Posted to users@spamassassin.apache.org by Christian Brel <br...@copperproductions.co.uk> on 2010/02/24 10:00:01 UTC

Re: [SPAM:9.6] Re: Off Topic - SPF - What a Disaster

On Wed, 24 Feb 2010 09:18:38 +0100
Per Jessen <pe...@computer.org> wrote:

> LuKreme wrote:
> 
> > On 23-Feb-10 14:17, Bowie Bailey wrote:
> >> SPF enforcement at the MTA is useless for the reasons you
> >> specified. The only exception is if you have a strict SPF policy
> >> for your own domain, you can use it to reject spam pretending to
> >> be from your users.
> > 
> > And that makes it worthwhile all by itself.
> > 
> 
> Well, I guess it depends on your point of view - how difficult is it
> to set up an MTA to reject mails pretending to be from <yourdomain>
> that didn't originate on your MTA?  
> 
> 
> /Per Jessen, Zürich
> 

Good question - how would you do it?

Re: [SPAM:9.6] Re: Off Topic - SPF - What a Disaster

Posted by Per Jessen <pe...@computer.org>.
Mariusz Kruk wrote:

> On Wednesday, 24 of February 2010, Per Jessen wrote:
>> >> Well, I guess it depends on your point of view - how difficult is
>> >> it to set up an MTA to reject mails pretending to be from
>> >> <yourdomain> that didn't originate on your MTA?
>> > Good question - how would you do it?
>> 
>> Postfix:  I would have two different smtpd daemons - one for the
>> local network, one for the external.  The external smtpd would have a
>> check_sender_access along these lines (thinking out loud here):
>> 
>> check_sender_access = hash:/etc/postfix/reject_from_my_domain
>> 
>> /etc/postfix/reject_from_my_domain would have:
>> 
>> example.com     5xx
> 
> How's it different from the "standard" approach - permitting
> mynetworks and then rejecting mails "from self"? Two instances of
> postfix only make the setup more complicated.

Barely, but I think you're right, that approach works equally well.


/Per Jessen, Zürich


Re: [SPAM:9.6] Re: Off Topic - SPF - What a Disaster

Posted by Mariusz Kruk <Ma...@epsilon.eu.org>.
On Wednesday, 24 of February 2010, Per Jessen wrote:
> >> Well, I guess it depends on your point of view - how difficult is it
> >> to set up an MTA to reject mails pretending to be from <yourdomain>
> >> that didn't originate on your MTA?
> > Good question - how would you do it?
> 
> Postfix:  I would have two different smtpd daemons - one for the local
> network, one for the external.  The external smtpd would have a
> check_sender_access along these lines (thinking out loud here):
> 
> check_sender_access = hash:/etc/postfix/reject_from_my_domain
> 
> /etc/postfix/reject_from_my_domain would have:
> 
> example.com     5xx

How's it different from the "standard" approach - permitting mynetworks and 
then rejecting mails "from self"? Two instances of postfix only make the setup 
more complicated.

-- 
/\-\/\-\/\-\/\-\/\-\/\-\/\ 
\  Kruk@epsilon.eu.org   / 
/ http://epsilon.eu.org/ \ 
\/-/\/-/\/-/\/-/\/-/\/-/\/ 

Re: [SPAM:9.6] Re: Off Topic - SPF - What a Disaster

Posted by Karl Pearson <ka...@ourldsfamily.com>.
On Wed, February 24, 2010 2:28 am, Per Jessen wrote:
> Christian Brel wrote:
>
>> On Wed, 24 Feb 2010 09:18:38 +0100
>> Per Jessen <pe...@computer.org> wrote:
>>
>>> LuKreme wrote:
>>>
>>> > On 23-Feb-10 14:17, Bowie Bailey wrote:
>>> >> SPF enforcement at the MTA is useless for the reasons you
>>> >> specified. The only exception is if you have a strict SPF policy
>>> >> for your own domain, you can use it to reject spam pretending to
>>> >> be from your users.
>>> >
>>> > And that makes it worthwhile all by itself.
>>> >
>>>
>>> Well, I guess it depends on your point of view - how difficult is it
>>> to set up an MTA to reject mails pretending to be from <yourdomain>
>>> that didn't originate on your MTA?
>>>
>>>
>>> /Per Jessen, Zürich
>>>
>>
>> Good question - how would you do it?
>
> Postfix:  I would have two different smtpd daemons - one for the local
> network, one for the external.  The external smtpd would have a
> check_sender_access along these lines (thinking out loud here):

... which is why I use sendmail. It now comes standard with 2 different
daemons, built into one so the setup isn't so complicated: one for
external access and one for internal access. Already doing what you
suggest out of the box, and it works quite well, if configured securely.
One rejects attempts to send email pretending to be 'on the inside' and
the other rejects attempts to send email pretending to be 'on the
outside', thus preventing much of what has been discussed ...

>
> check_sender_access = hash:/etc/postfix/reject_from_my_domain
>
> /etc/postfix/reject_from_my_domain would have:
>
> example.com     5xx
>
>
> /Per Jessen, Zürich
>


---
Karl Pearson
Karlp@ourldsfamily.com
Owner/Administrator of the sites at
http://ourldsfamily.com
---
"To mess up your Linux PC, you have to really work at it;
 to mess up a microsoft PC you just have to work on it."
---
 Democracy is two wolves and a lamb voting on what to have
 for lunch. Liberty is a well-armed lamb contesting the vote.
 --Benjamin Franklin
---
 Prayer for Obama, et al: http://scriptures.lds.org/en/ps/109/8#8 (~)
---


Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Per Jessen <pe...@computer.org>.
Kai Schaetzl wrote:

> Christian Brel wrote on Wed, 24 Feb 2010 10:02:02 +0000:
> 
>> So you would reject outbound mail from your domain? I'm sure that's a
>> typo.
> 
> He just didn't show the full configuration. It's obvious that you put
> your allowance checks first.
> 
> Kai

I did also say 'thinking out loud here', so yes, it was obviously not a
complete config.  However, smtpd is not involved in sending outbound
mail, so my sender access check would not get in the way.


/Per Jessen, Zürich


Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Kai Schaetzl <ma...@conactive.com>.
Christian Brel wrote on Wed, 24 Feb 2010 10:02:02 +0000:

> So you would reject outbound mail from your domain? I'm sure that's a
> typo.

He just didn't show the full configuration. It's obvious that you put your 
allowance checks first.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




Re: [SPAM:9.6] Re: Off Topic - SPF - What a Disaster

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Wed, 24 Feb 2010 10:28:24 +0100
Per Jessen <pe...@computer.org> wrote:

> Christian Brel wrote:
> 
> > On Wed, 24 Feb 2010 09:18:38 +0100
> > Per Jessen <pe...@computer.org> wrote:
> > 
> >> LuKreme wrote:
> >> 
> >> > On 23-Feb-10 14:17, Bowie Bailey wrote:
> >> >> SPF enforcement at the MTA is useless for the reasons you
> >> >> specified. The only exception is if you have a strict SPF policy
> >> >> for your own domain, you can use it to reject spam pretending to
> >> >> be from your users.
> >> > 
> >> > And that makes it worthwhile all by itself.
> >> > 
> >> 
> >> Well, I guess it depends on your point of view - how difficult is
> >> it to set up an MTA to reject mails pretending to be from
> >> <yourdomain> that didn't originate on your MTA?
> >> 
> >> 
> >> /Per Jessen, Zürich
> >> 
> > 
> > Good question - how would you do it?
> 
> Postfix:  I would have two different smtpd daemons - one for the local
> network, one for the external.  The external smtpd would have a
> check_sender_access along these lines (thinking out loud here):
> 
> check_sender_access = hash:/etc/postfix/reject_from_my_domain
> 
> /etc/postfix/reject_from_my_domain would have:
> 
> example.com     5xx 
> 
> 
> /Per Jessen, Zürich
> 


So you would reject outbound mail from your domain? I'm sure that's a
typo. The aggravation of multi-instancing Postfix onto a different port
or IP, seeking help from their aggressive and abusive user list when it
fails to work -v- SPF. Ummm such a choice.....



Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Per Jessen <pe...@computer.org>.
Kai Schaetzl wrote:

> You don't have to run two postfixes for this.
> 
> Kai

I wasn't suggesting two postfixes, only two smtpds, but what Mariusz
said is even easier.


/Per Jessen, Zürich


Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Mariusz Kruk <Ma...@epsilon.eu.org>.
On Wednesday, 24 of February 2010, Per Jessen wrote:
> > I guess you could start hashing things around
> > with IPTables to redirect certain requests, but once you've done all
> > of this, changed all the clients etc. etc, you are saying this would
> > be *easier* than SPF?
> See Mariusz Kruk's suggestion - that's the way to do it.  Accept
> everything from mynetworks, reject everything pretending to be coming
> from your domain.

Let's also add that you should receive mail on port 25 from other SMTP servers 
only; port 25 is not meant for end users nowadays. So it should not (unless you 
have multiple servers and some complicated setup, but then you probably know 
what you are doing anyway) be _from_ your domain. Mail _from_ your domain 
(which means your clients) should be submitted to port 587, where you do not 
accept anything unless the client has authenticated himself (by SMTP-auth, being 
in an appropriate IP range or any other means).
It all makes it quite easy to _not_ accept mail from the outside world which 
seems to be originating in your domain.

-- 
\------------------------/ 
|  Kruk@epsilon.eu.org   | 
| http://epsilon.eu.org/ | 
/------------------------\ 

Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Wed, 24 Feb 2010 13:38:55 +0200
Henrik K <he...@hege.li> wrote:

> On Wed, Feb 24, 2010 at 11:30:25AM +0000, Christian Brel wrote:
> > On Wed, 24 Feb 2010 11:39:43 +0100
> > "Rob Sterenborg" <R....@netsourcing.nl> wrote:
> > 
> > > On 2010-02-24, Kai Schaetzl wrote:
> > > 
> > > > > Postfix:  I would have two different smtpd daemons - one for
> > > 
> > > > You don't have to run two postfixes for this.
> > > 
> > > I think Per means: 2 smtpd processes, not 2 Postfixes..
> > > 
> > > 
> > > --
> > > Rob
> > > 
> > 
> > Humour me.
> 
> Please stop humouring our resident troll.
> 

That would be you then as your post has no purpose other than to
inflame. Kinda reminds me of that old saying 'takes one to know one.'

Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Henrik K <he...@hege.li>.
On Wed, Feb 24, 2010 at 11:30:25AM +0000, Christian Brel wrote:
> On Wed, 24 Feb 2010 11:39:43 +0100
> "Rob Sterenborg" <R....@netsourcing.nl> wrote:
> 
> > On 2010-02-24, Kai Schaetzl wrote:
> > 
> > > > Postfix:  I would have two different smtpd daemons - one for
> > 
> > > You don't have to run two postfixes for this.
> > 
> > I think Per means: 2 smtpd processes, not 2 Postfixes..
> > 
> > 
> > --
> > Rob
> > 
> 
> Humour me.

Please stop humouring our resident troll.


Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Mariusz Kruk <Ma...@epsilon.eu.org>.
On Wednesday, 24 of February 2010, Christian Brel wrote:
> > IP yes.  I assume your external and internal network are on different
> > IP-ranges.
> What about my home workers? I don't have a VPN, they hook in by DSL
> from any number of different providers from outside using SASL/TLS.

They should be using submission service on port 587 and authenticate 
themselves, for example with smtp-auth. (of course you can still authenticate 
them and let them send on port 25 - it's perfectly possible from technical 
point of view; because you authenticate your clients, right?).

> I'm also thinking about those forwarding services out there - does the
> two SMTPd approach not break this in the same way SPF would break if
> the forwarder was not permitted to send?

In case of forwarding the envelope address is that of the original sender, not 
that of the receiver.
You have email from address1@domain1.com to address2@domain2.com. MX for 
domain2.com tries to forward the mail to address3@domain3.com, so it sends 
mail from address1@domain1.com to address3@domain3.com. Domain3.com checks SPF 
records and sees that domain2.com is not permitted to send mails for 
domain1.com, so it refuses to accept such mail.
We were talking about (let's assume we're domain3.com) not letting people from 
outside world send mail "from" domain3.com.

-- 
  Kruk@ -\                   | 
          }-> epsilon.eu.org | 
http:// -/                   | 
                             | 

Re: [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Kai Schaetzl <ma...@conactive.com>.
Christian Brel wrote on Wed, 24 Feb 2010 12:39:47 +0000:

> What about my home workers?

they use SMTP AUTH. It works, believe us. With a standard postfix.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Mariusz Kruk <Ma...@epsilon.eu.org>.
On Wednesday, 24 of February 2010, Christian Brel wrote:
> No, they submit on 25 using TLS+SASL. Would making
> the changes to Firewall, MTA, plus potentially thousands of clients be
> easier than SPF? Would all those angry users screaming because they
> can't send mail at all be a good thing? I don't think so myself.

Well, you _should_ use submission anyway.
(BTW, in my experience it's easier to filter one kind of traffic on 25, and 
another on 587 than filtering both on one port. YMMV)

> > > It's like you say, you were thinking out loud and I can see where
> > > you are coming from, but it's not a fix for every situation.
> > I think it actually is.  Allow mynetworks, allow authenticated users,
> > reject everything else.
> But that would reject *everything* that was not authenticated or in 'my
> networks'. For a single IP/Port listening to the world this does not
> work. It requires multiple SMTP instances with different IP's or Ports
> which may not suit the needs of the admin and the users concerned.

It doesn't.

permit mynetworks/sasl_authenticated/whatever,
reject my_domains, 
permit my_destination,
reject_everything_else.
Of course you may add other restrictions in this chain.


-- 
\.\.\.\.\.\.\.\.\.\.\.\.\.\ 
.\.Kruk@epsilon.eu.org.\.\. 
\.http://epsilon.eu.org/\.\ 
.\.\.\.\.\.\.\.\.\.\.\.\.\. 

Re: [SPAM:9.6] [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Ned Slider <ne...@unixmail.co.uk>.
Christian Brel wrote:
> On Wed, 24 Feb 2010 17:31:19 +0100
> Kai Schaetzl <ma...@conactive.com> wrote:
> 
>> Christian Brel wrote on Wed, 24 Feb 2010 14:56:49 +0000:
>>
>>> But that would reject *everything* that was not authenticated or in
>>> 'my networks'.
>> Indeed, that's the purpose. And it doesn't matter if you get the mail
>> via 25 or 587. 587 is just a convenience. Any other access to use
>> your server for relaying should not be allowed at all. I really
>> suggest you sit back and read the postfix documentation instead of
>> questioning and questioning in the blue air. It's an absolute
>> standard postfix configuration that you just seem to have not been
>> made aware for years.
>>
>> Kai
>>
> 
> 
> I'm confused. The mail you have just sent to the list has;
> 'From: Kai Schaetzl <ma...@conactive.com>'
> 

Envelope sender, not the "from" address.
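As an added illustration (not code from the thread or from Postfix itself), the following Python model walks the restriction chain Mariusz lays out (permit mynetworks, permit SASL-authenticated clients, reject envelope senders in our own domains, permit mail for our own destinations, reject the rest) over constructed envelopes for the cases raised in this thread: the forged sender from outside, the internal network, an authenticated home worker on port 25, the forwarding case, and the mailing-list case answered above, where only the envelope sender is consulted and never the header From:. The network ranges, domain names and addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed site values, constructed for this example.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("192.0.2.0/24")]
MY_DOMAINS = {"example.com"}        # keys of hash:/etc/postfix/reject_from_my_domain
MY_DESTINATIONS = {"example.com"}   # domains we accept mail for (mydestination)

# The Postfix restrictions this models (real directive names), in the
# order the thread describes:
#   smtpd_recipient_restrictions =
#       permit_mynetworks,
#       permit_sasl_authenticated,
#       check_sender_access hash:/etc/postfix/reject_from_my_domain,
#       reject_unauth_destination

@dataclass
class Envelope:
    """What smtpd knows at RCPT TO time; the header From: is not part of it."""
    client_ip: str
    sasl_authenticated: bool
    mail_from: str   # envelope sender (MAIL FROM); "" for bounces
    rcpt_to: str     # envelope recipient (RCPT TO)

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def in_mynetworks(ip: str) -> bool:
    client = ip_address(ip)
    return any(client in net for net in MYNETWORKS)

def decide(env: Envelope) -> str:
    """Walk the restriction chain; the first matching rule wins, as in Postfix."""
    if in_mynetworks(env.client_ip):
        return "permit"                                   # permit_mynetworks
    if env.sasl_authenticated:
        return "permit"                                   # permit_sasl_authenticated
    if env.mail_from and _domain(env.mail_from) in MY_DOMAINS:
        # check_sender_access hit: an outside, unauthenticated client
        # claims an envelope sender in our own domain.
        return "554 5.7.1 <%s>: sender address rejected" % env.mail_from
    if _domain(env.rcpt_to) in MY_DESTINATIONS:
        return "permit"                                   # mail addressed to us
    return "554 5.7.1 relay access denied"                # reject_unauth_destination

# Constructed cases covering the situations raised in the thread.
SAMPLES = {
    "forged, from outside":    Envelope("203.0.113.10", False, "alice@example.com", "bob@example.com"),
    "internal network":        Envelope("192.0.2.5", False, "alice@example.com", "someone@other.net"),
    "home worker, SASL on 25": Envelope("198.51.100.7", True, "alice@example.com", "someone@other.net"),
    # Forwarding case: domain2.com's MX forwards address1@domain1.com's mail
    # to us; the envelope sender stays address1@domain1.com, so no hit.
    "forwarded to us":         Envelope("203.0.113.20", False, "address1@domain1.com", "address3@example.com"),
    # Mailing-list case: the header From: is a colleague at our domain, but
    # the envelope sender is the list's bounce address, which is what we check.
    "list mail to colleague":  Envelope("203.0.113.30", False, "list-bounces@lists.invalid", "carol@example.com"),
    "open-relay attempt":      Envelope("203.0.113.40", False, "x@other.net", "y@elsewhere.net"),
}

def run_samples() -> dict:
    """Evaluate every sample envelope and return {name: verdict}."""
    return {name: decide(env) for name, env in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:26s} -> {verdict}")
```

Note that outbound mail is unaffected by this chain, as Per points out: smtpd only evaluates incoming connections, so an insider's or an authenticated user's mail is permitted before the sender check is reached.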


Re: [SPAM:9.6] [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Wed, 24 Feb 2010 17:31:19 +0100
Kai Schaetzl <ma...@conactive.com> wrote:

> Christian Brel wrote on Wed, 24 Feb 2010 14:56:49 +0000:
> 
> > But that would reject *everything* that was not authenticated or in
> > 'my networks'.
> 
> Indeed, that's the purpose. And it doesn't matter if you get the mail
> via 25 or 587. 587 is just a convenience. Any other access to use
> your server for relaying should not be allowed at all. I really
> suggest you sit back and read the postfix documentation instead of
> questioning and questioning in the blue air. It's an absolute
> standard postfix configuration that you just seem to have not been
> made aware for years.
> 
> Kai
> 


I'm confused. The mail you have just sent to the list has;
'From: Kai Schaetzl <ma...@conactive.com>'

Yet the server is:
mail.apache.org (hermes.apache.org [140.211.11.3])
#aka a forwarder in this context#

Now, if we do as you say and you have somebody else at conactive.com
who is subscribed to the list, what happens to this mail when it comes
across: 'reject my_domains,'

Granted SPF won't help anyone here (I don't think anyone would add
an entry for 140.211.11.3 in their SPF unless they were really keen)


Re: [SPAM:9.6] [SPAM:9.6] [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Kai Schaetzl <ma...@conactive.com>.
Christian Brel wrote on Wed, 24 Feb 2010 14:56:49 +0000:

> But that would reject *everything* that was not authenticated or in 'my
> networks'.

Indeed, that's the purpose. And it doesn't matter if you get the mail via 
25 or 587. 587 is just a convenience. Any other access to use your server 
for relaying should not be allowed at all. I really suggest you sit back 
and read the postfix documentation instead of questioning and questioning 
in the blue air. It's an absolute standard postfix configuration that you 
just seem to have not been made aware for years.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




Re: Off Topic - SPF - What a Disaster

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Wed, 24 Feb 2010 17:09:31 +0100
Per Jessen <pe...@computer.org> wrote:


> > Tell you what, wouldn't it be a great idea to save all the messing
> > around and use something universal and simple for the job? Something
> > lightweight and easy to deploy. I know! What about using SPF!
> 
> Christian, I suspect we don't have quite the same understanding of
> what 'easy' means. 

I guess that is so.

Personally I find the multiple use of Postfixes trivially easy and have
it deployed that way to get over its inability to whitelist body and
header checks {at all}. In general terms your fix may not suit
common MTA's like Exchange (I feel quite disgusted to have described
Exchange as an MTA and will now go and wash my typing fingers.....)

I did find a bad place to use SPF - and that is
on a well known spam filter made by an American company. Enable it there
and watch the machine grind to a halt..... 'it's a feature - not a bug'
LOL.... couldn't resist it... I'll get my coat......


> 
> 
> /Per Jessen, Zürich
> 


Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Per Jessen <pe...@computer.org>.
Christian Brel wrote:

> On Wed, 24 Feb 2010 14:37:49 +0100
> Per Jessen <pe...@computer.org> wrote:
> 
>> Christian Brel wrote:
>> 
>> >> > Humour me. Does this not mean a need to change the outbound to
>> >> > either a different IP or port?
>> >> 
>> >> IP yes.  I assume your external and internal network are on
>> >> different IP-ranges.
>> > 
>> > What about my home workers? I don't have a VPN, they hook in by DSL
>> > from any number of different providers from outside using SASL/TLS.
>> 
>> Then presumably they submit email via port 587 after appropriate
>> authentication.
>
> No, they submit on 25 using TLS+SASL. Would making
> the changes to Firewall, MTA, plus potentially thousands of clients be
> easier than SPF? Would all those angry users screaming because they
> can't send mail at all be a good thing? I don't think so myself.

Then keep them on port 25, it's no big deal as long as they are
authenticated. 

>> > It's like you say, you were thinking out loud and I can see where
>> > you are coming from, but it's not a fix for every situation.
>> 
>> I think it actually is.  Allow mynetworks, allow authenticated users,
>> reject everything else.
>
> But that would reject *everything* that was not authenticated or in
> 'my networks'. 

No. See Mariusz' explanation. 

> Tell you what, wouldn't it be a great idea to save all the messing
> around and use something universal and simple for the job? Something
> lightweight and easy to deploy. I know! What about using SPF!

Christian, I suspect we don't have quite the same understanding of
what 'easy' means. 


/Per Jessen, Zürich


Re: [SPAM:9.6] Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Wed, 24 Feb 2010 14:37:49 +0100
Per Jessen <pe...@computer.org> wrote:

> Christian Brel wrote:
> 
> >> > Humour me. Does this not mean a need to change the outbound to
> >> > either a different IP or port?
> >> 
> >> IP yes.  I assume your external and internal network are on
> >> different IP-ranges.
> > 
> > What about my home workers? I don't have a VPN, they hook in by DSL
> > from any number of different providers from outside using SASL/TLS.
> 
> Then presumably they submit email via port 587 after appropriate
> authentication. 
No, they submit on 25 using TLS+SASL. Would making
the changes to Firewall, MTA, plus potentially thousands of clients be
easier than SPF? Would all those angry users screaming because they
can't send mail at all be a good thing? I don't think so myself.

> > It's like you say, you were thinking out loud and I can see where
> > you are coming from, but it's not a fix for every situation.
> 
> I think it actually is.  Allow mynetworks, allow authenticated users,
> reject everything else.
But that would reject *everything* that was not authenticated or in 'my
networks'. For a single IP/Port listening to the world this does not
work. It requires multiple SMTP instances with different IP's or Ports
which may not suit the needs of the admin and the users concerned.
> 
Tell you what, wouldn't it be a great idea to save all the messing
around and use something universal and simple for the job? Something
lightweight and easy to deploy. I know! What about using SPF!

> 
> /Per Jessen, Zürich
> 
Of course, all this has very little to do with Spamassassin......


Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Per Jessen <pe...@computer.org>.
Christian Brel wrote:

>> > Humour me. Does this not mean a need to change the outbound to
>> > either a different IP or port?
>> 
>> IP yes.  I assume your external and internal network are on different
>> IP-ranges.
> 
> What about my home workers? I don't have a VPN, they hook in by DSL
> from any number of different providers from outside using SASL/TLS.

Then presumably they submit email via port 587 after appropriate
authentication.  Then you just add that requirement - can't remember
what the exact postfix option is.  I have people working from
home-offices too, that's how they are set up. 

> It's like you say, you were thinking out loud and I can see where you
> are coming from, but it's not a fix for every situation.

I think it actually is.  Allow mynetworks, allow authenticated users,
reject everything else.

> I'm also thinking about those forwarding services out there - does the
> two SMTPd approach not break this in the same way SPF would break if
> the forwarder was not permitted to send?

I can't quite follow you - there is no forwarding involved AFAICS?


/Per Jessen, Zürich


Re: [SPAM:9.6] Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Wed, 24 Feb 2010 12:41:29 +0100
Per Jessen <pe...@computer.org> wrote:

> Christian Brel wrote:
> 
> > On Wed, 24 Feb 2010 11:39:43 +0100
> > "Rob Sterenborg" <R....@netsourcing.nl> wrote:
> > 
> >> On 2010-02-24, Kai Schaetzl wrote:
> >> 
> >> > > Postfix:  I would have two different smtpd daemons - one for
> >> 
> >> > You don't have to run two postfixes for this.
> >> 
> >> I think Per means: 2 smtpd processes, not 2 Postfixes..
> >> 
> >> 
> >> --
> >> Rob
> >> 
> > 
> > Humour me. Does this not mean a need to change the outbound to
> > either a different IP or port? 
> 
> IP yes.  I assume your external and internal network are on different
> IP-ranges. 

What about my home workers? I don't have a VPN, they hook in by DSL
from any number of different providers from outside using SASL/TLS.

It's like you say, you were thinking out loud and I can see where you
are coming from, but it's not a fix for every situation.

I'm also thinking about those forwarding services out there - does the
two SMTPd approach not break this in the same way SPF would break if
the forwarder was not permitted to send?
> 

Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Per Jessen <pe...@computer.org>.
Christian Brel wrote:

> On Wed, 24 Feb 2010 11:39:43 +0100
> "Rob Sterenborg" <R....@netsourcing.nl> wrote:
> 
>> On 2010-02-24, Kai Schaetzl wrote:
>> 
>> > > Postfix:  I would have two different smtpd daemons - one for
>> 
>> > You don't have to run two postfixes for this.
>> 
>> I think Per means: 2 smtpd processes, not 2 Postfixes..
>> 
>> 
>> --
>> Rob
>> 
> 
> Humour me. Does this not mean a need to change the outbound to either
> a different IP or port? 

IP yes.  I assume your external and internal network are on different
IP-ranges. 

> I guess you could start hashing things around 
> with IPTables to redirect certain requests, but once you've done all
> of this, changed all the clients etc. etc, you are saying this would
> be *easier* than SPF?

See Mariusz Kruk's suggestion - that's the way to do it.  Accept
everything from mynetworks, reject everything pretending to be coming
from your domain.


/Per Jessen, Zürich



Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Christian Brel <br...@copperproductions.co.uk>.
On Wed, 24 Feb 2010 11:39:43 +0100
"Rob Sterenborg" <R....@netsourcing.nl> wrote:

> On 2010-02-24, Kai Schaetzl wrote:
> 
> > > Postfix:  I would have two different smtpd daemons - one for
> 
> > You don't have to run two postfixes for this.
> 
> I think Per means: 2 smtpd processes, not 2 Postfixes..
> 
> 
> --
> Rob
> 

Humour me. Does this not mean a need to change the outbound to either a
different IP or port? I guess you could start hashing things around
with IPTables to redirect certain requests, but once you've done all of
this, changed all the clients etc. etc, you are saying this would be
*easier* than SPF?

Sure, I get the sentiment but I don't necessarily agree that large
changes would be better than making use of a simple DNS based mechanism
that already exists. Factor in the millions of email users who
don't use Postfix and run things like Exchange and things tend to widen
up.

Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Kai Schaetzl <ma...@conactive.com>.
Rob Sterenborg wrote on Wed, 24 Feb 2010 11:39:43 +0100:

> I think Per means: 2 smtpd processes, not 2 Postfixes..

and I meant what he meant ;-)

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




RE: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Rob Sterenborg <R....@netsourcing.nl>.
On 2010-02-24, Kai Schaetzl wrote:

> > Postfix:  I would have two different smtpd daemons - one for

> You don't have to run two postfixes for this.

I think Per means: 2 smtpd processes, not 2 Postfixes..


--
Rob


Re: [SPAM:9.6] Off Topic - SPF - What a Disaster

Posted by Kai Schaetzl <ma...@conactive.com>.
You don't have to run two postfixes for this.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com




Re: [SPAM:9.6] Re: Off Topic - SPF - What a Disaster

Posted by Per Jessen <pe...@computer.org>.
Christian Brel wrote:

> On Wed, 24 Feb 2010 09:18:38 +0100
> Per Jessen <pe...@computer.org> wrote:
> 
>> LuKreme wrote:
>> 
>> > On 23-Feb-10 14:17, Bowie Bailey wrote:
>> >> SPF enforcement at the MTA is useless for the reasons you
>> >> specified. The only exception is if you have a strict SPF policy
>> >> for your own domain, you can use it to reject spam pretending to
>> >> be from your users.
>> > 
>> > And that makes it worthwhile all by itself.
>> > 
>> 
>> Well, I guess it depends on your point of view - how difficult is it
>> to set up an MTA to reject mails pretending to be from <yourdomain>
>> that didn't originate on your MTA?
>> 
>> 
>> /Per Jessen, Zürich
>> 
> 
> Good question - how would you do it?

Postfix:  I would have two different smtpd daemons - one for the local
network, one for the external.  The external smtpd would have a
check_sender_access along these lines (thinking out loud here):

check_sender_access = hash:/etc/postfix/reject_from_my_domain

/etc/postfix/reject_from_my_domain would have:

example.com     5xx 


/Per Jessen, Zürich