<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    So, it turns out you're entirely correct. I actually checked it
    using nc before I sent that email and the relay agent wants a CRLF
    like you sent with telnet, not a CR like I sent with nc to process
    the period <gently places foot in mouth><br>
    <br>
    The action I expected was for the relay agent to accept ingress SMTP
    from external domains to the local domain, but to expect
    authentication for the local domain (even where the recipient is
    local.)<br>
    <br>
    The reason for that expectation is as per the obvious spam
    implication and, as you suspect, Google delivered it to spam. If
    what you're suggesting is correct and basically all servers will
    allow unauthenticated relay from localdomain to localdomain that's
    an issue... and a great reason to implement SPF.<br>
    <br>
    <br>
    <br>
    T.<br>
    <br>
    <div class="moz-cite-prefix">On 1/03/13 6:23 PM, Scott Howard wrote:<br>
    </div>
    <blockquote
cite="mid:CACnPsNVJLdtTYfxqEEBbhsOjwLizBLQee9Fv5BGD1FNG92J6RQ@mail.gmail.com"
      type="cite">OK.
      <div><br>
      </div>
      <div>
        <div>scott@zaphod:~$ telnet <a moz-do-not-send="true"
            href="http://gmail-smtp-in.l.google.com">gmail-smtp-in.l.google.com</a>
          25</div>
        <div>Trying 2607:f8b0:4001:c02::1a...</div>
        <div>Connected to <a moz-do-not-send="true"
            href="http://gmail-smtp-in.l.google.com">gmail-smtp-in.l.google.com</a>.</div>
        <div>Escape character is '^]'.</div>
        <div>220 <a moz-do-not-send="true" href="http://mx.google.com">mx.google.com</a>
          ESMTP pd3si8526298icb.35 - gsmtp</div>
        <div>helo there</div>
        <div>250 <a moz-do-not-send="true" href="http://mx.google.com">mx.google.com</a>
          at your service</div>
        <div>mail from:<<a moz-do-not-send="true"
            href="mailto:march.tim@gmail.com">march.tim@gmail.com</a>></div>
        <div>250 2.1.0 OK pd3si8526298icb.35 - gsmtp</div>
        <div>rcpt to:<<a moz-do-not-send="true"
            href="mailto:march.tim@gmail.com">march.tim@gmail.com</a>></div>
        <div>250 2.1.5 OK pd3si8526298icb.35 - gsmtp</div>
        <div>data</div>
        <div>354  Go ahead pd3si8526298icb.35 - gsmtp</div>
        <div>Subject: Your mum...</div>
        <div><br>
        </div>
        <div>Is on the top of my things to do list.</div>
        <div>.</div>
        <div><b>250 2.0.0 OK 1362122528 pd3si8526298icb.35 - gsmtp</b></div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>(Probably went to your spam folder as I didn't bother with
          all of the normal headers, but that's not the point...)</div>
        <div><br>
        </div>
        <div>  Scott</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <br>
        <div class="gmail_quote">On Fri, Mar 1, 2013 at 8:24 AM, Tim
          March <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:march.tim@gmail.com" target="_blank">march.tim@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> <br>
              Yeah, that's awesome... Why don't you try and actually
              deliver some messages that way without authenticating and
              see if they get through.<br>
              <br>
              --- BEGIN PASTE ---<br>
              [null@sapsec01 ~]$ nc -vvv <a moz-do-not-send="true"
                href="http://aspmx.l.google.com" target="_blank">aspmx.l.google.com</a>
              25<br>
              Connection to <a moz-do-not-send="true"
                href="http://aspmx.l.google.com" target="_blank">aspmx.l.google.com</a>
              25 port [tcp/smtp] succeeded!<br>
              220 <a moz-do-not-send="true" href="http://mx.google.com"
                target="_blank">mx.google.com</a> ESMTP
              h9si11359631paz.63 - gsmtp<br>
              HELO <a moz-do-not-send="true"
                href="http://aspmx.l.google.com" target="_blank">aspmx.l.google.com</a><br>
              250 <a moz-do-not-send="true" href="http://mx.google.com"
                target="_blank">mx.google.com</a> at your service<br>
              MAIL FROM:<a moz-do-not-send="true"
                href="mailto:spam.lord@gmail.com" target="_blank"><spam.lord@gmail.com></a><br>
              250 2.1.0 OK h9si11359631paz.63 - gsmtp<br>
              RCPT TO:<a moz-do-not-send="true"
                href="mailto:march.tim@gmail.com" target="_blank"><march.tim@gmail.com></a><br>
              250 2.1.5 OK h9si11359631paz.63 - gsmtp<br>
              DATA<br>
              354  Go ahead h9si11359631paz.63 - gsmtp<br>
