| 1 |
On Apr 25, 2013 11:31 PM, "Vinícius Ferrão" <viniciusferrao@×××××××.br> |
| 2 |
wrote: |
| 3 |
> |
| 4 |
> Hello Robert, |
| 5 |
> |
| 6 |
> The internal MTA has an Internet facing address since we have a plenty of |
| 7 |
them we just use it. |
| 8 |
> |
| 9 |
> Ordinary users connect through this internal MTA to send/receive mail. |
| 10 |
But everything that goes outside of the domain goes through the Postfix |
| 11 |
server. So I'm just uncertain about this configuration. Since the message |
| 12 |
originates in the internal MTA and the its relayed to the Postfix server... |
| 13 |
> |
| 14 |
> So I just need to know if the SPF record should include the internal MTA |
| 15 |
too, since the postfix server is already in the SPF declaration. |
| 16 |
> |
| 17 |
> Thanks in advance, |
| 18 |
> |
| 19 |
> Sent from my iPhone |
| 20 |
> |
| 21 |
> On 25/04/2013, at 13:03, "Robert Bridge" <robert@××××××××.com> wrote: |
| 22 |
> |
| 23 |
>> Just the internet facing one, as I understand it. Nothing else should |
| 24 |
ever see the internal MTA, and it may not even have a routable IP address! |
| 25 |
>> |
| 26 |
>> |
| 27 |
>> On 25 April 2013 16:57, Vinícius Ferrão <viniciusferrao@×××××××.br> |
| 28 |
wrote: |
| 29 |
>>> |
| 30 |
>>> Hello Halassy, thanks for your reply. |
| 31 |
>>> |
| 32 |
>>> I'm aware of the syntax, I just mistyped it. |
| 33 |
>>> |
| 34 |
>>> The main question still continues, should I put both MTAs or just the |
| 35 |
Internet facing one? |
| 36 |
>>> |
| 37 |
>>> Thanks in advance, |
| 38 |
>>> |
| 39 |
>>> Sent from my iPhone |
| 40 |
>>> |
| 41 |
>>> On 25/04/2013, at 05:14, "Halassy Zoltán" <zhalassy@×××××××.hu> wrote: |
| 42 |
>>> |
| 43 |
>>> > Hello! |
| 44 |
>>> > |
| 45 |
>>> > Using MX in SPF record is a simple way to describe trivial two-way |
| 46 |
setups, that is, MX will also send the mails, not just receive them. If you |
| 47 |
have a non-trivial setup, you can use, for example IP addresses, like ip6: |
| 48 |
and ip4:. Add every address which from a mail could possibly leave your |
| 49 |
organization, and that's it, do not use MX. BTW, the syntax is v=spf1, not |
| 50 |
what you wrote. |
| 51 |
>>> > |
| 52 |
>>> > 2013-04-25 01:32 keltezéssel, Vinícius Ferrão írta: |
| 53 |
>>> >> I've a question about the SPF setup in my domain. |
| 54 |
>>> >> |
| 55 |
>>> >> We have two MTAs: an exchange server that does not use SMTP to relay |
| 56 |
messages to the Internet and a Postfix Mail Gateway on the border to send |
| 57 |
and receive messages to/from the internet. |
| 58 |
>>> >> |
| 59 |
>>> >> The clients connect on the Exchange Server to relay messages to the |
| 60 |
external world. So an SMTP connection would start in the Exchange, then it |
| 61 |
relays to the Postfix server and then to the Internet. On the other hand |
| 62 |
when a message come from the Internet it first arrives in the Postfix |
| 63 |
server and after the processing it's handled to the Exchange server. |
| 64 |
>>> >> |
| 65 |
>>> >> The question is: which SPF TXT string I should use? |
| 66 |
>>> >> |
| 67 |
>>> >> The Postfix server is my only MX. And I don't know if I should |
| 68 |
include the Exchange Server name in the SPF rules. |
| 69 |
>>> >> |
| 70 |
>>> >> I was considering: vspf=1 mx -all |
| 71 |
>>> >> |
| 72 |
>>> >> But this does not include the Exchange, and I don't know if it's |
| 73 |
right or not. |
| 74 |
>>> > |
| 75 |
>>> > |
| 76 |
>>> |
| 77 |
>> |
| 78 |
|
| 79 |
Please do not top post; its frowned upon in this list. |
| 80 |
|
| 81 |
Now to answer your last question: No need. |
| 82 |
|
| 83 |
An SPF record should contain *only* the email server(s) that actually talks |
| 84 |
to another domain's email server. |
| 85 |
|
| 86 |
Since the Exchange server and the Postfix server are in the same domain, |
| 87 |
and since *only* the Postfix server actually talks to mail servers of |
| 88 |
*other* domains, you only need to specify the Postfix server in the SPF |
| 89 |
record. |
| 90 |
|
| 91 |
The situation gets complicated, though if you (1) re-relay your email |
| 92 |
(e.g., through your ISP's mail relay), or (2) use Gmail to act as an "on |
| 93 |
behalf of" mail server, or (3) both. |
| 94 |
|
| 95 |
Just for an example, here's the SPF Record for my previous office: |
| 96 |
|
| 97 |
"v=spf1 ip4:174.120.70.145 ip4:174.120.70.155 ip4:49.128.177.72 a mx |
| 98 |
ip4:49.128.177.71 a:rockefeller.post.co.id a:carnegie.post.co.id include:_ |
| 99 |
spf.google.com -all" |
| 100 |
|
| 101 |
The set of IP addresses are the ISP's mail relay servers; the a: fields are |
| 102 |
the IP addresses of our cloud servers, and some of us use Gmail as a |
| 103 |
stand-in for corporate email when we're outside the office. |
| 104 |
|
| 105 |
Rgds, |
| 106 |
-- |
Archives