Before getting started: this was publicly disclosed by someone else a while ago. However, I still don't think it's necessary to name the organization to explain myself. My goal here is not only to give a proper argument to the provider, but also to satisfy my own curiosity and research (on the workings of SMTP).
I use a mail provider (Provider A) which has thousands of organizations. This provider allows unauthenticated SMTP to other organizations so long as they're using them as a provider (within their ecosystem). Of course, you cannot send unauthenticated email to other providers. I have tried one of my other larger providers, Provider B, and I was unable to do this successfully.

Provider A claims this behavior is by design, as some devices have simple or no authentication capabilities. Provider B has similar allowances, but all of their methods require a form of authentication. Mechanisms such as SPF or spam filtering certainly are effective here, but unauthenticated SMTP seems like a core failing.

"Open relay" is the first thing that comes to mind; however, is it really an open relay? As mentioned, I cannot send from Provider A to Provider B. The scope is limited to just this ecosystem. But is there an expectation on how limited that really is? Say, for instance, only Provider A and Provider B existed in all the world, and Provider B was 1% of all servers. Surely that would not be acceptable to most.

It is my belief that, as a best practice, unauthenticated SMTP should only function when sending within the same domain (f...@domain.com --> b...@domain.com). Unless they're in an approved senders list, it does not matter whether it is the same server, company, ecosystem, and so forth. (Perhaps there is some unforeseen dependency in being a multi-organization mail provider, where this is required.)

I have reviewed RFC 2821 but have not found anything concrete, just that it MAY accept or reject as it sees fit [3.7].
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org