> If I have to allow in the SPF record that the message can come in
> from many (all?) other IPs then the defensive function of SPF
> becomes pretty useless, or not?

No, it's not completely useless. Even if you can't query _your own_
SPF record unless it's set to accept wildcard sending IPs--and you
can't use WHITELIST AUTH for those IPs--you can still publish an
internal DNS zone for your domain that doesn't contain an SPF record,
while publishing a more restrictive policy in your public DNS record.
This would enable _remote_ servers to apply your more restrictive
policy and prevent forgery of your domain from zombie IPs, while your
internal servers would use different logic.

> A local user in my terms is anyone that connects to our server and
> both IMail and Declude handle this as outgoing message.

Hmm...that's pretty confusing, too. Does the nature of a sending user
change depending on the recipient domain? Not really. It sounds like
you mean "local" = "messages from authed or IPed users who _would_ be
allowed to relay, even if they are not currently relaying the current
message" (or as I referred to it in another thread, "VIP sessions").

> Remote users send (incoming) messages that are delivered to local
> users.

In both IMail and Declude terms, that nomenclature isn't actually
used. An IMail "treated as local" user can definitely send mail for
remote or local delivery, for example, and a Declude "local user" is
based on sender domain.

In order to deploy SPF, you definitely need to have a consistent idea
of which sessions deserve elevated privileges in theory--and which of
those sessions you can detect in practice.

--Sandy
------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.