Re: [exim] Mail claims to be sent by my self

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Oliver von Bueren
Date:  
À: exim-users
Sujet: Re: [exim] Mail claims to be sent by my self
I disagree with many of your points.

>> The error in the configuration
>> is, that someone can send a message claiming to be from your local
>> domain without authentication through your server.
>>


> message comes back from a mailing list, Gmail sees the same Message-Id
> and discards "a duplicate", members get annoyed.
>

Message-ID Dupe detection has nothing to do with the addressing of a
message.
> Besides, the easiest and most convenient way to test for some mail problem
> is to send a letter to one's own external forwarder which relays the letter
> back to the owner of the forwarder. Forwarders on free mail services
> usually don't alter envelope-from. Some listservers too.
>

IMHO, an automated message which is sent with anything other than a
NULL-sender is a buggy set up. And if a mail service, which has a
forwarder option, sends the mail with an unaltered envelope-sender, I
don't think it's the best thing to do. I've no problem if they leave the
header lines with From:/To:/Reply-To: intact, but I opt for changing the
envelope-from to the address of the free mail account, as the mail does
not originate from the original sender but from the forwarding account.

If a list server aka mailing list sends on messages submitted to it
without altering the envelope-from it is broken. Or do you like to get
every bounce message back to your mail account because some of the
member addresses have a problem? I don't!
> Mail clients in some mobile phones have an option "copy to self"
> (Bcc to the same address as in From). I use it. Some mobile operators
> (mine included) closed port 25 and require to send through their relay.
> Some mail clients in mobile phones may lack an option to send
> to port other than 25 with authentication.
>

I've got a service for my mobile which uses the correct envelope-from of
this account, which basically is the mobile number @domain.com, and has
the chosen address in the From: header line.

> So, rejecting every message from your domain without authentication
> is a bad idea. But in practice usual antispam means (in rcpt ACL)
> fend off spam claiming to be from yourself as well as other kinds of spam.
>

I don't have a problem since years with that, don't have any complaints
from my users, both from the commercial side as well as the private users.

I think the question here comes down to what the meaning of the
envelope-from is. I see this as the address, which obviously must be
reachable by mail, and which is the originating account of the message.
The originating account of a message is on that domain, where the
message gets addressed.
Eg. if you send a message from abc.com to def.com, the envelope-sender
has to be abc.com. If the user at def.com decides to forward the address
to xyz.com, this creates a new message with new addressing elements,
originating at domain def.com and therefore should have def.com as
envelope-sender. You can leave abc.com in the From:-header of the
message, no problem with that. The servers for domain def.com don't have
any authority over abc.com, so it should not use that abc.com domain in
the technical addressing, meaning envelope.

BTW: The hole forwarding stuff fails anyway, as soon as you introduce
strict SPF and other similar techniques, if def.com starts sending
abc.com messages. So if you favour the forwarding without changing
envelope-from, don't use any of these techniques either, they are not
compatible by design.

But I think this is a case of opinions, which we don't seem to share.

And I know that a lot of services in the wild don't play nice.

Oliver