[Mimedefang] Rejecting forged senders - comments?
ken.cormack at roadway.com
Wed Sep 20 15:09:16 EDT 2006
> You might also ask yourself whether you expect to get any legitimate
> non-auth mail from your domain addresses via your MX hosts on port 25.
> We see a lot of spam coming in to our MX hosts using valid internal mail
> addresses as the sender address. The reality though (for us at least)
> is that we have no reason to see this type of traffic.
Our gateways sit in a DMZ, which limits the IP addresses (via firewalls) to
only those other handful of machines on the same segment within the DMZ, and
a single internal SMTP routing system (which then domain-routes to the
appropriate Exchange servers for inbound, and is the wildcard-mx host for
internally generated mail heading outbound). So our range of IPs from which
mail from my domains should be generated is known, and fairly small. Any
remote users all VPN in to the internal network, thus all their email is
sent and received to/from the clients, via internal connections via the
Exchange servers and my internal routing host. All other traffic touching
my gateways is coming "from the Internet".
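
The policy discussed in this message, sketched as a MIMEDefang `filter_sender` hook. This is an added example, not code from the original post or from the MIMEDefang distribution. The domain names and relay ranges are placeholders for your own, and the helper subs (`ip_to_int`, `ip_in_cidr`, `sender_domain`) are hypothetical names introduced here.

```perl
use strict;
use warnings;

# Assumptions (placeholders): the domains you own and the only hosts that may
# legitimately relay mail from them (DMZ segment, internal routing host).
my @LOCAL_DOMAINS  = qw(example.com example.org);
my @TRUSTED_RELAYS = qw(192.0.2.16/28 10.20.30.40/32);

# Dotted-quad IPv4 -> integer, or undef for anything else (IPv6, garbage).
sub ip_to_int {
    my ($ip) = @_;
    return undef unless defined $ip
        && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @octets = ($1, $2, $3, $4);
    return undef if grep { $_ > 255 } @octets;
    return ($octets[0] << 24) | ($octets[1] << 16) | ($octets[2] << 8) | $octets[3];
}

# True if $ip falls inside $cidr. Unparseable input is never "inside",
# so the check fails closed.
sub ip_in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    $bits = 32 unless defined $bits;
    my $ip_n  = ip_to_int($ip);
    my $net_n = ip_to_int($net);
    return 0 unless defined $ip_n && defined $net_n
        && $bits =~ /^\d+$/ && $bits <= 32;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (($ip_n & $mask) == ($net_n & $mask)) ? 1 : 0;
}

# Envelope sender as MIMEDefang passes it (usually "<user@domain>") -> domain.
sub sender_domain {
    my ($sender) = @_;
    $sender = '' unless defined $sender;
    $sender =~ s/^<|>$//g;
    return $sender =~ /\@([^\@]+)$/ ? lc($1) : '';
}

# Reject mail claiming one of our domains unless the connecting relay is one
# of the known hosts; everything else continues through the normal filter.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    my $domain = sender_domain($sender);
    if (grep { $domain eq $_ } @LOCAL_DOMAINS) {
        unless (grep { ip_in_cidr($ip, $_) } @TRUSTED_RELAYS) {
            return ('REJECT', "Sender domain $domain is not accepted from $ip");
        }
    }
    return ('CONTINUE', 'ok');
}
```

This checks only the envelope sender and matches domains exactly, so subdomains and a forged header From: line need their own handling.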