From: brnstnd@nyu.edu (Dan Bernstein)
Newsgroups: alt.security
Subject: Re: SMTP Tracing
Message-ID: <12325.May320.34.0092@virtualnews.nyu.edu>
Date: 3 May 92 20:34:00 GMT
References: <1992May2.220211.3756@willamette.edu> <2241@ra.nrl.navy.mil>
Organization: IR
Lines: 30

There's no point in arguing about the virtues of RFC 931---the protocol is so simple that even a network newbie can easily understand what it does.

Any sysadmin reading this article can pick up Peter Eriksson's RFC 931 server from ftp.lysator.liu.se:pub/ident/pidentd-1.5.tar.Z and install it in *five minutes* on any of the supported systems. To add RFC 931 support to the latest IDA sendmail takes another ten minutes at most, provided you have sendmail source: just grab the sendmail patch and libauth* from the same directory. Then add $F any way you like to your HReceived line in sendmail.cf. (You can pick up sendmail source from any large archive site.)

Result: The attack described at the start of this thread will be stymied. Anyone connecting from an RFC931-serving machine to an RFC931-cognizant sendmail will find his username added to the header. To forge that username would require breaking TCP or breaking security on one of the machines---a far more daunting task than simply feeding false messages to sendmail via SMTP. (And if you've got people doing that then you have much more serious problems than mail forgery.)

This solves the problem. End of story.

Atkinson writes:

> The real answer is to add authentication to email. Privacy-Enhanced
> Mail (PEM) does this.

That's nice. Right now PEM is vaporware. I prefer existing solutions. Come back when you can actually point to a *working* example of PEM.

---Dan
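The exchange the post relies on, as an added illustration rather than code from the post, from pidentd, or from the IDA sendmail patch: the receiving mailer opens a connection back to the peer's ident port, sends the port pair of the SMTP connection, parses the reply, and folds the answer into its Received: header. The header layout, the function names and the constructed replies (modelled on the examples in RFC 931) are assumptions; the reply grammar and port 113 are from the RFC. The two checks a receiver wants are shown: the echoed port pair must match the query, and the remote-supplied user string is sanitized before it goes anywhere near a header.

```python
"""RFC 931 / RFC 1413 ident lookup as a mail receiver would use it: build the
query, parse the reply, and fold the answer into a Received: header.
Illustrative code written for this thread; not from pidentd or IDA sendmail."""
import re
import socket
from dataclasses import dataclass
from typing import Optional

IDENT_PORT = 113  # well-known port for the ident/auth service

# Reply grammar (RFC 931, kept unchanged by RFC 1413):
#   <server-port> , <client-port> : USERID : <opsys> : <user-id>
#   <server-port> , <client-port> : ERROR  : <error-type>
_USERID_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*USERID\s*:\s*([^:]+?)\s*:\s*(.*)$")
_ERROR_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*ERROR\s*:\s*([A-Z0-9-]+)\s*$")


@dataclass
class IdentResult:
    server_port: int            # port on the host that answered (the SMTP peer)
    client_port: int            # port on the querying host (25 for SMTP)
    status: str                 # "USERID" or "ERROR"
    opsys: Optional[str] = None
    user: Optional[str] = None
    error: Optional[str] = None


def format_query(peer_port: int, local_port: int) -> bytes:
    """Query sent *to the connecting host*: its port first, then ours."""
    return f"{peer_port}, {local_port}\r\n".encode("ascii")


def parse_reply(line: str, peer_port: int, local_port: int) -> IdentResult:
    """Parse one reply line. The echoed port pair must match the query, so a
    peer cannot hand back an answer that belongs to some other connection."""
    line = line.rstrip("\r\n")
    m = _USERID_RE.match(line)
    if m:
        res = IdentResult(int(m.group(1)), int(m.group(2)), "USERID",
                          opsys=m.group(3).strip(), user=m.group(4).strip())
    else:
        m = _ERROR_RE.match(line)
        if not m:
            raise ValueError(f"malformed ident reply: {line!r}")
        res = IdentResult(int(m.group(1)), int(m.group(2)), "ERROR",
                          error=m.group(3))
    if (res.server_port, res.client_port) != (peer_port, local_port):
        raise ValueError(f"ident reply ports {res.server_port},{res.client_port} "
                         f"do not match query {peer_port},{local_port}")
    return res


def sanitize_user(user: str, limit: int = 64) -> str:
    """The user-id is an arbitrary octet string chosen by the remote host.
    Before it goes into a mail header, replace anything outside printable
    ASCII (CR/LF above all, which would let the peer add header lines)."""
    cleaned = "".join(ch if 0x20 <= ord(ch) < 0x7F else "?" for ch in user)
    return cleaned[:limit]


def received_header(res: IdentResult, peer_host: str, local_host: str) -> str:
    """Header layout is an assumption: it stands in for a sendmail.cf HReceived
    line that includes $F (the macro the IDA patch fills from the ident reply)."""
    ident = sanitize_user(res.user) if res.status == "USERID" else "unknown"
    return f"Received: from {peer_host} ({ident}@{peer_host}) by {local_host} with SMTP"


def query_ident(peer_ip: str, peer_port: int, local_port: int,
                timeout: float = 5.0) -> IdentResult:
    """Live lookup against the peer's ident server (not exercised offline)."""
    with socket.create_connection((peer_ip, IDENT_PORT), timeout=timeout) as s:
        s.sendall(format_query(peer_port, local_port))
        data = b""
        while b"\n" not in data and len(data) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return parse_reply(data.decode("latin-1"), peer_port, local_port)


if __name__ == "__main__":
    # Constructed replies, modelled on the examples given in RFC 931 itself.
    for raw in ("6191, 25 : USERID : UNIX : stjohns\r\n",
                "6193, 25 : ERROR : NO-USER\r\n"):
        ports = tuple(int(p) for p in raw.split(":")[0].split(","))
        r = parse_reply(raw, ports[0], ports[1])
        print(received_header(r, "peer.example", "mailhost.example"))
```

As the post says, the value of the username is exactly the value of the remote host's integrity: the receiver records what the peer's ident server asserts, so the header is evidence about who the peer's administrator says held the connection, not an authentication of the sender. That is why the code treats the user-id as untrusted input and why a mismatched port pair is rejected outright.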