[pmmail-list] PMMail and network security issue.

Rich pmmail-list@blueprintsoftwareworks.com
Mon, 23 Apr 2001 08:54:52 -0400 (EDT)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 23 Apr 2001 07:55:22 +0200, Stefan Kirch wrote:

>Hi Rich!
>
>I'm not sure, if I understood you correctly. You worry about the
>data, which is been shared between your email-client and your
>SMTP-Server, don't you?
>
>In the header of the emails themself, there are no informations 
>about computer-names or workgroup - despite of the "Received"-
>lines, which are inserted by the MTA.
>So it seems to me, as if there is only a security-problem between
>the email-client and the smtp-server, ok?

There _shouldn't_ be any information about the computer name or workgroup in the header, this I agree with 100%. 
It's PMMail that inserts this information using the 'helo' command. As I said, I believe Netscape uses the user name 
entered into the settings menu. I haven't seen another email client that uses the actual computer and workgroup 
names for the helo command. I've also noticed that what gets out of the server is entirely server dependant. Most 
people here don't show any "claiming to be" in the headers. I did a search through all the headers for "claiming to 
be" and only found two others.  If you look at this mail, you'll see in the header a "claiming to be 'me'" at the end of a 
"received" line. That is inserted by PMMail using the helo command. I changed it to read 'me' instead of the 
computer name. This apparently is not reported by most other servers...

>
>EVERY smtp-server knows your ip, if you make a connection to
>the server, if not, you are not able to make a connection. So,
>it doesn't matter, to send the ip-address in the helo-command,
>because the SMTP-server allready know this.
>Ok, the workgroup-name and the computer-name aren't necessary,
>so it would be a good idea, to NOT announce them with the
>helo-command.

It's not the IP address I'm worried about... Besides my dial-up server inserts the IP address no matter what I could 
send them...

>
>In my opinion, the best idea, to be as secure as possible, is
>to use every time a own smtp-server and "patch" this one,
>so that the smtp-server doesn't add important informations to
>the emails, e.g. we use qmail and made settings, that the first
>received line is "Received: from somewhere (user@somewhere)"
>instead of ip-adresses or usernames.
>
>I don't know, if it's possible for you, to install a own
>smtp-server but I think, this is the most secure way to avoid
>any problems!

I don't know if it's possible either? I actually nevcer thought of it. I 'dial up' to the internet and thought I couldn't do an 
SMTP server without a 'real' ip address? I'll have to look into this more closely. I use an OS/2 machine with NAT for 
the internet with a bunch od win machines connected through it...

Thanks...

Rich...


>
>  Steff
>
>- pmmail-list - The PMMail Dicussion List ---------------------------
>To UNSUBSCRIBE, send a message to mdaemon@bmtmicro.com with the first 
>line of the message body being...
>UNSUBSCRIBE pmmail-list@blueprintsoftwareworks.com
>
>

******************************************************************************
Practice Random Acts of Kindness and Senseless...Umm...Uhh....
  Oh - Heck...I never could remember all that "nice" stuff.
- -----------------------------{rich@bearlycomputing.com}------------------------------
******************************************************************************


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 OS/2 for non-commercial use
Comment: PGP 5.0 for OS/2
Charset: noconv

wj8DBQE65BgHBxPGE7kCCh0RAistAKDLorJN+77+HtGzJn9SW4WQAxTsKQCghmUv
lw15goFuRmgdulPHFH+UHr8=
=s3qy
-----END PGP SIGNATURE-----

- pmmail-list - The PMMail Dicussion List ---------------------------
To UNSUBSCRIBE, send a message to mdaemon@bmtmicro.com with the first 
line of the message body being...
UNSUBSCRIBE pmmail-list@blueprintsoftwareworks.com