All incoming mail that claims to be from a local address must, eventually, be authenticated, i.e. we must have some trace of who sent it.
There are three ways for a message to be authenticated:
- Come from a local trusted machine that supports identd
- Come over SSL with a username and password
- Come over SSL with a certificate that we have signed
In general, any authenticated user may use any address. We need to be sure that more widely accessible users, such as w3serv which runs our webmail service, cannot be abused.
The first two options are already available. We need a system for handing out signed SSL certificates. The common name should be something like mailfrom:neilb@cse.unsw.edu.au. This still allows mail from any local address, but it identifies the source.
Once this is in place and there are some FAQs that describe it, we need to start identifying people who aren't being authenticated and need to be. Some simple logging in the SMTP receiver should achieve this easily.
When the log shows that sufficiently few people (preferably none) are still not authenticated properly, we disable non-authenticated users for external addresses completely. For internal addresses we still need to accept them, but with an SPF tag indicating probable junk.
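The following is an added example, not code from the original note or from the mail system it describes. It models the policy above in Python: the three ways a submission can be authenticated (trusted local host with identd, username/password over SSL, or an SSL client certificate whose common name has the mailfrom: form), a logging phase that counts local sender addresses claimed without authentication, and the final enforcement stage. The log line format, host names, the w3serv restriction table, and the reading that "external" and "internal addresses" refer to the recipient are all assumptions made for this illustration.

```python
# Added example, not code from the original note: a small model of the
# staged authentication policy it describes.  The log-line format, host
# names, the w3serv restriction table and the reading that "external/internal
# addresses" refers to the recipient are all assumptions for this illustration.
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAIN = "cse.unsw.edu.au"
TRUSTED_IDENTD_HOSTS = {"lamb", "cheese"}             # constructed host names
# Widely accessible service accounts and the only sender local-parts they may use.
RESTRICTED_USERS = {"w3serv": {"w3serv", "webmail"}}  # constructed mapping


@dataclass
class Submission:
    sender: str                        # claimed envelope sender
    recipient: str
    host: Optional[str] = None         # connecting host name
    identd_user: Optional[str] = None  # answer from identd on that host
    tls: bool = False
    auth_user: Optional[str] = None    # username/password login over SSL
    cert_cn: Optional[str] = None      # CN of a client certificate we signed


def is_local(address: str) -> bool:
    return address.lower().endswith("@" + LOCAL_DOMAIN)


def authenticated_identity(s: Submission):
    """Return (method, username) for an authenticated submission, else None."""
    if s.host in TRUSTED_IDENTD_HOSTS and s.identd_user:
        return ("identd", s.identd_user)
    if s.tls and s.auth_user:
        return ("password", s.auth_user)
    if s.tls and s.cert_cn:
        m = re.fullmatch(r"mailfrom:([^@\s]+)@" + re.escape(LOCAL_DOMAIN), s.cert_cn)
        if m:
            return ("cert", m.group(1))
    return None


def decide(s: Submission, enforce: bool = False) -> str:
    """'accept', 'accept-tagged' (probable-junk mark) or 'reject'."""
    if not is_local(s.sender):
        return "accept"                # not a local-address claim; out of scope here
    ident = authenticated_identity(s)
    if ident:
        _, user = ident
        allowed = RESTRICTED_USERS.get(user)
        if allowed is not None and s.sender.split("@")[0] not in allowed:
            return "reject"            # service account claiming someone else's address
        return "accept"
    if not enforce:
        return "accept"                # logging phase: only record it
    return "accept-tagged" if is_local(s.recipient) else "reject"


# Constructed log format: key=value pairs, "-" meaning absent.
LOG_RE = re.compile(r"from=<(?P<sender>[^>]*)> to=<(?P<recipient>[^>]*)> host=(?P<host>\S+) "
                    r"ident=(?P<ident>\S+) tls=(?P<tls>yes|no) auth=(?P<auth>\S+) cn=(?P<cn>\S+)")


def parse_log_line(line: str) -> Submission:
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("unrecognised log line: " + line)
    f = lambda k: None if m.group(k) == "-" else m.group(k)
    return Submission(m.group("sender"), m.group("recipient"), f("host"), f("ident"),
                      m.group("tls") == "yes", f("auth"), f("cn"))


def unauthenticated_senders(lines) -> Counter:
    """Logging phase: count local sender addresses claimed without authentication."""
    c = Counter()
    for line in lines:
        s = parse_log_line(line)
        if is_local(s.sender) and authenticated_identity(s) is None:
            c[s.sender] += 1
    return c


SAMPLE_LOG = [  # constructed sample lines
    "smtp-in from=<neilb@cse.unsw.edu.au> to=<a@example.org> host=lamb ident=neilb tls=no auth=- cn=-",
    "smtp-in from=<neilb@cse.unsw.edu.au> to=<b@example.org> host=dialup7 ident=- tls=yes auth=- cn=mailfrom:neilb@cse.unsw.edu.au",
    "smtp-in from=<jane@cse.unsw.edu.au> to=<c@example.org> host=dialup9 ident=- tls=no auth=- cn=-",
    "smtp-in from=<jane@cse.unsw.edu.au> to=<d@cse.unsw.edu.au> host=dialup9 ident=- tls=no auth=- cn=-",
    "smtp-in from=<neilb@cse.unsw.edu.au> to=<e@example.org> host=www ident=- tls=yes auth=w3serv cn=-",
]

if __name__ == "__main__":
    print(unauthenticated_senders(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(decide(parse_log_line(line), enforce=True), line)
```

Run over the constructed sample, the logging phase reports jane as the one sender still not authenticating; once enforce=True, her mail to an external recipient is rejected, her mail to an internal recipient is accepted with the junk tag, and the w3serv login claiming neilb's address is refused even though it authenticated.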