[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] NULL "Mail From:<>" headers...

To: Amin Tora <AminT@icn.com>
Subject: RE: [FW1] NULL "Mail From:<>" headers...
From: Paul D. Robertson <proberts@clark.net>
Date: Thu, 1 Apr 1999 09:01:16 -0500 (EST)
Cc: "FW-1-MailingList (E-mail)" <fw-1-mailinglist@lists.us.checkpoint.com>

On Wed, 31 Mar 1999, Amin Tora wrote:

> Alrighty people... here is what ORBS has to say about denying NULL From:
> fields:
> 
>  ==start excerpt==
> > This directly states that I should not implement step three of
> > your "checks" against my SMTP gateway (eliminating the null
> > email from), as it can cause more problems than it solves for
> > our users.
> 
> Not quite. All the SMTP checks should be aimed at preventing
> relaying, not to reject senders outright. Even an external null
> sender has no reason to relay via your server to another server
> unrelated to your operation and should be denied access if this is
> attempted.
>  ==end excerpt==
> 
> Basically, they want you to deny any mail with null From: fields relaying
> via your SMTP server to a domain not belonging to you.  However, if the mail
> with the null From: field is directed to your domain, then you can still
> allow it.
> 
> My question here is, by following the above recommended deny and allow
> scenario, will a secure SMTP gateway be "violating" the RFC ?

This is fine.  Denying 3rd party relaying is perfectly acceptable, no matter 
what the from address (null, bozo@theclown.org, 
president@whitehouse.gov, proberts@clark.net....).  Relaying in SMTP is 
based on who the message is to, not who it's from, so I'm not sure that 
you're not taking the long way around this?  

> Next question that remains unanswered is: 
> How do I check for the null From: fields..  if I am to implement the above
> deny and allow rules...??  
> 
> I tried  *@*  and it doesn't work!... 

Shouldn't you be checking the rcpt to:<> field(s) to find out if it is a 
local user, and denying the mail if it isn't?  That would solve all cases of 
relay abuse, place no burden on anyone not trying to relay mail to third 
parties, and keep everyone happy.  

Don't forget that SMTP allows multiple RCPT TO:<>'s in a single 
conversation when you're testing.  Any RCPT TO: that isn't in your domain 
should be rejected.  Rejecting with a 4xx error will make it possible to 
live through DNS failures, with a 5xx will make most of the spammers go away.

Also, don't forget that mail should be accepted to the canonical address 
of the mail exchanger record in square brackets.  So if my.mail.gateway 
has an IP address of 10.0.0.1, then I should accept mail to 
<user>@my.mail.gateway, <user>@[10.0.0.1], and any other instances 
necessary.  At the very least, you should do this for <user> == 
postmaster.  It's very frustrating to try to report brokeness to a site 
where you can't get mail to the person who should be able to fix it 
because their gateway is rejecting mail due to a configuration problem, 
*especially* if it's a DNS problem and all the contacts have addresses in 
the same domain.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
                                                                     PSB#9280

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: [FW1] NT admin traffic through Firewall
Next by Date: [FW1] Multiple Leaselines -Reply
Prev by thread: Re: [FW1] NULL "Mail From:<>" headers...
Next by thread: RE: [FW1] NULL "Mail From:<>" headers...
Index(es):
- Date
- Thread