<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
So, it turns out you're entirely correct. I actually checked it
using nc before I sent that email and the relay agent wants a CRLF
like you sent with telnet, not a CR like I sent with nc to process
the period <gently places foot in mouth><br>
<br>
The action I expected was for the relay agent to accept ingress SMTP
from external domains to the local domain, but to expect
authentication for the local domain (even where the recipient is
local.)<br>
<br>
The reason for that expectation is as per the obvious spam
implication and, as you suspect, Google delivered it to spam. If
what you're suggesting is correct and basically all servers will
allow unauthenticated relay from localdomain to localdomain that's
an issue... and a great reason to implement SPF.<br>
<br>
<br>
<br>
T.<br>
<br>
<div class="moz-cite-prefix">On 1/03/13 6:23 PM, Scott Howard wrote:<br>
</div>
<blockquote
cite="mid:CACnPsNVJLdtTYfxqEEBbhsOjwLizBLQee9Fv5BGD1FNG92J6RQ@mail.gmail.com"
type="cite">OK.
<div><br>
</div>
<div>
<div>scott@zaphod:~$ telnet <a moz-do-not-send="true"
href="http://gmail-smtp-in.l.google.com">gmail-smtp-in.l.google.com</a>
25</div>
<div>Trying 2607:f8b0:4001:c02::1a...</div>
<div>Connected to <a moz-do-not-send="true"
href="http://gmail-smtp-in.l.google.com">gmail-smtp-in.l.google.com</a>.</div>
<div>Escape character is '^]'.</div>
<div>220 <a moz-do-not-send="true" href="http://mx.google.com">mx.google.com</a>
ESMTP pd3si8526298icb.35 - gsmtp</div>
<div>helo there</div>
<div>250 <a moz-do-not-send="true" href="http://mx.google.com">mx.google.com</a>
at your service</div>
<div>mail from:<<a moz-do-not-send="true"
href="mailto:march.tim@gmail.com">march.tim@gmail.com</a>></div>
<div>250 2.1.0 OK pd3si8526298icb.35 - gsmtp</div>
<div>rcpt to:<<a moz-do-not-send="true"
href="mailto:march.tim@gmail.com">march.tim@gmail.com</a>></div>
<div>250 2.1.5 OK pd3si8526298icb.35 - gsmtp</div>
<div>data</div>
<div>354 Go ahead pd3si8526298icb.35 - gsmtp</div>
<div>Subject: Your mum...</div>
<div><br>
</div>
<div>Is on the top of my things to do list.</div>
<div>.</div>
<div><b>250 2.0.0 OK 1362122528 pd3si8526298icb.35 - gsmtp</b></div>
<div><br>
</div>
<div><br>
</div>
<div>(Probably went to your spam folder as I didn't bother with
all of the normal headers, but that's not the point...)</div>
<div><br>
</div>
<div> Scott</div>
<div><br>
</div>
<div><br>
</div>
<br>
<div class="gmail_quote">On Fri, Mar 1, 2013 at 8:24 AM, Tim
March <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:march.tim@gmail.com" target="_blank">march.tim@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
Yeah, that's awesome... Why don't you try and actually
deliver some messages that way without authenticating and
see if they get through.<br>
<br>
--- BEGIN PASTE ---<br>
[null@sapsec01 ~]$ nc -vvv <a moz-do-not-send="true"
href="http://aspmx.l.google.com" target="_blank">aspmx.l.google.com</a>
25<br>
Connection to <a moz-do-not-send="true"
href="http://aspmx.l.google.com" target="_blank">aspmx.l.google.com</a>
25 port [tcp/smtp] succeeded!<br>
220 <a moz-do-not-send="true" href="http://mx.google.com"
target="_blank">mx.google.com</a> ESMTP
h9si11359631paz.63 - gsmtp<br>
HELO <a moz-do-not-send="true"
href="http://aspmx.l.google.com" target="_blank">aspmx.l.google.com</a><br>
250 <a moz-do-not-send="true" href="http://mx.google.com"
target="_blank">mx.google.com</a> at your service<br>
MAIL FROM:<a moz-do-not-send="true"
href="mailto:spam.lord@gmail.com" target="_blank"><spam.lord@gmail.com></a><br>
250 2.1.0 OK h9si11359631paz.63 - gsmtp<br>
RCPT TO:<a moz-do-not-send="true"
href="mailto:march.tim@gmail.com" target="_blank"><march.tim@gmail.com></a><br>
250 2.1.5 OK h9si11359631paz.63 - gsmtp<br>
DATA<br>
354 Go ahead h9si11359631paz.63 - gsmtp<br>
From: Spam Lord <a moz-do-not-send="true"
href="mailto:spam.lord@gmail.com" target="_blank"><spam.lord@gmail.com></a><br>
To: [Tim March] <a moz-do-not-send="true"
href="mailto:march.tim@gmail.com" target="_blank"><march.tim@gmail.com></a><br>
Date: Fri, 01 Mar 2013 17:02:27 +1100<br>
Subject: Your mum...<br>
<br>
Is on the top of my things to do list.<br>
<br>
<br>
<br>
.<br>
*crickets*<br>
^C<br>
[null@sapsec01 ~]$ <br>
--- END PASTE ---<br>
<br>
<br>
<br>
T.<br>
<br>
<div>On 1/03/13 4:38 PM, Scott Howard wrote:<br>
</div>
<blockquote type="cite">On Fri, Mar 1, 2013 at 5:33 AM,
Tim March <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:march.tim@gmail.com" target="_blank">march.tim@gmail.com</a>></span>
wrote:<br>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>On 1/03/13 12:22 PM, Heinz N wrote:<br>
</div>
<blockquote type="cite">IMHO : If the ausnog
SMTP MTA relays for <a moz-do-not-send="true"
href="http://ausnog.net" target="_blank">ausnog.net</a>,
then the external spammer can pretend to be
FROM <a moz-do-not-send="true"
href="http://ausnog.net" target="_blank">ausnog.net</a>,
sending TO <a moz-do-not-send="true"
href="http://ausnog.net" target="_blank">ausnog.net</a>.
The SMTP agent will then relay with no
questions asked. No pwnage required. </blockquote>
<br>
</div>
This is a Bad Thing <span>™</span> from a
security perspective. Imagine the amount of spam
you'd get if Google allowed unauthenticated
localdomain relay for <a moz-do-not-send="true"
href="http://gmail.com" target="_blank">gmail.com</a>.<br>
</div>
</blockquote>
<div><br>
</div>
<div>Umm.. They do. It's called "inbound email".</div>
<div><br>
</div>
<div>
<div>
<div> scott@zaphod:~$ telnet <a
moz-do-not-send="true"
href="http://gmail-smtp-in.l.google.com"
target="_blank">gmail-smtp-in.l.google.com</a>
25</div>
<div>Trying 2607:f8b0:4001:c02::1a...</div>
<div>Connected to <a moz-do-not-send="true"
href="http://gmail-smtp-in.l.google.com"
target="_blank">gmail-smtp-in.l.google.com</a>.</div>
<div>Escape character is '^]'.</div>
<div>220 <a moz-do-not-send="true"
href="http://mx.google.com" target="_blank">mx.google.com</a>
ESMTP pd3si9862485icb.71 - gsmtp</div>
<div>helo there</div>
<div>250 <a moz-do-not-send="true"
href="http://mx.google.com" target="_blank">mx.google.com</a>
at your service</div>
<div>mail from:<<a moz-do-not-send="true"
href="mailto:march.tim@gmail.com"
target="_blank">march.tim@gmail.com</a>></div>
<div>250 2.1.0 OK pd3si9862485icb.71 - gsmtp</div>
<div>rcpt to:<<a moz-do-not-send="true"
href="mailto:march.tim@gmail.com"
target="_blank">march.tim@gmail.com</a>></div>
<div>250 2.1.5 OK pd3si9862485icb.71 - gsmtp</div>
</div>
</div>
<div><br>
</div>
<div> Scott</div>
<div><br>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>