Here's a weird one. I have some users on IMP (which is a web interface to
IMAP) and it connects to my exim 4.14 daemon via a local pipe to send
outgoing messages. IMP runs under Apache which is run as system user
"nobody" so that's what exim registers as making the connection. I couldn't
figure out how to allow IMP to set the message sender (other than making
"nobody" a trusted user, which I obviously didn't want to do) so I ended up
doing a header rewrite on the envelope sender. But that's not my question.

The issue is I want to make sure that local IMP users don't have a
super-easy time forging mail. As it is, I have an "acl_not_smtp" ACL that
checks the sending domain...

  check_local:
    accept  senders = :
    require sender_domains = +local_domains
    accept

But that does nothing to verify the local_part of the sender. I know I
can't guarantee that they won't forge their address to "some other valid
local address," but I'd like to at least make sure the sending address *is*
a valid one. Ideally I'd like to do something like this...

  check_local:
    accept  senders = :
    require sender_domains = +local_domains
            verify = sender
    accept

That way I'd run the outgoing sender address through my routers in verify
mode just to make sure it's an address (alias, whatever) that can receive a
response. But "verify = ..." isn't valid in the "acl_not_smtp". How do
other people handle this? I imagine it would be a concern not just for IMP
users, but any mailer setup that sends mail locally via a pipe.

I guess the rewrite mentioned above is really just skirting the trusted user
concept. Is that what I'm doing differently from everyone else? It should
be either a trusted user --which should bypass the "verify=sender" check, or
it isn't --which can't change/rewrite the sender in the first place? What
about virtual users, like some configurations offered by courier-imap? They
just rely on courier to enforce a legitimate sender address?
--
Rick Ennis