Anti Spoofing Ruleset

Glenn Steen glenn.steen at
Thu Apr 19 16:29:36 IST 2007

On 18/04/07, Kevin Miller <Kevin_Miller at> wrote:
> > Basically all I want to say is if the mail is from anyone at ourdomain
> > it has got to originate from our network or networks. Will RDJ do this
> > for me?
> Your best bet is to do that at the MTA level, not in MailScanner.
> Publish SPF records in your DNS defining which servers are authoritative
> to send your mail out.  If you're running sendmail, look into the
> smf-spf milter.  If you're running Postfix or another MTA, someone else
> can tell you how to integrate SPF with it, as I don't have any
> experience with them...

I do this in Postfix directly (not SPF)... Anyone pretending to be my
domain will get a big fat REJECT... Works since we don't allow
roadrunners to pretend they are us... They get to VPN (or similar)/OWA
if they need to send official mail. I suppose you can do similar things
in most MTAs.

This disqualifies sites like greeting-card/resume/whatnot senders,
that regularly spoof your domain. It therefore needs to be a
well-anchored policy decision.

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
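
Added example, not part of the original post and not the poster's actual configuration: one way to express the policy described above ("mail claiming our domain must come from our network") with Postfix sender restrictions. The domain `example.com`, the network range `192.0.2.0/24`, the map path and the reject text are placeholders.

```conf
# ---- /etc/postfix/main.cf (constructed example) ----

# Networks treated as "ours". Clients connecting from these addresses
# are accepted before the sender lookup below is ever reached.
mynetworks = 127.0.0.0/8 [::1]/128 192.0.2.0/24

# Evaluated left to right at MAIL FROM time:
#   1. permit_mynetworks          internal hosts may use our domain
#   2. permit_sasl_authenticated  authenticated submission users may too
#                                 (drop this if remote users must use VPN/OWA)
#   3. check_sender_access        everyone else is matched against the map
smtpd_sender_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access

# ---- /etc/postfix/sender_access (constructed example) ----

# Any outside client using an envelope sender in our domain is refused.
# With the default parent_domain_matches_subdomains setting, this entry
# also matches senders in subdomains of example.com.
example.com    REJECT Mail from example.com must originate from our network

# After editing the map, rebuild it and reload Postfix:
#   postmap /etc/postfix/sender_access
#   postfix reload
```

This checks only the envelope sender (MAIL FROM), not the `From:` header, and it rejects third-party services that send with your domain, which is the policy trade-off noted in the post.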

