spf-discuss

RE: [spf-discuss] Implicit MX (was: Another test case for the test suite...)

2007-01-14 23:35:30
Alex van den Bogaerdt wrote on Sunday, January 14, 2007 6:31 PM -0600:

> www.example.com.  A   192.0.2.1
> (or:  www.example.com CNAME example.com.)
> example.com.      A   192.0.2.1
> example.com.      MX  0 192.0.2.2
>
> The web server on 192.0.2.1, more specifically its insecure forms,
> should not implicitly be allowed to send mail for "example.com".
>
> The host named example.com is allowed to say "HELO example.com", no
> problem. It's its name after all.

I think I see where the confusion may be coming from.  The above zone
has an illegal MX record.  You must use a hostname in the MX record for
which there is already an A record.  It can't be an IP and it can't be a
CNAME.  I'm guessing that what you're trying to do is to have the mail
server and web server use the same hostname with different IPs.  That's
impossible because a hostname has to resolve to a single IP.  If you want
a separate IP for the mail server, then the setup might be:

example.com.      A     192.0.2.1
www               CNAME example.com.
mail.example.com. A     192.0.2.2
example.com.      MX    0 mail.example.com.

This sets the MX for example.com to mail.example.com, which should HELO
as mail.example.com when it sends mail.  Only the web server could
legitimately HELO as example.com, and you don't authorize it to send
mail.

--
Seth Goodman
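
An added example, not part of the original message: a Python check for the MX constraints named in the reply (the target is a hostname rather than an IP, is not a CNAME, and has an address record), run over the two zones from the thread. It parses only the simplified one-record-per-line syntax shown above; the function and variable names are illustrative.

```python
import ipaddress

# Constructed from the records in the message (the "or: CNAME" variant is omitted).
ZONE_AS_QUOTED = """\
www.example.com.  A   192.0.2.1
example.com.      A   192.0.2.1
example.com.      MX  0 192.0.2.2
"""
ZONE_AS_SUGGESTED = """\
example.com.      A     192.0.2.1
www               CNAME example.com.
mail.example.com. A     192.0.2.2
example.com.      MX    0 mail.example.com.
"""

def fqdn(name, origin):
    name = name.lower()  # relative names are expanded against the zone origin
    return name if name.endswith(".") else f"{name}.{origin}"

def is_ip_literal(text):
    try:
        ipaddress.ip_address(text.rstrip("."))
        return True
    except ValueError:
        return False

def check_mx_targets(zone_text, origin="example.com."):
    """Return a list of problems with the MX targets in a simplified zone text."""
    addresses, aliases, mx = set(), set(), []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        owner, rtype, rdata = fqdn(fields[0], origin), fields[1].upper(), fields[2:]
        if rtype in ("A", "AAAA"):
            addresses.add(owner)
        elif rtype == "CNAME":
            aliases.add(owner)
        elif rtype == "MX" and len(rdata) == 2:
            mx.append((owner, rdata[1]))  # (owner, exchange); preference ignored
    problems = []
    for owner, target in mx:
        if is_ip_literal(target):
            problems.append(f"{owner} MX target {target} is an IP address, not a hostname")
        elif fqdn(target, origin) in aliases:
            problems.append(f"{owner} MX target {target} is a CNAME")
        elif fqdn(target, origin) not in addresses:
            problems.append(f"{owner} MX target {target} has no address record in this zone")
    return problems
```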
