Best Way to Control Relaying?

John Rudd jrudd at ucsc.edu
Tue May 16 18:53:08 IST 2006


On May 15, 2006, at 9:39 PM, Alex Neuman van der Hans wrote:

> Kai Schaetzl wrote:
>> Alex Neuman van der Hans wrote on Fri, 12 May 2006 13:19:33 -0500:
>>
>>
>>> What Kai means, more accurately, is that, to _your customers_, you 
>>> _are_ an open relay. This also means that to _viruses_ and _spyware_ 
>>> running on your customers' machines, you _are_ an open relay.
>>>
>>
>> No, what I meant was what I wrote. I may have misunderstood him, 
>> though. From what he wrote it sounded like he was stopping relaying 
>> to others by blocking them in access.db.
>>
> Sorry if I misunderstood you, but in any case, he _is_ an open relay 
> to his customers, since they're not _required_ to authenticate 
> themselves.
>
> This is a problem we used to have in this country since all major 
> ISPs were "open relays" to their customers, which meant that internet 
> cafés and open wifi spots were being used as a base for spammers to 
> get to their victims through ISPs' mail servers.


Uh, that's not what it means to be an "open relay".  An open relay is a 
relay which doesn't restrict who uses it.  Specifically, it is a relay 
that allows 3rd parties (i.e. not the server's proper users (the 
customers), nor people sending to the proper users, but a third group 
which is neither proper users nor people sending to the proper users).  
If only his customers can relay through his server, then it's not an open 
relay.  Therefore, being an "open relay to his customers" is a 
meaningless phrase.  It's like saying "it's a 2 way door if and only if 
you open it from the inside".  If you can only open it from the inside, 
it's not a 2 way door.


I can see arguments for requiring authentication (it's certainly a good 
goal, and should be a 'best practice'), but it's still perfectly normal 
and valid for a site to allow relaying for/by the network/hosts/users 
it is responsible for.  That doesn't make them an "open relay".  It 
makes them a "relay".  There's nothing wrong with being a "relay".
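
As an added example (not part of the original post, nor code from MailScanner or sendmail): a small Python model of the three groups described above, with a check that probes a policy the way an open-relay test would. The networks, domains and function names are constructed for illustration.

```python
import ipaddress

# Constructed site policy (assumption): documentation address ranges and domains.
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.org"}


def smtp_decision(client_ip, rcpt, authenticated=False,
                  networks=OWN_NETWORKS, require_auth=False):
    """Return 'deliver', 'relay' or 'reject' for one RCPT TO."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "deliver"    # mail *to* the proper users: not relaying at all
    if authenticated:
        return "relay"      # proper user, identified by credentials
    addr = ipaddress.ip_address(client_ip)
    if not require_auth and any(addr in net for net in networks):
        return "relay"      # proper user, identified by network address only
    return "reject"         # third party: neither of the groups above


def is_open_relay(networks, require_auth=False):
    """Probe as an unauthenticated outsider sending to an outside recipient."""
    outsider = "198.51.100.7"   # constructed third-party client address
    return smtp_decision(outsider, "someone@example.net",
                         networks=networks, require_auth=require_auth) == "relay"


if __name__ == "__main__":
    everyone = [ipaddress.ip_network("0.0.0.0/0")]
    print("own networks only :", is_open_relay(OWN_NETWORKS))
    print("relay for 0.0.0.0/0:", is_open_relay(everyone))
    # The concern raised in the quoted text: an unauthenticated customer host
    # (infected or not) is still relayed unless authentication is required.
    print("customer, no auth  :", smtp_decision("192.0.2.10", "a@example.net"))
    print("same, auth required:",
          smtp_decision("192.0.2.10", "a@example.net", require_auth=True))
```
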


