[unisog] Rejecting incoming mail with from addresses in your own domain.

Russell Fulton r.fulton at auckland.ac.nz
Tue Jul 22 03:29:47 GMT 2003

On Tue, 2003-07-22 at 14:23, Peter Van Epp wrote:

> 	Us too. However if Russell (or anyone else) has a way of wrapping 
> arbitrary mail clients in SSL across all clients (Macs of all vintages, DOS,
> Unix boxes of all kinds, Windows) without creating a support nightmare I'd
> certainly see if my mail folks lynch me for suggesting it :-).

We are in a slightly better position on this one since, currently, we
don't allow relaying from off campus through our servers.  So this is
being brought in as a new service that will allow users who can use
authentication to relay through our servers.  We are not pretending that
it is a universal solution.

I doubt if there are many users who are using our smtp servers from off
campus since they can only send mail to on campus domains.

A bigger worry is the one Pete Hickey raised, i.e. that of people who
are sending mail from home through their ISP's MTA with From addresses
in our domain.  I'll troll our logs to see how much of this there is.

We may simply say that they can no longer do this (if there are not too
many) and if they want replies to come back to their university account
then they can use the Reply-To header to achieve this.

Like all security measures this one has costs and benefits and we have
to weigh the two up to see if they are worthwhile pursuing.

The worst problem that may well sink this idea is the one raised by
Matthew West about mail from lists (others also pointed this out off list
too).  I don't see any effective answers to this.  One *could* add a
header to all outgoing mail which consisted of a digital signature of a
known 'secret string concatenated with the From: and Date: headers' and
check it when it came back but this would be costly and would only work
if the mail list software left the original headers intact.  
Note, I'm not suggesting that this should be done, I think it is too
costly in terms of performance and complexity.

Cheers and thanks to those who responded.


Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
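The header scheme sketched in the message above (a keyed digest of the From: and Date: headers added on the way out and re-checked when the mail comes back), as an added example that is not from the post or from the university's mail system. HMAC-SHA256 stands in for the "digital signature of a secret string concatenated with the headers"; the header name, secret, addresses and dates are constructed. The demo also shows the failure mode the post notes: once a list rewrites either header, verification fails, so the scheme only works if the list software leaves the original headers intact.

```python
import hmac
import hashlib
from email.message import EmailMessage

# Constructed site secret for this example only (a real deployment would
# use a random key held on the outbound and inbound MTAs).
SITE_SECRET = b"constructed-example-secret-not-for-use"
HEADER_NAME = "X-Origin-Auth"   # hypothetical header name

def origin_tag(from_hdr: str, date_hdr: str, secret: bytes = SITE_SECRET) -> str:
    """Keyed digest over the From: and Date: headers (HMAC-SHA256 used
    here as the keyed construction the post describes)."""
    data = (str(from_hdr) + "\n" + str(date_hdr)).encode("utf-8")
    return hmac.new(secret, data, hashlib.sha256).hexdigest()

def stamp_outgoing(msg: EmailMessage, secret: bytes = SITE_SECRET) -> EmailMessage:
    """Outbound MTA side: tag a message leaving the site."""
    msg[HEADER_NAME] = origin_tag(msg["From"], msg["Date"], secret)
    return msg

def verify_incoming(msg: EmailMessage, secret: bytes = SITE_SECRET) -> bool:
    """Inbound MTA side: accept mail with a local From: only if the tag
    recomputes over the headers exactly as they arrived."""
    tag = msg.get(HEADER_NAME)
    if tag is None or msg["From"] is None or msg["Date"] is None:
        return False
    expected = origin_tag(msg["From"], msg["Date"], secret)
    return hmac.compare_digest(str(tag), expected)

def build(from_addr: str, date_hdr: str) -> EmailMessage:
    """Minimal constructed message with just the two covered headers."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["Date"] = date_hdr
    return msg

def demo():
    date_hdr = "Tue, 22 Jul 2003 15:29:47 +1200"   # constructed
    sent = stamp_outgoing(build("user@example.ac.nz", date_hdr))
    # 1. Mail returns from a list that preserved From: and Date:.
    intact = verify_incoming(sent)
    # 2. The list rewrote Date: (same story for From:): tag no longer matches.
    rewritten = build("user@example.ac.nz", "Tue, 22 Jul 2003 04:01:00 GMT")
    rewritten[HEADER_NAME] = sent[HEADER_NAME]
    altered = verify_incoming(rewritten)
    # 3. Off-site mail claiming a local From: but carrying no tag at all.
    untagged = verify_incoming(build("user@example.ac.nz", date_hdr))
    return intact, altered, untagged
```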
