[Exim] Re: Re: SMTP Auth doesn't prevent users from sending …

Author: Dave Hill
Date:  
To: exim-users
Subject: [Exim] Re: Re: SMTP Auth doesn't prevent users from sending as other users
On Tue, 23 Mar 2004 16:22:28 +0000, Bruce Richardson wrote:

> On Tue, Mar 23, 2004 at 01:34:33PM +0000, Dave Hill wrote:
>> On Fri, 19 Mar 2004 04:13:41 -0600, Eric Rutherford wrote:
>>
>> > I finally got smtp auth working, I have it set up to use the plaintext
>> > type logins and check it against /etc/passwd
>> >
>> > the problem is if you have ANY user's login/pass you can send as any
>> > other user, so if I'm Bob and I try to send an email as Joe, when it asks
>> > me my auth I just say Bob (and the pass) and it sends the email through my
>> > server appearing to come from Joe
>> >
>> > does anyone know how to prevent this? it's like spoofing but even more
>> > convincing because it comes from the real server. is there a way to make
>> > sure the name they are sending with is the same as the username they
>> > authenticated with?
>> >
>> > My current auth config is as follows: (I found it on the exim messages
>> > archive) it is at least making sure they are a user on my server
>>
>> If your users know each other's passwords, then you have a bigger problem
>> than exim authentication!!
>
> You're coming at this from the wrong direction. They don't need to know
> anybody else's password, just their e-mail address. Then they can
> authenticate as themselves but send e-mail as someone else.
>


Ah, yes - re-reading the message, I see what he's getting at now. That's
the trouble with quickly reading messages.

I'll get my coat....

Dave

--
Dave Hill
Systems Administrator, Newnham Research Ltd
Tel: +44 (0) 8707 66 11 10
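
The check asked about in the quoted question (tie the sender to the authenticated login), sketched as an Exim 4 ACL fragment. This is an added example, not configuration posted in the thread; it assumes the authenticator's `server_set_id` is set to the login name, so `$authenticated_id` holds the local username, and `example.org` is a placeholder for the one domain users send from.

```exim
# Added example, not from the thread.
# Assumption: server_set_id in the authenticator is the login name, so
# $authenticated_id is the /etc/passwd username after a successful AUTH.
# Assumption: example.org is a placeholder for the site's mail domain.

# Main configuration section: run this ACL for every RCPT command.
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # An authenticated client may only use <login>@example.org as the
  # envelope sender (MAIL FROM). eqi compares case-insensitively.
  deny    authenticated = *
          condition     = ${if !eqi{$sender_address}{${authenticated_id}@example.org}}
          message       = Envelope sender must match the authenticated account

  # Authenticated clients that passed the check above may relay.
  accept  authenticated = *

  # The site's existing RCPT rules (local domains, relay hosts, final
  # deny) continue below this point.
```

This constrains the envelope sender only; the `From:` header that mail clients display is not available until the DATA ACL (`acl_smtp_data`) and needs its own check there.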