John Hardin wrote:
On Thu, 12 Feb 2009, Ned Slider wrote:

John Hardin wrote:
 On Wed, 11 Feb 2009, Ned Slider wrote:

> If every server used Postfix in its default configuration then backscatter wouldn't exist.

 Question: if a relay MTA accepts a forged-sender message for another
 domain, attempts to deliver it, gets an SMTP 5xx hardfail for unknown
 recipient, and attempts to deliver a DSN to the (forged) sender, do you
 consider that backscatter?

Yes, that's backscatter.

Good question. Firstly no MTA should be set up to act as an open relay by default

Agreed.

How often is relay filtering based solely on IP address or authentication, though? How often is sender-address egress filtering performed on authenticated SMTP sessions, vs. just saying "You're authenticated? Yeah, we'll relay whatever you want!"


Agreed.

Note, I don't see a _lot_ of that type of backscatter, but I _do_ see it.

therefore any relay functions must have been specifically configured by the mail admin. My understanding is that best practice should always be to maintain a list of valid relay recipients for domains you relay mail to

Huh? My mail server relays messages from my home network to the entire world. I'm not talking about custom relays.

ITYM "relay _for_".


No, I did mean relay to :)

I was referring to relaying mail to a small number of known approved domains, whereas you are referring to relaying mail to _any_ domain for authenticated users (by IP address, SMTP auth or whatever).

I think I'm going to have to concede this point to you though on relays, although one could argue that you don't really need to be relaying mail from your home network through your mail server, you could just connect to your mail server directly from your MUA. Having an additional relaying MTA in the middle is what introduces the potential for problems but life isn't always simple.
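
The two cases argued over in this thread, as an added example that is not part of the original messages: a small model of a relay showing when a DSN goes to a forged sender, and how recipient validation at RCPT time and a sender check on authenticated sessions each prevent it. The `Relay` class, the reply strings, and all addresses and logins are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample data: mailboxes that really exist at the final destination.
DOWNSTREAM_MAILBOXES = {"alice@example.org", "bob@example.org"}


@dataclass
class Relay:
    # None = no list of valid relay recipients is maintained.
    relay_recipients: Optional[Set[str]] = None
    # login -> envelope senders that login may use; None = no egress check.
    sender_login_map: Optional[Dict[str, Set[str]]] = None
    dsn_sent_to: List[str] = field(default_factory=list)

    def submit(self, mail_from: str, rcpt_to: str, login: Optional[str] = None) -> str:
        """Return the SMTP reply given to the connecting client."""
        # Sender-address egress filtering on an authenticated session.
        if login is not None and self.sender_login_map is not None:
            if mail_from not in self.sender_login_map.get(login, set()):
                return "553 sender not owned by authenticated user"
        # Recipient validation while the client is still connected:
        # the client gets the error and no bounce is ever generated.
        if self.relay_recipients is not None and rcpt_to not in self.relay_recipients:
            return "550 unknown recipient"
        # Message accepted: the relay now owns delivery. If the next hop
        # answers 5xx, the relay must send a DSN to the envelope sender,
        # whether or not that sender is forged.
        if rcpt_to not in DOWNSTREAM_MAILBOXES:
            self.dsn_sent_to.append(mail_from)
        return "250 queued"


def run_scenarios() -> Dict[str, List[str]]:
    """Return the DSN targets produced by each relay policy."""
    forged, bad_rcpt = "victim@example.net", "nobody@example.org"

    naive = Relay()                                   # accepts, bounces later
    naive.submit(forged, bad_rcpt)

    validating = Relay(relay_recipients=set(DOWNSTREAM_MAILBOXES))
    validating.submit(forged, bad_rcpt)               # rejected at RCPT time

    auth_only = Relay()                               # "authenticated? relay anything"
    auth_only.submit(forged, bad_rcpt, login="john")

    auth_checked = Relay(sender_login_map={"john": {"john@example.com"}})
    auth_checked.submit(forged, bad_rcpt, login="john")
    auth_checked.submit("john@example.com", bad_rcpt, login="john")

    return {"naive": naive.dsn_sent_to, "validating": validating.dsn_sent_to,
            "auth_only": auth_only.dsn_sent_to, "auth_checked": auth_checked.dsn_sent_to}
```

In the last scenario a bounce is still generated, but it goes to the address the authenticated user actually owns rather than to a third party.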

