Christian Brel wrote:

>> > Humour me. Does this not mean a need to change the outbound to
>> > either a different IP or port?
>>
>> IP yes. I assume your external and internal network are on different
>> IP-ranges.
>
> What about my home workers? I don't have a VPN, they hook in by DSL
> from any number of different providers from outside using SASL/TLS.

Then presumably they submit email via port 587 after appropriate authentication. Then you just add that requirement - can't remember what the exact postfix option is. I have people working from home-offices too, that's how they are set up.

> It's like you say, you were thinking out loud and I can see where you
> are coming from, but it's not a fix for every situation.

I think it actually is. Allow mynetworks, allow authenticated users, reject everything else.

> I'm also thinking about those forwarding services out there - does the
> two SMTPd approach not break this in the same way SPF would break if
> the forwarder was not permitted to send?

I can't quite follow you - there is no forwarding involved AFAICS?

/Per Jessen, Zürich
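
The "allow mynetworks, allow authenticated users, reject everything else" rule from the reply above, written out as a Postfix `master.cf` fragment. This is an added example, not configuration posted in the thread; the internal listener address `10.0.0.25` is a constructed placeholder, and SASL and TLS certificates are assumed to be configured already in `main.cf`.

```conf
# /etc/postfix/master.cf (added example; addresses are constructed placeholders)

# Submission service on port 587 for home workers on arbitrary DSL providers.
# TLS is mandatory before AUTH is offered, and only authenticated clients
# are accepted; everything else is rejected.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Outbound smtpd bound to the internal address (the "different IP" in the
# thread). Hosts in $mynetworks and authenticated users may relay;
# every other client is rejected.
10.0.0.25:25 inet n     -       n       -       -       smtpd
  -o syslog_name=postfix/internal
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
```

After `postfix reload`, `postconf -M` lists the active service entries, and an unauthenticated session from outside `$mynetworks` should be refused on both listeners.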