On 08/10/11 10:48, Michael Scheidell wrote:
> On 8/10/11 10:33 AM, Michael Orlitzky wrote:
>> On 08/10/11 10:26, Michael Scheidell wrote:
>>> so, what brain decided it would be ok to use 169.* addresses for their
>>> internal IPs?
>>>
>>> was it microsoft? (var says that ms uses these for their internal
>>> clustering IPs for clustered exchange servers
>> http://en.wikipedia.org/wiki/Link-local_address
>>
> I am moving more to assume ms are idiots. this seems to be the default
> config for exchange clusters.
>
> So, we open a bugzilla and put 169.254* addresses into 'local_networks'
> by default? like rfc1918?
> in the example, sa sees the internal (trusted) 172* ip, and sees 'first
> untrusted' (the 169* address!)
> spf fails, rbls are consulted. all could be avoided if ms actually
> followed RFCs
I'm not sure what else you've got going on here (Where is amavis? Who's doing SPF checks?) but yeah, 169.254.0.0/16 should be considered local. I think it's a fine default for Exchange, though. Having it be unreachable by default means that someone who knows what he's doing has to go in and make it accessible from other networks. It's a huge improvement from listening on 0.0.0.0/0 with submission/relay open to everyone.
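The trust-path problem described in the thread, as an added example (not code from the list or from SpamAssassin): a simplified model of how a scanner walks Received headers newest-first and stops at the first relay outside its trusted networks, with constructed headers and test-range IPs. With only RFC 1918 space trusted, the Exchange node's 169.254.x hop is the "first untrusted" relay and is what SPF and DNSBL lookups would be run against; adding 169.254.0.0/16 lets the walk reach the real external sender.

```python
import ipaddress
import re

# Constructed Received headers, most recent hop first, modelled on the
# thread's scenario: gateway <- internal relay (172.16.x) <- Exchange
# cluster node handing off from its 169.254.x link-local address <- the
# real external sender. All addresses are private or documentation ranges.
RECEIVED_HEADERS = [
    "from relay.internal.example ([172.16.1.5]) by gw.example with ESMTP",
    "from exch01.internal.example ([169.254.1.7]) by relay.internal.example with ESMTP",
    "from mail.sender.example ([203.0.113.10]) by exch01.internal.example with ESMTP",
]

# Typical admin config: RFC 1918 space only (the thread's "like rfc1918").
DEFAULT_TRUSTED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# The proposed fix: also trust the link-local block the Exchange cluster uses.
FIXED_TRUSTED = DEFAULT_TRUSTED + ["169.254.0.0/16"]

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ip(header):
    """Return the handing-off IP from a 'from host ([ip]) by ...' header."""
    m = _IP_RE.search(header)
    if m is None:
        raise ValueError("no IP in Received header: %r" % header)
    return ipaddress.ip_address(m.group(1))

def first_untrusted_relay(headers, trusted_cidrs):
    """Walk Received headers newest-first; return the first relay IP that is
    not inside any trusted network. That is the IP SPF and DNSBL checks use.
    Simplified model of SpamAssassin's trusted_networks walk, not its code."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    for h in headers:
        ip = relay_ip(h)
        if not any(ip in net for net in trusted):
            return str(ip)
    return None  # every hop trusted: nothing external to check

def demo():
    """Compare the two configurations on the same constructed headers."""
    return {
        "default": first_untrusted_relay(RECEIVED_HEADERS, DEFAULT_TRUSTED),
        "fixed": first_untrusted_relay(RECEIVED_HEADERS, FIXED_TRUSTED),
    }

if __name__ == "__main__":
    for name, ip in demo().items():
        print("%-8s first untrusted relay: %s  (link-local: %s)"
              % (name, ip, ipaddress.ip_address(ip).is_link_local))
```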
