<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>On Aug 2, 2010, at 10:23 PM, Noel Butler wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>On Mon, 2010-08-02 at 22:13 -0400, donovan jeffrey j wrote:<blockquote type="CITE"><pre>Greetings
i have an internal dns server it resolvs all my queries from the inside.
I have a mail system requesting an spf record. Should i add the same record on the inside as i do for the outside ? i don't want internal address space to mess with external.
i would say just place it on my external dns. But it's an internal content filter that is asking for the record, so then shouldn't place it on the inside?
any insight suggestions and flames welcome
</pre></blockquote>Hi,<br><br>Why not have internal clients use smtp auth on submission only, and bypass spf (and other anti uce) tests?<br></div></blockquote><div><br></div><div>clamav is picking up from an old relay and I think it's lowering the score because of an spf check. 192.168.1.2 is my mail gateway internal interface.</div><div><br></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; border-collapse: collapse; font-size: 14px; "><p style="margin-top: 0px; margin-bottom: 1em; "><tt style="margin-top: 0px; font-family: monospace; font-size: 12px; ">myfilter.mydomain.com]</tt> received a message from <tt style="margin-top: 0px; font-family: monospace; font-size: 12px; ">192.168.1.2</tt> that claimed an envelope sender address of <tt style="margin-top: 0px; font-family: monospace; font-size: 12px; "><a href="mailto:foo.money@dealstodaycheap.info">foo.money@dealstodaycheap.info</a></tt>.</p><div style="margin-top: 0px; margin-bottom: 0px; ">However, the domain <tt style="margin-top: 0px; font-family: monospace; font-size: 12px; "><a href="http://dealstodaycheap.info/">dealstodaycheap.info</a></tt> has declared using SPF that it does not send mail through <tt style="margin-top: 0px; font-family: monospace; font-size: 12px; ">192.168.1.1</tt>. That is why the message was rejected.</div><div style="margin-top: 0px; margin-bottom: 0px; "><br></div><div style="margin-top: 0px; margin-bottom: 0px; "><font class="Apple-style-span" face="Helvetica"><span class="Apple-style-span" style="border-collapse: separate; font-size: medium; ">i don't want my internal filter to lower scores just because that relay doesn't have an spf record, and I do not want to call the relay local. i want everything scanned from there.</span></font></div><div style="margin-top: 0px; margin-bottom: 0px; "><font class="Apple-style-span" face="Helvetica"><span class="Apple-style-span" style="border-collapse: separate; font-size: medium; ">I may also not be understanding What Spf record clamav is looking for. my relay or his relay or mydomain ? i best start with my domain.</span></font></div><div style="margin-top: 0px; margin-bottom: 0px; "><font class="Apple-style-span" face="Helvetica"><span class="Apple-style-span" style="border-collapse: separate; font-size: medium; "><br></span></font></div></span></div><br><blockquote type="cite"><div>If postfix (since its the MTA used in your post, youm likely are), use:<br>submission inet n - n - - smtpd<br> -o smtpd_sasl_auth_enable=yes<br> -o smtpd_client_restrictions=reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_sasl_authenticated,reject<br> -o receive_override_options=no_milters<br><br>But anyway, when I ran split views, I used spf on internal range using the int IP, but used ~all in place of -all (which I use on externals).<br><br>Cheers<br>Noel<br><br></div></blockquote><br></div><div>thanks for the reply noel,</div><div>i saw that option on a web site and i thought it was a typo ( ~ ) vs ( - ) what is the difference.</div><div><br></div><div>-j</div><div><br></div><div><div>On Aug 2, 2010, at 10:23 PM, Noel Butler wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<div>
On Mon, 2010-08-02 at 22:13 -0400, donovan jeffrey j wrote:
<blockquote type="CITE">
<pre>Greetings
i have an internal dns server it resolvs all my queries from the inside.
I have a mail system requesting an spf record. Should i add the same record on the inside as i do for the outside ? i don't want internal address space to mess with external.
i would say just place it on my external dns. But it's an internal content filter that is asking for the record, so then shouldn't place it on the inside?
any insight suggestions and flames welcome
</pre>
</blockquote>
Hi,<br>
<br>
Why not have internal clients use smtp auth on submission only, and bypass spf (and other anti uce) tests?<br>
If postfix (since its the MTA used in your post, youm likely are), use:<br>
submission inet n - n - - smtpd<br>
-o smtpd_sasl_auth_enable=yes<br>
-o smtpd_client_restrictions=reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_sasl_authenticated,reject<br>
-o receive_override_options=no_milters<br>
<br>
But anyway, when I ran split views, I used spf on internal range using the int IP, but used ~all in place of -all (which I use on externals).<br>
<br>
Cheers<br>
Noel<br>
<br>
<br>
</div>
</blockquote></div><br></body></html>