Re: Can we please refuse mail to the list from list addresses? - Mailing list pgsql-www

From Andrew Sullivan
Subject Re: Can we please refuse mail to the list from list addresses?
Date
Msg-id 20071129223558.GC8157@crankycanuck.ca
Whole thread Raw
In response to Re: Can we please refuse mail to the list from list addresses?  ("Marc G. Fournier" <scrappy@hub.org>)
Responses Re: Can we please refuse mail to the list from list addresses?  (Magnus Hagander <magnus@hagander.net>)
List pgsql-www
Hi all,

It appears that I caused a ruckus with my suggestion.  It hasn't helped that
I have, I think, encouraged a rather different discussion.  This message is
intended to disambiguate the various threads of this discussion, lay to rest
at least one, and to make a promise about others.

A.  What I asked for

What I actually asked for was that we reject mail From:
<listname@postgresql.org> destined for <listname@postgresql.org>.  I
suggested this, because the spammers have obviously figured out that they
can send mail with the From: and To: headers the same, and evade many spam
traps.  Since lists should _never_ send mail to themselves (it'd be a loop),
this is an obvious optimisation.  Marc says he can do this; I dunno whether
it's been done, but I think his suggestion should be implemented. 

B.  What else came out

As it turns out, this discussion raised several other issues.  I think they
are the following:

1.    SMTP Auth

Everyone agrees this should be and is happening, so we don't need to discuss
it more.

2.    SMTP Submit vs. "Classic" SMTP 

While it is possible to authenticate SMTP while relaying, there is a current
push in the Internet operator community to end the practice of MUA->MTA
submission on port 25.  The reasons for this are somewhat complicated.  I'd
like to propose that we not be distracted by this conversation while the
current release is happening.  Therefore, I propose that we postpone that
discussion until some time in January.

In order to allow people to prepare for any such discussion, there are some
sub-questions that arise:
a.  Do we allow email that is unauthenticated with SMTP Auth fromany domain to go to any list without moderation
(irrespectiveofsubscription)?b.  Do we allow email that is unauthenticated with SMTP Auth frompostgresql.org domains to
goto any list without moderation(irrespective of subscription)?c.  Do we reject email that is unauthenticated with SMTP
Authwith aTo: to the lists?d.  Do we regard email with a From: address in the postgresql.orgdomain that is
unauthenticated(by any server) to be legitimate (andtherefore in or out of spam-control attempts)?e.  Do we regard
emailwith a From: address in the postgresql.orgdomain that is not SMTP-Auth authenticated _at all_ to belegitimate?f.
Dowe regard email with a From: address in the postgresql.orgdomain that is not authenticated _at the postgresql.org
mailservers_to be legitimate?  (Consider SMTP Auth atnon-postgresql.org mail servers, such as hub.org
orcommandprompt.com.)g. Do we regard email with a From: address in the postgresql.orgdomain that is not authenticated
bythe postgresql.org submitservice at the time of MUA->MTA delivery to be legitimate?h.  What do our answers to the
abovemean for various email signingsystems (such as SPF and DKIM)?
 

Every one of the above may be answered in different ways, and the union of
them entails various listmail policies that we may or may not like.  Since
the possible set of policies is so large, I offer to put together a proposed
set of policies, with justifications, some time in January (after the
release is behind us); that ought to eliminate the number of options that
need to be included (I think some of the above questions have obvious
answers).

Is this ok with others?

A

-- 
Andrew Sullivan
Old sigs will return after re-constitution of blue smoke


pgsql-www by date:

Previous
From: Magnus Hagander
Date:
Subject: Re: Can we please refuse mail to the list from list addresses?
Next
From: Magnus Hagander
Date:
Subject: Re: Can we please refuse mail to the list from list addresses?