On Tue, 06 Feb 2001 06:34:30 -0500,
"L.D. Best" <[EMAIL PROTECTED]> wrote:
>
> As I told someone else, this isn't exactly what was proposed but it is
> sorta.  HUH??
> 
> So far no one has been able to access & use from a pseudo-domain/pseudo
> user account?  To date, all tries have been from valid domains by valid
> accounts on those domains.  No try, to my knowledge, to come into port
> 25 & pretend to be me or [EMAIL PROTECTED] [as proposed in the
> message that started this whole discussion] has succeeded.  

Correct. What may have been proposed will not work in almost all
cases.

> Anyone
> know precisely how a server checks on the validity of a sending address? 
> Is it a DNS kinda thing, or is it a matter of polling the "originating"
> server to see if the account information is valid, or ???

I'm certainly no expert, but this is how I understand it.

First, it may help to forget about authentication for a minute
and look at how e-mail normally works.

Before accepting a message for delivery, the smtpserver knows
three things:
1. the IP number of the connecting host
2. the envelope from or mail_from
3. the envelope to or rcpt_to

If the server is using one of the real-time blocklists (RBL, RSS,
ORBS, DUL) or a local blocklist, it will check to see if #1 is
listed and block/not block accordingly.

Next, many servers will block mail if the domain in #2 does not
resolve, or if the address/domain is on a local blacklist.

Finally, in order to prevent third-party relay, it will compare
#1 and #2. [!]

If any of these tests fail, the mail will be blocked and bounced
by the connecting host.

So far so good. Now let's look at authentication.

In order to make it possible for users not connected to their ISP
(or email service) to use their ISP's (or email service's) smtpserver
to send mail to external sites, some method(s) other than the one
described above [!] has to be used.

We have seen three *different* methods of authentication discussed
here:
1. the mail_from address
2. POP-before-SMTP
3. SMTP AUTH

#1 is not at all secure since anyone can put whatever they want
in the mail_from. As I mentioned elsewhere, crosswinds.net uses
this method, and as a result finds itself listed in ORBS, since
their mailserver is not really closed. This is probably the
"what has been proposed" that you are referring to. I don't
believe that there are too many sites that use this method.

While I don't know the inner workings of #2 and #3, I do know
that #2 works with DOS. All one has to do is POP before sending.
As far as #3 is concerned, it has been pointed out that there
are very few clients that support it, and so far, at least, it
seems that those servers that may be using it, also allow
POP-before-SMTP.

> The experimental will go on, I guess. I'm waiting for more info
> from the techie... :>

So, now I'm a techie. It wasn't that long ago that I didn't know
the difference between an open server and an open kitchen. :-)
Anyway, I hope some of this makes sense, and helps to put the
authentication business into perspective.

Howard E.

-- 
DOS TCP/IP * <URL:http://www.ncf.ca/~ag221/dosppp.html>

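The relay decision described in the message above, as an added example that is not part of the original post: a simplified Python model of a server's accept/reject choice under each of the three authentication methods, showing why trusting the mail_from leaves the server open. All addresses, networks, the blocklist, the 600-second POP window and the function names are constructed assumptions; the DNS check on the sender's domain is left out so the block runs offline.

```python
import ipaddress
import time

LOCAL_DOMAINS = {"example.net"}                      # constructed: domains this server hosts
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed: the ISP's own address range
BLOCKLIST = {"203.0.113.66"}                         # constructed stand-in for an RBL lookup
POP_WINDOW = 600                                     # assumed: seconds a POP login stays valid


def domain(addr):
    """Return the lower-cased domain part of an envelope address."""
    return addr.rsplit("@", 1)[-1].lower()


def decide(ip, mail_from, rcpt_to, method, pop_logins=None, smtp_auth_ok=False, now=None):
    """Return 'accept' or a rejection reason for one envelope.

    method is the way roaming users are recognised:
    'mail_from', 'pop_before_smtp' or 'smtp_auth'.
    pop_logins maps client IP -> time of its last successful POP login.
    """
    now = time.time() if now is None else now
    if ip in BLOCKLIST:
        return "reject: client IP blocklisted"
    if domain(rcpt_to) in LOCAL_DOMAINS:
        return "accept"  # inbound mail for our own users is not relaying
    if any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS):
        return "accept"  # customer connected through the ISP itself
    # From here on: an outside host asking us to deliver to an external site.
    if method == "mail_from":
        ok = domain(mail_from) in LOCAL_DOMAINS  # the client chooses this value
    elif method == "pop_before_smtp":
        ok = now - (pop_logins or {}).get(ip, float("-inf")) <= POP_WINDOW
    elif method == "smtp_auth":
        ok = smtp_auth_ok  # result of a password check made in the SMTP session
    else:
        raise ValueError(f"unknown method: {method}")
    return "accept" if ok else "reject: relaying denied"


if __name__ == "__main__":
    outsider = ("198.51.100.7", "anyone@example.net", "someone@elsewhere.example")
    print("mail_from      :", decide(*outsider, "mail_from"))
    print("pop, no login  :", decide(*outsider, "pop_before_smtp", now=1060))
    print("pop, login 60s :", decide(*outsider, "pop_before_smtp",
                                     pop_logins={"198.51.100.7": 1000}, now=1060))
    print("smtp_auth, none:", decide(*outsider, "smtp_auth"))
```
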