>...
>Mark Martinec wrote:
>
>> As required per docs, the MTA is considered trusted and internal,
>> and MSA is declared trusted and NOT internal.
>> (both MSA and MTA are on the same IP network)
>>...
>>
>> Is it normal that our own MSA ip address is being submitted for RBL tests?
>
>It's normal, in the sense that that's what the code says to do. I'm sure
>that this isn't optimal, but it works better than the way we did it
>before (lastuntrusted FP'd all over).
>
>
>> dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl
>>...
>> Good, <REMOTE> is being tested for RBL.
>>
>> dbg: spf: checking EnvelopeFrom (helo=<MSA>, ip=<MSA>,
>> [EMAIL PROTECTED])
>>...
>> Hmm, I don't think that our own <MSA> is supposed to be tested for SPF.
>> Is it normal?
>
>Yeah, and correct. Your MSA is the host responsible for sending the
>mail to your server running SA. Your SPF record must cover the MSA's IP.
>
>Looking at the options, SA could either check the IP of your MSA or the
>IP of the remote client. Obviously checking the remote client IP is wrong.
>
>
>> And here is an unfortunate consequence:
>>...
>
>Yeah, fix your SPF record.
>
>
>Daryl
>
Everything Daryl says is correct, except possibly the word "record" in the last sentence could/should be plural :)

In the name of stricter security, you have a few options: You could use "views" in BIND to present different SPF 'TXT' RRs to the outside world and internally and/or (depending on where and if you do host/domain address re-writing), you could provide a restricted SPF record for just the MSA host. Something like:

    MSA_HOST IN TXT "v=spf1 a -all"

Whether or not this will work depends on the RHS of mail addresses on email sent from your MSA to your MTA. If your MSA sends mail with a RHS of its own hostname, and the MTA rewrites the source hostname to the domain name, this will allow you to keep your current SPF record for the MTA (which is more restrictive than it would be if you added another source).

Anyway, "it works for me" to do it this way. And BIND "views" are more effort to set up, but what I would recommend if you can't use this.

Paul Shupak
[EMAIL PROTECTED]
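To make both points concrete (Daryl's: the SPF check runs against the MSA's IP, so the MAIL FROM domain's record must cover it; Paul's: a restricted "v=spf1 a -all" record on the MSA host passes only when the envelope RHS is that hostname), here is an added example that is not from this thread. It is a toy SPF evaluator supporting only the a, ip4 and all mechanisms, with constructed DNS data; the hostnames, addresses and function names are assumptions for illustration.

```python
import ipaddress

# Constructed DNS data for the thread's scenario (placeholders, not real hosts).
DNS_A = {
    "msa.example.org": "192.0.2.10",  # MSA: trusted, not internal
    "mta.example.org": "192.0.2.20",  # MTA running SpamAssassin
}
DNS_TXT = {
    # Domain record that only lists the MTA: the MSA's IP is not covered.
    "example.org": "v=spf1 ip4:192.0.2.20 -all",
    # Paul's restricted per-host record for the MSA (its A record only).
    "msa.example.org": "v=spf1 a -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip):
    """Evaluate client_ip against domain's SPF record.

    Returns 'none' (no record), or the result of the first matching
    mechanism. Only a, ip4 and all are understood; other mechanisms
    are skipped, which a real evaluator must not do.
    """
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term == "a":
            # 'a' with no argument: the domain's own A record.
            matched = DNS_A.get(domain) == str(ip)
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # unsupported mechanism in this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match
```

The "unfortunate consequence" in Mark's log is the first case below: the MSA's IP fails the domain record, while the same IP passes a per-host record when the envelope RHS is the MSA hostname.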