction is not implemented, the attacker is more likely to succeed and have their fake mail delivered.

Examples

Let’s assume again that your domain name is example.com, and that you want to send email from address something@example.com. Let’s further assume that IP address of example.com is 198.51.100.123. Here are some examples of good SPF records:

v=spf1 a -all

This record allows your emails to be delivered by hosts which IP address is contained in A DNS records of example.com. Since we assume that its IP address is only 198.51.100.123, your mail server will have to run from this IP address.

v=spf1 a ip4:198.51.100.124 -all

This record allows your mail server to run from 198.51.100.123, or from 198.51.100.124. The .123 address is allowed by the a mechanism in the SPF record, while the .124 address is explicitly allowed by the ip4 mechanism.

v=spf1 a ip4:198.51.100.124 include:hotmail.com -all

In this example, we have extended the list of allowed servers even further. In this case, we allow Hotmail email service to send emails on our behalf too. The include mechanism requires the included domain to have its own valid SPF record. Hotmail complies with this requirement and thus hotmail.com email servers that can deliver emails for hotmail.com domain will also be allowed to deliver emails from example.com.

Recommendation: Configure your SPF record properly and restrictively.

DKIM and DomainKeys

You have probably heard about DKIM and DomainKeys. Good news is that you do not have to worry about DomainKeys. It has been replaced with DKIM entirely and not having DomainKeys is not a disadvantage today. Not having DKIM, however, is a very serious problem which will kill your delivery rate. So what is DKIM?

DKIM stands for DomainKeys Identified Mail, a protocol that introduces digital signatures to email delivery systems. It is just another mechanism that the target mail server can use to verify that the incoming message is being sent by someone who is authorized to do so. If the sender passes the DKIM check, it is almost certain that the source email address is not forged. The mechanism works as follows.

  • First, you need to generate a public and a private key that will be used to sign and verify messages from your mail server.
  • Then you configure your mail server software to sign all messages it sends out with the generated key.
  • You also need to create DKIM DNS record, in which you publish your public key.
  • When your server is sending an email to the target mail server, the target mail server sees that your email is signed using DKIM, it performs DNS lookup to obtain your public key and uses it to verify the signature in the email message. If it matches, the email is more likely to be delivered.

So, how do you generate the keys? There is very simple DKIM Wizard on port25.com. Just fill in your domain name and something that is called DomainKey Selector. The selector is just any simple string you want – e.g. dkim. The wizard generates you public and private keys. Other way to generate the keys is using OpenSSL’s genrsa command.

If you have your keys, you need to configure your mail server to use the private key to sign the messages. How this is done depends entirely on which mail server software you use. So check up its manual or try to ask Google. If your mail server software supports DKIM, it should be easy to find. It should be noted here that there are two so called canonicalization algorithms called simple and relaxed. You are likely to see them as options to choose from in the configuration of your mail server software. Possibly, you might be asked to decided which algorithm to use for email headers and which for email body. These algorithms refer to a way how your email messages are signed. You do want to use the relaxed algorithm for both headers and body. The simple algorithm allows almost no modifications to the email message on its way from the sender to the recipient. This sounds great except that in the email delivering world, the message is quite likely to be modified. Various headers can be added through various anti-spam and anti-virus mechanisms or proxies, minor reformatting of the body is also possible. This means that if you choose the simple algorithm, your email is less likely to be delivered.

Now you need to create the DKIM DNS record. It is a TXT record that is usually identified with v=DKIM1. Assuming your domain is example.com and your DomainKey Selector is dkim then the name of the TXT record must be dkim._domainkey.example.com. Its value can be something as simple as the following:

v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY_HERE;

The only required parameter here is p with your public key. What you need to make sure, however, is that your record’s value does not contain t=y as this would make your record say that you are only testing DKIM and that it does not need to be respected.

If you need to know more about DKIM, continue to dkim.org.

Recommendation: Configure your mail server to sign outgoing emails using DKIM. Use relaxed canonicalization algorithm.

