Hi Jesse,

> I'd like to insert an SMTP filter proxy between tcpserver and qmail
> (or, in my case: rblsmtpd) that reads a file or cdb containing
> all of the domains in my rcpthosts file, and REJECTS messages that are
> addressed FROM one of those domains UNLESS the RELAYCLIENT
> environment variable is set (which would mean that it's legitimate
> email from one of my customers).

Unlike rblsmtp, you'll have to let the SMTP session take place, because
you wouldn't have the envelope sender address.

Thus, you need a filter between qmail-smtpd and qmail-queue.

A generic filter is already available:

http://untroubled.org/qmail-qfilter/

It's easy to implement, and there are a some simple examples in the
source tarball that show how you'd be able to write a filter that fits
your needs in any programming language you want.

> The idea seems relatively simple, and I can't immediately think of any
> problems with it.

Let's say, I am [EMAIL PROTECTED] As I'm currently at home, I'm using
my local qmail server to relay mail to the outside. Though I don't use
the wingnet.net mail server, I have an identity called [EMAIL PROTECTED]
configured in my mail client.

If I send some mail to your server (that is expected to be configured in
the way you said), it would not accept a mail from me to
[EMAIL PROTECTED], because I'm using wingnet.net (one of your domains)
as my From address, but I haven't authorized myself to relay, because I
don't relay through your server - I simply send a mail to you.

> And Implementing it would greatly reduce
> spam with forged headers claiming to be from one of my customers.

No, even if you patch your mailserver, I'm still able to send out mail
appearing to be from [EMAIL PROTECTED] or [EMAIL PROTECTED] That's
simply not under your control.

Your idea has the following conclusions:

1) A wingnet.net user that isn't authorized to relay is able to send
mail to any local domain on your server, using any envelope sender
address he wants (but none from your domains!)

2) A wingnet.net user that is authorized to relay is able to send mail
to any user in the world, using any envelope sender address he wants.

3) An outside user is authorized to send mail to you as long as he
doesn't use one of your domains that are managed by your server.

4) You do not prohibit anybody in the world to send mail to anybody in
the world using one of your domains in his envelope sender address.

I think, your idea simply isn't the right approach to your problem,
which I still don't completely understand. Please describe more
appropriatly what type of messages from whom to who you want to
disallow.

Jonas


Reply via email to