Author: Bruce Richardson
Date:
To: exim-users
Subject: Re: [Exim] Re: SMTP Auth doesn't prevent users from sending as other users

On Tue, Mar 23, 2004 at 01:34:33PM +0000, Dave Hill wrote:
> On Fri, 19 Mar 2004 04:13:41 -0600, Eric Rutherford wrote:
>
> > I finally got SMTP auth working. I have it set up to use the plaintext
> > type logins and check it against /etc/passwd.
> >
> > The problem is if you have ANY user's login/pass you can send as any
> > other user, so if I'm Bob and I try to send an email as Joe, when it asks
> > me my auth I just say Bob (and the pass) and it sends the email thru my
> > server appearing to come from Joe.
> >
> > Does anyone know how to prevent this? It's like spoofing but even more
> > convincing because it comes from the real server. Is there a way to make
> > sure the name they are sending with is the same as the username they
> > authenticated with?
> >
> > My current auth config is as follows: (I found it on the Exim messages
> > archive) it is at least making sure they are a user on my server
>
> If your users know each other's passwords, then you have a bigger problem
> than Exim authentication!!

You're coming at this from the wrong direction. They don't need to know
anybody else's password, just their e-mail address. Then they can
authenticate as themselves but send e-mail as someone else.
--
Bruce
I object to intellect without discipline. I object to power without
constructive purpose. -- Spock
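
One way to bind the sender to the authenticated login in Exim 4 ACLs, added here as an example and not part of the original message or of any poster's configuration. It assumes the authenticator sets `server_set_id` to the login name, that mailbox local parts equal login names (the thread checks logins against /etc/passwd), and that a `local_domains` domain list is defined; the ACL names are placeholders.

```exim
# Assumed: the authenticator records the login name via server_set_id,
# so $authenticated_id holds it. The poster's authenticator is not shown.

begin acl

# ACL named by acl_smtp_mail (name assumed)
acl_check_mail:
  # Authenticated client using an envelope sender outside our domains
  deny    authenticated   = *
          !sender_domains = +local_domains
          message         = Authenticated users must send from a local address

  # Authenticated as bob, but MAIL FROM names joe
  deny    authenticated   = *
          condition       = ${if !eqi{$sender_address_local_part}{$authenticated_id}}
          message         = Envelope sender does not match authenticated user

  accept

# ACL named by acl_smtp_data (name assumed)
acl_check_data:
  # The From: header is separate from the envelope sender, so check it too
  deny    authenticated   = *
          condition       = ${if !eqi{${local_part:${address:$h_from:}}}{$authenticated_id}}
          message         = From: header does not match authenticated user

  accept
```

The `deny` statements belong ahead of the existing statements in whichever ACLs the configuration already uses; the trailing `accept` lines only stand in for the rest of those ACLs.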