Alan, thanks for the updates.
On 11/28/2003 10:41 AM, Alan DeKok sent forth electrons to convey:
Matthew Elvey <matthew(_at_)elvey(_dot_)com> wrote:
Another suggestion for the Statement: it should go over WHY it does not
examine or verify the body From: field - which, IIRC, a post to this
list went over - there's a case or two where it's legitimate for it not
to match, yes? -e.g. legitimate relaying and forwarding?
And I forgot - of course MAIL FROM: <> needs to be mentioned as a
special case.
Yes. The document discusses forwarding. It doesn't discuss
legitimate relaying.
I find it interesting that in all of the discussions surrounding
RMX-style solutions, I don't recall anyone mentioning off-site MX
secondaries. So far as the primary MX is concerned, they're
authorized relays. But the secondary SHOULD also apply as much as
possible the same filtering schemes to the messages, otherwise
spammers can use it as an "open relay" to the primary.
At least one of the servers should; the primary could, as it should have
access to the envelope and source IP too, right?
Something like this is needed:
"Email submitted to a secondary MX for relay to the primary MX MUST
somehow have the LMAP policy of the domain it claims to be from queried
and applied." . If only the secondary receiving the email will have
enough information, then this could be said more simply.
Should this be added to one of the LMAP draft documents?
I just thought of another possible problem with LMAP. If a spammer
using direct-to-MX spamware sends email to me, from me, (as I'd bet they
regularly do) it may not be caught by LMAP.
The system (fastmail.fm) for my domain's MX is the system I use to send
mail too, so I need to put it on my LMAP record.
What are the remedies to this problem? Some thoughts:
1)Have the systems be different. For my situation, that could work*;
fastmail has lots of IPs, so incoming and outgoing can be different, and
only the outgoing would be in my domain's LMAP record. For folks with
one IP, it's a problem. Any ideas?
2)I authenticate and use SSL when I login to the SMTP server to send
mail. (It requires that I authenticate, and if my password is going over
the 'net, I require that it be encrypted.) Perhaps the LMAP part of the
server could be made aware of this, and allow email where from=to only
when there's authentication.
3)I could stop sending mail to myself, servers could require users not
do this, and users could be taught that they can't do this. Requires
end-user training. (Bad!)
*They are only sometimes different today - it's a mess: There is
incoming and outgoing mail at 66.111.4.60=mail.messagingengine.com and
66.111.4.20=smtp.us.messagingengine.com; I think my outgoing mail comes
from several IPs in 66.111.4.0/24, based on a lookup at senderbase.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg