From: Pete Resnick [mailto:presnick(_at_)qualcomm(_dot_)com]
Sent: Saturday, April 24, 2004 4:52 PM
To: Harry Katz
Subject: Re: Can you ever reject mail based on RFC2821 MAIL FROM?
On 4/24/04 at 12:05 AM -0700, Harry Katz wrote:
Greg Connor [mailto:gconnor(_at_)nekodojo(_dot_)org] wrote:
In general, an MTA should either be an agent for the sender, or an
agent for the receiver. Third-party MTAs don't get involved
just on a
whim; either the sender or the receiver asked for them to
If a receiver wants to receive forwarded mail, the
forwarder needs to
comply, or they need to make an exception for that forwarder.
But as I noted above, the receiver can't make an exception (i.e.
whitelist) because the forwarder doesn't appear in the MAIL FROM.
So that means all forwarders have to rewrite.
No. The receiver must whitelist based either on the IP
address of the forwarder or on the HELO domain. This does
mean that you can't just set up a .forward to a receiving
system that implements MARID checking without the admin of
that system doing such a whitelist entry.
In the future, you could use the ORCPT parameter as the check
if folks would implement it for forwarding.
To go back to your original question, yes, you can reject
mail based on 2821 so long as you are willing to tell your
users "You can't forward to here unless you tell me from
where you're forwarding."
That's a reasonable position if you're asking users to tell you the
email addresses from where they're forwarding. It's not reasonable if
you're asking end users to supply the IP address or HELO domain of the
forwarder's MTA. It's also not reasonable if you're asking the
receiver's MTA administrator to find and maintain that information --
that won't scale.
If the forwarder is not doing MAIL FROM rewriting, then even with
whitelisting you can't reject based on 2821 because the forwarded
address doesn't appear in MAIL FROM, only the original sender's address.
If the forwarder IS doing MAIL FROM rewriting, what precisely is it that
the receiving user is supposed to whitelist? The rewritten address
containing a randomly inserted cookie? The forwarder's entire domain?
Whitelisting does not work for MAIL FROM in either case!
I really wish it were possible to reject reliably on a spoof check of
MAIL FROM, but it just isn't folks. It just isn't.