On 2021.11.09. 18:59, Jaroslaw Rafa wrote:
On 9.11.2021 at 10:13:08, Bill Cole writes:
NOTHING should be allowing SMTP relay based on IP
addresses in 2021, even inside RFC1918 networks. Anything sending
mail that can't do proper authentication at initial submission is
unfit for sending mail at all. Whatever legitimate mail actually
travels via your "relay" and then to "LOCAL_MDA" probably should be
skipping the relay altogether and talking directly to LOCAL_MDA with
authentication.
That is a bit exaggerated IMHO.
Think for example about various embedded devices sending alerts via e-mail,
that are just not capable of authentication (nor often even encryption) and
you can't do anything with it... Many of them are years old, but they still
do their job well (their main job, sending mails is only one of their
secondary functions and not the most important one) and there's no reason to
replace them (or sometimes there isn't even anything to replace them with).
The concept of trusted hosts/networks has a reason behind it and cannot be
abandoned so simply...
Agree. And from a typical day at an ISP with business clients, I can say that
there are more problems from stolen (by malware) credentials than from
trusted client networks without any other AUTH.
--
KSB