Re: [Exim] SMTP Auth doesn't prevent users from sending as o…

Inizio della pagina
Delete this message
Reply to this message
Autore: Giuliano Gavazzi
Data:  
To: exim-users, Eric Rutherford
Oggetto: Re: [Exim] SMTP Auth doesn't prevent users from sending as other users
At 11:25 am +0000 2004/03/19, Philip Hazel wrote:
>On Fri, 19 Mar 2004, Eric Rutherford wrote:
>
>> does anyone know how to prevent this? its like spoofing but even more
>> convincing because it comes from the real server. is there a way to
>> make sure the name they are sending with is the same as the username
>> they authenticated with?
>
>The name they authenticated with can be saved in $authenticated_id (your
>config seems to do this). So you can check at ACL time:
>
>   deny  message "You must send as the id you authenticate with"
>         authenticated = *
>         condition = ${if eq {$authenticated_id}{$sender_address_local_part}\
>                     {no}{yes}}

>
>This is off the top of my head, and untested.


a more general solution would actually check the possibility that
$sender_address_local_part is an alias for $authenticated_id, or more
precisely, for the local_part corresponding to $authenticated_id (in
case of virtual domains).
I haven't worked out the details on how to do that, but it is clearly possible.

Giuliano
--
H U M P H
    || |||
  software


Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/