Create postmaster Account or Alias

RFC 5321 prescribes that every domain must have postmaster mailbox and accept emails to it. There exist mail systems that do check this before accepting an email from you. So, make sure that you create a postmaster account or at least an alias on your mail server.

Use of no-reply Address

If you use a no-reply address, from which you send emails that recipients should not reply to, your messages might have trouble to reach some mailboxes. This is because some mail servers require the source email address to exist, otherwise they refuse to deliver the message. The email verification is done using an SMTP protocol to your incoming email servers (defined in MX DNS records).

There is a discussion on whether or not it is good for your business to use no-reply address. But if you choose to use this mechanism, then you want to create a mailbox for that no-reply email address, so that it appears to be a valid address if someone checks it.

Recommendation: If you use no-reply address, create a mailbox or an alias for it.

Do Not Be Open Relay or Open Proxy

Make sure your mail server software is not configured to be an open relay or an open proxy. This would mean that you let anonymous users to send emails from your mail server. Always require users to be authenticated before they can send email through your SMTP server. The Internet is scanned by robots all the time and you can be sure that if you open your server to anonymous senders, your email server will be misused soon after it is installed. You will end up on blacklists and will be forced to restrict the access to your server.

Test Your Settings

If you have everything ready, it is time for testing your configuration. Start with checking your DKIM record, simply using DKIM Record Checker. Just fill in your selector value and your domain and submit the form.

If everything is OK, you can try to send an email to a very handy verification tool by port25.com. In order to perform the check, you need to send an email either to check-auth@verifier.port25.com or to check-auth2@verifier.port25.com. The verification result is going to be sent to you to the address specified in MAIL FROM SMTP command, if you use check-auth@verifier.port25.com. If you use the second variant – check-auth2@verifier.port25.com – the result will be sent to the address specified in From header of the email message.

The most important part of the result email that you receive will look like this:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

If this is the case then you just passed the tests and your configuration is correct. Do not worry about neutral DomainKeys check result, we have mentioned already that DomainKeys is not used anymore, DKIM is neutral result means that you do not implement that mechanism. If you fail a test, there is a detailed information included in in the result email.

However, even if you pass port25.com verifier test, it does not mean that all mail systems will consider your DKIM/SPF records as valid. This may sound weird but Microsoft’s services such as Hotmail.com or Outlook.com are actually much more sensitive to the actual syntax of DNS record values. This is why it is a good idea to make extra tests – tests with real world mail servers. You should be able to pass test with Gmail easily. Simply create an account on Gmail and send a mail to it from your mail server. Then wait until the email appears in your Gmail account and view its source (how to do this is described in Google’s help center).

In the email headers, look for the Authentication-Results header, which should look like this:

Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of something@example.com designates 198.51.100.123 as permitted sender) smtp.mail=something@example.com;
       dkim=pass header.i=@example.com

If you see there spf=pass and dkim=pass you passed the test. Other values means that something is wrong.

Now let’s do this once again, but with Hotmail account. There are many recipients that use Microsoft email services, so it is very important to make and pass this test. Send an email to your Hotmail account and view its source. Look for the Authentication-Results header. If you do not see pass values, your configuration is almost OK, just not in the format accepted by Microsoft. In that case, review values in your SPF and DKIM DNS records and make sure that you use only one space as a delimiter after semicolon, no tabs, no new lines, just one space. Also make sure there are no quotes in your record value.

Recommendation: Use port25.com verifier to check your SPF and DKIM settings, but also make a test with a real Hotmail account.

Avoid Blacklists

There exist many blacklists, commonly called DNSBL or RBL, that attempt to list servers known to send spam. Blacklists are used for automatic filtration by some mail servers, so once your IP address is on a blacklist, it may have very negative consequences to your ability to deliver your emails.

Even if you are not a spammer, it is possible that IP of your mail server appears on some blacklists. How is this possible? One of the common situations is that a network of legitimate business is infected with malware that sends spam from within their computers. One or two days of infection can easily lead to be blacklisted. Another scenario is that the static IP address, which your hosting has assigned to you, has previously been assigned to a client who sent spam. Your IP address thus could be blacklisted even before you install an operating system to your server.

