Where is logic in that?

Two facts:
- you use SPF for own domains
- your shool's Zimbra installation scores mails from your domains as spam

Based on above facts how have you come to conclusion that SPF doesn't work in general? The fact that your school's Zimbra scores your mail as spam is just a single cases and most probably not related to SPF in general.

Have you looked at headers of these message marked as spam? Have you contacted the postmaster?

Some spam filters score on SPF. So not having SPF increases chance of false positives for your legitimate mail when you don't have SPF. And since SPF is free and painless to implement (just few DNS records) I don't see any reason not to use it. Also not like it is something that much significant either.

I think address space limitation is not an issue here. If I correctly understand this vulnerability means that for example some user has cached session cookies for intranet site like http://10.0.0.1/intranet - then if he connects to other network (that I control) via VPN I can forge http://10.0.0.1/intranet site in my network trick the browser by injecting JavaScript code and read this users session cookies? Do I understand this correctly?

Well if I do then SSL/TLS certificates and cryptography in general are the means to authenticate someones (or some servers) indentity.

So my question is: if sites in my intranet use proper PKI and SSL/TLS mechanisms am I still voulnerable to this flaw?

Srly - great. :)

Well you don't clearly state what you wish to accomplish nor how much money you have so it is hard to answer. But maybe such setup will be OK.

Build yourself custom PCs.

Storage server:
- good and big enclosure which can fit large ammount of drives
- moderate 64bit AMD processor (really any - you will not be doing any serious processing on storage server)
- any ammount of RAM (really 1 or 2 gigs will be enough)
- mobo with good SATA AHCI support (for RAID) and NIC (any - for management) onboard
- one 1Gb PCI-* NIC with two ports
- 6x SATA2 NCQ HDD (any size you need) dedicated for working in RAID - software based (dmraid) RAID1+0 array configuration

Virtualization servers (2 or more):
- you need the virtualization servers to have the same config
- any decent enclosure you can get
- the fastest 64bit AMD processor you can get preferably tri or quad core (it will do the processing for guests) with VT extensions
- as much RAM as you can get/fit into the machine
- mobo with VT support, one (any - for management) NIC onboard
- one 1Gb PCI-* NIC with two ports
- one moderate SATA disk for local storage (you will be using it just to boot the hypervisor) or disk-on-chip module

Network switch and cables:
- any managed 1Gb switch with VLAN and EtherChannel support, HP are quite good and not as expensive as Cisco
- good CAT6 FTP patchcords

General notes for hardware:
- make sure all of the PC hardware is *well* supported by Linux since you will be using Linux :)
- if you can get better (quality wise) components, good enclosures, power supplies, drives etc. - since it is a semi server setup you don't like it to fail for some stupid reason

Network setup:
- make two VLANS - one for storage, other for management
- plug onboard NICs into management VLAN
- plug HBA NICs into storage VLAN
- configure ports for EtherChannel and use bonding on your machines for greater throughput

Software used:
- for storage server just use Linux
- for virtualization servers use Citrix XenServer5 (it is free, has nice management options, supports shared storage and live motion) or vanilla Xen on Linux, don't bother with VMWare Server, VMware ESX and Microsoft solutions are expensive

Storage server setup:
- install any Linux distro you like (CentOS would not be a bad choice)
- use 64bit version
- use dmraid for RAID and LVM for volume management
- share your storage via iSCSI (iSCSI Enterprise Target is in my opinion best choice)

Virtualization servers setup:
- install XenServer5 (or any distro with Xen - CentOS won't be bad)
- use interface bonding
- dont use local storage for VMs - use storage network instead

Well here it is. Quite powerfull and cheap virtualization solution for you.

Off-shelf NAS device will be not only slow but also full of various bogus bugs with which you need to wait for vendor to issue firmware update...

Just build it yourself - build a PC. You have plenty of options:

1. If you have a rack somewher buy a low end rack 2U rack server with enclosures for SATA disks and some decent RAID controller.

Or:

2. Build yourself a PC in tower enclosure. Get some Core 2 Duo mobo (cheapest), medicore ammount of RAM - SMB and NFS and AppleTalk servers with Linux operating system will eat up something like 80MB for the system and 10MB per client computer - go figure, the rest of RAM is for I/O buffers. Stuff as much as you can get SATA disks into that (like 4x 1TB). Setup it with software RAID. And you are done with it. Probably it will be much cheaper than decent NAS box (so called SoHo boxes are no worth even looking at).

Do so and you have a decent storage that is more efficent that your network.

You said about network efficency? Well - this has nothing to do with NAS box. You can have the best performing NAS box - but if your network is weak - well here goes your efficency.

So as for network buy managable switch that can cope with Linux channel bonding - with that you can bond N ethernet channels and get network transfers somewhat lower than N*interface speed.