On Fri, Jun 20, 2008 at 12:58:55PM -0700, Jo Rhett wrote:
> On Jun 20, 2008, at 12:44 PM, Henrik K wrote:
>> You _need_ to have everything internal, so there will be no SPF
>> lookups.
>> Your fear of IP spoofers makes no sense to me, how do you think
>> someone
>> could accomplish that? Just put the 10.something there.
>
> You could have said that a lot easier ;-)

I try not to spoon-feed people, I get to the point and give facts that should be enough to solve things. There has been a lot of talk already about internal/trusted/borders, and it should be quite clear what you need to do to accomplish what you asked.

> Unfortunately our hosts are public in a big datacenter, and on the
> honeypot machines in the same network I see lots of packets and even
> well designed (blind) TCP sessions from 10.x hosts. It just doesn't
> make sense to trust anything received from a 10.x host.
>
> Especially because my 10.x hosts can't talk to this machine. It would
> be one thing if I could say "trust 10.x hosts that relay via these-
> other-hosts" but I can't :-( Since the trust list is single layer,
> adding 10.x means trusting random-source packets.
>
> I'd rather use the meta rule I created looking for the relay hosts.
> 10.x blind TCP streams are uncommon, but someone guessing the exact IP
> ranges and hosts involved much less so. (I modified the rule quite
> extensively to limit only the hosts which send mail)
>
> So I can understand why you might feel that I'm being overly cautious,
> but I'm not sure how you would think I'm doing it wrong?

Well, even if you are doing things "right", unfortunately it won't work with SA. You know the documented and supported way, which works fine for 99% of people. It should be no problem to limit hostB to accept mail only from hostA in 10.x. If you want to be sure, use TLS certificates to identify your servers or something similar. This doesn't have anything to do with SA anymore.
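The point of the exchange above (list the relay hosts as internal so the Received-header walk passes through them and SPF is not evaluated against a 10.x address) is easier to see with a small model of the trust walk. The code below is an added example written for this page; it is not SpamAssassin's code and not from either poster. It models the documented semantics in simplified form: headers are walked newest to oldest, relays in internal_networks are passed through, the first relay that is not internal is the "last external" one that SPF would be checked against, and a relay that is not even in trusted_networks ends the walk because nothing below it can be believed. The host names, addresses (10.1.2.3 as hostA, 10.1.2.4 as hostB, 10.77.0.5 as a stray 10.x host) and Received: lines are constructed for the example; the decision to treat an unparsable header as the end of the walk is this model's choice, not a claim about SA.

```python
"""Simplified model of a SpamAssassin-style trusted/internal Received-header walk.

Added example for illustration only; not SpamAssassin's implementation.
All hosts, addresses and headers below are constructed sample data.
"""
import ipaddress
import re

# Matches the bracketed address in "from host (name [10.1.2.3]) by ..."
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


class NetList:
    """A list of hosts or CIDRs, like a trusted_networks / internal_networks value."""

    def __init__(self, entries):
        # strict=False lets a bare host address become a /32
        self.nets = [ipaddress.ip_network(e, strict=False) for e in entries]

    def __contains__(self, ip):
        return any(ip in net for net in self.nets)


def relay_ips(received_headers):
    """Return the 'from' IP of each Received: header, newest first.

    Model choice: a header with no parsable address ends the walk."""
    ips = []
    for hdr in received_headers:
        m = IP_RE.search(hdr)
        if not m:
            break
        ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def trust_path(received_headers, trusted, internal):
    """Walk the relays newest -> oldest and label each one.

    internal          : passed through, SPF is never checked on it
    trusted-external  : header believed, but it is the last external relay
    untrusted         : the walk stops here; nothing below can be believed
    Returns (labelled path, ip of the last external relay or None)."""
    path, last_external = [], None
    for ip in relay_ips(received_headers):
        if ip in internal:
            path.append((str(ip), "internal"))
            continue
        if last_external is None:
            last_external = str(ip)  # first non-internal relay is the SPF target
        if ip in trusted:
            path.append((str(ip), "trusted-external"))
            continue
        path.append((str(ip), "untrusted"))
        break
    return path, last_external


# Constructed message: hostA (10.1.2.3) relays to hostB (10.1.2.4), where SA runs.
MSG_VIA_HOSTA = [
    "from hostA.example.test (hostA.example.test [10.1.2.3]) by hostB.example.test with ESMTP id 1",
    "from mx.sender.test (mx.sender.test [203.0.113.7]) by hostA.example.test with ESMTP id 2",
    "from client (unknown [198.51.100.9]) by mx.sender.test with ESMTP id 3",
]

# Constructed message: some other 10.x host that is not a mail relay handed it to hostB.
MSG_FROM_STRAY_10X = [
    "from stray.example.test (stray [10.77.0.5]) by hostB.example.test with ESMTP id 4",
    "from mx.sender.test (mx.sender.test [203.0.113.7]) by stray.example.test with ESMTP id 5",
]

HOSTB_ONLY = NetList(["10.1.2.4"])                 # hostB lists only itself
RELAYS_ONLY = NetList(["10.1.2.3", "10.1.2.4"])    # only the hosts that actually send mail
WHOLE_10 = NetList(["10.0.0.0/8"])                 # "just put the 10.something there"
TRUST_ISP = NetList(["10.1.2.3", "10.1.2.4", "203.0.113.7"])  # trusted but not internal


if __name__ == "__main__":
    for label, msg, trusted, internal in [
        ("hostB only", MSG_VIA_HOSTA, HOSTB_ONLY, HOSTB_ONLY),
        ("relay hosts", MSG_VIA_HOSTA, RELAYS_ONLY, RELAYS_ONLY),
        ("relays + trusted upstream", MSG_VIA_HOSTA, TRUST_ISP, RELAYS_ONLY),
        ("stray 10.x with 10/8", MSG_FROM_STRAY_10X, WHOLE_10, WHOLE_10),
        ("stray 10.x with relay hosts", MSG_FROM_STRAY_10X, RELAYS_ONLY, RELAYS_ONLY),
    ]:
        path, ext = trust_path(msg, trusted, internal)
        print(f"{label:30s} last external={ext!s:14s} path={path}")
```

With only hostB listed, the walk stops at hostA's 10.1.2.3 and that private address becomes the SPF target, which is the failure Henrik is pointing at. Listing the two relay hosts gives the same result as 10.0.0.0/8 for mail that really came via hostA, but a Received: line from some other 10.x address is then untrusted instead of internal, which is the narrower trust Jo describes wanting.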