Re: [Full-Disclosure] Apparently the practice was prevalent
From: Martin Mačok (martin.macokunderground.cz)
Date: Wed Feb 11 2004 - 06:17:00 CST
On Wed, Feb 11, 2004 at 10:23:32AM -0000, John.Aireyrnib.org.uk wrote:
> > > In fact, RFC 2822 which obsoletes RFC 822 doesn't even mention
> > > relays.
> > Of course. It also doesn't mention space ships. It's just about
> > something else. It has not anything to do with "email relaying".
> What do space ships have to do with this discussion? There's no
> mention of them in RFC 822, so this is hardly relevant.
RFC 822 has nothing to do with SMTP, relaying nor space ships. That is
what those things have in common.
> > The right one is RFC 2821. See the quote of "Relaying" part from
> > my previous post.
> 2821 supersedes 821, which also implies you should have open relays.
Again, not true. See section "Relaying" in RFC 2821 (quoted in one of my
Next time, please, quote the text from the RFC you are referring to.
> It states that you should have EXPN enabled.
    7.3 VRFY, EXPN, and Security

    As discussed in section 3.5, individual sites may want to disable
    either or both of VRFY or EXPN for security reasons.
> > > Is there any RFC that specifies that open relays are a bad idea?
> > Do not expect that there is an RFC for every bad idea around ...
> Which basically means that anything not strictly allowed isn't.
No, I don't think so.
> No you can't. I also found RFC 2505 after sending my mail, however it still
> mentions nothing about open relays.
    2.1. Restricting unauthorized Mail Relay usage

    Instead, the MTA MUST be able to authorize Mail Relay usage based on
    a combination of:

      o "RCPT To:" address (domain).
      o SMTP_Caller FQDN hostname.
      o SMTP_Caller IP address.

    The suggested algorithm is:

      a) If "RCPT To:" is one of "our" domains, local or a domain that
         we accept to forward to (alternate MX), then accept to Relay.

      b) If SMTP_Caller is authorized, either its IP.src or its FQDN
         (depending on if you trust the DNS), then accept to Relay.

      c) Else refuse to Relay.
In other words, "do not have open relays".
Full-Disclosure - We believe in it.
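
The suggested algorithm from RFC 2505 section 2.1 quoted in the message above, written out in Python as an added example; it is not part of the original message or of the RFC. The domains, networks and function names are constructed placeholders, and refusing routed recipient forms such as `user%other@ours` is an assumption of this example.

```python
import ipaddress

# Constructed sample policy; all domains and networks are placeholders.
OUR_DOMAINS = {"example.org", "mail.example.org"}      # local or alternate-MX domains
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # authorized SMTP_Caller IPs
TRUSTED_HOST_SUFFIXES = (".corp.example.org",)         # authorized SMTP_Caller FQDNs
TRUST_DNS = False  # step b: use the FQDN only "if you trust the DNS"


def rcpt_domain(rcpt_to):
    """Return the lower-cased domain of a RCPT To: path, or None if unusable."""
    addr = rcpt_to.strip().lstrip("<").rstrip(">")
    local, sep, domain = addr.rpartition("@")
    # Assumption of this example: routed forms (user%other@ours, a!b@ours,
    # @hop:user@dom) are refused, because they name a second destination.
    if not sep or not local or any(c in local for c in "%!@:"):
        return None
    return domain.rstrip(".").lower() or None


def caller_authorized(caller_ip, caller_fqdn):
    """Step b: is the connecting host authorized by IP or (optionally) FQDN?"""
    ip = ipaddress.ip_address(caller_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return True
    if TRUST_DNS and caller_fqdn:
        return caller_fqdn.rstrip(".").lower().endswith(TRUSTED_HOST_SUFFIXES)
    return False


def relay_decision(rcpt_to, caller_ip, caller_fqdn=None):
    """Apply steps a, b, c of the suggested algorithm; returns (accept, reason)."""
    domain = rcpt_domain(rcpt_to)
    if domain in OUR_DOMAINS:                      # a) recipient is "ours"
        return True, "a: recipient domain is ours"
    if caller_authorized(caller_ip, caller_fqdn):  # b) caller is authorized
        return True, "b: caller is authorized"
    return False, "c: refuse to relay"             # c) everything else
```

With `TRUST_DNS` left off, a caller that only presents a matching hostname is still refused, which is the conservative reading of "depending on if you trust the DNS".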