[lug] email mystery

John Hernandez John.Hernandez at noaa.gov
Wed Feb 21 11:42:11 MST 2001

It seems to me that password authentication is not always reasonable.  Sendmail is an e-mail relay and delivery program which implements a store and forward architecture.  Sendmail's job, in my mind, is similar to that of an IP router.  It get messages (from a huge pool of potential sources) and sends them towards the addressee by passing them to another node (or sticking them into a local mail spool).

In the sense that it's part of Internet infrastructure, you can't expect everyone who needs to deliver via your sendmail server to authenticate by password.

The methods outlined by Kirk below are the best known tools to control SPAM.  They amount to strategic ACLs, strict header requirements, and relay authentication where appropriate (ie. dialup links with dynamic IP addressing).

"Holshouser, David" wrote:
> I'm new to administering my own system and how mail is configured in general
> but,
> it just seems strange that sendmail doesn't require a user to authenticate
> properly
> with username/passwd.
> Can someone explain why a concept so integral to security has been skipped
> completely with regards to mail.
> > -----Original Message-----
> > From: Kirk Rafferty [SMTP:kirk at fpcc.net]
> > Sent: Wednesday, February 21, 2001 9:09 AM
> > To:   lug at lug.boulder.co.us
> > Subject:      Re: [lug] email mystery
> >
> > On Wed, Feb 21, 2001 at 12:47:47AM -0700, D. Stimits wrote:
> > > With all the anti-spam laws starting to either show up or be discussed
> > > by various government bodies, it would seem that a law needs to be added
> > > that says commercial advertisement is deemed spam if such tricks are
> > >8<...
> >
> > Laws are hard to enforce with regards to SMTP spam.  In the case of this
> > spam, you'd have to try to enforce a US law in Japan.
> >
> > It would be much more effective to stop the flow of spam at the source.
> > Closing down relays is the first line of defense.  Refusing messages from
> > open relays is another step (which RSS and RBL address).  Another attempt
> > being made on the spam front is the adoption of RFC2476, Message
> > Submission
> > Agent.  You can find out how Sendmail is implementing it at
> > http://sendmail.net/rfc2476.shtml.  Here's a snippet:
> >
> > The goal? First, to prevent spammers and unauthorized
> > users from launching messages into your Internet mail
> > system by tightening up that first conversation between,
> > say, Eudora and sendmail. An MSA would require more
> > fully formed headers to make authentication and tracking
> > of the message possible. It may have extra error codes,
> > such as "message violates system policy." It may require
> > authentication (see RFC 2554) before talking to the
> > MUA.
> >
> > -k
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

More information about the LUG mailing list