Re: [Exim] SMTP Auth doesn't prevent users from sending as o…

Author: Everton da Silva Marques
Date:  
To: exim-users
Subject: Re: [Exim] SMTP Auth doesn't prevent users from sending as other users
On Fri, Mar 19, 2004 at 11:25:13AM +0000, Philip Hazel wrote:
> On Fri, 19 Mar 2004, Eric Rutherford wrote:
>
> > does anyone know how to prevent this? it's like spoofing but even more
> > convincing because it comes from the real server. is there a way to
> > make sure the name they are sending with is the same as the username
> > they authenticated with?
>
> The name they authenticated with can be saved in $authenticated_id (your
> config seems to do this). So you can check at ACL time:
>
>   deny  message = "You must send as the id you authenticate with"
>         authenticated = *
>         condition = ${if eq {$authenticated_id}{$sender_address_local_part}\
>                     {no}{yes}}


I've been using:

  accept  senders        = :
  accept  !authenticated = *
  accept  condition      = ${if eqi {$authenticated_id} {$sender_address} {1} {0}}
  deny    message        = bad sender
          log_message    = bad sender (auth_id=$authenticated_id mismatches sender=$sender_address)


Virtual hosting demands $sender_address; 'eqi' prevents case mismatches.

Suggestions for improvements are welcome. :)
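
The two ACL variants in this thread, modelled in Python as an added example (not part of either post and not Exim code), to show where the local-part check and the full-address check disagree. The session values are constructed, `None` stands for an unauthenticated connection, and the local-part rule is assumed to sit in an ACL that accepts whatever it does not deny.

```python
# Added model of the two ACL variants above; not Exim code.
# None as auth_id stands for an unauthenticated connection (assumption).

def local_part(sender):
    # $sender_address_local_part: everything before the last "@"
    return sender.rsplit("@", 1)[0]

def acl_local_part(auth_id, sender):
    # deny  authenticated = *  +  eq {$authenticated_id}{$sender_address_local_part}
    # "eq" is case-sensitive. Assumption: anything not denied is accepted later.
    if auth_id is not None and auth_id != local_part(sender):
        return "deny"
    return "accept"

def acl_full_address(auth_id, sender):
    if sender == "":                       # accept senders = :  (bounces)
        return "accept"
    if auth_id is None:                    # accept !authenticated = *
        return "accept"
    if auth_id.lower() == sender.lower():  # eqi: case-insensitive compare
        return "accept"
    return "deny"                          # deny message = bad sender

# Constructed sessions: (authenticated id, envelope sender)
SESSIONS = [
    ("alice", "alice@a.example"),
    ("alice", "alice@b.example"),             # same local part, other domain
    ("alice@a.example", "Alice@A.Example"),   # case differs only
    ("alice@a.example", "alice@b.example"),   # other domain
    ("alice@a.example", "bob@a.example"),     # other user
    ("alice@a.example", ""),                  # authenticated client, null sender
    (None, "bob@a.example"),                  # not authenticated
]

def compare():
    return [(a, s, acl_local_part(a, s), acl_full_address(a, s)) for a, s in SESSIONS]

if __name__ == "__main__":
    for auth_id, sender, v1, v2 in compare():
        print(f"auth={auth_id!r:20} sender={sender!r:20} local-part={v1:7} full={v2}")
```

Both rules look only at the envelope sender, and which one fits depends on whether the authenticator stores a bare username or a full address in `$authenticated_id`.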