On Tue, 13 Jul 2004, Mark Lentczner wrote:
I have my secondary MXs configured to only forward mail through my
primary, and queue mail otherwise... That way, if my primary is down,
mail is held at my secondary until the primary comes back up. All mail
eventually flows through my spam/SPF/antivirus filters this way.
How do you get the mail through SPF this way? Does your secondary do
SRS? If not, you have a forwarding situation, and those fail SPF w/o
SRS or similar being done by the forwarder.
I tried something as a solution to this. I marked selected MTAs (including
secondary MXs) as having trustworthy Received headers. Then it is
just a matter of using the first Received header to obtain the IP
for use with SPF.
This worked, but required going to DATA phase to obtain the requisite
header when mail comes through the secondary. I thought that this would be
rare, since MTAs would send mail to the primary MX first. I was wrong.
Legitimate mail goes to the primary first. However, spammers almost always go
to a secondary MX first. This is so consistent that it forms the basis
of some effective anti-spam tools (where the secondary checks whether the
primary is up, and rejects incoming mail if it is).
So, all secondary MXes need to check SPF. After that, then further
spam processing can be centralized (making use of Received-SPF as needed),
with the secondaries serving as store and forward backups.
--
Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.