spf at metro
Jun 18, 2004, 5:07 AM
Post #4 of 4
On Fri, Jun 18, 2004 at 01:38:27PM +0200, DONOSOR00 wrote:
> Hi again:
> first of all, thank you, Koen, for answering so fast.
No problem, always glad if I can help.
> > Is your dmz forwarder also doing masquerading? If not, are you
> > always sending out mail using some static set of domains (say, your
> > company domains)?
> No, it's not doing masquerading. I'm always sending out mail using the
> same static domains.
> > I think it is not necessary to do srs in your setup, as long as you
> > only send mail with envelope sender addresses in domains that have
> > the dmz outgoing mail server in their spf record as +. SRS is for
> > those cases where you forward mail from some arbitrary domain (not
> > in your control) to another arbitrary mail server. If the former
> > publishes spf, and the latter checks, forwarding without srs will
> > fail, since the envelope sender will contain the sender's domain
> > and your mail server delivers this mail to the spf checking
> > receiver. Well, that's my short intro to srs.
> So SRS is only necessary if I do some kind of masquerading? OK, I
> won't use SRS.
I'm afraid I misphrased my reply a bit. With masquerading I meant the rewriting of the envelope sender by your
final outgoing mail server, so that all your mail comes from 'somedomain.com'.
Anyway, it does not matter too much:
> > I guess this also sort of answers 1: you'll have to include your
> > outgoing mail server into the domains you use in your envelope
> > sender addresses.
> This is the only thing I don't understand. I must make public my
> intranet's mail servers in the dmz's DNS? And what's about my DMZ's
> servers which only send reports inside the localdomain? Is it necessary
> to add them? Is there any way to 'bypass' their emails?
As long as the mail servers that receive the status report emails are not checking spf (which they don't in your case, I seem to understand), there is no need to change anything in order to make it work. If the machine does check spf, you can add a local policy to most spf implementations. Now that I think of it: your receiving 'front' email server is probably the same as the forwarding server, or is it not?
The other thing, about making public your intranet's mail server in the dmz's dns. I don't completely understand what you mean by that phrase, but the only thing you need to make public (i.e. publish on the internet) are spf records for the domains that occur in the envelope sender addresses of mail that ultimately is delivered to recipients over the internet.
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/
Archives at http://archives.listbox.com/spf-help/current/
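The two situations Koen describes above (a forwarder relaying mail with a foreign envelope sender to an SPF-checking receiver, versus mail sent in your own domains whose SPF record lists the DMZ server), worked through as an added example that is not part of the thread. The DNS table, IP addresses, domain names and SRS secret are all constructed for the demonstration; the SPF evaluator is deliberately minimal (ip4, include: and the all qualifiers only) and the SRS0 rewrite follows the usual SRS0=hash=timestamp=domain=local@forwarder layout with an HMAC-SHA1 hash, which is an assumption about layout rather than a claim about any particular implementation.

```python
"""Why a plain forwarder breaks SPF, and what SRS changes.

Added example, not from the thread. DNS table, IPs, domains and the
SRS secret are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
SPF_RECORDS = {
    # A third party whose users send mail to an address you forward.
    "example.com": "v=spf1 ip4:192.0.2.10 -all",
    # The domain whose record lists your DMZ outgoing server (ip4 is '+' by default).
    "forwarder.net": "v=spf1 ip4:198.51.100.0/29 -all",
    # A domain used in envelope senders that delegates via include:.
    "intranet.forwarder.net": "v=spf1 include:forwarder.net -all",
}

FORWARDER_IP = "198.51.100.5"      # the DMZ mail server as seen from the internet
SRS_SECRET = b"constructed-secret"  # constructed; in practice a random per-site secret


def check_spf(envelope_sender, connecting_ip, depth=0):
    """Minimal SPF evaluator: ip4 (with CIDR), include:, and the 'all' qualifiers.
    Returns one of pass / fail / softfail / neutral / none."""
    domain = envelope_sender.rsplit("@", 1)[1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf("postmaster@" + term[8:], connecting_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # mechanisms this toy evaluator does not implement
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"  # no mechanism matched


def _srs_hash(timestamp, domain, local):
    msg = f"{timestamp.lower()}{domain.lower()}{local}".encode()
    mac = hmac.new(SRS_SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac)[:4].decode()


def srs_forward(envelope_sender, forwarder_domain, timestamp="AB"):
    """Rewrite the envelope sender into SRS0 form, so the SPF check (and any
    bounce) is answered by the forwarder's domain, not the original sender's."""
    local, domain = envelope_sender.rsplit("@", 1)
    return f"SRS0={_srs_hash(timestamp, domain, local)}={timestamp}={domain}={local}@{forwarder_domain}"


def srs_reverse(address):
    """Undo srs_forward when a bounce comes back; None if the hash does not verify."""
    local, _ = address.rsplit("@", 1)
    parts = local.split("=", 4)  # original local part may itself contain '='
    if len(parts) != 5 or parts[0] != "SRS0":
        return None
    _, h, ts, domain, orig_local = parts
    if not hmac.compare_digest(h, _srs_hash(ts, domain, orig_local)):
        return None
    return f"{orig_local}@{domain}"


def forwarding_results(original_sender="alice@example.com"):
    """SPF results an SPF-checking final receiver would compute for mail
    arriving from the forwarder's IP, with and without SRS."""
    rewritten = srs_forward(original_sender, "forwarder.net")
    return {
        "direct_from_example.com": check_spf(original_sender, "192.0.2.10"),
        "forwarded_without_srs": check_spf(original_sender, FORWARDER_IP),
        "forwarded_with_srs": check_spf(rewritten, FORWARDER_IP),
        "own_domain_no_srs": check_spf("reports@intranet.forwarder.net", FORWARDER_IP),
        "srs_round_trip": srs_reverse(rewritten),
    }


if __name__ == "__main__":
    for name, result in forwarding_results().items():
        print(f"{name:26} {result}")
```

The forwarded_without_srs case is the failure Koen describes: the envelope sender still says example.com, the connecting IP is the forwarder's, and example.com's -all rejects it. The own_domain_no_srs case is the setup in the question: envelope senders stay within domains whose SPF record (directly or via include:) lists the DMZ server, so no rewriting is needed.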