Mailing List Archive: SPF: Help

Question about dmz's forwarder

Index | Next | Previous | View Threaded

DONOSOR00 at terra

Jun 18, 2004, 4:02 AM

Post #1 of 4 (1019 views)
Permalink

Question about dmz's forwarder

Hi all:

I've got 2 nets sharing the same domain 'example.com', one with public
IPs (dmz) with it's own DNS and 2 email servers, one alone, and the
other one a forwarder to the intranet's email 'transporter'. The DNS, of
course, has no register of the intranet's hosts.

In the intranet I've got one dns with all the intranet+dmz servers.
Also, there's a postfix server which 'transport' email for some final
email servers.

I want to use spf. I guess I must configure it only on the dmz's
servers, but there are my questions:

Must I use SRS as all my intranet generated email is going out thru the
dmz's forwarder?

Should the dmz's DNS have in its spf register the intranet's servers?

Every dmz's server send email reports to my account in the intranet
mail server. Must these servers be in the spf register?

Sorry for my English.

Thank you.
Bye

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

spf at metro

Jun 18, 2004, 4:17 AM

Post #2 of 4 (955 views)
Permalink

Re: Question about dmz's forwarder [In reply to]

Hello,

There are three things to consider here:

1. which domains do you need to _publish_ spf for

2. which mail servers need to do spf _checking_

3. which mail servers need to do srs

To start with 2: you only need spf checking on the email server(s) that accept incoming connections from the internet, eg. your receiving mail ervers. If your other mail servers do only accept mail from one server that accepts mail from the outside, you need it only on the 'front' server.

Is your dmz forwarder also doing masquerading? If not, are you always sending out mail using some static set of domains (say, your company domains)?
I think it is not neccesary to do srs in your setup, as long as you only sent mail with envelope sender addresses in domains that have the dmz outgoing mail server in their spf record as +. SRS is for those cases where you forward mail from some arbitrary domain (not in your control) to another arbitrary mail server. If the former publishes spf, and the latter checks, forwarding without srs will fail, since the envelope sender will contain the sender's domain and your mail server delivers this mail to the spf checking receiver. Well, that's my short intro to srs.

I guess this also sort of answers 1: you'll have to include your outgoing mail server into the domains you use in your envelope sender adresses.

Hope this helps,

Koen

On Fri, Jun 18, 2004 at 01:02:53PM +0200, DONOSOR00 wrote:
> Hi all:
>
> I've got 2 nets sharing the same domain 'example.com', one with public
> IPs (dmz) with it's own DNS and 2 email servers, one alone, and the
> other one a forwarder to the intranet's email 'transporter'. The DNS, of
> course, has no register of the intranet's hosts.
>
> In the intranet I've got one dns with all the intranet+dmz servers.
> Also, there's a postfix server which 'transport' email for some final
> email servers.
>
> I want to use spf. I guess I must configure it only on the dmz's
> servers, but there are my questions:
>
> Must I use SRS as all my intranet generated email is going out thru the
> dmz's forwarder?
>
> Should the dmz's DNS have in its spf register the intranet's servers?
>
> Every dmz's server send email reports to my account in the intranet
> mail server. Must these servers be in the spf register?
>
> Sorry for my English.
>
> Thank you.
> Bye
>
>
> -------
> Archives at http://archives.listbox.com/spf-help/current/
> Donate! http://spf.pobox.com/donations.html
> To unsubscribe, change your address, or temporarily deactivate your subscription,
> please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

DONOSOR00 at terra

Jun 18, 2004, 4:38 AM

Post #3 of 4 (997 views)
Permalink

Re: Question about dmz's forwarder [In reply to]

Hi again:

first of all, thank you, Koen, for answering so fast.

