[Mimedefang] preventing allowed relays from acting as relays?

[Brian Landers]

> I'm not exactly sure what the rationale is behind what you're trying
> to do.  Maybe if you could explain that, we could come up 
> with something.

In a nutshell, we HAVE to trust mailrelay.example.com -- its whole
purpose in life is to accept messages from various servers and deliver
them to Exchange or to the Internet.  I want to be able to tell when
user Bob takes his server that we allow to use the mail relay and makes
IT a relay to let people get around our access restrictions.

Obviously, some of this is a policy issue, and we definitely tell 
people "don't do that," but I'd like a way to make it more difficult
(or if nothing else, to alert us when they DO start letting people
"relay chain" so we can go apply the clue-by-4).  

> If you try parsing Received: headers, the person who controls host
> X can simply tell his MTA not to add a Received: header.

A fair point.  However, most of the time, host X is a Win2k box running
Microsoft SMTP service, and I'm not sure if it's that smart.  ;-)

Thanks,
Brian


-- 
I used to be with 'it' but then they changed what 'it' was. Now 
what I'm with isn't 'it', and what's 'it' seems weird and scary 
to me.