SPF Record with Multiple Servers

SPF Record with Multiple Servers

Vinícius Ferrão-2
Hi all,

I've a question about the SPF setup in my domain.

We have two MTAs: an Exchange server that does not use SMTP to relay messages to the Internet and a Postfix Mail Gateway on the border to send and receive messages to/from the Internet.

The clients connect to the Exchange Server to relay messages to the external world. So an SMTP connection would start in the Exchange, then it relays to the Postfix server and then to the Internet. On the other hand, when a message comes from the Internet it first arrives in the Postfix server and after the processing it's handed to the Exchange server.

The question is: which SPF TXT string should I use?

The Postfix server is my only MX. And I don't know if I should include the Exchange Server name in the SPF rules.

I was considering: vspf=1 mx -all

But this does not include the Exchange, and I don't know if it's right or not.

Thanks in advance,

Sent from my iPhone

Re: SPF Record with Multiple Servers

Halassy Zoltán
Hello!

Using MX in an SPF record is a simple way to describe trivial two-way
setups, that is, MX will also send the mails, not just receive them. If
you have a non-trivial setup, you can use, for example, IP addresses,
like ip6: and ip4:. Add every address from which a mail could possibly
leave your organization, and that's it, do not use MX. BTW, the syntax
is v=spf1, not what you wrote.


Re: SPF Record with Multiple Servers

Vinícius Ferrão-2
Hello Halassy, thanks for your reply.

I'm aware of the syntax, I just mistyped it.

The main question still continues, should I put both MTAs or just the Internet facing one?

Thanks in advance,

Sent from my iPhone


Re: SPF Record with Multiple Servers

Robert Bridge
Just the internet facing one, as I understand it. Nothing else should ever see the internal MTA, and it may not even have a routable IP address!



Re: SPF Record with Multiple Servers

Vinícius Ferrão-2
Hello Robert,

The internal MTA has an Internet-facing address; since we have plenty of them, we just use it.

Ordinary users connect through this internal MTA to send/receive mail. But everything that goes outside of the domain goes through the Postfix server. So I'm just uncertain about this configuration. Since the message originates in the internal MTA and then it's relayed to the Postfix server...

So I just need to know if the SPF record should include the internal MTA too, since the Postfix server is already in the SPF declaration.

Thanks in advance,

Sent from my iPhone


Re: SPF Record with Multiple Servers

Robert Bridge
The only servers that need inclusion in the SPF declaration are servers that will be passing email out of your domain.

Other internal servers don't matter, as they never connect to anyone else's email servers.



Re: SPF Record with Multiple Servers

Pandu Poluan
In reply to this post by Vinícius Ferrão-2


On Apr 25, 2013 11:31 PM, "Vinícius Ferrão" <[hidden email]> wrote:
>
> Hello Robert,
>
> The internal MTA has an Internet-facing address; since we have plenty of them, we just use it.
>
> Ordinary users connect through this internal MTA to send/receive mail. But everything that goes outside of the domain goes through the Postfix server. So I'm just uncertain about this configuration. Since the message originates in the internal MTA and then it's relayed to the Postfix server...
>
> So I just need to know if the SPF record should include the internal MTA too, since the Postfix server is already in the SPF declaration.
>
> Thanks in advance,
>
> Sent from my iPhone
>
> On 25/04/2013, at 13:03, "Robert Bridge" <[hidden email]> wrote:
>
>> Just the internet facing one, as I understand it. Nothing else should ever see the internal MTA, and it may not even have a routable IP address!
>>
>>
>> On 25 April 2013 16:57, Vinícius Ferrão <[hidden email]> wrote:
>>>
>>> Hello Halassy, thanks for your reply.
>>>
>>> I'm aware of the syntax, I just mistyped it.
>>>
>>> The main question still continues, should I put both MTAs or just the Internet facing one?
>>>
>>> Thanks in advance,
>>>
>>> Sent from my iPhone
>>>
>>> On 25/04/2013, at 05:14, "Halassy Zoltán" <[hidden email]> wrote:
>>>
>>> > Hello!
>>> >
>>> > Using MX in an SPF record is a simple way to describe trivial two-way setups, that is, MX will also send the mails, not just receive them. If you have a non-trivial setup, you can use, for example, IP addresses, like ip6: and ip4:. Add every address from which a mail could possibly leave your organization, and that's it, do not use MX. BTW, the syntax is v=spf1, not what you wrote.
>>> >
>>> > On 2013-04-25 01:32, Vinícius Ferrão wrote:
>>> >> I've a question about the SPF setup in my domain.
>>> >>
>>> >> We have two MTAs: an Exchange server that does not use SMTP to relay messages to the Internet and a Postfix Mail Gateway on the border to send and receive messages to/from the Internet.
>>> >>
>>> >> The clients connect to the Exchange Server to relay messages to the external world. So an SMTP connection would start in the Exchange, then it relays to the Postfix server and then to the Internet. On the other hand, when a message comes from the Internet it first arrives in the Postfix server and after the processing it's handed to the Exchange server.
>>> >>
>>> >> The question is: which SPF TXT string should I use?
>>> >>
>>> >> The Postfix server is my only MX. And I don't know if I should include the Exchange Server name in the SPF rules.
>>> >>
>>> >> I was considering: vspf=1 mx -all
>>> >>
>>> >> But this does not include the Exchange, and I don't know if it's right or not.
>>> >
>>> >
>>>
>>

Please do not top post; it's frowned upon in this list.

Now to answer your last question: No need.

An SPF record should contain *only* the email server(s) that actually talk to another domain's email server.

Since the Exchange server and the Postfix server are in the same domain, and since *only* the Postfix server actually talks to mail servers of *other* domains, you only need to specify the Postfix server in the SPF record.

The situation gets complicated, though, if you (1) re-relay your email (e.g., through your ISP's mail relay), or (2) use Gmail to act as an "on behalf of" mail server, or (3) both.

Just for an example, here's the SPF Record for my previous office:

"v=spf1 ip4:174.120.70.145 ip4:174.120.70.155 ip4:49.128.177.72 a mx ip4:49.128.177.71 a:rockefeller.post.co.id a:carnegie.post.co.id include:_spf.google.com -all"

The set of IP addresses are the ISP's mail relay servers; the a: fields are the IP addresses of our cloud servers, and some of us use Gmail as a stand-in for corporate email when we're outside the office.

Rgds,
--
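
As an added illustration of the rule discussed in this thread (not code from any of the posters): a receiving server evaluates SPF against the IP address of the host that connects to it, so only the border gateway needs to match. The addresses below are constructed documentation addresses, and `check_spf` is a hypothetical, simplified evaluator that handles only `ip4:`/`ip6:`, a bare `mx` (taken from a caller-supplied list instead of DNS) and `all`.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip, mx_hosts=()):
    """Evaluate a simplified SPF record against the connecting client's IP.

    Returns 'none' when the TXT string is not an SPF record at all,
    otherwise the result of the first matching mechanism.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # a mistyped version tag means no SPF policy is published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        result = "pass"  # default qualifier is '+'
        if term[0] in QUALIFIERS:
            result, term = QUALIFIERS[term[0]], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "mx" and not arg:
            # Assumption: mx_hosts stands in for the DNS lookup of the MX addresses.
            matched = any(ip == ipaddress.ip_address(h) for h in mx_hosts)
        elif name == "all":
            matched = True
        else:
            continue  # a:, include: and others need DNS; skipped in this sketch
        if matched:
            return result
    return "neutral"  # no mechanism matched and no 'all' present

# Constructed addresses: the border Postfix gateway and the internal Exchange host.
GATEWAY, EXCHANGE = "192.0.2.10", "192.0.2.20"

def demo():
    record = "v=spf1 ip4:%s -all" % GATEWAY
    return {
        "gateway_delivers": check_spf(record, GATEWAY),
        "exchange_direct": check_spf(record, EXCHANGE),
        "mx_form": check_spf("v=spf1 mx -all", GATEWAY, mx_hosts=[GATEWAY]),
        "mistyped": check_spf("vspf=1 mx -all", GATEWAY, mx_hosts=[GATEWAY]),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

The `exchange_direct` case only fails if the internal host ever connects to an outside server itself; as long as all outbound mail leaves through the gateway, receivers never see that address.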