On Wednesday, 24 of February 2010, Christian Brel wrote:
> > IP yes.  I assume your external and internal network are on different
> > IP-ranges.
> What about my home workers? I don't have a VPN, they hook in by DSL
> from any number of different providers from outside using SASL/TLS.

They should be using the submission service on port 587 and authenticate 
themselves, for example with smtp-auth. (Of course you can still authenticate 
them and let them send on port 25 - it's perfectly possible from a technical 
point of view; because you authenticate your clients, right?)

> I'm also thinking about those forwarding services out there - does the
> two SMTPd approach not break this in the same way SPF would break if
> the forwarder was not permitted to send?

In the case of forwarding, the envelope address is that of the original sender, 
not that of the receiver.
You have email from addre...@domain1.com to addre...@domain2.com. MX for 
domain2.com tries to forward the mail to addre...@domain3.com, so it sends 
mail from addre...@domain1.com to addre...@domain3.com. Domain3.com checks SPF 
records and sees that domain2.com is not permitted to send mails for 
domain1.com, so it refuses to accept such mail.
We were talking about (let's assume we're domain3.com) not letting people from 
the outside world send mail "from" domain3.com.

-- 
  Kruk@ -\                   | 
          }-> epsilon.eu.org | 
http:// -/                   | 
                             | 
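
The forwarding case and the local-domain rule from the message above, modelled as an added example that is not part of the original post. The IP ranges, the local parts `alice` and `bob`, and the function names are constructed for illustration; SPF is reduced to `ip4` ranges with a hard fail.

```python
import ipaddress

# Constructed data: domain names follow the message, IPs are documentation ranges.
SPF = {"domain1.com": ["192.0.2.0/24"]}      # hosts allowed to send for domain1.com
DOMAIN1_MX = "192.0.2.10"                    # domain1.com's own outbound server
DOMAIN2_MX = "198.51.100.25"                 # the forwarder at domain2.com
HOME_WORKER = "198.51.100.77"                # DSL address outside our network
LOCAL_DOMAIN = "domain3.com"                 # "we" are domain3.com
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def sender_domain(envelope_from):
    """Domain part of the envelope sender ('' for the null sender <>)."""
    return envelope_from.rsplit("@", 1)[-1].lower() if "@" in envelope_from else ""


def spf_check(client_ip, envelope_from):
    """Return 'pass', 'fail' or 'none' for the envelope sender's domain."""
    ranges = SPF.get(sender_domain(envelope_from))
    if ranges is None:
        return "none"                        # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(r) for r in ranges):
        return "pass"
    return "fail"                            # simplified: policy ends in -all


def domain3_accepts(client_ip, envelope_from, authenticated=False):
    """Decision taken by domain3.com's server for one MAIL FROM."""
    if authenticated:
        return True, "authenticated client"
    if ipaddress.ip_address(client_ip) in INTERNAL_NET:
        return True, "internal network"
    if sender_domain(envelope_from) == LOCAL_DOMAIN:
        return False, "outside client claims local domain without auth"
    if spf_check(client_ip, envelope_from) == "fail":
        return False, "SPF fail"
    return True, "ok"


if __name__ == "__main__":
    print(domain3_accepts(DOMAIN1_MX, "alice@domain1.com"))        # direct delivery
    print(domain3_accepts(DOMAIN2_MX, "alice@domain1.com"))        # forwarded copy
    print(domain3_accepts(HOME_WORKER, "bob@domain3.com"))         # no auth
    print(domain3_accepts(HOME_WORKER, "bob@domain3.com", True))   # after SMTP AUTH
```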