----- Mensaje Original -----
De: Koen Martens <spf [at] metro>

> There are three things to consider here:
>
> 1. which domains do you need to _publish_ spf for
>
> 2. which mail servers need to do spf _checking_
>
> 3. which mail servers need to do srs
>
> To start with 2: you only need spf checking on the email server(s)
> that accept incoming connections from the internet, eg. your
> receiving mail ervers. If your other mail servers do only accept
> mail from one server that accepts mail from the outside, you need
> it only on the 'front' server.

OK, this is very clear.

>
> Is your dmz forwarder also doing masquerading? If not, are you
> always sending out mail using some static set of domains (say, your
> company domains)?

No, it's not doing masquerading. I'm always sending out mail using the
same static domains.

> I think it is not neccesary to do srs in your setup, as long as you
> only sent mail with envelope sender addresses in domains that have
> the dmz outgoing mail server in their spf record as +. SRS is for
> those cases where you forward mail from some arbitrary domain (not
> in your control) to another arbitrary mail server. If the former
> publishes spf, and the latter checks, forwarding without srs will
> fail, since the envelope sender will contain the sender's domain
> and your mail server delivers this mail to the spf checking
> receiver. Well, that's my short intro to srs.

So SRS it's only necessary if I do some kind of masquerading? OK, I
won't use SRS.

>
> I guess this also sort of answers 1: you'll have to include your
> outgoing mail server into the domains you use in your envelope
> sender adresses.

This is the only thing I don't understand. I must make public my
intranet's mail servers in the dmz's DNS? And what's about my DMZ's
servers which only send reports inside the localdomain? Is it necessary
to add them? Is any way to 'bypass' their emails?

>
> Hope this helps,
>

Yes, sure, thanks.

Bye.

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

spf at metro

Jun 18, 2004, 5:07 AM

Post #4 of 4 (1025 views)
Permalink

Re: Question about dmz's forwarder [In reply to]

On Fri, Jun 18, 2004 at 01:38:27PM +0200, DONOSOR00 wrote:
> Hi again:
>
> first of all, thank you, Koen, for answering so fast.

No problem, always glad if I can help.

> > Is your dmz forwarder also doing masquerading? If not, are you
> > always sending out mail using some static set of domains (say, your
> > company domains)?
>
> No, it's not doing masquerading. I'm always sending out mail using the
> same static domains.

Ok,

> > I think it is not neccesary to do srs in your setup, as long as you
> > only sent mail with envelope sender addresses in domains that have
> > the dmz outgoing mail server in their spf record as +. SRS is for
> > those cases where you forward mail from some arbitrary domain (not
> > in your control) to another arbitrary mail server. If the former
> > publishes spf, and the latter checks, forwarding without srs will
> > fail, since the envelope sender will contain the sender's domain
> > and your mail server delivers this mail to the spf checking
> > receiver. Well, that's my short intro to srs.
>
> So SRS it's only necessary if I do some kind of masquerading? OK, I
> won't use SRS.

I'm afraid I misphrased my reply a bit. With masquerading i meant the rewriting of the sender envelope by your
final outgoing mail server, so that all your mail comes from 'somedomain.com'.

Anyway, it does not matter too much:

> > I guess this also sort of answers 1: you'll have to include your
> > outgoing mail server into the domains you use in your envelope
> > sender adresses.
> This is the only thing I don't understand. I must make public my
> intranet's mail servers in the dmz's DNS? And what's about my DMZ's
> servers which only send reports inside the localdomain? Is it necessary
> to add them? Is any way to 'bypass' their emails?

As long as the mail servers that receive the status report emails are not checking spf (which they don't in your case i seem to understand), there is no need to change anything in order to make it work. If the machine does check spf, you can add a local policy to most spf implementations. Now that I think of it. Your receiving 'front' email server is probably the same as the forwarding server, or is it not?

The other thing, about making public your intranet's mail server in the dmz's dns. I don't completely understand what you mean by that phrase, but the only thing you need to make public (ie. publish in the internet) are spf records for the domains that occur in the envelope sender addresses of mail that ultimatelly is delivered to recipients over the internet.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help [at] v2

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads