[Exim] Re: Re: SMTP Auth doesn't prevent users from sending …

Pàgina inicial
Delete this message
Reply to this message
Autor: Dave Hill
Data:  
A: exim-users
Assumpte: [Exim] Re: Re: SMTP Auth doesn't prevent users from sending as other users
On Tue, 23 Mar 2004 16:22:28 +0000, Bruce Richardson wrote:

> On Tue, Mar 23, 2004 at 01:34:33PM +0000, Dave Hill wrote:
>> On Fri, 19 Mar 2004 04:13:41 -0600, Eric Rutherford wrote:
>>
>> > I finally got smtp auth working, i have it set up to use the plaintext
>> > type logins and check it against /etc/passwd
>> >
>> > the problem is if you have ANY users login/pass you can send as any
>> > other user, so if im Bob and i try to send an email as Joe, when it asks
>> > me my auth i just say Bob(and the pass) and it sends the email thru my
>> > server appearing to come from Joe
>> >
>> > does anyone know how to prevent this? its like spoofing but even more
>> > convincing because it comes from the real server. is there a way to make
>> > sure the name they are sending with is the same as the username they
>> > authenticated with?
>> >
>> > My current auth config is as follows: (i found it on the exim messages
>> > archive) it is at least making sure they are a user on my server
>>
>> If your users know each others passwords, then you have a bigger problem
>> than exim authentication!!
>
> You're coming at this from the wrong direction. They don't need to know
> anybody else's password, just their e-mail address. Then they can
> authenticate as themselves but send e-mail as someone else.
>


Ah, yes - re-reading the message, I see what he's getting at now. That's
the trouble with quickly reading messages.

I'll get my coat....

Dave

--
Dave Hill
Systems Administrator, Newnham Research Ltd
Tel: +44 (0) 8707 66 11 10