Paweł Leśniak wrote:
> On 2009-03-03 18:41, Noel Jones wrote:
>> Some legit "reminder" type services, some meeting notifications, and
>> other legit mail might arrive with you as the sender.  Maybe not best
>> practices, but it's legit mail and such a policy will reject it.
> Why would someone want to fake sender address? Is this really legit mail
> when one has (envelope!) sender address spoofed? I've no idea why should
> I get reminder from myself. If xyz is this service provider I want to
> get reminder from s...@xyz.
> 

When you send us mail, you give your mailer (thunderbird, outlook, ...)
the right to send the mail on behalf of you.

Now, if I click on a "send this to your friend" link, what is the
difference? Why shouldn't I be able to send as myself while clicking on
a link hosted by another organisation?

So if there were no spam, this practice would be OK. Now, spam has
killed a lot of functionality... so sending on behalf of someone has become
too complex.

>> You can send yourself mail via eg. gmail or your home ISP with your
>> postfix domain as sender address.  Some people really do this.
> And why would I do that?

I do this. I don't care how I send mail. I use my "profile". I will not
send as j...@free.fr when I post via my free.fr account,
j...@somehotel.example when I send from a hotel, ... etc.

> If my ISP would restrict to send only via their
> SMTP server, I'd use webmail. 

Feel free. Now, webmail is a lot less secure than MUA mail, so I still
prefer MUA mail with SASL/TLS...

> And I have no idea why would one allow
> relaying via their SMTP server for everyone. And if not for everyone,
> then ISP should do address rewriting for their users.

No. If rewrite is needed, then something is fundamentally broken. Work
should be done at the source except if not possible. Intermediary
systems should not need a lot of resources. Otherwise, every time you
design a system, you need to cope with all intermediary systems that
might be added some day.

> That's it. And
> that still doesn't change my point of view - broken configuration
> doesn't always give you legit mail.

This has nothing to do with broken configs.

> If one still wants to use other SMTP server to send mail with spoofed
> address, why just not add this SMTP server's IP to my_networks?
> 

I don't see what mynetworks and IPs have to do with sender addresses.
Don't add unnecessary coupling.

>> The "some amount" of legit mail you will reject is highly dependent on
>> your users. Some sites will see quite a bit, others very little.  Some
>> people consider this a horrible idea, others a useful policy with an
>> acceptable risk.  You get to pick which side of the fence you live on.
> I can't see any risk anyways, not just in place. And it's possible that
> zen BL will stop more "legit" mails (depends on what one means by "legit
> mail", maybe there are people who read those "I'll give you $1billion"
> mails). If I'm wrong, please point it out, let me learn.
> 

I don't know how you define legit, but the way I see it, I haven't seen
a zen FP, but I have seen cases when senders have been used from
"different" networks.
