richl@penguin.uss.tek.com (Rick Lindsley) (09/30/86)
Has anybody thought of a good solution to this problem? One that I once implemented was to make smtp use a root port to send mail. Then if I telnet to 25, I can chat with a help command, or maybe vrfy an address, but as soon as I do mail from: I'll get an error.

In our particular case, we had mixed mailers (not all used root ports) so I couldn't just refuse the message. What I did, though, was tack on a line:

    Comments: Message received over unauthenticated port.

Unfortunately, the users howled that this *looked* bad, and made our company *look* bad. Apparently they'd rather have the hole present than "look bad", so when we converted to sendmail the "feature" of being able to telnet a forged message returned.

Does anybody else see this as a solution, or if not a solution then perhaps a step towards one? I also think verification of a sitename on a helo command would be nice, to catch obvious liars. (Yes, I once implemented that too, and caught flak for that too!)

Rick
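The two checks described in the post above, as an added sketch that is not Rick's code or sendmail's: tag mail arriving from a non-root source port, and compare the helo name with the name the peer address resolves back to. The function names, the reverse-lookup comparison, the wording of the second comment and the sample addresses are assumptions made for illustration.

```python
import socket
from email import message_from_string

PRIVILEGED_PORT_LIMIT = 1024  # on Unix, binding a port below this needs root
PORT_COMMENT = "Message received over unauthenticated port."  # text from the post

# Constructed sample data: stand-in for reverse DNS so the example runs offline.
SAMPLE_PTR = {"192.0.2.10": "penguin.example.com"}

def sample_lookup(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR record")
    return SAMPLE_PTR[ip]

def dns_lookup(ip):
    """Real reverse lookup; a failure surfaces as OSError (socket.herror)."""
    return socket.gethostbyaddr(ip)[0]

def helo_matches(claimed, peer_ip, reverse_lookup=dns_lookup):
    """True if the helo name equals the name peer_ip resolves back to."""
    try:
        actual = reverse_lookup(peer_ip)
    except OSError:
        return False
    return actual.rstrip(".").lower() == claimed.rstrip(".").lower()

def tag_message(raw, peer_ip, peer_port, helo, reverse_lookup=dns_lookup):
    """Return the message with a Comments: header added per failed check.

    Nothing is refused, matching the mixed-mailer constraint in the post.
    """
    msg = message_from_string(raw)
    if peer_port >= PRIVILEGED_PORT_LIMIT:
        msg["Comments"] = PORT_COMMENT  # assignment appends a header
    if not helo_matches(helo, peer_ip, reverse_lookup):
        # Hypothetical wording; the post does not say what its helo check did.
        msg["Comments"] = "HELO name %s does not match sender address %s" % (
            helo, peer_ip)
    return msg.as_string()

if __name__ == "__main__":
    raw = "From: boss@example.com\nSubject: raise\n\nApproved.\n"  # constructed
    print(tag_message(raw, "192.0.2.10", 31337, "liar.example.net",
                      sample_lookup))
```

The source-port test only carries weight when root on the sending host is itself trusted, since the port number is all the receiver sees.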