>...
> List Mail User wrote:
>
>> You're a lot more polite than I am. I prefer:
>>
>> my_domain.tld     550 You're lying - Trying to use my host
>> .my_domain.tld    550 You're lying - Trying to use my host
>>
>>
> I don't wanna risk being sued/beaten by some angry guy:)
>

It's very hard to make any case where using one of my domains or hosts (or IP addresses) as the HELO/EHLO argument is valid; it is probably not possible, but I'm willing to consider that for some sites' configurations it might be. The number of spam/ratware machines that attempt this approaches the number with DUL or no rDNS IPs (also a luxury in which I feel free to indulge my site, but one that clearly not everybody can use), though most often these groups overlap and the same machines that attempt to use my own addresses are DUL boxes and/or have no rDNS.

>> It is also good to use similar checks for the senders as well
>> as the HELO - i.e.
>>
>> [EMAIL PROTECTED]    550 You are a liar - Sender is not you!
>> [EMAIL PROTECTED]    550 You are a liar - Sender is not you!
>>
>>
> the issue is that this breaks forwarding, so not everybody wants to do it.
>

Um, I forward from other locations' mail servers to accounts at my site all the time - just the forwarder should use the email account being forwarded from as the sender, or the original sender. As for the case of a local user sending mail out to a foreign email account and having it forwarded back, it is just not allowed. I do have the luxury of only having a few dozen users (though a couple of hundred accounts), all of whom I know very well, and on a typical day fewer than 12 besides myself receive email (i.e. a quite small site). But forwarding out and back without sender rewriting is commonly disallowed - try it on most "freemail" accounts and watch it get refused. Also, if the original sender has published SPF, you have to do the "re-write" dance already (since SPF doesn't allow arbitrary forwarding without rewriting the sender unless you're willing to count allowing softfail and/or "~all" cases). Again, the amount of ratware that forges mainly role accounts or sets the sender and recipient to the same value is a very large portion of the email I refuse each day (and the trickier/smarter ones set the sender to a role account from a different domain than the recipient's, but still one of mine:( ).

> If you really want that, why not also protect others against that and
> set SPF records for your domain (and use SPF).
>

I do for most but not all domains (many are actually "receive-only" domains, so forwarding is not an issue), and the SPF ends in "-all", not any wishy-washy "~all". Unfortunately not everybody (i.e. every site) which I allow to relay for/to me strictly enforces SPF (they do all either enforce it, or add headers, so I can and do refuse to accept relayed mail which has been labeled as failing SPF - "hard" fail, not "soft" fail). I still end up with cases where an email has been refused either for SPF or for forging a local account's ID for the sender (think of the MAILER-DAEMON for the silliest case) and then the sending site, which is usually some poorly run ISP or a company operating an open relay, sends a DSN to my forged account about the refused mail (yes, I often see DSNs sent to [EMAIL PROTECTED] in my log files, as ludicrous as that might be - of course, they are refused since no outgoing mail is ever labeled with a sender of MAILER-DAEMON and the MTA sending outbound mail disallows forwarding of that or most mail originated by many role accounts - i.e. many role accounts are also "receive-only", basically any not required by RFCs or published in registration, DNS or other public records).

>> Of course this is much simpler (fewer special cases) when you use
>> separate machines/MTAs for incoming and outgoing mail or if your network
>> is (relatively) small.
>>
>>
> or multiple instances on same box. but of course, multiple boxes are
> better.
>

Effectively the same for this argument, but separate boxes (even virtual machines) allow the use of different policies (e.g. my incoming machines are prevented by firewalls from sending any mail out, or from using nearly any other service either, other than relaying to the machine which does delivery to user accounts). The same effect could be created by binding to different IPs and using firewall rules, but binding to only different ports would not be as effective (read as "strict") for this.

That is why you can see by examining the headers that this message will have been sent using sendmail, but if you telnet to any on-site 'MX' for any of my domains, you'll see Postfix running on all incoming servers; you'll also see a very strict "220" message there - probably enough to prevent anyone from suing me (successfully) because they are called a "liar", but IANAL, and people can and will sue over nearly anything.

Paul Shupak
[EMAIL PROTECTED]
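The two checks discussed in this thread (refusing a HELO/EHLO that names one of your own hosts, and refusing an envelope sender in one of your own domains from a client that is not yours) can also be expressed as a Postfix policy service instead of static access tables. The following is an added example, not Paul's configuration or Postfix project code; the domains, hosts and networks are constructed placeholders, and the exemption for own networks and SASL-authenticated sessions is an assumption about where legitimate outgoing mail originates. It models the Postfix policy delegation protocol: one `attribute=value` line per field, a blank line ending the request, and an `action=...` reply.

```python
"""HELO and sender forgery checks written as a Postfix check_policy_service
handler. Added example for illustration; the values below are constructed."""
import ipaddress
import sys

# Constructed sample values describing the site "we" run.
MY_DOMAINS = {"my_domain.tld", "other_domain.tld"}
MY_HOSTS = {"mail.my_domain.tld", "mx1.my_domain.tld"}
MY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # TEST-NET-1, constructed
MY_ADDRESSES = {"192.0.2.10"}                           # public IPs of our own MTAs


def parse_policy_request(raw: str) -> dict:
    """Parse the attribute=value block Postfix sends to a policy service."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break                      # blank line terminates one request
        key, _, value = line.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def is_own_helo(helo: str) -> bool:
    """True if the HELO/EHLO argument claims one of our names or address literals."""
    h = helo.lower().strip()
    if h.startswith("[") and h.endswith("]"):      # address literal, e.g. [192.0.2.10]
        lit = h[1:-1]
        if lit.startswith("ipv6:"):
            lit = lit[5:]
        return lit in MY_ADDRESSES
    if h in MY_HOSTS or h in MY_DOMAINS:
        return True
    return any(h.endswith("." + d) for d in MY_DOMAINS)   # matches ".my_domain.tld"


def sender_domain(sender: str) -> str:
    """Domain part of the envelope sender; the null sender (<>) yields ''."""
    return sender.rpartition("@")[2].lower()


def is_trusted_client(attrs: dict) -> bool:
    """Assumption: only our own networks or SASL-authenticated submission
    sessions may legitimately use our names, since that is where outgoing
    mail comes from. Everything else is a foreign MTA."""
    if attrs.get("sasl_username"):
        return True
    try:
        addr = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return False
    return any(addr in net for net in MY_NETWORKS)


def decide(attrs: dict) -> str:
    """Return the Postfix policy action for one parsed request."""
    if is_trusted_client(attrs):
        return "DUNNO"                 # let the remaining restrictions decide
    if is_own_helo(attrs.get("helo_name", "")):
        return "550 You're lying - Trying to use my host"
    if sender_domain(attrs.get("sender", "")) in MY_DOMAINS:
        return "550 You are a liar - Sender is not you!"
    return "DUNNO"


def handle(raw: str) -> str:
    """Full round trip: raw request text in, wire-format reply out."""
    return "action=" + decide(parse_policy_request(raw)) + "\n\n"


if __name__ == "__main__":
    # Run under Postfix spawn(8): requests arrive on stdin, replies go to stdout.
    buf = []
    for line in sys.stdin:
        line = line.rstrip("\n")
        if line:
            buf.append(line)
            continue
        sys.stdout.write(handle("\n".join(buf) + "\n\n"))
        sys.stdout.flush()
        buf = []
```

Wired in with `check_policy_service` in `smtpd_recipient_restrictions` (and a `spawn` entry in master.cf), this rejects at RCPT time exactly the two forgeries the thread describes; the null sender used by DSNs is never matched, so legitimate bounces from other sites are left to the other restrictions, and mail forwarded back to the site with an unrewritten local sender is refused, which is the trade-off the thread points out.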