Quoting Paul Mc Auley (lists at peema.org):
> Since you ask, the linux.ie domain isn't exclusively used for mailing
> lists, and since the assorted users of the domain are scattered hither and
> yon, it's not a given that they are in a position to use the linux.ie MXes
> to send e-mail via them.
So, the real questions from the linux.ie sysadmin perspective then
become: (1) Is there some way to programmatically describe where users of
that domain send mail from? (SPFv2's RR syntax permits fairly complex
specs.)
(2) In the event that linux.ie permits and expects people to be able to
send regular, unauthenticated port-25 mail from anywhere and everywhere,
and seriously expects it to not smell spammy in consequence, how's that
approach working out for you in 2009? Most places, that become an
administrative disaster around a decade back, at minimum tarnishing
one's domain's reputation past what sysadmins usually are willing to
endure. Most places therefore long ago noticed the change of millennium
and deployed RFC2476 SMTP AUTH or similar for their roaming users.
Time passes; open relays go out of fashion, unencrypted telnet becomes
passe, leaving RPC portmappers open to public probing becomes gauche,
expecting your outgoing mail to appear from arbitrary IPs' port 25
becomes unworkable. And disco is still dead.
But whatever works for ILUG, really. Don't suddenly update to sysadmin
best practices just for fashion's sake. I'm sure SMTP will become
widely trustworthy again, any day now.
> If you define SPF records for a domain then any mail server which uses SPF
> as a criterion for pass/fail will reject mails that are sent through some
> other SMTP server.
Yes, locally, I call this "preventing unauthorised MXes from believably
forging my domain's outgoing mail", and call it very much a feature, not
a bug. Your mileage may differ.<tm>
> Finally in not all cases are the MXes listed the actual home server of the
> domain, if you list that actual server in the SPF records you are
> publishing that as a candidate for carpet bombing to try and bypass mail
> filters; that's less of a risk if you identify a subnet rather than a host
> as an additional valid source.
Indeed you cannot keep an MTA's IP address a secret and simultaneously
publish its membership in a public roster of the domain's authorised
MXes (mail sources). Were I trying to solve the rather bizarre problem you
outline, I'd probably relay the mail from a secret, unadvertised IP to
an advertised IP included in the authorised MX roster, which would put
new headers on the outbound mail.
However, I personally prefer not to pretend that my public MTAs are
secrets. (I decline to hide from spammers.) I do my best to ensure
that _no_ system I run that accepts mail is a fruitful place to "try to
bypass filters".
--
Cheers, Crypto lets someone say "Hi! I absolutely definitely have
Rick Moen a name somewhat like the name of a large familiar
rick at linuxmafia.com organization, and I'd like to steal your data!" and lots
McQ! (4x80) of users will say "OK, fine, whatever." -- John Levine
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
