Okay, basically, this is what I understand the issue to be that you're talking about, RBogan:
User A has an account at abc.com - firstname.lastname@example.org
User B has an account at xyz.com - email@example.com
User A can connect to abc.com and send mail to firstname.lastname@example.org saying it is from email@example.com
User B can also connect to abc.com and send mail to firstname.lastname@example.org saying it is from email@example.com
Because it is extremely unlikely that there is a legitimate reason for user B spoofing the from address, he is probably a spammer.
I agree with all that. So do those of us that have argued with you up until now. That's all fine and good, and we could have gotten to this point a lot sooner if you would have presented things rationally. What we do NOT agree with, is that this is a bug.
The way the SMTP protocol works, is that any server on the internet has the right to "deliver" mail for any user, regardless of whether that user's account actually resides on the server's domain. This builds a lot of redundancy into the e-mail system, allowing for many things, some good and some bad. One good thing is that it allows for cross-domain backup mail servers, for instance. One bad thing is that since it allows for the possibility of "convincing" a server to deliver mail for you even if you don't have an account on the server's domain, it can be abused.
The idea of closed relaying is supposed to address this. The way that it addresses it is very specific. In a nutshell, it restricts the original framework of the SMTP protocol a bit further, so that if all e-mail servers implemented it (which they all should), each e-mail server would only accept e-mails addressed TO users at their domain, unless the person trying to input the e-mail (whether it's a real person with an e-mail client, or an e-mail server who is relaying the message) has authenticated properly.
An e-mail to firstname.lastname@example.org will be accepted by xyz.com only if the authentication passes. This could be one of several ways -- the host contacting xyz.com could be on an IP flagged as privileged for relaying (relaying through your ISP's mail server can be an example of this), the server xyz.com itself could be flagged as accepting relays for abc.com directly, or the mail could be "from" a user at xyz.com (local relay, not recommended because it can be spoofed although some servers do it).
On the other hand (contrast this with above), an e-mail to email@example.com will be accepted by abc.com UNDER ALL CIRCUMSTANCES. It doesn't matter what host is trying to tell abc.com about the message. It doesn't matter what the "from" address on the e-mail is. It could be "from" firstname.lastname@example.org or it could be "from" email@example.com (as in the issue we're talking about) -- it doesn't matter.
The reason it doesn't matter is because CLOSED RELAYING IS NOT DESIGNED TO ADDRESS THIS ISSUE. It's not that MailEnable isn't designed to address it, thus it isn't a bug. Relaying says nothing at all about a server not accepting e-mails for a user AT THE SERVER'S DOMAIN under certain circumstances. The SMTP protocol, and the revised version of the protocol if you include proper relaying security, both stipulate that a server should ALWAYS accept e-mails for a user at its domain.
The reason it is stipulated this way, is because in the general case, xyz.com delivering a message to firstname.lastname@example.org has to contact abc.com to do it, and has no way of authenticating to that server -- it's just trying to send a normal e-mail. Say from email@example.com
Now, what you have been whining about this whole thread, is a much more SPECIFIC case -- the case where the from and to address are both firstname.lastname@example.org. As I stated above, in most cases this is probably spam, you're right. And the way you're trying to address it -- require authentication, so that such an e-mail can still be sent, but only by email@example.com and by no one else, because he has to authenticate to do it -- is a very good approach, because it would eliminate the spam, but still allow the possibility of such an e-mail to happen if one of your users wanted to do it, send an e-mail to himself.
Very very good approach. (Notice how I mix praise in with my sarcastic insults? Sometimes being nice to people gets them to listen better to what you're trying to say my friend).
But in the end, this is a specific case that is NOT addressed by the SMTP protocol, NOT addressed by the security of relaying, and NOT addressed by MailEnable. IT IS NOT A BUG. It is added security that you would like to implement or have implemented, because it happens that it would neatly address a problem you're facing. And I'm all for that. If you had presented it this way from the beginning, figured out a way to do it and shared it, all the posters in this thread would have probably said either "Wow thanks! I can really use that!" or at the very worst "We don't get much spam like that here so it's not that useful to me, but it's nice to know there's a solution if spammers start using tactics like that on my server!"
.... sigh, suddenly I'm very fearful that all the thought I put into trying to get past your attitude will have been wasted. Oh well, I tried. Does everybody else agree with me though? My essential point is that RBogan has a legitimate problem (no one disputed), the solution he talked about would be very useful to him and probably to others *somewhere* (no one disputed), and that it is not a bug in MailEnable or anything else, it's just something that was never meant to be addressed (this is where everyone was disputing with RBogan, I think).
Frankly, it's just not an issue that has come up all that much before because most people don't face that problem. It's rather... inefficient, for a spammer to have to make the from address match the to address for everyone he tries to spam. Spammers try to target hundreds of thousands, even millions of e-mail addresses, and an attack like the one you described would pretty much have to be targeted specifically at your server, and I really don't know that it would accomplish all that much because he'd be severely limiting the number of recipients he could get to, versus say just spamming a million aol accounts or something.
It might be worthwhile if you've got thousands of accounts or more on your mail server, and it would be a helluva lot easier if he somehow obtained a username list from your mail server. All in all, though, I'm surprised it's that much of an issue to you that you've put all this effort into yelling at people about it. It's got to be even more trouble for the spammer than it is for you... someone must really have a grudge against your domain or something, lol.
Anyway, I've twisted the topic around just about every which way I can think of to try to get you to understand. If you don't by now, I give up.
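
The distinction drawn in the post above, as an added example that is not part of the original post and is not MailEnable's code: a closed-relay decision that looks only at the recipient, next to the stricter policy that also requires authentication when the envelope sender claims a local domain. The mailbox names, IP addresses, privileged range and function names are constructed assumptions; abc.com and xyz.com are the domains used in the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed configuration (assumption): abc.com is this server's only
# local domain; one documentation range is flagged as privileged for relaying.
LOCAL_DOMAINS = {"abc.com"}
PRIVILEGED_NETS = [ip_network("192.0.2.0/24")]


@dataclass
class Session:
    client_ip: str       # address of the connecting host
    authenticated: bool  # True once SMTP AUTH has succeeded
    mail_from: str       # envelope sender (MAIL FROM)
    rcpt_to: str         # envelope recipient (RCPT TO)


def domain(addr: str) -> str:
    """Lower-cased domain part; the null sender '<>' yields ''."""
    return addr.rsplit("@", 1)[-1].strip("<>").lower()


def may_relay(s: Session) -> bool:
    """Relaying is allowed for authenticated sessions or privileged IPs."""
    ip = ip_address(s.client_ip)
    return s.authenticated or any(ip in net for net in PRIVILEGED_NETS)


def closed_relay_decision(s: Session) -> str:
    """Closed relaying only: mail for a local recipient is always accepted,
    whatever the sender address claims."""
    if domain(s.rcpt_to) in LOCAL_DOMAINS:
        return "accept"
    return "accept" if may_relay(s) else "reject: relaying denied"


def stricter_decision(s: Session) -> str:
    """Closed relaying plus the extra rule discussed in the thread: a sender
    address at a local domain is only honoured on an authenticated session."""
    if domain(s.mail_from) in LOCAL_DOMAINS and not s.authenticated:
        return "reject: local sender must authenticate"
    return closed_relay_decision(s)


if __name__ == "__main__":
    spoofed = Session("203.0.113.7", False, "usera@abc.com", "usera@abc.com")
    print(closed_relay_decision(spoofed), "|", stricter_decision(spoofed))
```

The rule is applied to the envelope sender (MAIL FROM), so it does not inspect the From: header inside the message body.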