On Jun 20, 2008, at 12:44 PM, Henrik K wrote:
> You _need_ to have everything internal, so there will be no SPF lookups. Your fear of IP spoofers makes no sense to me, how do you think someone
> could accomplish that? Just put the 10.something there.

You could have said that a lot easier ;-)

Unfortunately our hosts are public in a big datacenter, and on the honeypot machines in the same network I see lots of packets and even well designed (blind) TCP sessions from 10.x hosts. It just doesn't make sense to trust anything received from a 10.x host.

Especially because my 10.x hosts can't talk to this machine. It would be one thing if I could say "trust 10.x hosts that relay via these-other-hosts" but I can't :-( Since the trust list is single layer, adding 10.x means trusting random-source packets.

I'd rather use the meta rule I created looking for the relay hosts. 10.x blind TCP streams are uncommon, but someone guessing the exact IP ranges and hosts involved much less so. (I modified the rule quite extensively to limit it to only the hosts which send mail.)

So I can understand why you might feel that I'm being overly cautious, but I'm not sure how you would think I'm doing it wrong?

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
