From: Pandu Poluan <pandu@poluan.info>
To: gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] SPF Record with Multiple Servers
Date: Thu, 25 Apr 2013 23:53:11 +0700
Message-ID: <CAA2qdGW_-L_G784MTsYPBcnfxnXNbZ2NKeJCN6dS+OH_1m4-EQ@mail.gmail.com>
In-Reply-To: <EC15E66D-27AC-4DB0-9D27-C32FCB574617@if.ufrj.br>
On Apr 25, 2013 11:31 PM, "Vinícius Ferrão" <viniciusferrao@if.ufrj.br> wrote:
>
> Hello Robert,
>
> The internal MTA has an Internet-facing address; since we have plenty of them, we just use it.
>
> Ordinary users connect through this internal MTA to send/receive mail. But everything that goes outside of the domain goes through the Postfix server. So I'm just uncertain about this configuration. Since the message originates in the internal MTA and then it's relayed to the Postfix server...
>
> So I just need to know if the SPF record should include the internal MTA too, since the Postfix server is already in the SPF declaration.
>
> Thanks in advance,
>
> Sent from my iPhone
>
> On 25/04/2013, at 13:03, "Robert Bridge" <robert@robbieab.com> wrote:
>
>> Just the internet facing one, as I understand it. Nothing else should ever see the internal MTA, and it may not even have a routable IP address!
>>
>>
>> On 25 April 2013 16:57, Vinícius Ferrão <viniciusferrao@if.ufrj.br> wrote:
>>>
>>> Hello Halassy, thanks for your reply.
>>>
>>> I'm aware of the syntax, I just mistyped it.
>>>
>>> The main question still continues, should I put both MTAs or just the Internet facing one?
>>>
>>> Thanks in advance,
>>>
>>> Sent from my iPhone
>>>
>>> On 25/04/2013, at 05:14, "Halassy Zoltán" <zhalassy@loginet.hu> wrote:
>>>
>>> > Hello!
>>> >
>>> > Using MX in an SPF record is a simple way to describe trivial two-way setups, that is, the MX will also send the mails, not just receive them. If you have a non-trivial setup, you can use, for example, IP addresses, like ip6: and ip4:. Add every address from which a mail could possibly leave your organization, and that's it, do not use MX. BTW, the syntax is v=spf1, not what you wrote.
>>> >
>>> > On 2013-04-25 01:32, Vinícius Ferrão wrote:
>>> >> I've a question about the SPF setup in my domain.
>>> >>
>>> >> We have two MTAs: an Exchange server that does not use SMTP to relay messages to the Internet and a Postfix Mail Gateway on the border to send and receive messages to/from the Internet.
>>> >>
>>> >> The clients connect to the Exchange Server to relay messages to the external world. So an SMTP connection would start in the Exchange, then it relays to the Postfix server and then to the Internet. On the other hand, when a message comes from the Internet it first arrives at the Postfix server and after the processing it's handed to the Exchange server.
>>> >>
>>> >> The question is: which SPF TXT string should I use?
>>> >>
>>> >> The Postfix server is my only MX. And I don't know if I should include the Exchange Server name in the SPF rules.
>>> >>
>>> >> I was considering: vspf=1 mx -all
>>> >>
>>> >> But this does not include the Exchange, and I don't know if it's right or not.
>>> >
>>> >
>>>
>>
Please do not top post; it's frowned upon in this list.

Now to answer your last question: No need.

An SPF record should contain *only* the email server(s) that actually talk to another domain's email server.

Since the Exchange server and the Postfix server are in the same domain, and since *only* the Postfix server actually talks to mail servers of *other* domains, you only need to specify the Postfix server in the SPF record.

The situation gets complicated, though, if you (1) re-relay your email (e.g., through your ISP's mail relay), or (2) use Gmail to act as an "on behalf of" mail server, or (3) both.
Just for an example, here's the SPF Record for my previous office:

"v=spf1 ip4:174.120.70.145 ip4:174.120.70.155 ip4:49.128.177.72 a mx ip4:49.128.177.71 a:rockefeller.post.co.id a:carnegie.post.co.id include:_spf.google.com -all"

The set of IP addresses are the ISP's mail relay servers; the a: fields are the IP addresses of our cloud servers, and some of us use Gmail as a stand-in for corporate email when we're outside the office.

Rgds,
--
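
The setup discussed in this thread, as an added example that is not part of the original message: a small Python evaluator for a subset of SPF mechanisms (ip4, ip6, a, mx, all), showing that a receiver evaluates the IP address of the host that connects to it, so listing only the border gateway is enough. The addresses (documentation ranges), host names and the inline DNS table are constructed assumptions; include: and other mechanisms are not modelled.

```python
import ipaddress

# Constructed sample data: documentation address ranges, hypothetical host names.
DNS = {
    "mx": {"example.org": ["gw.example.org"]},
    "a": {"gw.example.org": ["192.0.2.25"], "example.org": ["192.0.2.80"]},
}
POSTFIX_GW = "192.0.2.25"    # border MTA, the only host that talks to other domains
EXCHANGE = "198.51.100.10"   # internal MTA, relays everything through the gateway

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _hosts_match(names, client):
    """True if any A record of the given host names equals the client IP."""
    return any(client == ipaddress.ip_address(addr)
               for name in names for addr in DNS["a"].get(name, []))

def check_spf(record, client_ip, domain="example.org"):
    """Evaluate a TXT record against the IP of the connecting SMTP client."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                    # e.g. the mistyped "vspf=1" is not SPF
    client = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"                       # default qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            hit = True
        elif name in ("ip4", "ip6"):
            hit = client in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hit = _hosts_match([arg or domain], client)
        elif name == "mx":
            hit = _hosts_match(DNS["mx"].get(arg or domain, []), client)
        else:
            continue                     # include:, modifiers etc. not modelled
        if hit:                          # first matching mechanism decides
            return QUALIFIERS[qual]
    return "neutral"                     # nothing matched

if __name__ == "__main__":
    for rec in ("v=spf1 mx -all", "v=spf1 ip4:192.0.2.25 -all", "vspf=1 mx -all"):
        print(rec, "| gateway:", check_spf(rec, POSTFIX_GW),
              "| exchange direct:", check_spf(rec, EXCHANGE))
```

Mail that leaves through the gateway passes with either record; the internal server only fails if it ever connects to an outside domain directly, which is the case the record is meant to reject.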