Re: [exim] authenticating from address for outgoing email?

Author: J.R.Haynes
Date:  
To: Jeff Lasman
CC: exim-users
Subject: Re: [exim] authenticating from address for outgoing email?
On Mon, 28 Mar 2011 at 03:12 +0100, Jeff Lasman wrote:

>
>
> I'd still like to find out if others are doing this or not. Will anyone else
> respond?
>


Well, we are a university, not an ISP, so parameters are very different, but
for what it's worth :-

We only require the sender address to verify. For addresses on our domains
that means a valid local part, but if people use addresses on other
domains then it only requires the domain to verify - we don't use sender
callouts (statement of fact, I'm not trying to restart that thread!).

Yes, this means people can spoof other addresses at our domains (or
elsewhere) but this has not yet been found to be a problem (we can of
course trace the actual sender through authentication details) so I have seen
no reason to add an extra layer of complexity by keeping a lookup table
for authenticated-id -> sender_address.

The main purpose of this setup is to catch mistyped email addresses in
MUAs rather than anti-forgery. The latter is stopped by policy rather than
technical methods.

I should also point out that mail storage at this site is MS Exchange so
primary mail access is via Outlook / webmail and only users who choose to
use another MUA will be using the MSA so there is actually fairly low use.


       Jonathan


--
------------------------------------------------------------------------------

                              J. R. Haynes
                         Senior Network Specialist


      IT Department,                  e-mail: J.Haynes@???
      Bld 63,
      Cranfield University,           Tel: Bedford (01234) 754205
      Wharley End,                         Bedford (01234) 750111 Extn 4205
      Cranfield,                      Fax: Bedford (01234) 751814
      Beds.,
      MK43 0AL.
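
The message above relies on tracing the actual sender through authentication details rather than on an authenticated-id -> sender_address table. The following is an added example, not part of the original post or of the poster's configuration, showing that trace over Exim main log arrival lines; it assumes the default log format, where an authenticated arrival carries `A=<authenticator>:<id>`, and all addresses, hosts and ids are constructed.

```python
import re
from collections import defaultdict

# Arrival line: "<date> <time> [<tz>] <msgid> <= <envelope sender> <fields...>"
ARRIVAL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: [+-]\d{4})? "
    r"(?P<msgid>\S+) <= (?P<sender>\S+)(?P<rest>.*)$"
)
# Authenticated arrivals carry "A=<authenticator>:<authenticated id>".
AUTH = re.compile(r" A=(?P<authenticator>[^\s:]+):(?P<auth_id>[^\s:]+)")

# Constructed sample log lines (addresses, hosts and ids are made up).
SAMPLE_LOG = [
    "2011-03-28 09:00:01 1Q4AAA-0000aa-01 <= a.smith@example.ac.uk "
    "H=(pc1) [192.0.2.10] P=esmtpsa A=plain:asmith S=1200",
    "2011-03-28 09:00:02 1Q4AAA-0000aa-01 => user@example.org "
    "R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.5]",
    "2011-03-28 09:01:30 1Q4BBB-0000bb-02 <= b.jones@example.ac.uk "
    "H=(laptop) [192.0.2.20] P=esmtpsa A=plain:bjones S=3400",
    "2011-03-28 09:02:10 1Q4CCC-0000cc-03 <= A.Smith@example.ac.uk "
    "H=(laptop) [192.0.2.20] P=esmtpsa A=plain:bjones S=800",
    "2011-03-28 09:03:00 1Q4DDD-0000dd-04 <= someone@example.org "
    "H=mx.example.org [198.51.100.7] P=esmtp S=900",
]

def parse_arrivals(lines):
    """Yield (timestamp, msgid, envelope sender, auth id) for authenticated arrivals."""
    for line in lines:
        m = ARRIVAL.match(line.rstrip("\n"))
        if not m:
            continue  # delivery lines and other log entries
        a = AUTH.search(m.group("rest"))
        if not a:
            continue  # arrival without a logged authenticated id
        yield m.group("ts"), m.group("msgid"), m.group("sender").lower(), a.group("auth_id")

def trace_senders(lines):
    """Map each envelope sender to the authenticated ids that submitted mail as it."""
    seen = defaultdict(set)
    for _ts, _msgid, sender, auth_id in parse_arrivals(lines):
        seen[sender].add(auth_id)
    return dict(seen)

def shared_senders(lines):
    """Envelope senders used by more than one authenticated id, for manual review."""
    return {s: ids for s, ids in trace_senders(lines).items() if len(ids) > 1}

if __name__ == "__main__":
    for sender, ids in sorted(shared_senders(SAMPLE_LOG).items()):
        print(sender, "submitted by", ", ".join(sorted(ids)))
```
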