>I will investigate further the option you
>suggested "Only allow connections from
>connections with the following IP Addresses"
>using the IP addresses of all the Domino
>Servers that will route mail to the SMTP
>Server then hopefully preventing users from
>relaying mail directly to the SMTP Server.
This looks like the best solution for you. Let us know how you got on.
As to the wider question of how to prevent clients that deliver mail to the server via SMTP from spoofing a different internal address... perhaps the best way to address this is to think about the information you have to work with.
Take a look at the data transferred in a standard SMTP message. Here's a basic example (using Exchange, but it would be very similar with Domino)
http://www.windowsitlibrary.com/Content/212/01/2.html
To accomplish your antispoofing, a server would need to match the MAIL FROM: header (and the FROM: line in the data) with some other info it had to identify the user.
What other info would you like the server to use? You could (perhaps) only accept SMTP mail from clients on an SSL port, but you'd still only be checking that the sender was some authorised user, not the same user as in the MAIL FROM: header.
Basically, this shows two things. SMTP was never intended to provide sender authentication, and therefore it's not a suitable protocol for your clients to use to talk to the mail server.
Of course, someone may have solutions to these problems, and I'd love to see them.
Good luck,
Rupert Clayton
London
Return to top
. . . . . . . . . . RE: Blocking spoofed messages from ... (~Anita Asafreez... 16.Jan.04)
Print this page
