* [gentoo-server] SPF Record with Multiple Servers
From: Vinícius Ferrão @ 2013-04-24 23:32 UTC
To: <gentoo-server@lists.gentoo.org>

Hi all,

I've a question about the SPF setup in my domain.

We have two MTAs: an exchange server that does not use SMTP to relay messages to the Internet and a Postfix Mail Gateway on the border to send and receive messages to/from the internet.

The clients connect on the Exchange Server to relay messages to the external world. So an SMTP connection would start in the Exchange, then it relays to the Postfix server and then to the Internet. On the other hand when a message comes from the Internet it first arrives in the Postfix server and after the processing it's handed to the Exchange server.

The question is: which SPF TXT string should I use?

The Postfix server is my only MX. And I don't know if I should include the Exchange Server name in the SPF rules.

I was considering: vspf=1 mx -all

But this does not include the Exchange, and I don't know if it's right or not.

Thanks in advance,

Sent from my iPhone

* Re: [gentoo-server] SPF Record with Multiple Servers
From: Halassy Zoltán @ 2013-04-25 8:13 UTC
To: gentoo-server

Hello!

Using MX in SPF record is a simple way to describe trivial two-way setups, that is, MX will also send the mails, not just receive them. If you have a non-trivial setup, you can use, for example, IP addresses, like ip6: and ip4:. Add every address from which a mail could possibly leave your organization, and that's it, do not use MX. BTW, the syntax is v=spf1, not what you wrote.

On 2013-04-25 01:32, Vinícius Ferrão wrote:
> I've a question about the SPF setup in my domain.
>
> We have two MTAs: an exchange server that does not use SMTP to relay messages to the Internet and a Postfix Mail Gateway on the border to send and receive messages to/from the internet.
>
> The clients connect on the Exchange Server to relay messages to the external world. So an SMTP connection would start in the Exchange, then it relays to the Postfix server and then to the Internet. On the other hand when a message comes from the Internet it first arrives in the Postfix server and after the processing it's handed to the Exchange server.
>
> The question is: which SPF TXT string should I use?
>
> The Postfix server is my only MX. And I don't know if I should include the Exchange Server name in the SPF rules.
>
> I was considering: vspf=1 mx -all
>
> But this does not include the Exchange, and I don't know if it's right or not.

* Re: [gentoo-server] SPF Record with Multiple Servers
From: Vinícius Ferrão @ 2013-04-25 15:57 UTC
To: <gentoo-server@lists.gentoo.org>

Hello Halassy, thanks for your reply.

I'm aware of the syntax, I just mistyped it.

The main question still continues, should I put both MTAs or just the Internet facing one?

Thanks in advance,

Sent from my iPhone

On 25/04/2013, at 05:14, "Halassy Zoltán" <zhalassy@loginet.hu> wrote:

> Hello!
>
> Using MX in SPF record is a simple way to describe trivial two-way setups, that is, MX will also send the mails, not just receive them. If you have a non-trivial setup, you can use, for example, IP addresses, like ip6: and ip4:. Add every address from which a mail could possibly leave your organization, and that's it, do not use MX. BTW, the syntax is v=spf1, not what you wrote.
>
> On 2013-04-25 01:32, Vinícius Ferrão wrote:
>> I've a question about the SPF setup in my domain.
>>
>> We have two MTAs: an exchange server that does not use SMTP to relay messages to the Internet and a Postfix Mail Gateway on the border to send and receive messages to/from the internet.
>>
>> The clients connect on the Exchange Server to relay messages to the external world. So an SMTP connection would start in the Exchange, then it relays to the Postfix server and then to the Internet. On the other hand when a message comes from the Internet it first arrives in the Postfix server and after the processing it's handed to the Exchange server.
>>
>> The question is: which SPF TXT string should I use?
>>
>> The Postfix server is my only MX. And I don't know if I should include the Exchange Server name in the SPF rules.
>>
>> I was considering: vspf=1 mx -all
>>
>> But this does not include the Exchange, and I don't know if it's right or not.

* Re: [gentoo-server] SPF Record with Multiple Servers
From: Robert Bridge @ 2013-04-25 16:02 UTC
To: gentoo-server

Just the internet facing one, as I understand it. Nothing else should ever see the internal MTA, and it may not even have a routable IP address!

On 25 April 2013 16:57, Vinícius Ferrão <viniciusferrao@if.ufrj.br> wrote:

> Hello Halassy, thanks for your reply.
>
> I'm aware of the syntax, I just mistyped it.
>
> The main question still continues, should I put both MTAs or just the Internet facing one?
>
> Thanks in advance,
>
> Sent from my iPhone
>
> On 25/04/2013, at 05:14, "Halassy Zoltán" <zhalassy@loginet.hu> wrote:
>
> > Hello!
> >
> > Using MX in SPF record is a simple way to describe trivial two-way setups, that is, MX will also send the mails, not just receive them. If you have a non-trivial setup, you can use, for example, IP addresses, like ip6: and ip4:. Add every address from which a mail could possibly leave your organization, and that's it, do not use MX. BTW, the syntax is v=spf1, not what you wrote.
> >
> > On 2013-04-25 01:32, Vinícius Ferrão wrote:
> >> I've a question about the SPF setup in my domain.
> >>
> >> We have two MTAs: an exchange server that does not use SMTP to relay messages to the Internet and a Postfix Mail Gateway on the border to send and receive messages to/from the internet.
> >>
> >> The clients connect on the Exchange Server to relay messages to the external world. So an SMTP connection would start in the Exchange, then it relays to the Postfix server and then to the Internet. On the other hand when a message comes from the Internet it first arrives in the Postfix server and after the processing it's handed to the Exchange server.
> >>
> >> The question is: which SPF TXT string should I use?
> >>
> >> The Postfix server is my only MX. And I don't know if I should include the Exchange Server name in the SPF rules.
> >>
> >> I was considering: vspf=1 mx -all
> >>
> >> But this does not include the Exchange, and I don't know if it's right or not.

* Re: [gentoo-server] SPF Record with Multiple Servers
From: Vinícius Ferrão @ 2013-04-25 16:30 UTC
To: <gentoo-server@lists.gentoo.org>
Cc: gentoo-server@lists.gentoo.org

Hello Robert,

The internal MTA has an Internet facing address since we have plenty of them we just use it.

Ordinary users connect through this internal MTA to send/receive mail. But everything that goes outside of the domain goes through the Postfix server. So I'm just uncertain about this configuration. Since the message originates in the internal MTA and then it's relayed to the Postfix server...

So I just need to know if the SPF record should include the internal MTA too, since the postfix server is already in the SPF declaration.

Thanks in advance,

Sent from my iPhone

On 25/04/2013, at 13:03, "Robert Bridge" <robert@robbieab.com> wrote:

Just the internet facing one, as I understand it. Nothing else should ever see the internal MTA, and it may not even have a routable IP address!

On 25 April 2013 16:57, Vinícius Ferrão <viniciusferrao@if.ufrj.br> wrote:

Hello Halassy, thanks for your reply.

I'm aware of the syntax, I just mistyped it.

The main question still continues, should I put both MTAs or just the Internet facing one?

Thanks in advance,

Sent from my iPhone

On 25/04/2013, at 05:14, "Halassy Zoltán" <zhalassy@loginet.hu> wrote:

> Hello!
>
> Using MX in SPF record is a simple way to describe trivial two-way setups, that is, MX will also send the mails, not just receive them. If you have a non-trivial setup, you can use, for example, IP addresses, like ip6: and ip4:. Add every address from which a mail could possibly leave your organization, and that's it, do not use MX. BTW, the syntax is v=spf1, not what you wrote.
>
> On 2013-04-25 01:32, Vinícius Ferrão wrote:
>> I've a question about the SPF setup in my domain.
>>
>> We have two MTAs: an exchange server that does not use SMTP to relay messages to the Internet and a Postfix Mail Gateway on the border to send and receive messages to/from the internet.
>>
>> The clients connect on the Exchange Server to relay messages to the external world. So an SMTP connection would start in the Exchange, then it relays to the Postfix server and then to the Internet. On the other hand when a message comes from the Internet it first arrives in the Postfix server and after the processing it's handed to the Exchange server.
>>
>> The question is: which SPF TXT string should I use?
>>
>> The Postfix server is my only MX. And I don't know if I should include the Exchange Server name in the SPF rules.
>>
>> I was considering: vspf=1 mx -all
>>
>> But this does not include the Exchange, and I don't know if it's right or not.

* Re: [gentoo-server] SPF Record with Multiple Servers
From: Robert Bridge @ 2013-04-25 16:45 UTC
To: gentoo-server

The only servers that need inclusion in the SPF declaration are servers that will be passing email out of your domain. Other internal servers don't matter, as they never connect to anyone else's email servers.

On 25 April 2013 17:30, Vinícius Ferrão <viniciusferrao@if.ufrj.br> wrote:

> Hello Robert,
>
> The internal MTA has an Internet facing address since we have plenty of them we just use it.
>
> Ordinary users connect through this internal MTA to send/receive mail. But everything that goes outside of the domain goes through the Postfix server. So I'm just uncertain about this configuration. Since the message originates in the internal MTA and then it's relayed to the Postfix server...
>
> So I just need to know if the SPF record should include the internal MTA too, since the postfix server is already in the SPF declaration.
>
> Thanks in advance,
>
> Sent from my iPhone
>
> On 25/04/2013, at 13:03, "Robert Bridge" <robert@robbieab.com> wrote:
>
> Just the internet facing one, as I understand it. Nothing else should ever see the internal MTA, and it may not even have a routable IP address!
>
> On 25 April 2013 16:57, Vinícius Ferrão <viniciusferrao@if.ufrj.br> wrote:
>
>> Hello Halassy, thanks for your reply.
>>
>> I'm aware of the syntax, I just mistyped it.
>>
>> The main question still continues, should I put both MTAs or just the Internet facing one?
>>
>> Thanks in advance,
>>
>> Sent from my iPhone
>>
>> On 25/04/2013, at 05:14, "Halassy Zoltán" <zhalassy@loginet.hu> wrote:
>>
>> > Hello!
>> >
>> > Using MX in SPF record is a simple way to describe trivial two-way setups, that is, MX will also send the mails, not just receive them. If you have a non-trivial setup, you can use, for example, IP addresses, like ip6: and ip4:. Add every address from which a mail could possibly leave your organization, and that's it, do not use MX. BTW, the syntax is v=spf1, not what you wrote.
>> >
>> > On 2013-04-25 01:32, Vinícius Ferrão wrote:
>> >> I've a question about the SPF setup in my domain.
>> >>
>> >> We have two MTAs: an exchange server that does not use SMTP to relay messages to the Internet and a Postfix Mail Gateway on the border to send and receive messages to/from the internet.
>> >>
>> >> The clients connect on the Exchange Server to relay messages to the external world. So an SMTP connection would start in the Exchange, then it relays to the Postfix server and then to the Internet. On the other hand when a message comes from the Internet it first arrives in the Postfix server and after the processing it's handed to the Exchange server.
>> >>
>> >> The question is: which SPF TXT string should I use?
>> >>
>> >> The Postfix server is my only MX. And I don't know if I should include the Exchange Server name in the SPF rules.
>> >>
>> >> I was considering: vspf=1 mx -all
>> >>
>> >> But this does not include the Exchange, and I don't know if it's right or not.

* Re: [gentoo-server] SPF Record with Multiple Servers
From: Pandu Poluan @ 2013-04-25 16:53 UTC
To: gentoo-server

On Apr 25, 2013 11:31 PM, "Vinícius Ferrão" <viniciusferrao@if.ufrj.br> wrote:
>
> Hello Robert,
>
> The internal MTA has an Internet facing address since we have plenty of them we just use it.
>
> Ordinary users connect through this internal MTA to send/receive mail. But everything that goes outside of the domain goes through the Postfix server. So I'm just uncertain about this configuration. Since the message originates in the internal MTA and then it's relayed to the Postfix server...
>
> So I just need to know if the SPF record should include the internal MTA too, since the postfix server is already in the SPF declaration.
>
> Thanks in advance,
>
> Sent from my iPhone
>
> On 25/04/2013, at 13:03, "Robert Bridge" <robert@robbieab.com> wrote:
>
>> Just the internet facing one, as I understand it. Nothing else should ever see the internal MTA, and it may not even have a routable IP address!
>>
>> On 25 April 2013 16:57, Vinícius Ferrão <viniciusferrao@if.ufrj.br> wrote:
>>>
>>> Hello Halassy, thanks for your reply.
>>>
>>> I'm aware of the syntax, I just mistyped it.
>>>
>>> The main question still continues, should I put both MTAs or just the Internet facing one?
>>>
>>> Thanks in advance,
>>>
>>> Sent from my iPhone
>>>
>>> On 25/04/2013, at 05:14, "Halassy Zoltán" <zhalassy@loginet.hu> wrote:
>>>
>>> > Hello!
>>> >
>>> > Using MX in SPF record is a simple way to describe trivial two-way setups, that is, MX will also send the mails, not just receive them. If you have a non-trivial setup, you can use, for example, IP addresses, like ip6: and ip4:. Add every address from which a mail could possibly leave your organization, and that's it, do not use MX. BTW, the syntax is v=spf1, not what you wrote.
>>> >
>>> > On 2013-04-25 01:32, Vinícius Ferrão wrote:
>>> >> I've a question about the SPF setup in my domain.
>>> >>
>>> >> We have two MTAs: an exchange server that does not use SMTP to relay messages to the Internet and a Postfix Mail Gateway on the border to send and receive messages to/from the internet.
>>> >>
>>> >> The clients connect on the Exchange Server to relay messages to the external world. So an SMTP connection would start in the Exchange, then it relays to the Postfix server and then to the Internet. On the other hand when a message comes from the Internet it first arrives in the Postfix server and after the processing it's handed to the Exchange server.
>>> >>
>>> >> The question is: which SPF TXT string should I use?
>>> >>
>>> >> The Postfix server is my only MX. And I don't know if I should include the Exchange Server name in the SPF rules.
>>> >>
>>> >> I was considering: vspf=1 mx -all
>>> >>
>>> >> But this does not include the Exchange, and I don't know if it's right or not.

Please do not top post; it's frowned upon in this list.

Now to answer your last question: No need.

An SPF record should contain *only* the email server(s) that actually talks to another domain's email server.

Since the Exchange server and the Postfix server are in the same domain, and since *only* the Postfix server actually talks to mail servers of *other* domains, you only need to specify the Postfix server in the SPF record.

The situation gets complicated, though, if you (1) re-relay your email (e.g., through your ISP's mail relay), or (2) use Gmail to act as an "on behalf of" mail server, or (3) both.

Just for an example, here's the SPF Record for my previous office:

"v=spf1 ip4:174.120.70.145 ip4:174.120.70.155 ip4:49.128.177.72 a mx ip4:49.128.177.71 a:rockefeller.post.co.id a:carnegie.post.co.id include:_spf.google.com -all"

The set of IP addresses are the ISP's mail relay servers; the a: fields are the IP addresses of our cloud servers, and some of us use Gmail as a stand-in for corporate email when we're outside the office.

Rgds,
--

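An added example, not part of any post in the thread: a small Python evaluator showing why only the border gateway needs to be in the record, since a receiver checks the IP of the host that connects to it, and why the mistyped `vspf=1` string is not treated as SPF at all. The addresses and the helper names `check_spf` and `receiver_result` are assumptions constructed for illustration; only the `ip4:`, `ip6:` and `all` mechanisms are evaluated, so no DNS lookups are needed.

```python
import ipaddress

# Constructed addresses from documentation ranges (assumptions, not from the thread).
POSTFIX_GATEWAY = "192.0.2.25"       # border MTA, the only host that talks to other domains
EXCHANGE_INTERNAL = "198.51.100.10"  # internal MTA, relays everything through the gateway

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate ip4:/ip6:/all mechanisms left to right against the connecting IP.

    Returns an SPF result name. Mechanisms that need DNS (a, mx, include)
    and modifiers are skipped in this offline sketch.
    """
    terms = record.split()
    # A TXT string that does not start with the exact version tag is not an SPF record.
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


def receiver_result(record, hops):
    """A receiving server only sees the host that connects to it: the last hop."""
    return check_spf(record, hops[-1])


if __name__ == "__main__":
    record = "v=spf1 ip4:192.0.2.25 -all"
    # Mail path inside the domain: Exchange hands off to Postfix, Postfix delivers.
    print(receiver_result(record, [EXCHANGE_INTERNAL, POSTFIX_GATEWAY]))
    # If the Exchange host ever delivered directly, the same record would reject it.
    print(receiver_result(record, [EXCHANGE_INTERNAL]))
    # The mistyped version tag means receivers find no SPF policy to apply.
    print(check_spf("vspf=1 mx -all", POSTFIX_GATEWAY))
```
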