Re: several messages

Author: Greg A. Woods
Date:
To: Philip Hazel
CC: John Henders, exim-users
Subject: Re: several messages
[ On Wed, March 13, 1996 at 14:18:00 (+0000), Philip Hazel wrote: ]
> Subject: Re: several messages
>
> On Wed, 13 Mar 1996, John Henders wrote:
> >
> > Why can't this be stopped, though? If <any address in the world> is not
> > a local address, or part of a list of domains we want to accept and
> > forward mail to, I don't see it as that difficult a test, and I can't
>
> In that case you are effectively not doing any check on MAIL FROM. That
> is an obvious possibility.


I suppose. What you really need to do, from a trusted path P.O.V., is
to first authenticate that the MAIL FROM agrees with the incoming
connection (perhaps according to some general matching rules), and then
authorise (or deny) the MAIL FROM address (again perhaps according to
some general matching rules).

I wonder if lib_tcpwrap could be of any help in here. It would at least
allow you to specify overall rules about who could connect to your mail
server (i.e. you could deny internal machines that are not allowed to
send mail).

> Not always. Netscape sends mail by connecting to 127.0.0.1, I discovered
> the other day.


You'd have to have some rather bizarre security requirements to need to
deny connections from the local host.

[[ I'm assuming your router is dropping any packets that appear on the
external interface but have a source address within an internal network. ]]

-- 
                            Greg A. Woods


+1 416 443-1734            VE3TCP            robohack!woods
Planix, Inc. <woods@???>; Secrets of the Weird <woods@???>
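
The two-step check described in the message above (authenticate that the MAIL FROM agrees with the incoming connection, then authorise the address), with a connection-level host rule in front of it, as an added example that is not part of the original message or of Exim. The networks, domains, patterns and function names are constructed assumptions.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed policy (assumptions for illustration only).
DENY_CONNECT = [ipaddress.ip_network("192.0.2.64/26")]  # internal hosts barred from sending
LOCAL_DOMAINS = ["example.com", "*.example.com"]
INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),   # local host, e.g. a local mail client
                 ipaddress.ip_network("192.0.2.0/24")]
DENIED_SENDERS = ["*@blocked.example.net"]


def _matches(value, patterns):
    return any(fnmatchcase(value, p) for p in patterns)


def check_mail_from(peer_ip, mail_from):
    """Return (accepted, reason) for one SMTP MAIL FROM on one connection."""
    ip = ipaddress.ip_address(peer_ip)
    addr = mail_from.strip().strip("<>").lower()

    # Connection-level rule, checked before the sender is considered at all.
    if any(ip in net for net in DENY_CONNECT):
        return False, "connection denied"

    # The null sender <> (bounces) claims no domain, so there is nothing to match.
    if addr == "":
        return True, "null sender"
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return False, "malformed sender"

    # Step 1, authenticate: does the claimed domain agree with the connection?
    internal = any(ip in net for net in INTERNAL_NETS)
    claims_local = _matches(domain, LOCAL_DOMAINS)
    if internal and not claims_local:
        return False, "internal host claiming foreign domain"
    if not internal and claims_local:
        return False, "external host claiming local domain"

    # Step 2, authorise: is this particular sender address permitted?
    if _matches(addr, DENIED_SENDERS):
        return False, "sender not authorised"
    return True, "ok"
```

The source-address comparison is only meaningful if, as the bracketed note in the message assumes, the border router already drops packets arriving from outside with an internal source address.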