[EMAIL PROTECTED] wrote:
> Roger Taranto wrote:
>> The reason I ask is that my dad's SPF record is listed as ~all for his
>> externally-visible static IP address, but when machines internal to
>> his network connect to send mail, they look forged since they have a
>> 192.168 address. Suggestions?
>
> Bypass SPF checking on
> * mail from private address ranges
> * mail delivered via SMTP AUTH
> * mail that is otherwise "known good" in any way
>
Better: use split DNS. Have your internal SPF record list 192.168 addresses as well as public ones. Have your external one list only public IPs.

For example, if I look up evi-inc.com's SPF record at my desktop I get:

    "v=spf1 mx ptr ip4:162.84.101.0/24 ip4:208.39.140.174/32 ip4:208.39.141.80/28 ip4:10.xx.xx.0/24 ip4:10.xx.xx.0/24 ip4:10.xx.xx.0/24 ip4:192.168.xx.0/24 -all"

(I chose to censor some details with xx's, but you get the point.) However, if you look it up you'll get:

    "v=spf1 mx ptr ip4:162.84.101.0/24 ip4:208.39.141.80/28 ip4:208.39.140.174/32 -all"

This is because the evi-inc.com domain is served in two views on the same server using bind. This is primarily done so hosts inside my network resolve xanadu.evi-inc.com as its internal address. Hosts on the outside resolve it as 208.39.141.94.

This also has other benefits. All my internal servers and hosts are only present in the internal zone file. Only hosts which have public IP mappings are resolvable in the external view. This adds extra protection against someone doing recon by probing what hosts are resolvable and seeing which ones have what internal IPs.

This internal vs. external split is completely transparent to the clients, and is done by using bind's views such that internal hosts see a different view of the domain than external hosts do.

    // internal view: answers only clients matching the internal ACL
    view "internal" {
        match-clients { *ACL matching internal clients* };
        zone "evi-inc.com" IN {
            *zone file specifiers for internal zone*
        };
    };

    // external view: all other hosts (i.e. those outside our network)
    view "external" {
        match-clients { any; };
        zone "evi-inc.com" IN {
            *zone file specifiers for external zone*
        };
    };

The other way of getting split DNS is to have physically separate servers acting as authoritative servers for the outside and resolving servers for the inside.
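To show concretely why the split matters for the 192.168 senders in the original question, here is an added example (not from the thread or from evi-inc.com's setup) that evaluates a client IP against an internal and an external SPF record. The records are constructed to mirror the two views above, with the censored "xx" ranges replaced by made-up 10.1.1.0/24 and 192.168.1.0/24; only ip4/ip6/all mechanisms are evaluated, since mx and ptr need live DNS.

```python
import ipaddress

# Constructed SPF records modelled on the internal and external views in the
# thread; the censored "xx" networks are replaced with made-up private ranges.
INTERNAL_SPF = ("v=spf1 mx ptr ip4:162.84.101.0/24 ip4:208.39.140.174/32 "
                "ip4:208.39.141.80/28 ip4:10.1.1.0/24 ip4:192.168.1.0/24 -all")
EXTERNAL_SPF = ("v=spf1 mx ptr ip4:162.84.101.0/24 ip4:208.39.141.80/28 "
                "ip4:208.39.140.174/32 -all")

# SPF qualifier prefix -> result name (RFC 7208 section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return the SPF result for client_ip under record.

    Only ip4:, ip6: and all are evaluated. mx, ptr, a, include and exists
    require DNS lookups, so this offline checker treats them as non-matching.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # any other mechanism: skipped (no DNS available here)
    return "neutral"  # no mechanism matched and there was no "all"


def check_split_view(client_ip):
    """Result a verifier would get depending on which view it resolved."""
    return {"internal": evaluate_spf(INTERNAL_SPF, client_ip),
            "external": evaluate_spf(EXTERNAL_SPF, client_ip)}


if __name__ == "__main__":
    # 192.168.1.10: an internal workstation; 208.39.141.94: xanadu's public
    # address from the thread; 203.0.113.5: an unrelated outside host.
    for ip in ("192.168.1.10", "208.39.141.94", "203.0.113.5"):
        print(ip, check_split_view(ip))
```

An internal relay that resolves the external view would reject the 192.168 sender with "fail" (or "softfail" under the ~all record in the question), while the same sender passes under the internal view.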