On Jun 20, 2008, at 1:13 PM, Henrik K wrote:
> On Fri, Jun 20, 2008 at 12:58:55PM -0700, Jo Rhett wrote:
>> On Jun 20, 2008, at 12:44 PM, Henrik K wrote:
>>> You _need_ to have everything internal, so there will be no SPF
>>> lookups.
>>> Your fear of IP spoofers makes no sense to me, how do you think someone
>>> could accomplish that? Just put the 10.something there.
>>
>> You could have said that a lot easier ;-)
>
> I try not to spoon-feed people, I get to the point and give facts that
> should be enough to solve things.

No, I meant without the insults, then the kind of apology and restatement ;-) Doesn't matter, it was meant to be funny and I clearly failed ;-)

> There has been a lot of talk already about internal/trusted/borders, and it should be quite clear what you need to do to accomplish what you asked.

Actually, not really. I totally understand the internal/trusted/borders in the context of a "normal" environment with a DMZ, firewall, and especially with /24 networks. I keep finding that things get really wonky when everything is public and smaller, ARIN-acceptable /27 and smaller networks are in use ;-)

I understand the answer of what internal and trusted networks should do. I'm just not getting how I can use these properly in an all-public (i.e. little trust) network. I'm beginning to think I should reduce the trusted networks to 127.0.0.1 - even though I do trust some hosts, it would actually reduce the score of mail I really need to get ;-)

> Well, even if you are doing things "right", unfortunately it won't work with SA. You know the documented and supported way, which works fine for 99%
> of people.

Um, not really. The documented and supported way has no method of handling my problem :-(

> It should be no problem to limit hostB to accept mail only from hostA in 10.x. If you want to be sure, use TLS certificates to identify your servers or something similar. This doesn't have anything to do with SA anymore.

hostB is the relay, right? It already has those limitations. I'm just trying to get hostC to accept the mail from hostA via hostB, without accepting mail that claims to be from hostA. Because hostA can't talk to hostC, and hostA's address is widely mis-used ;-)

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
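The exchange above turns on how SpamAssassin walks the Received: chain against trusted_networks and internal_networks: headers are believed only while every relay above them is trusted, and the first relay outside internal_networks is the "last external" one whose IP gets the SPF and DNSBL lookups. The following is an added example, not code from the thread or from SpamAssassin itself: a deliberately simplified Python model of that documented behaviour, run over constructed Received: headers. The topology (hostA 10.0.0.1, hostB 10.0.0.2, hostC; hostA's public address 198.51.100.10; sender 203.0.113.5; spammer 192.0.2.99) is assumed for illustration, using the RFC 5737 documentation ranges. SpamAssassin's real parser handles far more Received: formats and directives (msa_networks, for one) than this sketch.

```python
import ipaddress
import re

# Assumed local.cf equivalent on hostC (hypothetical, mirrors the "put the
# 10.something there" advice):
#   internal_networks 10.0.0.0/8
#   trusted_networks  10.0.0.0/8
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]
TRUSTED_NETWORKS = INTERNAL_NETWORKS  # trusted == internal, as in the thread

# Minimal "from HELO (rdns [ip]) by HOST" matcher; real Received: syntax is
# much more varied than this.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9.]+)\]\)\s+by\s+(\S+)", re.S)

# Constructed headers, most recent hop first (top of message = hostC's own stamp).
# Legitimate path: sender -> hostA -> hostB (10.x) -> hostC.
LEGIT = [
    "from hostB.internal (hostB.internal [10.0.0.2]) by hostC.example with ESMTP id 1",
    "from hostA.internal (hostA.internal [10.0.0.1]) by hostB.internal with ESMTP id 2",
    "from mail.sender.example (mail.sender.example [203.0.113.5]) by hostA.example with ESMTP id 3",
]
# Spammer connecting straight to hostC, HELOing as hostA and carrying a forged
# header that claims hostB accepted the mail from hostA's public address.
FORGED = [
    "from hostA.example (unknown [192.0.2.99]) by hostC.example with ESMTP id 4",
    "from hostA.example (hostA.example [198.51.100.10]) by hostB.internal with ESMTP id 5",
]


def parse_received(headers):
    """Return [(helo, ip, by), ...] in header order, most recent hop first."""
    hops = []
    for h in headers:
        m = RECEIVED_RE.search(h)
        if m:
            hops.append((m.group(1), ipaddress.ip_address(m.group(2)), m.group(3)))
    return hops


def in_nets(ip, nets):
    return any(ip in n for n in nets)


def trust_path(headers, trusted=TRUSTED_NETWORKS, internal=INTERNAL_NETWORKS):
    """Walk the chain top-down. A hop is trusted only while every hop above
    it came from a trusted relay; the first hop whose sending IP is outside
    internal_networks is the last-external relay (SPF/DNSBL target)."""
    trusted_hops, untrusted_hops = [], []
    last_external = None
    still_trusted = True
    for _helo, ip, _by in parse_received(headers):
        if still_trusted and last_external is None and not in_nets(ip, internal):
            last_external = ip
        if still_trusted and in_nets(ip, trusted):
            trusted_hops.append(ip)
        else:
            still_trusted = False  # everything from here down is hearsay
            untrusted_hops.append(ip)
    return {
        "last_external": str(last_external) if last_external else None,
        "trusted": [str(i) for i in trusted_hops],
        "untrusted": [str(i) for i in untrusted_hops],
    }


if __name__ == "__main__":
    print("legit :", trust_path(LEGIT))
    print("forged:", trust_path(FORGED))
    loopback_only = [ipaddress.ip_network("127.0.0.0/8")]
    print("127.0.0.1 only:", trust_path(LEGIT, trusted=loopback_only, internal=loopback_only))
```

With hostA and hostB listed by their 10.x addresses, the legitimate chain is followed through to the real sender (203.0.113.5), while the forged header in the second message is never believed because the hop above it (192.0.2.99) is untrusted; hostC never needs to trust hostA's public address at all. The third run shows the cost of the "reduce trusted networks to 127.0.0.1" idea: hostB's private address becomes the last-external relay, so SPF and DNSBL checks are aimed at 10.0.0.2 instead of at whoever actually sent the mail.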