>> I have No Relay. >> >> Maybe my confusion is that I ass-u-med that someone sending messages was >> authenticated by IMail, even when sending to someone within the domain. >> >> I guess I'm further surprised that this can't be disallowed. >>
> It's just how SMTP works -- and why people are starting to get very > interested in SPF. With SPF, you can say something like "Anyone using a > @bookmans.com return address must send from an IP address listed > in the MX > record of bookmans.com", to help prevent this from happening. Not only > that, but it also helps prevent that ex-employee from using his > old address > to send mail to people elsewhere. > > See http://spf.pobox.com for more details. > Let me see if I have this right... Dale says he's setup for no relay. I believe that if you have no relay set then only users that authenticate can send mail through your server (to other domains). If you have relay for IP addresses set, then only those IPs can send through your server (to other domains) without authenticating (authentication is still allowed). In all cases, anyone can send mail addressed to your domain. If I'm right, then when you "fire" an employee, you delete his email account (or change its password) and they can no longer use your server to send email to the outside. The above employee can, however, send mail claiming he is still @yourdomain if he can find an SMTP server to use. This is the classic spoofed from address. I guess its easy enough to forget to change that information in your profile and if the new SMTP server doesn't check... If I understand SPF correctly, it prevents this last case. If you verify the from address, doesn't that also prevent this last case (at least for mail sent to your domain)? Regards, Brad To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
