On 2018-02-17 01:11, Daniele Duca wrote:
On 17/02/2018 00:41, John Hardin wrote:
Not necessarily safe. If your MTA receives a message without a
Message-ID, it is supposed to generate one. And if it does so, it will
probably do so using your (recipient) domain...
Isn't MID creation responsability of the MUA and not the MTA? If every
MTA would generate a MID when not found in inbound emails rules like
SA's MISSING_MID would be useless.
MID creation should be done by the MUA, and if missing, should be added
by the MSA. Think of it as a belt-and-suspenders approach. This is also
why such rules are useful, spambots are often garbage and skip important
steps that any properly designed software would do.
(Lowercase should, read the RFCs if you want literal SHOULD/etc from the
specs).
A receiving MTA shouldn't add a Message-ID, but it does happen,
particularly in infrastructures that need a Message-ID internally.
Also keep forwarding in mind, I might choose to accept an inbound
message without a Message-ID but I won't forward it on without adding a
Message-ID, so in this case the final receiving MTA will see a
Message-ID that is unrelated to the original message in any way.
In an ideal world, it's just a random string (with a bit of formatting
requirements), but in reality it obviously has some value as different
senders (and types of senders) will leave a fingerprint behind which may
be useful for categorization.