> Original Article: http://www.egroups.com/list/djb-qmail/?start=27523
> The "lack", as it were, is in your thinking through the problem.
> There is no way, short of sender authentication, to tell whether an
> incoming message which has a sender address in your domain is
> legitimate or forged. Consider the case of a mailing list hosted at
> another site (the qmail list), as an example. Would you like to
> start rejecting incoming mail from the qmail list if the sender was
> yourself?
>
> -- Jeff Hayward
Thanks for your comments Jeff.
Maybe I simplified too much my description.
Former, I'm always refering to the envelope sender. The "From" header
field often is different from the real recipient (eg. mail forwarding
or alias).
Second, it's clear that, in a general case, it's imposible to detect
if the sender is forged because the users could connect from anywhere.
However, I have pointed that I'am using qmail as a gateway between our
mail servers, obligatory used by our users, and the Internet. So mail
from our domain should be received only from these internal servers
(known).
Of course there are mailbox forwarding and mail lists. It seems to me
that mail lists re-send the messages with their owner as sender. Am I
right?
However, it's true that mail forwarding often keeps the original
sender in its deliveries. That means that an outgoing message can not
go back through an external mailbox (I don't see any useful purpose).
I think that it's a fair price for keeping forged internal messages
outside.
Therefore I think that kind of filtering would be useful. Nevertheless
I don't want to teach how to program MTA's to anybody, really I am
eternal learner, and it's posible that my suggestion would be
absolutely illegal. I appreciate any clarification.
David Jorrin
----------------------------------------------------------------
Get your free email from AltaVista at http://altavista.iname.com
