13 May 2004, 4:46 UTC
SPF-Received tagging
smtp-recv should tag all arriving email with SPF-Received.
If the mail is to an address (and only one address) which contains an equals sign followed by at least one period, we use that domain for SPF checking.
Otherwise if the mail is from <>, then we assume FAIL if the to address wasn't encapsulated, and PASS if it was.
Otherwise we perform an SPF check on the MAIL FROM address.
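The three-way decision above, as an added example that is not code from the original notes. It assumes that an "encapsulated" recipient carries an SES= or SRS= prefix on its local part, that the forwarder domain is the first '='-delimited segment of the local part containing a period, and that the SPF check itself is supplied as a callable; the header format is constructed.

```python
from typing import Callable, List, Optional, Tuple

# Assumption: these prefixes mark a recipient address that we rewrote ourselves.
ENCAP_PREFIXES = ("SES=", "SRS=")


def split_addr(addr: str) -> Tuple[str, str]:
    """Split 'local@domain' into (local, domain); angle brackets are stripped."""
    local, _, domain = addr.strip("<>").rpartition("@")
    return local, domain


def forwarder_domain(addr: str) -> Optional[str]:
    """Domain named after an '=' in the local part (e.g. bob=example.com@us), or None."""
    local, _ = split_addr(addr)
    for segment in local.split("=")[1:]:
        if "." in segment:  # "equals sign followed by at least one period"
            return segment
    return None


def is_encapsulated(addr: str) -> bool:
    local, _ = split_addr(addr)
    return local.upper().startswith(ENCAP_PREFIXES)


def spf_decision(mail_from: str, rcpt_tos: List[str],
                 spf_check: Callable[[str], str]) -> Tuple[str, Optional[str]]:
    """Return (result, domain_checked) following the rules in the note above.

    spf_check(domain) is the real SPF lookup and returns e.g. 'PASS' or 'FAIL'.
    """
    # Rule 1: a single recipient naming a forwarder domain in its local part.
    if len(rcpt_tos) == 1:
        domain = forwarder_domain(rcpt_tos[0])
        if domain is not None:
            return spf_check(domain), domain
    # Rule 2: null sender (bounce): trust it only if we rewrote the recipient.
    if mail_from.strip("<>") == "":
        ok = bool(rcpt_tos) and all(is_encapsulated(r) for r in rcpt_tos)
        return ("PASS" if ok else "FAIL"), None
    # Rule 3: ordinary case, check the MAIL FROM domain.
    _, domain = split_addr(mail_from)
    return spf_check(domain), domain


def spf_received_header(result: str, domain: Optional[str]) -> str:
    """Constructed header format: the tag smtp-recv would add to the message."""
    return f"SPF-Received: {result}" + (f" ({domain})" if domain else "")
```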
13 May 2004, 4:03 UTC
Address rewriting
We want to re-write addresses and recognise rewritten addresses.
There are two situations where we want to re-write addresses.
- If we trust the source of a return address, we want to re-write it when sending the mail to be signed and to look like it comes from us.
If it really comes from a local domain that we aren't the only MX for, then rewriting isn't appropriate. I probably need to refine 'local domain' into those that we control completely and those that we spool and forward mail for.
- When we are forwarding mail through the virus checker, we want to re-write the sender and recipient addresses. This rewriting should be different from the other rewriting and should be transparent to the rest of the mail system.
Recognising re-written addresses needs to happen for all incoming mail - the to address can always be encapsulated.
Also, we want to recognise special recipient addresses that are coming from forwarders, e.g. if the localpart contains an equals sign, then we check whether the domain which follows that equals sign is a reliable source of the mail.
The rewriting of return-path should keep the original domain for local domains, and use cse.unsw.edu.au for all others.
In the first case we can use SES= to flag the address.
For others, SRS= seems better.
For virus re-writing, VRF and VRT for the virus from and to addresses.
If we get mail from a VRF and to a VRT, we accept it. If it is to a VRF and from <>, then it has to go to postmaster. Otherwise we reject it.
13 May 2004, 3:46 UTC
Authenticate incoming mail
All incoming mail that claims to be from a local address must, eventually, be authenticated, i.e. we must have some trace of who sent it.
There are three ways to be authentic:
- Come from a local trusted machine that supports identd
- Come over SSL with a username and password
- Come over SSL with a certificate that we have signed
In general, any authenticated user may use any address. We need to be sure that more widely accessible users, such as w3serv which runs our webmail service, cannot be abused.
The first two options are already available. We need a system for handing out signed SSL certificates. The common name should be something like mailfrom:neilb@cse.unsw.edu.au. This still allows mail from any local address, but it identifies the source.
Once this is in place and there are some FAQs that describe it, we need to start identifying people who aren't being authenticated and need to be. Some simple logging in the smtp receiver should achieve this easily.
When the log shows that sufficiently few people (preferably none) are not authenticated properly, we disable non-authenticated users for external addresses completely. For internal addresses we need to accept them but with an SPF tag indicating probable junk.