On Jun 19, 2008, at 9:12 PM, Matt Kettler wrote:
> That is correct, SPF checks are applied to the first untrusted host. The question here would be if 10.x.x.x is in fact an internal, and presumably trusted, network, why isn't it trusted?

The mail server I'm receiving this on is in the outside world. If a 10.x address connects to it, I don't want that address to be trusted for any reason. Only 10.x addresses that came via a trusted host ;-)

> Also, presuming we're talking about your own domain, why aren't you using split DNS and declaring 10.x.x.x as a valid source in your internal SPF record (but not the one you expose to the outside world)?

Split DNS only applies if the mail is on the "inside" which it isn't.

There actually isn't an "inside" network at all, except for this one non-routed private network used for monitoring physical gear. It does not route to the outside world, with the exception of mail relay.

>> Obviously, putting 10/8 into the published SPF record makes no sense at all, nor does adding 10/8 to the trusted_networks.
>
> Why do neither of those options make sense? I do both in my network, albeit that version of SPF is only in my internal view, and I actually use 10.xx.0.0/16 not 10/8. (I only use a /16, not the whole /8)

No internal view, no internal DNS. Putting 10/8 into external DNS is nonsense ;-)

> Is there some detail that's missing here? i.e.: do you have a compelling reason to not trust your internal hosts using 10/8?

Those internal hosts cannot connect to the mail server directly. Any 10.x address that does connect to the mailserver is guaranteed to be a spammer.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
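The point being argued above, that SPF is evaluated against the first relay outside trusted_networks and that widening that list to 10/8 changes which connections are trusted, is easier to see on a concrete relay chain. The following is an added example written for this thread, not code from SpamAssassin or from either poster; the addresses (203.0.113.10 as the trusted relay, 10.1.2.3 as a monitoring host, 10.9.9.9 as a host connecting directly) are constructed, and the walk is a simplified model of the rule stated in the thread.

```python
import ipaddress

# Added example, not code from the thread or from SpamAssassin. It models the
# rule stated above: walk the relay chain (most recent hop first, as Received
# headers are ordered) and apply SPF to the first host that is not inside
# trusted_networks. Every address below is constructed for illustration.

RELAY_MX = "203.0.113.10"      # hypothetical external mail relay (documentation range)
MONITOR_HOST = "10.1.2.3"      # hypothetical monitoring host on the non-routed 10/8 network
DIRECT_10 = "10.9.9.9"         # hypothetical host connecting to the MX directly from 10/8

TRUSTED_NARROW = [f"{RELAY_MX}/32"]                 # trust only the relay
TRUSTED_WIDE = [f"{RELAY_MX}/32", "10.0.0.0/8"]     # the suggestion in the thread: also trust 10/8


def first_untrusted(relays, trusted_networks):
    """Return the first relay IP (most recent hop first) that lies outside every
    trusted network, or None if the whole chain is trusted (no SPF check)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    for ip in relays:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            return ip
    return None


def scenarios():
    """Run the two delivery paths discussed in the thread under both trust lists."""
    relayed = [RELAY_MX, MONITOR_HOST]  # monitoring mail handed to the MX by the relay
    direct = [DIRECT_10]                # a 10.x host talking to the MX on its own
    return {
        # "10.1.2.3": SPF is checked against a 10.x source the published record cannot list
        "relayed_narrow": first_untrusted(relayed, TRUSTED_NARROW),
        # None: the whole chain is trusted, so no SPF check happens
        "relayed_wide": first_untrusted(relayed, TRUSTED_WIDE),
        # "10.9.9.9": SPF is applied and the direct 10.x sender is caught
        "direct_narrow": first_untrusted(direct, TRUSTED_NARROW),
        # None: the direct 10.x sender would be treated as trusted as well
        "direct_wide": first_untrusted(direct, TRUSTED_WIDE),
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        verdict = "no untrusted relay (SPF skipped)" if ip is None else f"SPF applied to {ip}"
        print(f"{name:14s} -> {verdict}")
```

The two "wide" rows show the trade-off under discussion: listing 10/8 in trusted_networks stops SPF from being applied to mail that legitimately came through the relay, but it equally stops it for a 10.x host that reaches the MX on its own. Real SpamAssassin relay handling has more knobs than this model (internal_networks and msa_networks also affect which relay is chosen), so treat the function as an illustration of the rule, not a reimplementation.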