[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ml.org's dynamic DNS

On Tue, Mar 03, 1998 at 02:41:07PM +0000, Mark Baker wrote:

> On Tue, Mar 03, 1998 at 08:15:50AM -0500, Avery Pennarun wrote:
> > SMTP servers should not be validating the envelope-from (if by that, you
> > mean the MAIL FROM command in SMTP).
> Yes they should.
> > That would seriously confuse a lot of things.  As a total.net user, I
> > should be able to (and I can) send mail as if I were apenwarr@bond.net,
> > apenwarr@worldvisions.ca, apenwarr@debian.org, and
> > avery.pennarun@uwaterloo.ca.  I am all four.
> But all those are valid addresses, so you don't have to worry about them
> validating it.

Okay, I think one of us is misunderstanding the other...

When I said "SMTP servers should not be validating the envelope-from" I
meant that they should not be checking it against their "allow mail
forwarding" list.  

Now, if they want, they can try to find a good way to make sure that the
address _exists_, but there is no good way -- VRFY and EXPN are, if I
remember, optional features in SMTP, and most people have fingerd disabled
(not that I would recommend really using finger for this).

Another person posted a message demonstrating a "paranoid sendmail" that
really does only allow forwarding from FROM addresses inside the domain.  I
maintain that this is evil, because it doesn't let me do reasonable things.

To prevent spammers from forwarding spam via your site, it is sufficient to
simply not allow forwarding from IP addresses "outside" to anything but

Presumably, the MAIL FROM checking is a feeble attempt to make spammers
originating on the local site have to identify themselves, but in the same
way as the HELO command: if we know for sure what the information is,
there's no need to force it to be supplied correctly.  If we don't know what
the information is, we can't force it to be provided accurately.  I see no
situation where trying to enforce this is useful.

IMHO bright.net's mailer is broken.

Have fun,


TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to: