Re: [exim] automatically blacklisting clients that fail SMTP

On 14 Jun 2011, at 16:43, Bill Hayles wrote:

>>
>> SPF lets a domain owner say which IP addresses their email is expected to
>> originate from. It might be nice to also allow IP address owners to
>> specify which domains are expected to originate from their IP addresses.
>> For example, an ISP might permit a small company to use port 25, but
>> publish a set of DNS records that let the world know that the email
>> originating from those IP addresses is going to (mostly) use a particular
>> set of sender domains. I don't know whether that's easily achievable
>> technically, but it would be nice to be able to check with the IP address
>> owner as well as the domain owner.
>
> It's an interesting idea, and one I have no problem with in theory. In fact
> I think it would be much easier for me than it would for a hosting service
> that has new domains added daily, if not more frequently.
>
> I can see Telefonica looking on this as a way of extracting more money from
> their fixed IP account customers.
>
> The problem comes in that 95% (maybe more) of mail originating from
> 80.35.22.107 will have a sender@???. However, some of my account
> holders have more than one e-mail address and may wish to send via my server
> using that address. Perfectly OK, as everybody (even me!) has to
> authenticate via ESMTP to send to anywhere other than local domains. Your
> proposal would make that difficult, if not impossible.


Well, that depends on how the listings are used. You might, for example, allow some rate-limited mail through that didn't match. These issues are the same as for SPF, actually.

But, the sender *should* be using authenticated SMTP to send mail, and should be authenticating at the domain in their sender address. I know the world isn't like that at the moment, but it would be if security had been an issue when SMTP was invented, and we ought to be encouraging users to do that.

--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148