[Mimedefang] rejecting on helo,drive-by-relay,forged_sender,

John A. Stewart jstewart at ccs.carleton.ca
Fri Jan 16 13:18:06 EST 2004


WBrown at e1b.org writes:
> 
> mimedefang-bounces at lists.roaringpenguin.com wrote on 01/16/2004 12:30:33 PM:
> > I wonder if this can take off, in the face of so many people who
> > have grown accustomed to sending legit mail with a sender address
> > that has no relation to the account and domain they are using to
> > send the mail.  Like my columbia.edu address when I send from my
> > home ISP's smtp server.  Like my vanity domain address when
> > I send from the ISP that provides connectivity to the hotel room
> > I am in today.  Not that I think this widespread "forging" of
> > sender addresses is good.  But it is widespread.
> 
> As it's been said elsewhere, it won't take off until some of the biggies 
> adopt it - AOL, Yahoo, MSN.  Then it might catch on.
> 
> As for your vanity domain, you should be in control of the DNS entries and 
> you would add your ISP's mail server.  For your Columbia.edu address, you 
> would probably need to find a way to deliver that from/through a permitted 
> sender.  That would probably require SMTP after POP authentication, or VPN 
> into a trusted network.

We provide a POP/IMAP before SMTP capability on our Solaris/Sendmail mail
server.  It's a hack, and if a user tries to send a message after the
authentication is deemed to have timed out, it fails.  A better solution is
for the mail server (and of course the client) to support SMTP authentication.
Allowing authenticated connections (only) on an alternate port is also a good
idea because some service providers force their customers to send mail
via their own mail server by blocking outgoing connections to port 25.
VPN is overkill in my view.  I'd rather use SSL-based services for secure
remote access.

-- 
John Stewart -- Computing and Communications Services, Carleton University
Internet: jstewart at ccs.carleton.ca                       613-520-2600x3707
"measure twice, cut once"



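The timeout failure described in the message above, and the per-session alternative, modelled as an added example (not part of the original post, and not Sendmail or MIMEDefang code). The 30-minute window, port 587 as the alternate port, and all class and function names are assumptions made for illustration.

```python
"""Added illustration: relay decisions under POP-before-SMTP vs. SMTP AUTH."""
from dataclasses import dataclass, field
from typing import Dict, Optional

POP_WINDOW_SECONDS = 30 * 60   # assumed timeout; the post does not give one
SUBMISSION_PORT = 587          # assumed alternate port (RFC 2476 submission)


@dataclass
class PopBeforeSmtp:
    """Relay is allowed for an IP that completed a POP/IMAP login recently."""
    window: int = POP_WINDOW_SECONDS
    last_login: Dict[str, int] = field(default_factory=dict)  # IP -> login time

    def record_login(self, ip: str, now: int) -> None:
        self.last_login[ip] = now

    def may_relay(self, ip: str, now: int) -> bool:
        seen = self.last_login.get(ip)
        if seen is None:
            return False                 # never authenticated from this address
        if now - seen > self.window:
            del self.last_login[ip]      # stale entry: the user must log in again
            return False
        return True


@dataclass
class SmtpSession:
    """State the server holds for one SMTP connection."""
    port: int
    authenticated_as: Optional[str] = None   # set after a successful AUTH


def smtp_auth_may_relay(session: SmtpSession) -> bool:
    """Relay decision tied to this session's own AUTH, not to the client IP."""
    return session.authenticated_as is not None


def accept_mail_from(session: SmtpSession) -> bool:
    """Listener policy: the alternate port takes authenticated clients only."""
    if session.port == SUBMISSION_PORT:
        return session.authenticated_as is not None
    return True   # port 25 still accepts inbound mail; relaying is decided above
```

With a login recorded at time 0, `may_relay` returns True at 600 seconds and False at 2400 seconds, which is the failure the message describes; the SMTP AUTH decision has no clock in it at all.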