Fortunately, it is easy today to know whether your IP address is blacklisted or not. You can use free mail server blacklist checker to perform a check against over a hundred of blacklists at once. If it is crucial for your business to be able to deliver an email, you might be interested in automated blacklist monitoring service that alerts you if an IP address of your mail server appears on a blacklist.

If you are not sure whether your message that you want to send out can cause you a problem or not, you might be interested in reading Controlling the Assault of Non-Solicited Pornography and Marketing Act – aka CAN-SPAM. This is United States law that regulates the sending of commercial email. Even if you are not a US business, you want to comply with this law because you can be blacklisted otherwise.

Recommendation: Check whether your IP address is blacklisted after your hosting assigns it to you, and then check it from time to time or have it monitored. Comply with CAN-SPAM.

Commercial Certification

Optionally, you can get yourself a certification from a commercial authority that will maximize your delivery rate. You will still need to implement the steps mentioned above, so you can not just buy it. If you care a lot about your delivery rate to Microsoft and Yahoo email services, you might consider buying Return Path Certification. It’s not cheap, so really consider if those emails you need to deliver to your customers using Microsoft and Yahoo services are worth a couple of thousands dollars per year. If so, go for it.

Note that without a certification, you will still be able to deliver emails to both Microsoft and Yahoo. However, some of your emails may be lost from time to time, or reach the recipient’s junk folder instead of their inbox; especially when you start sending emails from a new IP address that does not have a good long reputation yet.

Your Emails Will Be Delivered Now

That’s it! If you configured everything as recommended, you should now be able to deliver emails to most of the mail systems in the world.

Here is a quick summary of what is necessary to achieve an excellent delivery rate:

  1. Choose mail server software that supports DKIM.
  2. Run the mail server on a machine with dedicated IP address and set a valid PTR record for it that starts with “mail”, “smtp” or “mx”.
  3. Create a restrictive SPF DNS record.
  4. Generate DKIM keys, configure your mail server to use the private key to sign outgoing emails and publish the public key in DKIM DNS record.
  5. Do have postmaster account or alias.
  6. If you use no-reply address, create a mailbox or alias for it.
  7. Make sure your server is not configured to be an open relay or a proxy.
  8. Test your DKIM/SPF settings, do not forget Hotmail test.
  9. Regularly check your mail server’s IP address against blacklists. Ask for removal if you are blacklisted. Comply with CAN-SPAM.
  10. Optionally, consider buying Return Path Certification if you need high delivery rate to Microsoft and Yahoo emails.

Setup DNS server to resolve my domain

How to setup DNS server on two host  to resolve my_domain:

Login into Godaddy account

Goto the Domain Detail of mydomain:

From Host Name:

         Register two hosts into mydomain:   ns1=host1_ip,. ns2=host2_ip

From Nameservers:

        Change Setup Type from Standard to Custom

       Add the two Nameservers:  ns1.mydomain  ns2.mydomain

 

Login into host1 & host2

Setup DNS server, with the following config:

T-NS record:       ns1.mydomain, ns2.mydomain  (dns server)

T_MX record:     mx1.mydomain,  mx2.mydoamin  (email server)

T_TXT record:  “v=spf1 …”       (for email  )

“goodle-site-verification=…”    (for email, and web server)

 

SPF record for email:

“v=spf1 a a:host1.domain.net a:host2.domain.net mx ip:11.22.33.44 -all”

Only following host allowed for SMTP delivery”

host1.domain.net, host2.domain.net, 11.22.33.44, all in MX record

 

Google site notification:  (Verify domain by adding a TXT/SPF record)

Refer to:

https://www.google.com/webmasters/verification/home?hl=en

 

 How to Add PTR record for mx server:

PTR record is managed by ISP,  not the DNS supplier, such as Godaddy

Some VPS supplier support PTR record modification, such as Hostus, ComfortHost.

