Re: [exim] Blocking non-authenticated senders

Top Page
Delete this message
Reply to this message
Author: Ian Eiloart
Date:  
To: Jethro R Binks, Exim Users Mailing List
Subject: Re: [exim] Blocking non-authenticated senders


--On 23 February 2007 09:39:28 +0000 Jethro R Binks
<jethro.binks@???> wrote:

> On Thu, 22 Feb 2007, Ian Eiloart wrote:
>
>> --On 22 February 2007 12:26:02 +0000 Jethro R Binks
>> <jethro.binks@???> wrote:
>>
>> > On Wed, 21 Feb 2007, Peter Velan wrote:
>> >
>> > > -- One message was triggered from a news website, where one user
>> > > informed about an interesting article. The email-system of this
>> > > website placed the email-address of the informing guy in
>> > > envelope-from.
>> >
>> > The last time I thought about this setting, which would have been
>> > around 2000 or so, it was quite common for "greetings card" sites and
>> > similar to do this too. They were quite in-vogue at the time, I've no
>> > idea about now. As a general comment, there are probably many other
>> > cases that you haven't observed, so:
>> >
>> > > Conclusion: Its not worth the hassle!
>> >
>> > I agree with that conclusion, and one benefit of your investigation
>> > provides the Exim users archives with a more recent discussion on the
>> > matter.
>> >
>>
>> I disagree.
>
> OK, let me re-phrase a little! I was too brief in commending the
> conclusion.
>


<snip>

> For a corporate, or in some cases University, environment, the action of
> blocking non-authenticated mail from offsite with sender address from one
> of one's own domains is probably reasonable in many cases. However, it
> _will_ affect some mail, and whether that is acceptable will depend on
> local institutional policy, whether actual or perceived. No doubt also
> the organisational position on use of email for personal purposes will
> come into it too.
>
> For the typical small business or personal server, a block probably will
> have an impact on some users, and so its advantages should be weighed
> carefully with those disadvantages.
>
> Some sites will find it easier to implement than others, depending on the
> pentration of authenticated sending and so on, and the profile of user
> traffic.
>
> The main point I really wanted to make was that to the naive user, this
> is an obvious thing to do, however it turns out that there are several
> corner cases where you can, legitimately, receive mail from your own
> user email addresses from offsite. Now you can argue systems sending
> such mail are broken or shouldn't work that way or whatever, but they do
> exist, and your users might want that traffic. So, it is important that
> this discussion is aired every so often, so that new naive users can be
> appraised of the issues, and then make their own decision.
>
> Better now? :)
>
> Jethro.


That seems like a good summary of the situation. It's probably worth adding
that, in an ideal world, (A) no site would accept unauthenticated email
"from" its own domain. Furthermore, (B) no site would accept email from
another domain, where the IP address of the sender wasn't advertised as a
legitimate source. In that world, domain owners could be held responsible
for email sent "from" their domains.

But, that's straying from practical advice to politics.


--
Ian Eiloart
IT Services, University of Sussex