Re: [exim] Blocking non-authenticated senders

Author: Jethro R Binks
Date:  
To: Exim Users Mailing List
Subject: Re: [exim] Blocking non-authenticated senders
On Thu, 22 Feb 2007, Ian Eiloart wrote:

> --On 22 February 2007 12:26:02 +0000 Jethro R Binks
> <jethro.binks@???> wrote:
>
> > On Wed, 21 Feb 2007, Peter Velan wrote:
> >
> > > -- One message was triggered from a news website, where one user
> > > informed about an interesting article. The email-system of this website
> > > placed the email-address of the informing guy in envelope-from.
> >
> > The last time I thought about this setting, which would have been around
> > 2000 or so, it was quite common for "greetings card" sites and similar to
> > do this too. They were quite in-vogue at the time, I've no idea about
> > now. As a general comment, there are probably many other cases that you
> > haven't observed, so:
> >
> > > Conclusion: It's not worth the hassle!
> >
> > I agree with that conclusion, and one benefit of your investigation
> > provides the Exim users archives with a more recent discussion on the
> > matter.
> >
>
> I disagree.


OK, let me re-phrase a little! I was too brief in commending the
conclusion.

For a corporate, or in some cases University, environment, the action of
blocking non-authenticated mail from offsite with sender address from one
of one's own domains is probably reasonable in many cases. However, it
_will_ affect some mail, and whether that is acceptable will depend on
local institutional policy, whether actual or perceived. No doubt also
the organisational position on use of email for personal purposes will
come into it too.

For the typical small business or personal server, a block probably will
have an impact on some users, and so its advantages should be weighed
carefully with those disadvantages.

Some sites will find it easier to implement than others, depending on the
penetration of authenticated sending and so on, and the profile of user
traffic.

The main point I really wanted to make was that to the naive user, this is
an obvious thing to do, however it turns out that there are several corner
cases where you can, legitimately, receive mail from your own user email
addresses from offsite. Now you can argue systems sending such mail are
broken or shouldn't work that way or whatever, but they do exist, and your
users might want that traffic. So, it is important that this discussion
is aired every so often, so that new naive users can be apprised of the
issues, and then make their own decision.

Better now? :)

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
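
One way to weigh the impact before enforcing such a block, as an added example that is not part of the original message: it scans Exim main log arrival lines for mail that claims a local sender domain but arrived unauthenticated from an offsite host. The domain, network range and log lines are constructed assumptions for illustration.

```python
import ipaddress
import re

# Assumptions for this sketch: our own domains and the networks treated as onsite.
LOCAL_DOMAINS = {"example.ac.uk"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Exim main log arrival line: "<date> <time> <msgid> <= <envelope-sender> <fields>"
ARRIVAL = re.compile(r"^(\S+ \S+) (\S+) <= (\S+)(.*)$")
HOST_IP = re.compile(r"\bH=.*?\[([0-9a-fA-F.:]+)\]")   # H=name (helo) [ip]
AUTH = re.compile(r"\bA=\S+")                          # A=<authenticator>:<id>

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """\
2007-02-22 12:00:01 1HKaaa-0001Aa-01 <= alice@example.ac.uk H=cards.example.net [198.51.100.7] P=esmtp S=2301
2007-02-22 12:00:05 1HKaab-0001Ab-02 <= bob@example.ac.uk H=(laptop) [203.0.113.9] P=esmtpsa A=plain:bob S=1840
2007-02-22 12:00:09 1HKaac-0001Ac-03 <= carol@example.ac.uk H=pc1.example.ac.uk [192.0.2.15] P=esmtp S=990
2007-02-22 12:00:12 1HKaad-0001Ad-04 <= dave@example.com H=mx.example.com [198.51.100.20] P=esmtp S=4100
2007-02-22 12:00:15 1HKaad-0001Ad-04 => alice@example.ac.uk R=local_user T=local_delivery
"""

def would_block(line):
    """Return (msgid, sender, ip) if this arrival would be refused, else None."""
    m = ARRIVAL.match(line)
    if not m:
        return None                      # deliveries and other log lines
    _, msgid, sender, rest = m.groups()
    if "@" not in sender:
        return None                      # bounces (<>) and unqualified local senders
    if sender.rsplit("@", 1)[1].lower() not in LOCAL_DOMAINS:
        return None                      # sender does not claim one of our domains
    if AUTH.search(rest):
        return None                      # authenticated submission is allowed
    host = HOST_IP.search(rest)
    if not host:
        return None                      # not received over SMTP (e.g. P=local)
    ip = ipaddress.ip_address(host.group(1))
    if any(ip in net for net in LOCAL_NETS):
        return None                      # onsite host
    return msgid, sender, str(ip)

def audit(log_text):
    """List every arrival in the log that the proposed block would have refused."""
    return [hit for hit in map(would_block, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for msgid, sender, ip in audit(SAMPLE_LOG):
        print(f"{msgid} {sender} from {ip}")
```

Run over a few weeks of real logs, the resulting list shows which offsite systems (greetings-card sites, "send this article" forms and the like) would be affected, so the decision can be made against local policy.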