spf-discuss

Re: Sending mail from dynamic IP-addresses with dynamic PTR hostnames, but constant EHLO/HELO hostnames

2005-05-25 11:29:49
On 25/05/05, Bill Taroli <bill(_dot_)taroli(_at_)billsden(_dot_)org> wrote:
> Constantine A. Murenin wrote:
>
>> I have a VPS server with IP-address 84.252.xxx.xx. [...]
>> example.ru has A records to the aforesaid
>> IP-address and MX records of example.ru. [...]
>> Each domain has an A record to the
>> aforesaid IP, and its own name for the MX record.
>>
>> All of my personal outgoing emails are directed from [...] dynamic
>> IP-address, right now 71.0.xx.xxx, and hostname nc-71-0-xx-xx.dyn.sprint-hsd.net.
>> I use the services of dyndns.org for my home server: there is an A
>> record from example.dyndns.org, [...] My sendmail server thinks
>> that its name is home.example.name, which is a CNAME to
>> example.dyndns.org. [...]
>>
>> I need to create an SPF-record that will allow my VPS server and my
>> home sendmail server to be the only authorised servers that can send
>> the mail for all of my domains.
>>
>> The question is:
>>
>> [...] how do I set my home server to be authorised to send mail
>> for all of my domains?
>>
>> [...] If possible, I would like not to tell the whole internet that my home
>> mail server's name is home.example.name, I would just like to tell
>> that it's under the example.name domain.



> I haven't been flamed much lately, so I'll take a stab...
>
> How about putting a TXT record into your various "example" zone files,
> each specifying an SPF policy of "v=spf1 mx a:home.example.name ?all".
> Once you're satisfied things are working well, "?all" might go to "~all"
> or "-all".

I got it, thanks! The SPF syntax page is very difficult to find, and
the description of what SPF's 'a' directive does is somewhat
unclear, at least to me. Something like "the hostname that is
specified by SPF's 'a' directive is resolved, and the resulting
IP-addresses are tested against the client IP-address [of the MTA]".
The key words here are "hostname is resolved". :-)

As of today, the page <URL:http://spf.pobox.com/mechanisms.html#a> reads:

"All the A records for /domain/ are tested. If the client IP is found
among them, this mechanism matches."

Once you know what I've said above, the page appears somewhat
clearer than before, but for it to appear clear, you must already
know how it works. :-)

Some other suggestions: 

"If the client IP is found among any of the A records of /domain/, the
mechanism matches."

> Since you indicate that each of the various domains has an A record for
> the VPS and specifies that host as its MX, the "mx" should do -- though
> I have seen a marked preference for "a:" even in this case. And since
> your home system always has the same host name (via dyndns), the "a:"
> (by name) should work there.

> I don't believe, other than having a static IP address for the host in
> question, that you can do anything about hiding the name of
> home.example.com. I'm just curious why you'd want to do that... being as

I don't have any .com's. :-) 

> you went through the trouble of setting up dyndns and all. Isn't that
> supposed to support the notion of being found? ;-)

Well, I don't want to tell everyone what the structure of my
network is. As of today, the hostname is only there for me to find myself
from a remote location. :-)

Is there a way to utilise the EHLO/HELO hostname, which is provided by
the MTA in the greeting part of SMTP? I.e., I want to say that every
MTA that claims to have a hostname of the form *.example.name, provided
that the domain resolves to the MTA's IP-address, is permitted to send
my mail. That is much simpler and more straightforward, isn't it? :-)
And it does not reveal the structure of my network to strangers, does
it?

Cheers,
Constantine.
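Added example (editor's code, not from either poster): a toy SPF evaluator that walks the record Bill suggested, "v=spf1 mx a:home.example.name ?all", against a constructed in-memory DNS table, so it runs offline. It shows the point Constantine found unclear: "a:home.example.name" is resolved (here through the CNAME to the dyndns A record) and the resulting addresses are compared with the connecting client's IP; "mx" resolves the MX hosts and then their A records; the trailing "?all" yields neutral for anyone else, and swapping it for "-all" or "~all" changes that to fail or softfail. The host names are the thread's placeholders, but every address is an assumption from the RFC 5737 documentation ranges, not the real ones behind the xx's. Only the mechanisms discussed in the thread are implemented; a real checker also needs include, redirect, macros, CIDR suffixes and the DNS lookup limit. Note that the published TXT record itself names home.example.name to anyone who queries it, which is the disclosure the thread is discussing.

```python
"""Toy SPF checker (added example, not from the list thread).

Evaluates an SPF record against a client IP using a constructed, in-memory
DNS table so that it runs offline.  Implements only a, a:<domain>, mx,
ip4:<addr> and all, with the qualifiers + - ~ ?.
"""
import ipaddress

# Constructed DNS data.  Names follow the thread's placeholders; every
# address is an assumption drawn from the RFC 5737 documentation ranges.
DNS = {
    ("example.ru", "TXT"):          ["v=spf1 mx a:home.example.name ?all"],
    ("example.ru", "A"):            ["192.0.2.10"],
    ("example.ru", "MX"):           ["mail.example.ru"],
    ("mail.example.ru", "A"):       ["192.0.2.10"],
    ("home.example.name", "CNAME"): ["example.dyndns.org"],
    ("example.dyndns.org", "A"):    ["198.51.100.7"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, depth=0):
    """Resolve name/rtype in the toy table, following CNAME chains."""
    if depth > 8:                      # guard against CNAME loops
        return []
    records = DNS.get((name, rtype))
    if records is not None:
        return list(records)
    cname = DNS.get((name, "CNAME"))
    if cname:
        return lookup(cname[0], rtype, depth + 1)
    return []


def a_mechanism_matches(domain, client_ip):
    """'a' mechanism: the client IP is among the A records of domain."""
    return any(ipaddress.ip_address(a) == client_ip
               for a in lookup(domain, "A"))


def mx_mechanism_matches(domain, client_ip):
    """'mx' mechanism: the client IP is among the A records of any MX host."""
    return any(a_mechanism_matches(mx, client_ip)
               for mx in lookup(domain, "MX"))


def check_spf(domain, client_ip_str, record=None):
    """SPF result for mail claiming <domain>, sent from client_ip_str.

    record overrides the published TXT so different 'all' qualifiers can
    be compared without editing the DNS table.
    """
    client_ip = ipaddress.ip_address(client_ip_str)
    if record is None:
        txt = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
        if not txt:
            return "none"
        record = txt[0]
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"                 # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = a_mechanism_matches(arg or domain, client_ip)
        elif name == "mx":
            matched = mx_mechanism_matches(arg or domain, client_ip)
        elif name == "ip4":
            matched = client_ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"          # mechanism not supported by this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, check_spf("example.ru", ip))
    print("strict:", check_spf("example.ru", "203.0.113.5",
                               record="v=spf1 mx a:home.example.name -all"))
```

Running it shows the VPS address passing via "mx", the home address passing via "a:home.example.name" after the CNAME is followed, and an unrelated address getting neutral under "?all" but fail once the record is tightened to "-all".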

