Christian Brel wrote:

> On Wed, 24 Feb 2010 14:37:49 +0100
> Per Jessen <p...@computer.org> wrote:
>
>> Christian Brel wrote:
>>
>> >> > Humour me. Does this not mean a need to change the outbound to
>> >> > either a different IP or port?
>> >>
>> >> IP yes. I assume your external and internal network are on
>> >> different IP-ranges.
>> >
>> > What about my home workers? I don't have a VPN, they hook in by DSL
>> > from any number of different providers from outside using SASL/TLS.
>>
>> Then presumably they submit email via port 587 after appropriate
>> authentication.
>
> No, they submit on 25 using TLS+SASL. Would making
> the changes to Firewall, MTA, plus potentially thousands of clients be
> easier than SPF? Would all those angry users screaming because they
> can't send mail at all be a good thing? I don't think so myself.

Then keep them on port 25, it's no big deal as long as they are authenticated.

>> > It's like you say, you were thinking out loud and I can see where
>> > you are coming from, but it's not a fix for every situation.
>>
>> I think it actually is. Allow mynetworks, allow authenticated users,
>> reject everything else.
>
> But that would reject *everything* that was not authenticated or in
> 'my networks'.

No. See Mariusz' explanation.

> Tell you what, wouldn't it be a great idea to save all the messing
> around and use something universal and simple for the job? Something
> lightweight and easy to deploy. I know! What about using SPF!

Christian, I suspect we don't have quite the same understanding of what
'easy' means.

/Per Jessen, Zürich