ietf-mxcomp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Can you ever reject mail based on RFC2821 MAIL FROM?

2004-04-26 12:14:50
from [Harry Katz] [Permanent Link] 

 


-----Original Message-----
From: Pete Resnick [mailto:presnick(_at_)qualcomm(_dot_)com] 
Sent: Saturday, April 24, 2004 4:52 PM
To: Harry Katz
Cc: ietf-mxcomp(_at_)imc(_dot_)org
Subject: Re: Can you ever reject mail based on RFC2821 MAIL FROM?

On 4/24/04 at 12:05 AM -0700, Harry Katz wrote:


Greg Connor [mailto:gconnor(_at_)nekodojo(_dot_)org] wrote:


In general, an MTA should either be an agent for the sender, or an 
agent for the receiver. Third-party MTAs don't get involved 

just on a 

whim; either the sender or the receiver asked for them to 

be involved. 

If a receiver wants to receive forwarded mail, the 

forwarder needs to 

comply, or they need to make an exception for that forwarder.


But as I noted above, the receiver can't make an exception (i.e. 
whitelist) because the forwarder doesn't appear in the MAIL FROM. 
So that means all forwarders have to rewrite.


No. The receiver must whitelist based either on the IP 
address of the forwarder or on the HELO domain. This does 
mean that you can't just set up a .forward to a receiving 
system that implements MARID checking without the admin of 
that system doing such a whitelist entry.

In the future, you could use the ORCPT parameter as the check 
if folks would implement it for forwarding.

To go back to your original question, yes, you can reject 
mail based on 2821 so long as you are willing to tell your 
users "You can't forward to here unless you tell me from 
where you're forwarding."


That's a reasonable position if you're asking users to tell you the
email addresses from where they're forwarding.  It's not reasonable if
you're asking end users to supply the IP address or HELO domain of the
forwarder's MTA.  It's also not reasonable if you're asking the
receiver's MTA administrator to find and maintain that information --
that won't scale.  

If the forwarder is not doing MAIL FROM rewriting, then even with
whitelisting you can't reject based on 2821 because the forwarded
address doesn't appear in MAIL FROM, only the original sender's address.


If the forwarder IS doing MAIL FROM rewriting, what precisely is it that
the receiving user is supposed to whitelist?  The rewritten address
containing a randomly inserted cookie?  The forwarder's entire domain?  

Whitelisting does not work for MAIL FROM in either case!  

I really wish it were possible to reject reliably on a spoof check of
MAIL FROM, but it just isn't folks.  It just isn't.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Can you ever reject mail based on RFC2821 MAIL FROM?, Gordon Fecyk
Next by Date:  RE: Can you ever reject mail based on RFC2821 MAIL FROM?, Hallam-Baker, Phillip
Previous by Thread:  RE: Can you ever reject mail based on RFC2821 MAIL FROM?, Gordon Fecyk
Next by Thread:  RE: Can you ever reject mail based on RFC2821 MAIL FROM?, Greg Connor
Indexes:  [Date] [Thread] [Top] [All Lists]