We run exim on-premises with spamassassin (all external email comes in this way 
and routes to Exchange online). We also use a number of 3rd party email service 
providers (for things such as marketing campaigns) used by various departments 
at our institution. External providers use valid From: addresses purporting to 
come from our own domain, but generally use their own domain for Return-Path. 
This gives us a headache in distinguishing genuine email arriving from external 
providers (using our From: @domain address) from spam (using forged From: 
addresses).

The two approaches we have been considering are to develop a list of valid 
email providers, which will be a task in itself, and either (1) allow only 
these external IPs (whitelist) to route through our exim servers (if the sending 
address is from our domain) or (2) require external providers to authenticate 
to our on-premises servers (block un-auth connections using our domain).

Departments do have a habit of going out and employing external providers 
without notice. We are leaning towards option (1) but the overhead of 
maintaining an up-to-date list, and the possibility of omissions and external 
IPs changing, is a concern. Do others find this? There is SPF, but that still 
requires a valid server list, and there are worries of breaking something.

Can I ask what other institutions do in these circumstances? What methods or 
technologies do you use? Do you maintain 'whitelists', or enforce 
authentication, or employ different methods 'on-premises' to distinguish genuine 
3rd party emails using internal addresses from forgeries?

Thanks for any advice.

Stuart.


The University of Aberdeen is a charity registered in Scotland, No SC013683.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
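
One way to run option (1) in report-only mode before enforcing it, so that providers missing from the list show up in a review tally rather than as blocked mail. This is an added example, not part of the original post; the domain, networks, provider labels and sample messages are constructed placeholders, and the input (connecting IP plus message headers) is assumed to come from your own mail logs.

```python
import ipaddress
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.ac.uk"  # assumption: placeholder for the institution's domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed
PROVIDER_NETS = {  # constructed allowlist: provider label -> sending networks
    "campaign-provider": [ipaddress.ip_network("198.51.100.0/24")],
    "survey-provider": [ipaddress.ip_network("2001:db8:10::/48")],
}

def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def classify(client_ip, raw_headers):
    """Return (verdict, detail) for one inbound message."""
    msg = message_from_string(raw_headers)
    from_domain = _domain(msg.get("From"))
    if from_domain != OUR_DOMAIN:
        return ("not-our-domain", from_domain)
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return ("internal", client_ip)
    for name, nets in PROVIDER_NETS.items():
        if any(ip in net for net in nets):
            return ("known-provider", name)
    # Our From: domain, unlisted host. The Return-Path domain is kept as a
    # hint for review: it may be a new provider or a forgery, this cannot tell.
    return ("unlisted", _domain(msg.get("Return-Path")) or "unknown")

def audit(messages):
    """Tally our-domain mail from unlisted hosts by (IP, Return-Path domain)."""
    seen = Counter()
    for ip, headers in messages:
        verdict, detail = classify(ip, headers)
        if verdict == "unlisted":
            seen[(ip, detail)] += 1
    return seen

SAMPLE = [  # constructed messages: (connecting IP, headers)
    ("198.51.100.25", "From: Alumni <alumni@example.ac.uk>\nReturn-Path: <b@mailer.example.net>\n\n"),
    ("203.0.113.7", "From: Helpdesk <helpdesk@example.ac.uk>\nReturn-Path: <x@bulk.example.org>\n\n"),
    ("203.0.113.7", "From: Helpdesk <helpdesk@example.ac.uk>\nReturn-Path: <x@bulk.example.org>\n\n"),
    ("192.0.2.50", "From: someone@example.com\nReturn-Path: <someone@example.com>\n\n"),
]

if __name__ == "__main__":
    for (ip, rp_domain), count in audit(SAMPLE).most_common():
        print(f"{count:4d}  {ip}  return-path domain: {rp_domain}")
```

Each tallied entry is a candidate for follow-up with the department concerned, not a verdict that the mail is forged.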
