Philip Hazel writes:
>
> How can you check that MAIL FROM agrees with the incoming connection? If
> I send mail to someone at your site who happens to have set up
> forwarding back to my machine (because s/he's visiting Cambridge and has a
> temporary account here) then I see MAIL FROM: <local address> emanating
> from your site.
>
> Anyway, a determined forger can always circumvent any checks you may
> want to do on MAIL FROM by using MAIL FROM: <>.
As you say, I can't see any way to assure that MAIL FROM agrees with the
incoming connection, but setting policy on what sites can connect to
your mailer and send mail to a non-local address is still useful.
>
> > You'd have to have some rather bizzare security requirements to need to
> > deny connections from the local host.
>
> Such as stopping students using Telnet to forge mail?
I thought about ways to stop this here as well, and there isn't any, as
you say. The only thing I've found useful for this is identd, and
clearly putting the ident user in the header. As well, exim already does
the right thing by greeting the user with the identd lookup and the real
IP they come from, as I would imagine a forger seeing this would seek
elsewhere for a less perceptive mailer to spoof. Liberal use of
Appearantly-from: headers should help to.
--
Artificial Intelligence stands no chance against Natural Stupidity.
GAT d- -p+(--) c++++ l++ u++ t- m--- W--- !v
b+++ e* s-/+ n-(?) h++ f+g+ w+++ y*
