Re: [Exim] SMTP Auth doesn't prevent users from sending as o…

Pàgina inicial
Delete this message
Reply to this message
Autor: Philip Hazel
Data:  
A: Eric Rutherford
CC: exim-users
Assumpte: Re: [Exim] SMTP Auth doesn't prevent users from sending as other users
On Fri, 19 Mar 2004, Eric Rutherford wrote:

> does anyone know how to prevent this? its like spoofing but even more
> convincing because it comes from the real server. is there a way to
> make sure the name they are sending with is the same as the username
> they authenticated with?


The name they authenticated with can be saved in $authenticated_id (your
config seems to do this). So you can check at ACL time:

  deny  message "You must send as the id you authenticate with"
        authenticated = *
        condition = ${if eq {$authenticated_id}{$sender_address_local_part}\
                    {no}{yes}}


This is off the top of my head, and untested.

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book