>We would like to know if there is a good way to determine if someone is
>spoofing our mail gateway. Is there a "secure" smtpd or other software
>available that will detect/reject connections from someone pretending to
>be someone else?
>
>db

As Brent Chapman says, there are no real 'secure' versions of sendmail
that can completely authenticate the sender. The fact that often
(usually?) Internet E-Mail is routed through several SMTP relays
from source to destination usually makes this question moot anyway.

There are versions (or 'options' that can be turned on when compiling)
of sendmail that will only perform SMTP transactions with initiating
MTA peers on hosts that (1) have a valid PTR record and A record for
the hostname pointed to, and/or (2) have an identification daemon
running on them (i.e. an RFC 931 or the later RFC 1413 standard implementation
such as pidentd or authd - you can get public domain ident daemons via
FTP from ftp.lysator.liu.se. No flame wars about whether or not these
provide a real degree of authentication in the real world please!).

Myself, I'd regard these as more hassle than they are worth (for an
Internet mail gateway, not a private internal app) since you will
then cut off your host or site from receiving valid email from people
who are not configured (i.e. via DNS or ident) properly. Something I
learned a long time ago is that users who don't receive E-Mail that
has been sent to them get very upset... Remember the dictum:
"Be strict in what you send, liberal in what you accept."

If you need E-Mail authentication over SMTP the necessary steps can be
performed by the users at each end (i.e., the sender could use MD5 or PGP
or PEM with RSA 'keys' to create a credential or digital signature for
a message and the receiver would use a key to verify it). It is not
very "user friendly" or transparent unless a mail user agent makes it
easy to do.

Anyone know of any Mail user interface programs which incorporate
authentication easily into the user interface so that it doesn't
have to be done externally and manually?

- Morrow
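
The PTR-plus-A-record check described in the post above, as an added example (not part of the original message and not sendmail's own code). Function names are hypothetical and the hostnames and addresses are constructed; the strict/lenient switch shows the trade-off the post raises, where a strict gateway refuses mail from misconfigured but legitimate hosts.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR lookup via the system resolver; returns a list of hostnames."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def system_addrs(host):
    """Forward lookup via the system resolver; returns address strings."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(host, None)]
    except OSError:
        return []

def check_peer(peer_ip, ptr=system_ptr, addrs=system_addrs):
    """Classify a connecting MTA: 'pass', 'no-ptr', 'no-a' or 'mismatch'."""
    peer = ipaddress.ip_address(peer_ip)
    names = ptr(peer_ip)
    if not names:
        return "no-ptr", None
    saw_address = False
    for name in names:
        host = name.rstrip(".")
        for addr in addrs(host):
            saw_address = True
            try:
                # The PTR name must resolve back to the connecting address.
                if ipaddress.ip_address(addr) == peer:
                    return "pass", host
            except ValueError:
                continue  # skip anything that is not a plain IP literal
    return ("mismatch" if saw_address else "no-a"), None

def smtp_action(verdict, strict):
    """strict=True refuses anything but 'pass'; lenient accepts and logs."""
    if verdict == "pass":
        return "accept"
    return "reject" if strict else "accept-and-log"

# Constructed sample DNS data (documentation address ranges, made-up names).
PTR = {"192.0.2.10": ["mx1.example.org."], "192.0.2.20": ["mail.example.net."],
       "198.51.100.5": ["gw.example.com."]}
A = {"mx1.example.org": ["192.0.2.10"], "mail.example.net": ["203.0.113.9"]}

def demo():
    """Run the check over the constructed peers with the sample DNS data."""
    look = (lambda i: PTR.get(i, []), lambda h: A.get(h, []))
    return {ip: check_peer(ip, *look)[0]
            for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.5", "203.0.113.77")}
```

A passing result only shows that the peer's forward and reverse DNS agree; it says nothing about who wrote the message, which matters when mail crosses several relays.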