lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: martin.macok at underground.cz (Martin Mačok)
Subject: Apparently the practice was prevalent

On Wed, Feb 11, 2004 at 10:23:32AM -0000, John.Airey@...b.org.uk wrote:

> > > In fact, RFC 2822 which obsoletes RFC 822 doesn't even mention
> > > relays.
> > 
> > Of course. It also doesn't mention space ships. It's just about
> > something else. It has not anything to do with "email relaying".
> > 
> What do space ships have to do with this discussion? There's no
> mention of them in RFC 822, so this is hardly relevant.

RFC 822 has nothing to do with SMTP, relaying nor space ships. That is
what those things have in common.

> > The right one is RFC 2821. See the quote of "Relaying" part from
> > my previous post.

> 2821 supersedes 821, which also implies you should have open relays.

Again, not true. See section "Relaying" in RFC 2821 (quoted in one of my
previous posts).

Next time, please, quote the text from the RFC you are referring to.

> It states that you should have EXPN enabled.

Really?

RFC 2821

7.3 VRFY, EXPN, and Security

   As discussed in section 3.5, individual sites may want to disable
   either or both of VRFY or EXPN for security reasons.

[..]

> > > Is there any RFC that specifies that open relays are a bad idea?
> > 
> > Do not expect that there is an RFC for every bad idea around ...
> > 
> Which basically means that anything not strictly allowed isn't.

No, I don't think so.

> No you can't. I also found RFC 2505 after sending my mail, however it still
> mentions nothing about open relays.

RFC 2505

2.1. Restricting unauthorized Mail Relay usage

[..]

   Instead, the MTA MUST be able to authorize Mail Relay usage based on
   a combination of:

   o   "RCPT To:" address (domain).
   o   SMTP_Caller FQDN hostname.
   o   SMTP_Caller IP address.

   The suggested algorithm is:

   a)  If "RCPT To:" is one of "our" domains, local or a domain that
       we accept to forward to (alternate MX), then accept to Relay.

   b)  If SMTP_Caller is authorized, either its IP.src or its FQDN
       (depending on if you trust the DNS), then accept to Relay.

   c)  Else refuse to Relay.

[..]

In other words, "do not have open relays".

Martin Ma?ok


Powered by blists - more mailing lists