On Mon, Feb 02, 2004 at 12:20:15PM -0600, Shiloh Jennings wrote:

[snip ... 'LRW' means 'LinuxRoadWarrior', far from home, own SMTP aboard]

> The LRW would use SMTP AUTH to send email through his ISP's email server.
This is a non-standard approach. But on second thought, we all know where
the standard approach brought us to :-)

Talking about the usual UN*X way of Mail, I've got fetchmail/procmail/MUA/MTA
on my local machine and only the POP3 mailbox has to be at some host
permanently connected to the Net. I have to check whether mutt (for instance)
is capable of SMTP-auth ...

> If port 25 is blocked, the other option would be port 587 as proposed by
> SPF. This solution does not stop the LRW from sending email. Nobody is
> advocating requiring home users to set up VPN tunnels.

Home users use their [EMAIL PROTECTED] e-Mail address and 'smtp.home.isp'
should know their IP so all is well. With or without RMX. The roaming user
is the interesting one.

> > Imagine the RMX sets of FreeMailers (GMX, HotMail et al) ... or do you
> > plan to ban them anyway ?
>
> I don't need to imagine them. If they choose to publish their RMX sets in
> their DNS, then my email servers will use that info when deciding whether or
> not to accept the email. If they do not publish their RMX information, then
> my email servers treat the email the same way it is treated today. Nobody
> is advocating blocking free email services.

So maybe I've got you wrong. Speaking of the perfect RMX world, I could _not_
do the following (which I do today sometimes):

I've got a free mail account at GMX. But rather than using their boring and
slow web front end, I have configured a MUA (Mozilla Mail) to read and send
mail as that user. POP3 server is 'pop.gmx.at' and SMTP host is
'smtp.my.isp', which is _not_ GMX. My ISP's SMTP accepts the messages because
they come from my host, which is in his IP range, _not_ because it is from
his domain (which it is definitely not).

If GMX had to deal with this situation via RMX they had to know from
somewhere (/dev/crystal_ball perhaps ;-) ) if my IP 'belongs' to that e-Mail
address ... so how would they do that ?
> > BTW: ever thought about your sending SMTP server signing mail headers from
> > known senders (i.e. [EMAIL PROTECTED] from within the company LAN) digitally ?

[snip]

> Post a URL that details this proposal. I'd be interested in reading about
> anything that will help us reduce the spam burden. At a glance, this sounds
> like something that would not work, because the spammers could simply forge
> the sig. But maybe there is more to it than what you have already posted,
> and I'd like to read the entire proposal before judging it. I have heard
> similar proposals already where the sig data was copyrighted, so the domain
> owner could sue the spammer for copyright infringement if the spammer pasted
> the sig into any spam. Maybe the proposal you are talking about has
> provisions like that in it.

There is no URL to post, the idea occurred to me once I received 45 mails an
hour, claiming I sent some worm to some people behind some of those stupid
virus defense systems that reply to the 'From:' field in the mail header, not
knowing it is forged.

I had posted the idea once in this list. I thought of signing the entire
message then. But that would mean the server takes responsibility for the
content too, which is clearly impossible and also should not be done.

What I propose is to let our company MTA sign the headers of messages coming
out of our LAN and from an address within our domain, using a
public-key/private-key system (GnuPG comes to mind). It could attach the
signature as a separate MIME part at the end of the message. So users need
not read it (unless they like reading message hashes).

Other users or MTAs could verify the signature against the message header
they receive and check if it is valid. Forging the signature would only be
possible having the private key of the server (except for breaking the key,
which would be very 'expensive' for a spammer just to get his mails through).

Flaws of this concept are:

Where to put the public key ?
Webpages are a bad place to receive them automatically, DNS text fields look
better (like the keys for FreeSWAN's 'opportunistic encryption').

How could MTAs/MUAs check the sig without too much effort ? I mainly think of
software adaptions needed. It is easy with XMail, procmail, but ...

Maybe there is some RFC out there dealing with a similar topic, I just did
not check yet. But something tells me this will become more relevant in the
future, so I will pursue the idea anyway ...

regards,
Goesta

-- 
Wiener Hilfswerk - EDV
1072 Wien, Schottenfeldgasse 29
Tel: 512 36 61 DW 407 / Fax 512 36 61 33
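
The header-signing scheme proposed in the message above, as an added example that is not part of the original post: the sending MTA signs selected headers only, and a receiver verifies them against a public key the domain publishes. Assumptions: Ed25519 from the Go standard library stands in for the GnuPG key the post suggests, a map stands in for the DNS TXT lookup, and the function names, header list and result strings are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

// canonical: the signed bytes cover selected headers only, never the body.
func canonical(h map[string]string) []byte {
	var b strings.Builder
	for _, n := range []string{"From", "To", "Date", "Subject", "Message-ID"} {
		fmt.Fprintf(&b, "%s:%s\n", strings.ToLower(n), strings.TrimSpace(h[n]))
	}
	return []byte(b.String())
}

// NewKey returns the base64 public key to publish and the MTA's private key.
func NewKey() (string, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return base64.StdEncoding.EncodeToString(pub), priv
}

// SignHeaders is run by the outgoing MTA for mail from its own LAN and domain.
func SignHeaders(priv ed25519.PrivateKey, h map[string]string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(h)))
}

// VerifyHeaders is the receiver's check; txt is a stand-in for a DNS TXT lookup.
func VerifyHeaders(txt map[string]string, domain string, h map[string]string, sig string) string {
	rec, ok := txt[domain]
	if !ok {
		return "nokey" // domain publishes nothing: treat the mail as today
	}
	pub, e1 := base64.StdEncoding.DecodeString(rec)
	raw, e2 := base64.StdEncoding.DecodeString(sig)
	if e1 == nil && e2 == nil && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, canonical(h), raw) {
		return "valid"
	}
	return "invalid"
}

func main() {
	rec, priv := NewKey()
	txt := map[string]string{"example.org": rec} // constructed stand-in for DNS TXT
	h := map[string]string{"From": "alice@example.org", "Subject": "report"} // constructed
	fmt.Println(VerifyHeaders(txt, "example.org", h, SignHeaders(priv, h)))
}
```

A signature copied onto a message with a different From: header fails verification, and so does a valid signature checked against another domain's published key.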