 

 Tool for email server check:

https://mxtoolbox.com/

SPF 记录:原理、语法及配置方法简介

https://www.renfei.org/blog/introduction-to-spf.html

SPF,全称为 Sender Policy Framework,即发件人策略框架。

当前 Email 通信,还是在使用 SMTP 这个协议。SMTP 的全称为 Simple Mail Transfer Protocol,即「简单邮件传输协议」。正如它的名字锁暗示的,SMTP 实际上是一个非常简单(甚至简陋)的传输协议,本身并没有很好的安全措施。根据 SMTP 的规则,发件人的邮箱地址是可以由发信方任意声明的。在 SMTP 协议制定的时候也许还好,但在垃圾和诈骗邮件横行的今天,这显然是极不安全的。

SPF 出现的目的,就是为了防止随意伪造发件人。

SPF 记录的原理

SPF 记录实际上是服务器的一个 DNS 记录,原理其实很简单:

假设邮件服务器收到了一封邮件,来自主机的 IP 是173.194.72.103,并且声称发件人为email@example.com。为了确认发件人不是伪造的,邮件服务器会去查询example.com的 SPF 记录。如果该域的 SPF 记录设置允许 IP 为173.194.72.103的主机发送邮件,则服务器就认为这封邮件是合法的;如果不允许,则通常会退信,或将其标记为垃圾/仿冒邮件。

因为不怀好心的人虽然可以「声称」他的邮件来自example.com,但是他却无权操作example.com的 DNS 记录;同时他也无法伪造自己的 IP 地址。因此 SPF 是很有效的,当前基本上所有的邮件服务提供商(例如 Gmail、QQ 邮箱等)都会验证它。

SPF 记录的语法

一条 SPF 记录定义了一个或者多个 mechanism,而 mechanism 则定义了哪些 IP 是允许的,哪些 IP 是拒绝的。

这些 mechanism 包括以下几类:

all | ip4 | ip6 | a | mx | ptr | exists | include

每个 mechanism 可以有四种前缀:

"+"  Pass(通过)
"-"  Fail(拒绝)
"~"  Soft Fail(软拒绝)
"?"  Neutral(中立)

测试时,将从前往后依次测试每个 mechanism。如果一个 mechanism 包含了要查询的 IP 地址(称为命中),则测试结果由相应 mechanism 的前缀决定。默认的前缀为+。如果测试完所有的 mechanisms 也没有命中,则结果为 Neutral。

除了以上四种情况,还有 None(无结果)、PermError(永久错误)和 TempError(临时错误)三种其他情况。对于这些情况的解释和服务器通常的处理办法如下:

结果 含义 服务器处理办法
Pass 发件 IP 是合法的 接受来信
Fail 发件 IP 是非法的 退信
Soft Fail 发件 IP 非法,但是不采取强硬措施 接受来信,但是做标记
Neutral SPF 记录中没有关于发件 IP 是否合法的信息 接受来信
None 服务器没有设定 SPF 记录 接受来信
PermError 发生了严重错误(例如 SPF 记录语法错误) 没有规定
TempError 发生了临时错误(例如 DNS 查询失败) 接受或拒绝

注意,上面所说的「服务器处理办法」仅仅是 SPF 标准做出的建议,并非所有的邮件服务器都严格遵循这套规定。

Mechanisms

下面介绍上面提到的 mechanism:

all

表示所有 IP,肯定会命中。因此通常把它放在 SPF 记录的结尾,表示处理剩下的所有情况。例如:

"v=spf1 -all" 拒绝所有(表示这个域名不会发出邮件)
"v=spf1 +all" 接受所有(域名所有者认为 SPF 是没有用的,或者根本不在乎它)

ip4

格式为ip4:<ip4-address>或者ip4:<ip4-network>/<prefix-length>,指定一个 IPv4 地址或者地址段。如果prefix-length没有给出,则默认为/32。例如:

"v=spf1 ip4:192.168.0.1/16 -all"
只允许在 192.168.0.1 ~ 192.168.255.255 范围内的 IP

ip6

格式和ip4的很类似,默认的prefix-length/128。例如:

