Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
387 views
in Technique[技术] by (71.8m points)

protocols - how to determine who sent request to my smtp server: mail-client (such as outlook) or other smtp servers

I am developing smtp server and there is a question i don't understand about smtp handshake.

#1. mail client (outlook) -> My SMTP Server EHLO - AUTH - FROM - TO - DATA - QUIT It is smtp relay request. My smtp server takes the request and delivers the mail to other mail server.

#2. Other SMTP Server -> My SMTP Server EHLO - FROM - TO - DATA - QUIT I understood smtp flow between SMTP servers as follows. AUTH command is not necessary in this case, because AUTH command is for authentication for client to send request relay to smtp server.

#1, #2 are the flow of SMTP that i understand. What I'm curious about is how does my smtp server determine whether this request is from a client or a server. I want to decide whether to do the AUTH command through it.

If my thoughts are wrong, don't laugh too much and i ask for a kind explanation. Thank you.

question from:https://stackoverflow.com/questions/65856666/how-to-determine-who-sent-request-to-my-smtp-server-mail-client-such-as-outloo

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

The usual modern solution is to separate SMTP submission from regular SMTP transmission traffic, and require authentication for the former, but not the latter.

The latter should only accept inbound traffic for domains you are MXing for, and run on port 25.

Regular users should be blocked from using port 25 (your ISP or corporate firewall probably already does this) and use port 587 for message submission. (Some legacy systems still use 465, but you should not.)

In actual practice, you would check at MAIL FROM whether the sender is internal, in which case reject if they are not authenticated; and otherwise, check in RCPT TO if all recipients are internal, and reject the ones which are not.

See RFC 6409 for the SMTP submission spec, and RFC 8314 for related security recommendations.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...