Dave Crocker <dcrocker(_at_)brandenburg(_dot_)com> wrote:
[John Leslie wrote:]
[Dave Crocker wrote:]
I am a simple user on an old-fashioned time-sharing machine. I run a
spamming smtp client on a machine run by a credible service that has
a good reputation.
Does not the above convention let me spam my own host?
Probably it does -- I hadn't though through it that far...
But what's the problem?
The sending SMTP client is localhost, meaning it's something under
your own control. (I would hope your machine has a good reputation...)
look back over my description. i'm just a user. it's not my machine.
Sorry, my ISP viewpoint got in the way: I meant the owner when I said
"your".
and i could imagine that it is also a way to get the machine to do
open relaying of the spam to elsewhere. (i'm stretching a bit, here,
but suspect it's feasible.)
I don't think this could do anything I'd define as open relaying,
but YMMV...
But, to tell truth, I think it's far easier to deal with that by
blocking localhost access to port 25...
Simpler solution: Don't build defaults into the spec, and especially
no default host id's or addresses.
I don't think any of this belongs in the _spec_ -- it strikes me as
an implementation detail.
I suspect there will be a number of implementations which need to
serve the full range of MTA configurations. Certainly in the configuration
we like to think of -- where submission is to a separate MSA -- this
kludge would not be appropriate. But in a simpleton configuration where
a single MTA must do all the functions, you may well need to bypass the
usual CSV checks for locally-submitted email.
This seemed, at first blush, like a reasonable way.
Does anything about this belong in Best Practices?
--
John Leslie <john(_at_)jlc(_dot_)net>