Richard Welty wrote:
> On Wed, 26 May 2004 15:54:55 +0100 David Woodhouse <dwmw2@???> wrote:
>
>>True :) But to a large extent we can manage to reject mail from those
>>particular nutters with much less hassle:
>
>
>> deny condition=if {match {${lookup dnsdb{txt=$sender_address_domain}{$value}{}}}{v=spf1.*-all}} {1}}
>> message=Only stupid people have SPF records containing '-all'
>
>
> this is a little much.
>
> i have a domain, digest.net, whose sole purpose is to host mailing lists.
> there are no users, only electronic mailing lists. no mail with the domain
> @digest.net is legitimate unless it originates from 192.94.170.0/24
>
> why is -all not appropriate here?
I'm confused there as well. My understanding was that the -all tag meant
"and that's all!", i.e., if I advertise two allowed hosts (my outbound
mail gateways) and say -all, I'm saying ONLY those two are allowable. I
do not and will not allow users to send direct-to-mx mail from any
internal host, nor are they allowed to use their work email addresses
from home or on the road unless they are VPNed in or using the web mail
interface we provide - both of which will again use the proper two
advertised addresses.
So what am I missing?
