[CentOS] Split dns issues

Sun Aug 2 22:19:51 UTC 2009
Les Mikesell <lesmikesell at gmail.com>

Jason Pyeron wrote:
>>>>
>> You could just firewall port 25 on the spam-checking MX 
> 
> They are outsourced to google, we cannot control that.

You must have a firewall that you control on your side where these connections 
have to pass.

>> relays from the trusted networks  and add a high-numbered MX 
>> record for the target you want them to hit instead.  As long 
> 
> Adding mail.pdinc.us to the list would beg spammers to skip our spam gateway
> service.

That's fine, as they would be unable to connect if you leave it a private address.

> And I think adding the non-routable IPs assigned to the intranet mail.pdinc.us
> server to public MX records might be a bit of bad form and add a point of
> failure when the IP address changes.

It's a bit of bad form to use NAT and private addresses at all because the 
internet really wasn't designed to be segmented, but everyone does it.  Or you 
could use a public address in a DMZ where it is firewalled from everything but 
internal connections and perhaps things relayed by the external spam service. 
The point of being able to provide multiple MX records is that things keep 
working even if some of them aren't reachable.

-- 
   Les Mikesell
    lesmikesell at gmail.com
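The fallback behaviour discussed in the thread (a high-numbered MX on a private address that only internal senders can reach, with the trusted networks firewalled away from the outsourced spam-filter relays) can be modelled in a few lines. This is an added example, not code from the thread or from either poster; the domain "example.org", the hostnames and the addresses are constructed, and the firewall and reachability checks are a simplified model, not a real SMTP client.

```python
import ipaddress
from typing import FrozenSet, List, Optional, Tuple

MxRecord = Tuple[int, str, str]  # (preference, hostname, address)

# Constructed zone data for an assumed domain "example.org" (not from the thread).
# The outsourced spam-filtering relays get the lowest preference values, so they
# are tried first; the on-site server is a deliberately high-numbered MX whose
# address is private, so nobody outside the network can ever connect to it.
SPAM_FILTER_MX: List[MxRecord] = [
    (10, "mx1.spamfilter.example.net", "203.0.113.10"),
    (20, "mx2.spamfilter.example.net", "203.0.113.11"),
]
ONSITE_MX: MxRecord = (50, "mail.example.org", "10.0.0.25")

# The "non-routable" ranges the thread refers to (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def lookup_mx(records: List[MxRecord]) -> List[MxRecord]:
    """Return MX records in delivery order: lowest preference first (RFC 5321)."""
    return sorted(records, key=lambda r: r[0])


def reachable(addr: str, sender_internal: bool, down: FrozenSet[str],
              filtered_for_internal: FrozenSet[str]) -> bool:
    """Model whether a sender can open port 25 to an MX address.

    - a host that is down is unreachable for everyone
    - an RFC 1918 address is only reachable from inside the network
    - the local firewall blocks internal senders from the spam-filter relays,
      which is the arrangement suggested in the message above
    """
    if addr in down:
        return False
    if is_rfc1918(addr) and not sender_internal:
        return False
    if sender_internal and addr in filtered_for_internal:
        return False
    return True


def deliver(records: List[MxRecord], sender_internal: bool,
            down: FrozenSet[str] = frozenset(),
            filtered_for_internal: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Walk the MX list in preference order; return the first host that accepts."""
    for _pref, host, addr in lookup_mx(records):
        if reachable(addr, sender_internal, down, filtered_for_internal):
            return host
    return None  # every MX failed: the sender queues and retries later


if __name__ == "__main__":
    zone = SPAM_FILTER_MX + [ONSITE_MX]
    fw = frozenset(addr for _, _, addr in SPAM_FILTER_MX)
    print("external sender:", deliver(zone, sender_internal=False))
    print("external sender, relays unreachable:", deliver(zone, False, down=fw))
    print("internal sender, relays firewalled:", deliver(zone, True, filtered_for_internal=fw))
```

The third case is the one the thread is after: an internal sender cannot reach the relays, falls through to the high-numbered MX and delivers straight to the on-site server. The second case shows why publishing the private address is harmless: an outside host that deliberately skips the filter relays has nowhere left to connect, so the message is queued rather than delivered around the filter.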