On Wednesday, 24 of February 2010, Per Jessen wrote:
> > I guess you could start hashing things around
> > with IPTables to redirect certain requests, but once you've done all
> > of this, changed all the clients etc. etc, you are saying this would
> > be *easier* than SPF?
>
> See Mariusz Kruks' suggestion - that's the way to do it. Accept
> everything from mynetworks, reject everything pretending to be coming
> from your domain.

Let's also add that you should receive mail on port 25 from other SMTP servers only; port 25 is not meant for end users nowadays. So it should not (unless you have multiple servers and some complicated setup, but then you probably know what you are doing anyway) be _from_ your domain. Mail _from_ your domain (which means your clients) should be submitted to port 587, where you do not accept anything unless the client has authenticated himself (by SMTP-auth, being in an appropriate IP range or any other means). It all makes it quite easy to _not_ accept mail from the outside world which seems to be originating in your domain.

-- 
\------------------------/
| k...@epsilon.eu.org    |
| http://epsilon.eu.org/ |
/------------------------\
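
Added example, not part of the original message or of any mail server's code: a small Python model of the per-port policy described in this thread, so the decision for each combination of listener, client address and envelope sender can be checked. The domain, the network ranges and all function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions): substitute your own domain and ranges.
LOCAL_DOMAINS = {"example.org"}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]


def sender_domain(mail_from):
    """Lower-cased domain of an envelope sender; '' for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def in_mynetworks(client_ip):
    """True when the connecting address falls inside a trusted range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in MYNETWORKS)


def decide(port, client_ip, mail_from, authenticated=False):
    """Return (action, reason) for one MAIL FROM on the given listener.

    'accept' only means this sender check passes; relay and content
    checks would still run afterwards on a real server.
    """
    trusted = in_mynetworks(client_ip)
    if port == 587:
        # Submission port: nothing is accepted from an unidentified client.
        if authenticated or trusted:
            return ("accept", "identified client on submission port")
        return ("reject", "authentication required")
    if port == 25:
        # Server-to-server port: trusted networks first, then the spoof check.
        if trusted:
            return ("accept", "client in mynetworks")
        if sender_domain(mail_from) in LOCAL_DOMAINS:
            return ("reject", "outside client claims a local sender domain")
        return ("accept", "remote sender, normal inbound mail")
    return ("reject", "no SMTP service on this port")


if __name__ == "__main__":
    # Outside host on port 25 using a local sender address: rejected.
    print(decide(25, "203.0.113.7", "<ceo@Example.ORG>"))
    # Same host, authenticated on the submission port: accepted.
    print(decide(587, "203.0.113.7", "ceo@example.org", authenticated=True))
```

The null sender `<>` has no domain, so bounces arriving from outside on port 25 still pass the check.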