SPF is fundamentally flawed

Tony Earnshaw tonye at billy.demon.nl
Fri Feb 20 14:56:55 GMT 2004

Thu, 19.02.2004 at 23.45, Bruce Lilly wrote:

> > Is Postfix a poorly designed MTA?
> The issue is actually a combination of MTA design and administrative
> configuration.  I can't say what the situation is with Postfix, but
> if you use it you can probably determine so; can it be configured to
> ignore validity of the recipient at the RCPT TO stage (e.g. by
> configuring it to act as an open relay)?

It comes "out of the box" as only allowing relaying from trusted domains
and refusing mail to non-existent local users. But whoever configures it
can easily make it into an open relay and have it accept mail for
anyone, anywhere.

> In both of Erik's examples, the MTAs involved appear to be versions
> of sendmail (not surprising since that's the most widely used MTA),
> and sendmail can be configured to ignore recipient address validity
> (though that's highly unusual); that is apparently how one of the
> servers in Erik's first example is configured.

Unfortunately you broke the thread and I can't find his original

Telnetting to port 25 on each of tudelft's 3 advertised mailservers
shows it's Postfix and his own internal server is Postfix. His mail
headers don't show anything else.

>   In Erik's second
> example, the specific MTA and its configuration isn't the issue;
> use of a transfer topology involving an intermediate relay will
> almost always result in a bounce on downstream failure.

A good Postfix mailadmin can configure his gateway server(s) to "know"
what users have mail accounts on his internal servers, so that bounces
to non-existent users will never occur (the gateway server will simply
refuse the mail on submission - that's not a bounce). Where the gateway
server is simply configured as a (fallback) relay for another server
somewhere else, the question of valid users doesn't arise and any
bounces would be generated directly back to the original sender
(presuming he exists) by the other server.



mail: billy - at - billy.demon.nl
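Added example, not part of the original message: a small audit of `postconf -n` style settings for the three configurations discussed in this thread (open relay, a relay gateway with no list of valid recipients, and local recipient checking switched off). The sample configurations are constructed; `mynetworks`, `relay_domains`, `relay_recipient_maps` and `local_recipient_maps` are real Postfix parameters, and the audit assumes only explicitly set values are present in the input.

```python
import re

def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    conf, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            conf[last] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            last = name.strip()
            conf[last] = value.strip()
    return conf

def audit(conf):
    """Return findings for settings that accept mail the server cannot deliver."""
    findings = []
    nets = re.split(r"[,\s]+", conf.get("mynetworks", ""))
    if "0.0.0.0/0" in nets or "::/0" in nets:
        findings.append("open-relay: mynetworks trusts every client")
    # Relay gateway without a recipient list: unknown users are accepted at
    # RCPT TO and the failure surfaces later as a bounce from downstream.
    if conf.get("relay_domains") and not conf.get("relay_recipient_maps"):
        findings.append("relay-no-recipient-check: relay_recipient_maps is unset")
    # An explicitly empty local_recipient_maps disables the local user check.
    if "local_recipient_maps" in conf and not conf["local_recipient_maps"]:
        findings.append("local-no-recipient-check: local_recipient_maps is empty")
    return findings

# Constructed sample settings (hypothetical hosts and paths).
GATEWAY_WEAK = "\n".join([
    "mynetworks = 0.0.0.0/0",
    "relay_domains = example.org",
    "local_recipient_maps =",
])
GATEWAY_STRICT = "\n".join([
    "mynetworks = 127.0.0.0/8,",
    "    192.0.2.0/24",
    "relay_domains = example.org",
    "relay_recipient_maps = hash:/etc/postfix/relay_recipients",
])

if __name__ == "__main__":
    for label, text in (("weak", GATEWAY_WEAK), ("strict", GATEWAY_STRICT)):
        print(label, audit(parse_postconf(text)))
```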

