|
FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
|
Thread Tools |
7 Oct 2019, 06:03 PM | #1 |
Member
Join Date: Apr 2016
Posts: 79
|
Why no SMTP Auth?
Hi,
I tested another provider and found out, that it is possible to use SMTP Auth with own Domains. Which is kind of neat. Why does Fastmail not use SMTP Auth within it's service? It would be much more secure as I can be sure, that no one else is using my domain/alias to send mails from... What do you think about? |
8 Oct 2019, 10:26 AM | #2 |
Essential Contributor
Join Date: Jan 2017
Posts: 278
|
Fastmail does use SMTP AUTH - it authenticates you as a user when using their submission servers, but it has nothing to do with what their servers will relay.
Fastmail will let you relay email purporting to be from other systems. I'm not sure whether this applies to other people's local addresses and hosted domains - I've never tried spoofing another user. |
8 Oct 2019, 11:45 AM | #3 | ||
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
|
Quote:
Quote:
Bill |
||
9 Oct 2019, 03:21 AM | #4 | |
Essential Contributor
Join Date: Jan 2017
Posts: 278
|
Quote:
It's convenient that FM allows people to send email from third-party domains, but it shouldn't allow anyone to send using someone else's address that hosted at FM. If they do it makes a mockery of SPF and DMARC. The likes of Google and Microsoft don't allow it, I would hope FM doesn't, but I've never tested it. |
|
9 Oct 2019, 12:19 PM | #5 |
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,090
|
I believe there can be legitimate reasons why one might want to send using a FastMail email address other than your own in the From field. However, the owner of the address ought to first authorise doing so.
|
10 Oct 2019, 05:14 AM | #6 |
Essential Contributor
Join Date: Jan 2017
Posts: 278
|
It looks like they do allow it. I found an FM hosted domain in a mailing list and spoofed the address (both header and envelope) in an email to a gmail account of mine. It was received, as expected, with a DMARC pass.
|
10 Oct 2019, 09:13 PM | #7 |
Essential Contributor
Join Date: Dec 2017
Location: Scotland
Posts: 484
|
That's not good - clearly FM could prevent that. Have you reported it?
|
14 Oct 2019, 06:57 AM | #8 |
Essential Contributor
Join Date: Jan 2017
Posts: 278
|
|
14 Oct 2019, 07:03 PM | #9 |
Essential Contributor
Join Date: Dec 2017
Location: Scotland
Posts: 484
|
Surely it potentially affects all of us. I raised a ticket.
Last edited by JeremyNicoll : 14 Oct 2019 at 07:11 PM. |
15 Oct 2019, 07:19 PM | #10 |
Essential Contributor
Join Date: Dec 2017
Location: Scotland
Posts: 484
|
FM's reply:
We are aware of the potential for spoofing or rewriting of headers, and this is a limitation of email itself and not specific to Fastmail! Anybody can send emails using any Fastmail address. This is similar to someone going around sending postcards or snail mail to people but forging your postal address. The postal department will deliver the cards, but they really can't stop someone from doing this. We are in a similar situation here.. To address any instances of abuse we maintain the monitored address abuse@fastmail.com. We take any reports of phishing, spam or fraud very seriously. If a message is sent from the Fastmail SMTP servers, the full headers of a message will evidence the original sender in the form of an encrypted header, X-ME-Sender. This is a header which we can use to find the sending account for any email sent by a user, this is used when handling spam and email abuse. As this header is encrypted it is not possible for third parties to use this to find a sending account. Please let me know if you have any additional questions. My view: the encrypted header is good news, but of course the recipient of such a mail will not realise that the only way to find out who really sent the mail is to ask FM. And if they're not an FM customer the chances are they won't do that. I still don't see why they can't block misuse my one FM customer of another FM customer's address. |
15 Oct 2019, 11:28 PM | #11 |
Member
Join Date: Apr 2016
Posts: 79
|
But why not use these sender authentication?
Couldn’t it be possible to check, if the sender is legible to send from this domain (check if the account credentials have a domain which matches the sender)? It’s actually only a cross check within databases?! Check if User XX sending with password XX a mail from domain XY if this domain is within it‘s account. If not. It’s not allowed to send from that domain. |
21 Oct 2019, 10:47 PM | #12 | |||
Essential Contributor
Join Date: Jan 2017
Posts: 278
|
Quote:
Quote:
Quote:
|
|||
22 Oct 2019, 06:48 PM | #13 |
Essential Contributor
Join Date: Dec 2017
Location: Scotland
Posts: 484
|
I replied again, more forcefully. The first-level support person said they'd passed the problem up the line. I'll let you know what the expert says.
|
23 Oct 2019, 03:31 PM | #14 |
Member
Join Date: Apr 2016
Posts: 79
|
Really interested in their feedback.
It would be so much better to have this auth method integrated. Don't want, that anybody else can send (without a problem) mails with my mail-addresses and domain names... That's a big issue! Other mail-providers do check, if the domain belongs to the sender. |
24 Oct 2019, 04:31 AM | #15 |
Essential Contributor
Join Date: Dec 2017
Location: Scotland
Posts: 484
|
I've had a more encouraging reply:
"Yes, what you have noted is actually a known issue. However, the good news is that, its something we plan to address soon. We have a project in progress to restrict sending to be from verified addresses only. Since this is likely to interfere with some users legitimate workflows it has to be introduced very carefully. So, no timeline at the moment, but we are working on it." I replied saying that I thought that how useful this turns out to be (for example whether I could send mails 'from' an address I own, that's not an FM one) will depend on what they mean by "verified"... Last edited by JeremyNicoll : 24 Oct 2019 at 04:40 AM. |
Thread Tools | |
|
|