Why no SMTP Auth?
Hi,
I tested another provider and found out, that it is possible to use SMTP Auth with own Domains. Which is kind of neat. Why does Fastmail not use SMTP Auth within it's service? It would be much more secure as I can be sure, that no one else is using my domain/alias to send mails from... What do you think about? |
Fastmail does use SMTP AUTH - it authenticates you as a user when using their submission servers, but it has nothing to do with what their servers will relay.
Fastmail will let you relay email purporting to be from other systems. I'm not sure whether this applies to other people's local addresses and hosted domains - I've never tried spoofing another user. |
Quote:
Quote:
Bill |
Quote:
It's convenient that FM allows people to send email from third-party domains, but it shouldn't allow anyone to send using someone else's address that hosted at FM. If they do it makes a mockery of SPF and DMARC. The likes of Google and Microsoft don't allow it, I would hope FM doesn't, but I've never tested it. |
Quote:
|
Quote:
|
Quote:
|
Quote:
|
Surely it potentially affects all of us. I raised a ticket.
|
FM's reply:
We are aware of the potential for spoofing or rewriting of headers, and this is a limitation of email itself and not specific to Fastmail! Anybody can send emails using any Fastmail address. This is similar to someone going around sending postcards or snail mail to people but forging your postal address. The postal department will deliver the cards, but they really can't stop someone from doing this. We are in a similar situation here.. To address any instances of abuse we maintain the monitored address abuse@fastmail.com. We take any reports of phishing, spam or fraud very seriously. If a message is sent from the Fastmail SMTP servers, the full headers of a message will evidence the original sender in the form of an encrypted header, X-ME-Sender. This is a header which we can use to find the sending account for any email sent by a user, this is used when handling spam and email abuse. As this header is encrypted it is not possible for third parties to use this to find a sending account. Please let me know if you have any additional questions. My view: the encrypted header is good news, but of course the recipient of such a mail will not realise that the only way to find out who really sent the mail is to ask FM. And if they're not an FM customer the chances are they won't do that. I still don't see why they can't block misuse my one FM customer of another FM customer's address. |
But why not use these sender authentication?
Couldn’t it be possible to check, if the sender is legible to send from this domain (check if the account credentials have a domain which matches the sender)? It’s actually only a cross check within databases?! Check if User XX sending with password XX a mail from domain XY if this domain is within it‘s account. If not. It’s not allowed to send from that domain. |
Quote:
Quote:
Quote:
|
I replied again, more forcefully. The first-level support person said they'd passed the problem up the line. I'll let you know what the expert says.
|
Really interested in their feedback.
It would be so much better to have this auth method integrated. Don't want, that anybody else can send (without a problem) mails with my mail-addresses and domain names... That's a big issue! Other mail-providers do check, if the domain belongs to the sender. |
I've had a more encouraging reply:
"Yes, what you have noted is actually a known issue. However, the good news is that, its something we plan to address soon. We have a project in progress to restrict sending to be from verified addresses only. Since this is likely to interfere with some users legitimate workflows it has to be introduced very carefully. So, no timeline at the moment, but we are working on it." I replied saying that I thought that how useful this turns out to be (for example whether I could send mails 'from' an address I own, that's not an FM one) will depend on what they mean by "verified"... |
All times are GMT +9. The time now is 09:15 AM. |
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy