On Wed, 24 Feb 2010 14:37:49 +0100 Per Jessen <p...@computer.org> wrote:
> Christian Brel wrote:
>
> >> > Humour me. Does this not mean a need to change the outbound to
> >> > either a different IP or port?
> >>
> >> IP yes. I assume your external and internal network are on
> >> different IP-ranges.
> >
> > What about my home workers? I don't have a VPN, they hook in by DSL
> > from any number of different providers from outside using SASL/TLS.
>
> Then presumably they submit email via port 587 after appropriate
> authentication.

No, they submit on 25 using TLS+SASL. Would making the changes to Firewall, MTA, plus potentially thousands of clients be easier than SPF? Would all those angry users screaming because they can't send mail at all be a good thing? I don't think so myself.

> > It's like you say, you were thinking out loud and I can see where
> > you are coming from, but it's not a fix for every situation.
>
> I think it actually is. Allow mynetworks, allow authenticated users,
> reject everything else.

But that would reject *everything* that was not authenticated or in 'my networks'. For a single IP/Port listening to the world this does not work. It requires multiple SMTP instances with different IPs or Ports which may not suit the needs of the admin and the users concerned.

>

Tell you what, wouldn't it be a great idea to save all the messing around and use something universal and simple for the job? Something lightweight and easy to deploy. I know! What about using SPF!

>
> /Per Jessen, Zürich
>

Of course, all this has very little to do with SpamAssassin......