On 8/9/2010 10:20 AM, Nicolas Michel wrote:
On 08/09/2010 05:15 PM, Noel Jones wrote:
On 8/9/2010 9:29 AM, Nicolas Michel wrote:
Hello,

I want to know if there is a way to reject connections from
a host not listed in the MX records of the domain it claims
to be.

For example: a host with IP WWW.XXX.YYY.ZZZ tries to send a
mail to my domain (we'll call it mydomain.be) and claims that
the sender is u...@otherdomain.com

If WWW.XXX.YYY.ZZZ is not an MX server of otherdomain.com my
mail server will reject the connection.

If it is possible, will it cause some trouble? Will I lose
some legitimate mails? Because of misconfiguration or another
reason?


Not a good plan, you'll lose lots of legit mail. Many organizations use
split systems -- an MX for incoming only and a separate server is used
for outgoing.

The larger the organization, the more likely they use a split system.
The legit outgoing server may not even be in the same netblock or same
geographic region as the MX.


This is why SPF was invented.


-- Noel Jones

I already heard about SPF but never used it. Is it working
well? Is it hard to configure?


Many people find SPF useful, but it is not without controversy. The postfix list is not an appropriate place to discuss merits or faults of the SPF specification.

SPF records are easy for a domain owner to publish via a simple DNS record.

Postfix can reject or tag mail based on SPF results by using a milter or external policy service. Here's a good place to start: http://www.openspf.org/


 -- Noel Jones
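
Added example, not part of the original thread: a simplified Python sketch contrasting the MX-only rule proposed above with an SPF evaluation for a domain that runs a split mail system. The zone data, domain names and addresses are constructed, and only the `all`, `mx`, `ip4` and `ip6` mechanisms are handled; a real deployment would use a maintained SPF milter or policy service behind Postfix rather than this code.

```python
import ipaddress

# Constructed DNS data for a split mail system (documentation addresses).
ZONE = {
    "otherdomain.example": {
        "MX": ["192.0.2.10"],  # inbound-only MX host, already resolved
        "TXT": "v=spf1 mx ip4:198.51.100.0/24 -all",  # outbound relays listed
    },
    "nospf.example": {"MX": ["203.0.113.5"], "TXT": None},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mx_only_check(client_ip, domain):
    """The rule proposed in the thread: accept only if the client is an MX."""
    return client_ip in ZONE.get(domain, {}).get("MX", [])


def spf_check(client_ip, domain):
    """Evaluate a subset of SPF (all, mx, ip4, ip6), first match wins."""
    record = ZONE.get(domain, {}).get("TXT")
    if not record or record.split()[0] != "v=spf1":
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "mx":
            matched = client_ip in ZONE[domain]["MX"]
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # outside this simplified subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term
```

The legitimate outbound relay at 198.51.100.25 is rejected by the MX-only rule but passes SPF, because the domain owner listed that netblock in the published record.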
