[Mimedefang] Rejecting forged senders - comments?

Cormack, Ken ken.cormack at roadway.com
Wed Sep 20 08:29:39 EDT 2006


>   If you use this machine for both incoming and outgoing mail *AND* you
> have any remote users then you'll likely start rejecting mail from those
> remote users.

Our remote users VPN into the environment, to send/receive directly through
our internal servers.  But you make a good point for others who might
consider doing something like this.

> Also, you'll want to escape the @ in your tests to avoid any unexpected
> results.

> you should probably make your relay test look like "$RelayAddr =~
> /^10\.0\.0/" as well (to anchor it to the beginning of the line) just to
> make sure it doesn't mactch on some funky relay address (although it
> shouldn't).

Both of these are good ideas.  :)

> you may also want to put in some SPF tests in your filter and setup SPF
> records for your domains (if possible).  That may make it a little
> easier to administrate in the future.

We currently use SPF records in the external DNS world.  For our own
domains, the mail servers have their own DMZ-centric "view" of DNS, that
includes internal NAT references and such, that are in a state of flux right
now as we migrate servers from an old firewall/DMZ to the new.  When
everything stabilizes in that regard, I'll square away an appropriate SPF
record for the DMZ version of our zones.

> other than that, i don't see anything jumping out at me.

Thanks for the excellent feedback, Alan.

Ken




More information about the MIMEDefang mailing list