"v=spf1 ip6:1080::8:800:200C:417A/96 -all"
只允许在 1080::8:800:0000:0000 ~ 1080::8:800:FFFF:FFFF 范围内的 IP

a 和 mx

这俩的格式是相同的,以a为例,格式为以下四种之一:

a
a/<prefix-length>
a:<domain>
a:<domain>/<prefix-length>

会命中相应域名的 a 记录(或 mx 记录)中包含的 IP 地址(或地址段)。如果没有提供域名,则使用当前域名。例如:

"v=spf1 mx -all"
允许当前域名的 mx 记录对应的 IP 地址。

"v=spf1 mx mx:deferrals.example.com -all"
允许当前域名和 deferrals.example.com 的 mx 记录对应的 IP 地址。

"v=spf1 a/24 -all"
类似地,这个用法则允许一个地址段。

例如,这是一个比较常见的 SPF 记录,它表示支持当前域名的 a 记录和 mx 记录,同时支持一个给定的 IP 地址;其他地址则拒绝:

v=spf1 a mx ip4:173.194.72.103 -all

include

格式为include:<domain>,表示引入<domain>域名下的 SPF 记录。注意,如果该域名下不存在 SPF 记录,则会导致一个PermError结果。例如:

"v=spf1 include:example.com -all" 即采用和 example.com 完全一样的 SPF 记录

exists

格式为exists:<domain>。将对<domain>执行一个 A 查询,如果有返回结果(无论结果是什么),都会看作命中。

ptr

格式为ptr或者ptr:<domain>。使用ptr机制会带来大量很大开销的 DNS 查询,所以连官方都不推荐使用它。

关于v=spf1

这是必须的,这个表示采用 SPF 1 版本,现在它的最新版本就是第 1 版。

Modifiers

SPF 记录中还可以包括两种可选的 modifier;一个 modifier 只能出现一次。

redirect

格式为redirect=<domain>

将用给定域名的 SPF 记录替换当前记录。

exp

格式为exp=<domain>,目的是如果邮件被拒绝,可以给出一个消息。而消息的具体内容会首先对<domain>执行 TXT 查询,然后执行宏扩展得到。

如何用 SPF 保护我的域名

如果你拥有自己的域名,并且用它发送邮件,那么你应该为它添加 SPF。通过域名服务商提供的「域名解析」、「DNS Editor」或者「DNS Zone Editor」等功能添加,并填写正确的 SPF 数据就可以了。

严格来说,SPF 数据应该创建为 SPF 记录。但是鉴于很多 DNS 服务商不支持 SPF 记录,甚至有的邮件服务器也不支持 SPF 记录,因此也可以创建为一条 TXT 记录。目前,你应该至少创建一条 TXT 记录。

因为本质上 SPF 的作用是为一个域名指定合法的发件 IP,所以你需要知道自己使用的邮件服务器的发件 IP 是什么。如果你使用第三方的域名邮箱服务(比如腾讯的域名邮箱),那么他们应该有相应的文档告诉你该怎么填写。如果你用虚拟主机,则主机提供商也应该会告诉你。

生效时间

SPF 记录本质上是一个 DNS 记录,所以并不是修改之后立即生效的——通常需要几个小时的时间。

一些工具

虽然我不能帮你决定 SPF 该填什么,但是这里有一些非常好用的工具可以帮助你,点击它们在新窗口打开:

  • Open SPF:官方网站,有很多资料,值得一看。
  • RFC 4408:SPFv1 的规范全文。
  • SPF Recored Testing Tools:帮助你验证域名是否存在 SPF 记录、记录的语法是否正确,以及输入 IP 和 host 来测试是不是真正管用。
  • SPF: Why?:为什么我发的邮件被拒绝了?
  • Beveridge Hosting DNS Lookup:图形界面的dig,也可以显示查询到的 SPF 信息。
  • Beveridge SPF Test:另一个根据 IP 和 host 验证 SPF 是否通过的工具。
  • Gmail:如果你有 Gmail 的话,可以给自己的 Gmail 邮箱发一封邮件,然后用 Gmail 独有的 Show Original 功能查看 Gmail 服务器的 SPF 判断结果。