Re: Forged senders with our domain

1999-04-27 Thread Robin Bowes

[EMAIL PROTECTED] wrote:
 
> I want to use qmail as smtp gateway. I have
> configured qmail to relay mail selectively from our
> mail servers.

How?  Are you using tcpserver?

> It seems to me little elegant to
> manage this away qmail's control files but it really
> works. Maybe I could apply Rask Ingemann
> Lambertsen's patch (to add control/relayclients and
> control/relaydomains files) but I don't know if it's
> recommended.

tcpserver is the recommended way to control relaying.

> However I don't know how to manage forged senders
> with our own domain when it's received from
> Internet. If I include our domain in
> control/badmailfrom file, valid mail from our mail
> servers also is rejected. Otherwise our users could
> receive mail that seems internal. DNS checking
> doesn't help because our domain is valid.
>
> I know that Internet Mail isn't authenticated at
> all, without using digital signatures (PGP,
> S/MIME), but I think that accepting notorious forged
> mail is an error and even more if could be passed
> off as internal message.

The problem, as you acknowledge, is that SMTP is fundamentally
unsecure.  The protocol has no authentication mechanism.  Once you allow
a connection to your server, you have no control over what is said in
the conversation; this includes the identification of the sender.  Read
/var/qmail/doc/TEST.receive and try the SMTP server test.

I'm not sure what to suggest.

R.
-- 
Robin Bowes - System Development Manager - Room 405A
E.O.C., Overseas House, Quay St., Manchester, M3 3HN, UK.
Tel: +44 161 838 8321  Fax: +44 161 835 1657



Re: Forged senders with our domain

1999-04-27 Thread Jeff Hayward

The "lack", as it were, is in your thinking through the problem.
There is no way, short of sender authentication, to tell whether an
incoming message which has a sender address in your domain is
legitimate or forged.  Consider the case of a mailing list hosted at
another site (the qmail list), as an example.  Would you like to
start rejecting incoming mail from the qmail list if the sender was
yourself?

-- Jeff Hayward

On Tue, 27 Apr 1999 [EMAIL PROTECTED] wrote:

> I have found a lack in qmail's configuration options
> that I don't know how to solve.
>
> I want to use qmail as smtp gateway. I have
> configured qmail to relay mail selectively from our
> mail servers. It seems to me little elegant to
> manage this away qmail's control files but it really
> works. Maybe I could apply Rask Ingemann
> Lambertsen's patch (to add control/relayclients and
> control/relaydomains files) but I don't know if it's
> recommended.
>
> However I don't know how to manage forged senders
> with our own domain when it's received from
> Internet. If I include our domain in
> control/badmailfrom file, valid mail from our mail
> servers also is rejected. Otherwise our users could
> receive mail that seems internal. DNS checking
> doesn't help because our domain is valid.
>
> I know that Internet Mail isn't authenticated at
> all, without using digital signatures (PGP,
> S/MIME), but I think that accepting notorious forged
> mail is an error and even more if could be passed
> off as internal message.
>
> Thanks in advance for your help,
>
> David Jorrin.
>
> David Jorrin [EMAIL PROTECTED]
>
> "This chapter is about Laziness, Impatience
> and Hubris because this chapter is about
> good software design"
> Larry Wall, Tom Christiansen
> Randal L. Schwartz [Programming Perl]
 
   
   
   
   



Re: Forged senders with our domain

1999-04-27 Thread david . jorrin

Original Article: http://www.egroups.com/list/djb-qmail/?start=27523

> The "lack", as it were, is in your thinking through the problem.
> There is no way, short of sender authentication, to tell whether an
> incoming message which has a sender address in your domain is
> legitimate or forged.  Consider the case of a mailing list hosted at
> another site (the qmail list), as an example.  Would you like to
> start rejecting incoming mail from the qmail list if the sender was
> yourself?
>
> -- Jeff Hayward

Thanks for your comments Jeff.

Maybe I simplified my description too much.

First, I'm always referring to the envelope sender. The "From" header
field often is different from the real recipient (e.g. mail forwarding
or alias).

Second, it's clear that, in a general case, it's impossible to detect
if the sender is forged because the users could connect from anywhere.
However, I have pointed out that I'm using qmail as a gateway between our
mail servers, obligatory used by our users, and the Internet. So mail
from our domain should be received only from these internal servers
(known).

Of course there are mailbox forwarding and mail lists. It seems to me
that mail lists re-send the messages with their owner as sender. Am I
right?

However, it's true that mail forwarding often keeps the original
sender in its deliveries. That means that an outgoing message can not
go back through an external mailbox (I don't see any useful purpose).
I think that it's a fair price for keeping forged internal messages
outside.

Therefore I think that kind of filtering would be useful. Nevertheless
I don't want to teach how to program MTA's to anybody, really I am
an eternal learner, and it's possible that my suggestion would be
absolutely illegal. I appreciate any clarification.

David Jorrin
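
Added example, not part of the original thread and not qmail code: a sketch of the check proposed in the message above, which accepts an envelope sender in the local domain only when the connecting client is a known internal mail server. The networks, domain and function names are assumptions and the sample sessions are constructed; only MAIL FROM is inspected, so a forged "From" header is outside its scope.

```python
import ipaddress

# Assumptions for illustration (not from the thread): addresses of the
# internal mail servers and the organisation's own domain.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/28")]
LOCAL_DOMAINS = {"example.com"}

def is_internal(client_ip):
    """True if the SMTP client is one of the known internal mail servers."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)

def sender_domain(envelope_sender):
    """Lower-cased domain of the MAIL FROM address; '' for the null sender <>."""
    addr = envelope_sender.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].rstrip(".").lower()

def is_local(domain):
    """True for the local domain itself or any subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in LOCAL_DOMAINS)

def check_mail_from(client_ip, envelope_sender):
    """Return (accepted, reason) for one MAIL FROM seen from client_ip."""
    if is_local(sender_domain(envelope_sender)) and not is_internal(client_ip):
        return False, "local sender domain offered by an external client"
    return True, "ok"

# Constructed sample sessions: (client address, MAIL FROM, what it represents)
SAMPLES = [
    ("192.0.2.5",   "<alice@example.com>",       "internal mail server"),
    ("203.0.113.9", "<alice@example.com>",       "forgery, or external forward keeping the sender"),
    ("203.0.113.9", "<ALICE@Example.COM.>",      "same sender, different spelling"),
    ("203.0.113.9", "<owner@lists.example.org>", "list re-sending under its own sender"),
    ("203.0.113.9", "<>",                        "bounce (null sender)"),
]

def evaluate(samples=SAMPLES):
    """Accept/reject decision for each sample, in order."""
    return [check_mail_from(ip, sender)[0] for ip, sender, _ in samples]

if __name__ == "__main__":
    for (ip, sender, note), ok in zip(SAMPLES, evaluate()):
        print("accept" if ok else "reject", ip, sender, "-", note)
```

The second sample is the cost discussed in the thread: a message forwarded back from an external mailbox with its original sender is indistinguishable from a forgery and is rejected too.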

