[Mailman-Developers] Anyone tried the DMARC mail address translucent forwarder hack?

Stephen J. Turnbull stephen at xemacs.org
Sat May 17 09:44:08 CEST 2014


John Levine writes:

 > You just need one DNS entry, for *.remail.lists.org.  Believe it or
 > not, that's legal, valid, standard, etc.

Legal, valid, and useful, yes.  However, it's generally considered a
poor practice because it means that all of those domains exist, which
makes it hard to debug misrouted connections.

In this case it's sufficiently useful that it's worth considering.

 > You could do that, but the syntax details aren't all that important.

Indeed.

 > One is that if you do this in a naive way, you have a wide open
 > relay for bad guys to use.  You'd have to manage it, probably with
 > a combination of only allowing mail to addresses you've rewritten,
 > rate limiting, and spam filtering.

Yes.  This is true regardless of the syntax used, of course.  You also
need to be sure that such addresses that are not in "From" get
rewritten to original form (subject to the same checks), and so on
both in distributed posts and in your archives.

 > The other is that if you do this very much, the rewritten addresses
 > will find their way into people's address books, and now you're stuck
 > being a semi-public mail forwarder forever.

Also into archives of mailing lists and the like.

I hope anybody thinking about doing this takes the above warnings to
heart, especially about the potential for abuse as an open relay.
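As an added illustration, not code from this thread or from Mailman itself, here is one way to make the "only allow mail to addresses you've rewritten" check stateless: the list server tags every address it rewrites with a truncated HMAC under a secret only it holds, so the forwarder can verify that a rewritten address is its own work before it relays anything back. The forwarder domain (remail.lists.org, the wildcard from the thread), the `local=tag@origdomain.remail.lists.org` layout, the secret and the tag length are all assumptions of this example; the thread does not fix any syntax. `restore_header` shows the other point above, putting the original addresses back into headers other than From (Reply-To, Cc) before a post is distributed or archived, leaving anything that does not verify untouched.

```python
import hashlib
import hmac
from email.utils import formataddr, getaddresses

# Assumptions for this example (not from the thread): the forwarder accepts
# mail for the wildcard *.remail.lists.org, and the list server holds a
# secret used to tag the addresses it has rewritten.
FORWARDER_DOMAIN = "remail.lists.org"
SECRET = b"example-only-secret-rotate-in-production"   # constructed for the example
TAG_LEN = 12   # hex characters kept from the HMAC-SHA256 output


def _tag(local, domain):
    """Short HMAC tag binding a rewritten address to the original one."""
    msg = f"{local}@{domain}".lower().encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def rewrite(addr):
    """user@example.com -> user=<tag>@example.com.remail.lists.org

    Refuses to rewrite an address that already points at the forwarder, so
    a looped or replayed post cannot stack rewrites.
    """
    local, _, domain = addr.partition("@")
    d = domain.lower()
    if not local or not domain or d == FORWARDER_DOMAIN or d.endswith("." + FORWARDER_DOMAIN):
        raise ValueError(f"refusing to rewrite {addr!r}")
    return f"{local}={_tag(local, domain)}@{domain}.{FORWARDER_DOMAIN}"


def restore(addr):
    """Inverse of rewrite(); returns None unless the tag verifies.

    This is the anti-open-relay gate: the forwarder only delivers to an
    original address if the list server itself produced the rewritten form.
    """
    local, _, fdomain = addr.partition("@")
    suffix = "." + FORWARDER_DOMAIN
    if not fdomain.lower().endswith(suffix):
        return None
    domain = fdomain[: -len(suffix)]
    orig_local, sep, tag = local.rpartition("=")
    if not sep or not domain or not orig_local or len(tag) != TAG_LEN:
        return None
    expected = _tag(orig_local, domain)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return f"{orig_local}@{domain}"


def may_forward(addr):
    """Policy decision for the forwarder's MTA: relay only verified rewrites."""
    return restore(addr) is not None


def restore_header(value):
    """Put original addresses back into a header such as Reply-To or Cc.

    Addresses that are not verified rewrites (plain addresses, or forged
    ones carrying a bad tag) are passed through unchanged.
    """
    out = []
    for name, addr in getaddresses([value]):
        orig = restore(addr)
        out.append(formataddr((name, orig if orig else addr)))
    return ", ".join(out)


if __name__ == "__main__":
    r = rewrite("alice@example.com")
    print(r, "->", restore(r))
    print("relay for random target allowed?", may_forward("bob@spam.example"))
```

The tag is bound to the lowercased original address, so a recipient who retypes the rewritten address in different case still gets through, while changing the local part or domain invalidates it. Rate limiting and spam filtering, the other two controls John mentions, sit in front of `may_forward` in the MTA and are not shown here.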


