Re: [Exim] SMTP Auth doesn't prevent users from sending as o…

Author: Fred Viles
Date:  
To: exim-users
Subject: Re: [Exim] SMTP Auth doesn't prevent users from sending as other users
On 19 Mar 2004 at 23:41, Bruce Richardson wrote about
    "Re: [Exim] SMTP Auth doesn't preven":


| --
| On Fri, Mar 19, 2004 at 01:14:44PM -0800, Fred Viles wrote:
| > Depending on what you want to accomplish, another option is to simply
| > add an X- header to the message with the authenticated ID.

|
| I don't trust headers for any kind of sensitive or crucial information.


Like I said, "depending on what you want to accomplish". It doesn't
seem to me that the authenticated user ID is either sensitive or
crucial in the OP's case, but that's for him to judge.

| In this case, since the information can be verified directly, I don't
| see the point of using a header. If you want an arbitrary placeholder
| to avoid redoing some calculations, use the ACL variables.


I'm not trying to talk anyone into anything, but I wonder if you've
misinterpreted something. The point is not to avoid recalculations,
the point is to make sure that users can't hide their real identity
when they send messages.

The OP was asking how to prevent authenticated users from sending
spoofed messages, and I was pointing out that it might be simpler and
adequately effective just to prevent them from doing it
*anonymously*.

- Fred
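
The two options weighed in this message, as an added Exim ACL example that is not part of the original post: the first ACL records the authenticated ID in a header, the second rejects a mismatched envelope sender outright. The ACL names, the header name `X-Authenticated-Id`, and the assumption that the authenticator's `server_set_id` yields a full e-mail address are illustrative and not taken from the thread; the syntax is for a current Exim 4 release.

```exim
# Main section: wire the ACLs in (ACL names are hypothetical).
acl_smtp_mail = acl_check_mail
acl_smtp_data = acl_check_data

begin acl

# Option A: do not block anything, just make the sender identifiable.
acl_check_data:
  # Drop any copy of the header supplied by the client, so the only
  # value that can reach the recipient is the one this server writes.
  warn    remove_header = X-Authenticated-Id

  # $authenticated_id is whatever the authenticator's server_set_id
  # stored at AUTH time; it is empty for unauthenticated sessions.
  warn    authenticated = *
          add_header    = X-Authenticated-Id: $authenticated_id

  accept

# Option B: refuse the message when the envelope sender differs from
# the authenticated identity. Assumes server_set_id is a full address.
# This checks MAIL FROM only; the From: header line is not compared.
acl_check_mail:
  deny    authenticated = *
          condition     = ${if !eqi{$authenticated_id}{$sender_address}}
          message       = Envelope sender must match authenticated identity

  accept
```

The header in option A is trustworthy only on mail that actually passed through this server, which is why the client-supplied copy is removed before the server's own value is added.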