how to handle SPF records for split dns

donovan jeffrey j donovan at beth.k12.pa.us
Tue Aug 3 02:58:55 UTC 2010


On Aug 2, 2010, at 10:23 PM, Noel Butler wrote:

> On Mon, 2010-08-02 at 22:13 -0400, donovan jeffrey j wrote:
>> 
>> Greetings
>> 
>> I have an internal dns server; it resolves all my queries from the inside.
>> I have a mail system requesting an spf record. Should I add the same record on the inside as I do for the outside? I don't want internal address space to mess with external.
>> 
>> I would say just place it on my external dns. But it's an internal content filter that is asking for the record, so then shouldn't I place it on the inside?
>> 
>> any insight, suggestions and flames welcome
>>  
> Hi,
> 
> Why not have internal clients use smtp auth on submission only, and bypass spf (and other anti uce) tests?

clamav is picking up from an old relay and I think it's lowering the score because of an spf check. 192.168.1.2 is my mail gateway internal interface.

myfilter.mydomain.com] received a message from 192.168.1.2 that claimed an envelope sender address of foo.money at dealstodaycheap.info.

However, the domain dealstodaycheap.info has declared using SPF that it does not send mail through 192.168.1.1. That is why the message was rejected.

I don't want my internal filter to lower scores just because that relay doesn't have an spf record, and I do not want to call the relay local. I want everything scanned from there.
I may also not be understanding what SPF record clamav is looking for: my relay, his relay or mydomain? I'd best start with my domain.


> If postfix (since it's the MTA used in your post, you likely are), use:
> submission inet n       -       n       -       -       smtpd
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
>   -o receive_override_options=no_milters
> 
> But anyway, when I ran split views, I used spf on the internal range using the int IP, but used ~all in place of -all (which I use on externals).
> 
> Cheers
> Noel
> 

Thanks for the reply Noel,
I saw that option on a web site and I thought it was a typo, ( ~ ) vs ( - ). What is the difference?

-j
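Noel's split-view approach (the internal range listed in the internal view with ~all, -all kept on the external record) worked through as an added example that is not from either poster: a minimal SPF evaluator in Python run over two constructed records, one as an external view would publish it and one as an internal view would. It shows how the gateway's internal interface from the thread (192.168.1.2) gets fail under the external -all record, pass once the internal view lists it, and softfail for an unlisted internal host under ~all. The record contents, the public relay address 203.0.113.25 (RFC 5737 documentation range) and the function names are assumptions; only ip4/ip6/all mechanisms are handled, so nothing here does DNS lookups.

```python
import ipaddress

# Constructed sample records. The external view publishes only the public
# relay and hard-fails everything else (-all); the internal view adds the
# gateway's internal interface from the thread and soft-fails (~all).
# 203.0.113.25 is an assumed public address from the RFC 5737 range.
EXTERNAL_SPF = "v=spf1 ip4:203.0.113.25 -all"
INTERNAL_SPF = "v=spf1 ip4:203.0.113.25 ip4:192.168.1.2 ~all"

# SPF qualifier prefixes and the result each yields when its mechanism matches.
# A mechanism with no prefix is implicitly "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, client_ip: str) -> str:
    """Evaluate a minimal SPF record (ip4/ip6/all only) against client_ip.

    Mechanisms are tested left to right and the first match decides the
    result, as in RFC 7208. Mechanisms that require DNS (include, a, mx,
    ptr, exists) and modifiers (redirect=, exp=) are out of scope for this
    toy evaluator and produce "permerror" so they are never silently skipped.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        # partition on the first ':' so ip6 addresses keep their own colons
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # include/a/mx/ptr/exists/redirect not supported here
    # No mechanism matched and there was no "all" term: RFC 7208 says neutral.
    return "neutral"


def evaluate_split_views(client_ip: str) -> dict:
    """Show what each view's record says about the same connecting IP."""
    return {
        "external": check_spf(EXTERNAL_SPF, client_ip),
        "internal": check_spf(INTERNAL_SPF, client_ip),
    }


if __name__ == "__main__":
    for ip in ("203.0.113.25", "192.168.1.2", "10.0.0.7"):
        print(ip, evaluate_split_views(ip))
```

The two qualifiers answer the question in the post: -all tells the receiver the sender is not authorised and the message should be rejected, while ~all says the sender is probably not authorised but the message should still be accepted and marked, which filters usually turn into a score adjustment rather than a reject. That is why ~all is the safer choice for an internal view that may see hops the record does not enumerate. The evaluator also illustrates the filter message quoted above: SPF is always evaluated against the immediate connecting client, so a check performed at an internal hop compares the sender domain's public record with your own relay's address and cannot pass regardless of what that domain publishes.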

