
1. Mikael 18/03/2005 13:44:20
(unless you actually expect Internet email to turn up at your inbound gateway claiming to be from your domain and if so, why?
Not sure if it's common today, but this used to screw up some subscriptions to mailing lists, i.e. your own post or other users' posts from your own domain were blocked since the mailing list used the original sender as Mail From:
2. Chris Linfoot 18/03/2005 13:54:25
As this sort of mailing list behaviour is effectively outlawed by SPF anyway, most reputable mailing list systems no longer spoof the sender address in this way.
Aside: FormMail.pl - I recently implemented this on a web site I built for a friend. FormMail.pl uses a local (Unix) mailer executable to send an SMTP email and will by default use as the envelope sender address the email address input by the person on the form. This is probably not such a great idea for the same reasons as above.
The host whose server hosts this web site knows this and has implemented support for FormMail in such a way that, regardless of the email address input by the person filling in the form, the envelope address used by the email generated by the form is the local owner of the web site. Not only does this not break SPF, it actually supports it because the domain of that host's web server has a valid SPF record which permits the web server to send email on its behalf.
As the recipient address for my forms is my Gmail account, I can see clearly in the Gmail SPF header an SPF pass (web server is a permitted sender for web server's domain). Nice.
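The FormMail point above, as an added example that is not part of the original comment thread: a simplified SPF check (ip4 and all mechanisms only) showing why a form-supplied envelope sender fails while the host's own envelope address passes. The domains, addresses, SPF records and function names are constructed assumptions, and a dictionary stands in for DNS.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (assumption: no real DNS).
SPF_RECORDS = {
    "webhost.example": "v=spf1 ip4:192.0.2.10 -all",       # hosting provider's domain
    "visitor.example": "v=spf1 ip4:198.51.100.0/24 -all",  # form visitor's domain
}
WEB_SERVER_IP = "192.0.2.10"  # constructed address of the host's web server

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(envelope_sender, client_ip, records=SPF_RECORDS):
    """Evaluate a simplified SPF policy for the envelope sender's domain."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, include etc. are unsupported in this sketch
    return "neutral"  # no mechanism matched


def formmail_envelope(form_email, site_owner, rewrite):
    """Default FormMail uses the form input; the host's setup uses the site owner."""
    return site_owner if rewrite else form_email


if __name__ == "__main__":
    for rewrite in (False, True):
        sender = formmail_envelope(
            "alice@visitor.example", "owner@webhost.example", rewrite
        )
        print(sender, check_spf(sender, WEB_SERVER_IP))
```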
3. Scott Iver 18/03/2005 14:48:29
I've gotten emails from Dell "sent by" ME.
Apparently Dell thinks it's perfectly OK to send you an email from their system, and claim to be you. I have the email from their support site still in my inbox; it really shocked me to see such a large and well known company doing something like this.
Received: from ausc60pc101.us.dell.com ([143.166.XXX.XXX])
by notes.domainexample.com (Lotus Domino Release 6.5.3FP1)
with ESMTP id 2005031609050226-458 ;
Wed, 16 Mar 2005 09:05:02 -0600
Received: from [server].us.dell.com (HELO AUSOLAXXXXXX) (10.166.XXX.XXX)
by [server].us.dell.com with SMTP; 16 Mar 2005 09:04:55 -0600
X-IronPort-AV: i="3.90,168,1107756000";
d="scan'208"; a="236433220:sNHT20391192"
From: <scott.iver at [mydomain.com]>
To: "scott.iver at [mydomain.com]
Hmmm....
4. Chris Linfoot 18/03/2005 15:15:07
How's that work then? You sign up and ask a question at the support site and then... Do enlighten me.
Let's be clear - the amount of malware alone (forget spam) that this measure has kept out of our systems here in the past three months runs into tens of thousands of items.
I'd be prepared to forgo the odd email from Dell to pay for that benefit.
5. Scott Iver 18/03/2005 15:19:51
Chris,
I completely agree, I was just pointing out that Dell does it...
Yep, sign up at Support.dell.com, ask a question, get an email response from their servers from you to you.
If it weren't so sad it would be funny...
Anyway, we will be implementing this in the future, but my current config to allow my firewalls to email me alerts prevents it for the moment, I just have to figure out how I'm going to set them up...
6. Chris Linfoot 18/03/2005 15:25:06
Have you got another Domino server you can use?
We have one inside the secure zone of our network which will accept relays from a small number of internal systems (identified by IP) and send email from anyone to anyone. This server is not accessible by any outside (or even any DMZ system other than by NRPC on TCP1352) and will only relay for a small number of permitted internal systems.
Works very well.
7. Eric Parsons 18/03/2005 15:28:45
Homepage: http://www.startingblockcomputing.com
While I wholeheartedly agree, http://startingblockcomputing.com/ipw-web/b2/index.php?m=200410#30 I have to say we cannot do this. Several applications on the web, uncontrolled by our domain, send email on our behalf. Customer service nightmare as "our" notices are rejected at our gateway.
Is it right? Probably not, but what's an admin to do???
8. Scott Iver 18/03/2005 15:35:01
Chris, great idea, should have thought of that! That's why you get paid the big bucks right?
I don't have another Domino box right now, but I have a few spare desktops that would run a server just to do internal relay.
Thanks for the idea!
9. Chris Linfoot 18/03/2005 15:57:20
@Eric:
"Several applications on the web, uncontrolled by our domain, send email on our behalf."
Did you give them permission? Can you tell them to stop? Sooner or later they'll have to anyway so it may as well be now.
10. Eric Parsons 18/03/2005 23:00:00
Homepage: http://startingblockcomputing.com
@Chris
Alas, but if I could....
(And No, No, and "We'll cross that bridge IF we get to it...." (them, not me) to answer.) (Don't happen to know any Brits that could bring a bat with them to our next meeting?)