backup MX (was: SPF testing issues)
Peter Karsai wrote:

> it is not always straightforward to get your backup MX'es
> outbound IP addresses.

Yes, that could be tricky, but a stupid hobby admin could still
send test mails direct-to-backup-MX and watch the effect... ;-)

In reality it's not that bad, backup-MX services are not free,
and as soon as you pay there must be some kind of support ready
to answer clear questions.

A scheme based only on the HELO name without IP is dubious, that
would be the first thing I'd try as a spammer. Okay, that would
be the name of the backup-MX, not your scenario with an extra
mailout between backup-MX and MX.

> multiple outbound servers, maybe on different subnets.

If it's too weird the admin could "unlist" his old primary MX
and use only the backup-MX to receive mail. The complete idea
of a backup-MX is old, for various reasons I think that it's
almost always FUBAR:

If the backup MX has no access to a list of valid addresses,
and the primary MX is forced to bounce invalid addresses, then
this set-up is harmful. Adding SPF at the primary MX doesn't
make it much better, unless the backup-MX also checks SPF and
rejects all FAILs.

> I expect several problems with admins who enable SPF testing
> without a correctly set up exception list (whitelist).

After I've seen somebody with 127.0.0.1 for his MX yesterday
on the spf-help list I also expect anything...

> This is hardly SPF's fault

...maybe the wizard should have a "minimal clue test", display
a valid FQDN and ask for the IP, and if the user doesn't get it
right he can't use the wizard. ;-)
Bye, Frank
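
The exception-list question discussed in this message, as an added example that is not part of the original post: a primary MX deciding whether to skip SPF for a connection, once keyed on the HELO name and once keyed on the connecting IP. All host names, address ranges and SPF verdicts are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: documentation address ranges, hypothetical host names.
# The backup MX relays from two outbound subnets.
BACKUP_MX_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.16/29")]
BACKUP_MX_HELO = {"backup-mx.example.net"}


def exempt_by_helo(client_ip: str, helo: str) -> bool:
    """Weak rule: trusts the HELO name, which the connecting client chooses freely."""
    return helo.lower().rstrip(".") in BACKUP_MX_HELO


def exempt_by_ip(client_ip: str, helo: str) -> bool:
    """Stronger rule: trusts only the connecting IP, taken from the TCP session."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in BACKUP_MX_NETS)


def primary_mx_action(client_ip, helo, spf_result, exempt):
    """Decide what the primary MX does with one inbound connection.

    spf_result is the SPF verdict for (client_ip, MAIL FROM domain), computed elsewhere.
    """
    if exempt(client_ip, helo):
        # Relayed by the backup MX: SPF against this hop's IP says nothing about
        # the original sender, so the backup MX must have rejected FAILs itself.
        return "accept-unchecked"
    return "reject" if spf_result == "fail" else "accept"


# Constructed connections: (client IP, HELO name, SPF result against the client IP)
CONNECTIONS = [
    ("192.0.2.5", "backup-mx.example.net", "fail"),     # genuine backup MX relaying
    ("198.51.100.20", "out2.example.net", "fail"),      # backup MX, second outbound subnet
    ("203.0.113.77", "backup-mx.example.net", "fail"),  # unrelated host claiming the HELO name
    ("203.0.113.80", "mail.example.org", "pass"),       # ordinary direct sender
]


def run(exempt):
    """Return the primary MX decision for every sample connection under one rule."""
    return [primary_mx_action(ip, helo, spf, exempt) for ip, helo, spf in CONNECTIONS]


if __name__ == "__main__":
    print("HELO rule:", run(exempt_by_helo))
    print("IP rule:  ", run(exempt_by_ip))
```

Under the HELO rule the second outbound server's relayed mail is rejected and the host with the borrowed name is waved through; under the IP rule both cases come out the other way round.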