Re: [Exim] SMTP Auth doesn't prevent users from sending as o…

Author: Philip Hazel
Date:  
To: Eric Rutherford
CC: exim-users
Subject: Re: [Exim] SMTP Auth doesn't prevent users from sending as other users
On Fri, 19 Mar 2004, Eric Rutherford wrote:

> Does anyone know how to prevent this? It's like spoofing but even more
> convincing because it comes from the real server. Is there a way to
> make sure the name they are sending with is the same as the username
> they authenticated with?


The name they authenticated with can be saved in $authenticated_id (your
config seems to do this). So you can check at ACL time:

  deny  message = You must send as the id you authenticate with
        authenticated = *
        condition = ${if eq {$authenticated_id}{$sender_address_local_part}\
                    {no}{yes}}


This is off the top of my head, and untested.

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book
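
The check suggested in the message above, extended to the cases it leaves open (null sender, letter case, sender domain, and the From: header). This is an added example, not part of the original message or of Exim's default configuration. It assumes the authenticators set $authenticated_id to the bare login name, that a local_domains domainlist is defined, and that the ACLs are named acl_check_mail and acl_check_data.

```exim
# Main configuration section (ACL names are assumptions for this example)
acl_smtp_mail = acl_check_mail
acl_smtp_data = acl_check_data

# ACL section
acl_check_mail:
  # Envelope sender domain must be local for authenticated sessions.
  # The null sender (bounces, DSNs) is exempted here as a policy choice.
  deny    message = Authenticated users must use a local sender domain
          authenticated = *
          !senders = :
          !sender_domains = +local_domains

  # Envelope local part must match the login name. eqi compares
  # case-insensitively, so "Alice" and "alice" are treated as the same user.
  deny    message = You must send as the id you authenticate with
          authenticated = *
          !senders = :
          condition = ${if eqi{$authenticated_id}{$sender_address_local_part}\
                      {no}{yes}}

  accept

acl_check_data:
  # The envelope check does not cover the From: header shown to recipients.
  # A missing or unparseable From: expands to an empty string and is denied.
  deny    message = From: header must match the id you authenticate with
          authenticated = *
          condition = ${if eqi{$authenticated_id}\
                      {${local_part:${address:$h_from:}}}{no}{yes}}

  accept
```

The deny statements carry their own `authenticated = *` condition, so they can be placed at the top of existing ACLs without changing how unauthenticated sessions are handled.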