Subject: Re: Multiple smarthosts for SMTP (sending from different accounts)
To: Brian de Alwis <email@example.com>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 01/31/2002 15:37:30
In message <20020131120330.C27501@slab.gascol.cs.ubc.ca>, Brian de Alwis writes
>On 2002.01.29 19:53:17 -0500, Steven M. Bellovin wrote:
>> I think you're ok with what you're doing. Anti-relay provisions don't
>> make decisions based on source address -- that's too easily spoofed --
>> but on where the mail arrived.
>Well I gave it a try (I use an almost identical set-up to yourself),
>and it did work. Which is great.
>But I find this a bit puzzling -- I thought anti-relay meant that it
>would only relay for e-mail to or from someone within its relaying
>domains. I.e. smtp.cs.ubc.ca would only relay for e-mail to or from
>addresses of the form <*@*.cs.ubc.ca>. So they instead check that
>the machine sending the e-mail is within the domain? But then how
>does e-mail sent *to* people within cs.ubc.ca from outside get accepted?
I oversimplified: it uses domain names for destination addresses, but
IP address for origination. Someone is an insider if they are (a) on
the right network(s), which is (presumably) under the control of the
administrator, or (b) receiving mail in that domain, which is
definitely under administrative control. You can't use domain name for
source-checking, or the spammers will send all their mail as being from
email@example.com or what have you. Heck, they'd just send it as being
from root, and let the sending site fill in its domain name.
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com