On Wednesday, 24 of February 2010, Christian Brel wrote:
> > IP yes. I assume your external and internal network are on different
> > IP-ranges.
>
> What about my home workers? I don't have a VPN, they hook in by DSL
> from any number of different providers from outside using SASL/TLS.

They should be using the submission service on port 587 and authenticate themselves, for example with smtp-auth. (Of course you can still authenticate them and let them send on port 25 - it's perfectly possible from a technical point of view; because you authenticate your clients, right?)

> I'm also thinking about those forwarding services out there - does the
> two SMTPd approach not break this in the same way SPF would break if
> the forwarder was not permitted to send?

In case of forwarding the envelope address is that of the original sender, not that of the receiver. You have email from addre...@domain1.com to addre...@domain2.com. MX for domain2.com tries to forward the mail to addre...@domain3.com, so it sends mail from addre...@domain1.com to addre...@domain3.com. Domain3.com checks SPF records and sees that domain2.com is not permitted to send mails for domain1.com, so it refuses to accept such mail.

We were talking about (let's assume we're domain3.com) not letting people from the outside world send mail "from" domain3.com.

-- 
Kruk@ -\                   |
        }-> epsilon.eu.org |
http:// -/                 | |
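
The two checks discussed in this message, modelled as an added example that is not part of the original post: domain3.com's rule against unauthenticated outside clients using a domain3.com envelope sender, and a separate SPF check. The SPF logic is simplified to IP networks with an implicit `-all`; the IP ranges, mailbox names and function names are constructed for illustration.

```python
import ipaddress

# Constructed data: documentation IP ranges; domain names follow the message.
SPF = {
    "domain1.com": ["192.0.2.0/24"],    # hosts permitted to send for domain1.com
    "domain3.com": ["203.0.113.0/24"],  # domain3.com's own outbound hosts
}
LOCAL_DOMAIN = "domain3.com"  # the receiving site in this model


def sender_domain(envelope_from):
    return envelope_from.rsplit("@", 1)[-1].lower()


def spf_result(client_ip, envelope_from):
    """Simplified SPF: listed IP networks pass, everything else fails (-all)."""
    networks = SPF.get(sender_domain(envelope_from))
    if networks is None:
        return "none"  # domain publishes no record
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in networks) else "fail"


def decide(client_ip, envelope_from, authenticated=False, check_spf=True):
    """Decision of domain3.com's server for one connection from outside."""
    # Rule from the thread: outsiders may not send "from" our own domain
    # unless they have authenticated (home workers via submission/SMTP AUTH).
    if sender_domain(envelope_from) == LOCAL_DOMAIN and not authenticated:
        return "reject: unauthenticated sender in local domain"
    if authenticated:
        return "accept"
    # Independent check: this is the one that breaks plain forwarding.
    if check_spf and spf_result(client_ip, envelope_from) == "fail":
        return "reject: SPF fail"
    return "accept"


if __name__ == "__main__":
    dsl, forwarder = "198.51.100.7", "198.51.100.25"  # constructed addresses
    print(decide(dsl, "worker@domain3.com", authenticated=True))
    print(decide(dsl, "worker@domain3.com"))
    print(decide(forwarder, "alice@domain1.com"))
    print(decide(forwarder, "alice@domain1.com", check_spf=False))
```

With `check_spf=False` the forwarded message is accepted, which shows that the local-domain rule alone does not affect forwarding, because the envelope sender stays in domain1.com.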