spf-discuss

Backup MX + SPF?

2004-06-04 03:09:14
Hi all,

I'm pretty new to SPF (about to deploy), but I couldn't find anything in the
archives or on the website that explains how I'm supposed to handle backup MXes
in the context of SPF. I'm sure I'm missing something obvious, but if I'm not,
SPF is undeployable...

For this example, let's suppose I have my primary MX and my backup MX called
mx.example.com and mx2.example.com respectively. SPF is configured on both
machines.

So, 10.0.0.1 connects with mail for root@example.com with an envelope from of
foobar.com, whose SPF record shows that only the IP address 10.0.0.1 is allowed
to send mail for foobar.com. I accept the mail, and we all go woo-yay.

Now, suppose something takes my primary MX out of action. 10.0.0.1 has another
mail for me and sends it to the backup, mx2.example.com, which again checks the
SPF records, permits the mail from foobar.com and queues it. The mail is now
checked as originating from 10.0.0.1 and is legit.

My primary comes back up, mx2 spots it and starts sending queued up e-mail.
Except now mx.example.com is effectively receiving e-mail from mx2.example.com
that is ONLY permitted from 10.0.0.1 and is forbidden from being received from
anywhere else and so should fail right?

The only way I can see of getting around this is to implicitly trust
mx2.example.com and not do any SPF checking at all from this server. This
has several major problems:

- I have to update my mail config every time I change the MX for a zone,
sometimes at a customer's request

- I have to implicitly trust third-party MXes and blindly allow any mail from
them, which kind of negates the point of SPF

- Some of these backup MX boxes are operated by companies offering backup MX to
hundreds, if not thousands, of domains. They become a target for
hackers/spammers

- My customer's outbound e-mail may get caught up into a backup MX "hole" and
get rejected because the admin at the other end forgot to update his mail
config to handle this

Appreciate any thoughts, especially if I'm being a moron and have missed
something out here...

-- 
Paul Robinson
http://www.iconoplex.co.uk/
    
    "God doesn't play dice." - Einstein
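The scenario in this post, as an added example that is not part of the original message: a minimal SPF evaluator run against constructed records, showing the pass when 10.0.0.1 delivers directly to mx2, the fail when mx2 later relays the queued mail to the primary, and the workaround the post describes, narrowed so the check is skipped only for hosts that appear in the recipient domain's own MX records. The address 10.0.0.2 for mx2.example.com and 10.0.0.10 for mx.example.com are assumptions; the domains and 10.0.0.1 come from the post.

```python
import ipaddress

# Constructed records standing in for DNS lookups. example.com, foobar.com and
# 10.0.0.1 come from the post; the MX host addresses are assumptions.
SPF_RECORDS = {"foobar.com": "v=spf1 ip4:10.0.0.1 -all"}
MX_RECORDS = {"example.com": ["mx.example.com", "mx2.example.com"]}
A_RECORDS = {"mx.example.com": "10.0.0.10", "mx2.example.com": "10.0.0.2"}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip):
    """Evaluate a minimal v=spf1 record (ip4 and all mechanisms only)."""
    record = SPF_RECORDS.get(sender_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue                         # mechanisms not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                         # no mechanism matched


def relay_ips_for(recipient_domain):
    """Addresses of the recipient domain's own MX hosts, taken from DNS data."""
    return {A_RECORDS[host] for host in MX_RECORDS.get(recipient_domain, [])}


def decide(recipient_domain, sender_domain, client_ip, skip_own_mx=False):
    """Result the receiving MX acts on for one SMTP connection.

    With skip_own_mx the check is bypassed only for the recipient domain's
    published MX hosts, so the bypass list follows the MX records instead of
    a hand-maintained config; every other client is still checked.
    """
    if skip_own_mx and client_ip in relay_ips_for(recipient_domain):
        return "skip"
    return check_spf(sender_domain, client_ip)
```

Direct delivery from 10.0.0.1 passes, the relay from mx2 fails, and only the MX-based bypass lets the queued mail through without opening the check for arbitrary hosts.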

