Re: [Exim] SMTP Auth doesn't prevent users from sending as o…

Author: Giuliano Gavazzi
Date:  
To: exim-users
Subject: Re: [Exim] SMTP Auth doesn't prevent users from sending as other users
At 1:18 pm +0000 2004/03/20, Bruce Richardson wrote:
>--
>On Fri, Mar 19, 2004 at 05:46:48PM -0800, Fred Viles wrote:
>> The OP was asking how to prevent authenticated users from sending
>> spoofed messages, and I was pointing out that it might be simpler and
>> adequately effective just to prevent them from doing it
>> *anonymously*.
>
>Given that it is quite easy to restrict them to only being able to send
>mail from their authorised address, which is what the OP specifically
>asked for, I fail to see the point in only going half the way there.
>The complex configuration examples only arose from tangential
>speculation about creating very generic solutions that would allow any
>kind of arbitrary restriction.
>


True, but not quite so tangential. If a user has got aliases, these
aliases must be allowed, and not only in the headers but also in the
envelope sender. I have found services basing some sort of loose
authentication on the MAIL FROM: and not on the From: header. I know,
this is silly, but they do exist. Also, an alias might be used to
hide an address; if we must reveal the protected address, what's the
point then?
So my point is that the only complete solution is a bit more complex
than it seems, but not too much.

Giuliano
--
H U M P H
    || |||
  software


Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/
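
Added example, not part of the original message and not Exim configuration: a Python model of the policy discussed above, where an authenticated user may send as their primary address or any of their aliases, and the check covers both the envelope sender (MAIL FROM:) and the From: header. The user names, addresses, `ALLOWED_SENDERS` table and function names are constructed for illustration.

```python
from email.utils import getaddresses

# Constructed sample data: authenticated login -> addresses that user may send as
# (primary address plus aliases).
ALLOWED_SENDERS = {
    "alice": {"alice@example.org", "sales@example.org"},
    "bob": {"bob@example.org"},
}


def normalize(addr):
    """Strip spaces and angle brackets, then lower-case the address.

    Assumption: local parts are compared case-insensitively, as most sites do.
    """
    return addr.strip().strip("<>").lower()


def check_message(auth_id, envelope_sender, from_header):
    """Return (accepted, reason) for a submission by an authenticated user."""
    allowed = ALLOWED_SENDERS.get(auth_id)
    if allowed is None:
        return False, "unknown authenticated id"
    allowed = {normalize(a) for a in allowed}

    # Envelope check: the MAIL FROM: address must be the user's own or an alias.
    if normalize(envelope_sender) not in allowed:
        return False, "envelope sender not owned by user"

    # Header check: From: may list several mailboxes; every one must be allowed.
    mailboxes = [normalize(a) for _, a in getaddresses([from_header]) if a]
    if not mailboxes:
        return False, "no address in From: header"
    for mailbox in mailboxes:
        if mailbox not in allowed:
            return False, "From: header address not owned by user"
    return True, "ok"


if __name__ == "__main__":
    # An alias is accepted in both places, so the primary address stays hidden.
    print(check_message("alice", "<sales@example.org>", "Sales <sales@example.org>"))
    # Own envelope sender but someone else's From: header is rejected.
    print(check_message("bob", "bob@example.org", "Alice <alice@example.org>"))
```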