              From: Spam Lord <a moz-do-not-send="true"
                href="mailto:spam.lord@gmail.com" target="_blank"><spam.lord@gmail.com></a><br>
              To: [Tim March] <a moz-do-not-send="true"
                href="mailto:march.tim@gmail.com" target="_blank"><march.tim@gmail.com></a><br>
              Date: Fri, 01 Mar 2013 17:02:27 +1100<br>
              Subject: Your mum...<br>
              <br>
              Is on the top of my things to do list.<br>
              <br>
              <br>
              <br>
              .<br>
              *crickets*<br>
              ^C<br>
              [null@sapsec01 ~]$ <br>
              --- END PASTE ---<br>
              <br>
              <br>
              <br>
              T.<br>
              <br>
              <div>On 1/03/13 4:38 PM, Scott Howard wrote:<br>
              </div>
              <blockquote type="cite">On Fri, Mar 1, 2013 at 5:33 AM,
                Tim March <span dir="ltr"><<a moz-do-not-send="true"
                    href="mailto:march.tim@gmail.com" target="_blank">march.tim@gmail.com</a>></span>
                wrote:<br>
                <div class="gmail_quote">
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    <div bgcolor="#FFFFFF" text="#000000">
                      <div>
                        <div>On 1/03/13 12:22 PM, Heinz N wrote:<br>
                        </div>
                        <blockquote type="cite">IMHO : If the ausnog
                          SMTP MTA relays for <a moz-do-not-send="true"
                            href="http://ausnog.net" target="_blank">ausnog.net</a>,
                          then the external spammer can pretend to be
                          FROM <a moz-do-not-send="true"
                            href="http://ausnog.net" target="_blank">ausnog.net</a>,
                          sending TO <a moz-do-not-send="true"
                            href="http://ausnog.net" target="_blank">ausnog.net</a>.
                          The SMTP agent will then relay with no
                          questions asked. No pwnage required. </blockquote>
                        <br>
                      </div>
                      This is a Bad Thing <span>™</span> from a
                      security perspective. Imagine the amount of spam
                      you'd get if Google allowed unauthenticated
                      localdomain relay for <a moz-do-not-send="true"
                        href="http://gmail.com" target="_blank">gmail.com</a>.<br>
                    </div>
                  </blockquote>
                  <div><br>
                  </div>
                  <div>Umm.. They do.  It's called "inbound email".</div>
                  <div><br>
                  </div>
                  <div>
                    <div>
                      <div> scott@zaphod:~$ telnet <a
                          moz-do-not-send="true"
                          href="http://gmail-smtp-in.l.google.com"
                          target="_blank">gmail-smtp-in.l.google.com</a>
                        25</div>
                      <div>Trying 2607:f8b0:4001:c02::1a...</div>
                      <div>Connected to <a moz-do-not-send="true"
                          href="http://gmail-smtp-in.l.google.com"
                          target="_blank">gmail-smtp-in.l.google.com</a>.</div>
                      <div>Escape character is '^]'.</div>
                      <div>220 <a moz-do-not-send="true"
                          href="http://mx.google.com" target="_blank">mx.google.com</a>
                        ESMTP pd3si9862485icb.71 - gsmtp</div>
                      <div>helo there</div>
                      <div>250 <a moz-do-not-send="true"
                          href="http://mx.google.com" target="_blank">mx.google.com</a>
                        at your service</div>
                      <div>mail from:<<a moz-do-not-send="true"
                          href="mailto:march.tim@gmail.com"
                          target="_blank">march.tim@gmail.com</a>></div>
                      <div>250 2.1.0 OK pd3si9862485icb.71 - gsmtp</div>
                      <div>rcpt to:<<a moz-do-not-send="true"
                          href="mailto:march.tim@gmail.com"
                          target="_blank">march.tim@gmail.com</a>></div>
                      <div>250 2.1.5 OK pd3si9862485icb.71 - gsmtp</div>
                    </div>
                  </div>
                  <div><br>
                  </div>
                  <div>  Scott</div>
                  <div><br>
                  </div>
                </div>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>