From: <Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu>
What is the BCP for allowing multiple RCPT TO
when the return path is NULL?
In general, since the message that's sent with the null
MAIL FROM generates the RCPT TO from the
inbound MAIL FROM, and there's only one of those, then
you can only get one outbound RCPT TO.
Right. So you wouldn't normally expect a second address to be accepted,
which adds weight to the a "random" address "open relay" test from a NULL
PATH. It could be, however, as Keith suggest, be operating in post smtp
mode. Our experience is, that this is a rare situation "today" because of
increase awareness. But when it does happen, it it either good or bad, and
the good is white listed to skip the CBV test. Bad systems don't complain
<g>
The problem of course, is that sometimes, things generate
bounces or pseudo-bounces from something other than the
inbound MAIL FROM (for instance, LSoft's Listserv sends a
lot of things that aren't technically DSNs, but *should* be
treated as "drop rather than bounce" - for example, the
automated cookies for subscription confirmation, etc. If they
get routed to an invalid mailbox, we want them to be dropped
on the floor, as the cookie will be expired via other means
anyhow..
Ok, but how does this change the system wide requirements and definition of
RFC 2821 Return Path and system flow expectations?
Shouldn't the listserver cookie agent use a NULL or "PostMaster" address per
specification if it does not desire to be burden with post-smtp initiated
bounces at the cookie receiver host?
I mean it, there are two options for "no bounce needed" requests:
Mail from: <> or <postmaster[(_at_)domain]>
Right?
Why should the rest of the compliant world be bothered by a broken list
server mail agent?
Of course, the problem is only exhibited if the receiver is performing post
smtp validation which already says he is operating in a vulnerable mode
anyway.
And I would venture to guess that your experience with the LSoft's Listserv
cookie agent is modeled on a RCPT based validation concept where it will
operate ideally. I don't know, but it should expect not to receive bounces
if it uses a non-null or non-postmaster return path. Right?
Don't most system use accept one recipient for a null return path?
I believe that most systems don't actually *verify* it has exactly one
RCPT TO, unless it's an aftermarket add-on.
Right, I've seen different results on different servers.
I have on my personal setup as a filtering rule:
Reject if MailFrom "<>" and TotalRcpt > 1
but it is not built-in.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com