[Mimedefang] Rejecting forged senders - comments?
ken.cormack at roadway.com
Wed Sep 20 08:29:39 EDT 2006
> If you use this machine for both incoming and outgoing mail *AND* you
> have any remote users then you'll likely start rejecting mail from those
> remote users.
Our remote users VPN into the environment, to send/receive directly through
our internal servers. But you make a good point for others who might
consider doing something like this.
> Also, you'll want to escape the @ in your tests to avoid any unexpected
> you should probably make your relay test look like "$RelayAddr =~
> /^10\.0\.0/" as well (to anchor it to the beginning of the line) just to
> make sure it doesn't match on some funky relay address (although it
Both of these are good ideas. :)
> you may also want to put in some SPF tests in your filter and set up SPF
> records for your domains (if possible). That may make it a little
> easier to administrate in the future.
We currently use SPF records in the external DNS world. For our own
domains, the mail servers have their own DMZ-centric "view" of DNS, that
includes internal NAT references and such, that are in a state of flux right
now as we migrate servers from an old firewall/DMZ to the new. When
everything stabilizes in that regard, I'll square away an appropriate SPF
record for the DMZ version of our zones.
> other than that, i don't see anything jumping out at me.
Thanks for the excellent feedback, Alan.
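
The anchoring and escaping advice quoted above, as an added Perl example that is not part of the original post or the poster's filter: it runs an unanchored relay test and the suggested `/^10\.0\.0/` form over constructed connections. The `example.com` domain, the `is_forged` helper and the sample addresses are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumptions: example.com stands in for the protected domain, and
# 10.0.0.x is the internal relay range from the quoted suggestion.
my $loose_relay  = qr/10.0.0/;      # unanchored; each "." matches any character
my $strict_relay = qr/^10\.0\.0/;   # the form suggested in the thread
# The @ is escaped so Perl does not try to interpolate an array @example.
my $own_domain   = qr/\@example\.com>?$/i;

# Hypothetical helper: returns 1 when the envelope sender claims our
# domain but the connecting relay is not on the internal network.
sub is_forged {
    my ($sender, $relay_addr, $relay_re) = @_;
    return 0 unless $sender =~ $own_domain;
    return $relay_addr =~ $relay_re ? 0 : 1;
}

# Constructed sample connections: [envelope sender, relay address].
my @samples = (
    ['<alice@example.com>', '10.0.0.25'],     # internal relay, legitimate
    ['<alice@example.com>', '210.0.0.7'],     # external, contains "10.0.0"
    ['<alice@example.com>', '198.10.0.0'],    # external, contains "10.0.0"
    ['<alice@example.com>', '203.0.113.9'],   # external, no overlap
    ['<bob@example.net>',   '203.0.113.9'],   # other domain, not our concern
);

printf "%-22s %-13s %-8s %s\n", 'sender', 'relay', 'loose', 'anchored';
for my $s (@samples) {
    my ($sender, $relay) = @$s;
    printf "%-22s %-13s %-8s %s\n", $sender, $relay,
        (is_forged($sender, $relay, $loose_relay)  ? 'REJECT' : 'accept'),
        (is_forged($sender, $relay, $strict_relay) ? 'REJECT' : 'accept');
}
```

The second and third rows are the cases the anchor exists for: the unanchored test treats those external relays as internal, while the anchored test does not.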