Windows Server 2003 – How and why to create and add an SPF record to your DNS server

Posted by aidas | Posted in Security, Windows 2003 | Posted on 28-04-2009

Some time ago I got a non delivery record (NDR) mail message stating that my mail could not be delivered to recipient X, who resides in domain Y. You'll say it is daily stuff… but the main problem is that I never sent this message myself. Someone used my mail address to spam others. This is a big threat to me and my company because it affects people's confidence in me and in my company's reliability. What can we do about it, you'll ask?

We can use the Sender Policy Framework (SPF), an open standard specifying a technical method to prevent sender address forgery. SPF allows the owner of a domain to specify their mail sending policy, for example which mail servers they use to send mail from their domain. For it to work, both sides must be configured correctly: the domain owner must list the mail-sending servers in an SPF record and publish that record in the DNS zone of the domain, and the receiving mail server must enforce the policy by checking the SPF record.

Let's leave theory alone and try to generate an SPF record for your domain.

First of all, follow this wizard, which will guide you through SPF record creation.

Once you have generated the SPF record, and if your Windows Server 2003 hosts the yourdomain.com zone, open the DNS management snap-in, navigate to the yourdomain.com zone and choose “Other New Records…”. Select the Text (TXT) record type and press the “Create Record…” button. Copy the data you generated earlier with the wizard and paste it into the “Text” box. Click OK and you are done.

Note: if you don't control your domain zone, contact your ISP and ask them to add the SPF record for you.
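
One way to sanity-check the string the wizard produced before pasting it into the TXT record, and to see how a receiving server would judge a sending IP against it. This is an added example, not part of the original post: the function names are hypothetical, the records and addresses used with it are constructed, and only ip4, ip6 and all are evaluated because a, mx and include need live DNS.

```python
import ipaddress
import re

# Terms that cost the receiver a DNS query; RFC 7208 allows at most 10 per check.
DNS_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return a list of (qualifier, name, argument) terms from an SPF TXT value."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    terms = []
    for part in parts[1:]:
        qualifier = part[0] if part[0] in RESULTS else "+"  # no prefix means "+"
        body = part[1:] if part[0] in RESULTS else part
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        terms.append((qualifier, name, body[len(name) + 1:]))
    return terms


def lint(record):
    """Warnings worth fixing before the record goes into the DNS zone."""
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    mechs = [n for n in names if n not in ("redirect", "exp")]
    warnings = []
    if "all" not in mechs and "redirect" not in names:
        warnings.append("no 'all' term: unlisted senders get a neutral result")
    if "all" in mechs[:-1]:
        warnings.append("mechanisms placed after 'all' are never evaluated")
    if ("+", "all", "") in terms:
        warnings.append("'+all' authorizes every host on the Internet")
    # Counts this record only; records pulled in by include add to the total.
    if sum(n in DNS_TERMS for n in names) > 10:
        warnings.append("more than 10 DNS-querying terms: receivers return permerror")
    return warnings


def check_ip(record, sender_ip):
    """Evaluate terms left to right, the order a receiving server uses."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULTS[qualifier]
        elif name in DNS_TERMS:
            return "needs-dns"  # cannot be decided offline
    return "neutral"  # end of record reached with no match
```

For a constructed record such as "v=spf1 ip4:192.0.2.0/24 -all", check_ip returns "pass" for 192.0.2.25 and "fail" for any address outside that range.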

Windows Server 2003 – How to generate a certificate request (CSR) using OpenSSL

Posted by aidas | Posted in Windows 2003, Windows XP | Posted on 28-04-2009

One of my many tasks is to generate CSR requests for well-known third-party certification authorities. To do that I use a free tool that is supported on Windows Server 2003 and Windows XP: “OpenSSL”.

You can download this tool and the Visual C++ 2008 Redistributables that OpenSSL needs from here

After installing the tool we are ready to proceed with CSR generation.

1. Generate a private key protected by password

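Open a command prompt, navigate to the bin folder of the OpenSSL install directory (usually C:\OpenSSL\bin) and type the command below. The last argument is the RSA key size in bits; publicly trusted CAs no longer accept keys shorter than 2048 bits, so use 2048 there for a request you intend to submit: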

openssl genrsa -des3 -out Prvkey.key 1024

2. Generate CSR file

openssl req -new -key Prvkey.key -out Mycsr.csr

After you press Enter you will be asked to supply the following information:

Country Name (2 letter code) [AU]:  Two letter ISO abbreviation for your country.
State or Province Name (full name) [Some-State]: The state or province where your organization is located.
Locality Name (eg, city) []: The city where your organization is located.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Legal name of your organization.
Organizational Unit Name (eg, section) []: Optional additional organization information, such as department.
Common Name (eg, YOUR name) []: The domain name the certificate is issued for, e.g. mail.mydomain.com
Email Address []: Your organization's contact email, e.g. info@mydomain.com
Additional info:
A challenge password []: press Enter
An optional company name []: press Enter

The CSR file has been created.

You can check the contents of Mycsr.csr with Notepad or WordPad; it must look like this:

-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded request data)
-----END CERTIFICATE REQUEST-----

OK, now you are ready to send the CSR file to a third-party Certification Authority and request your certificate.