--On 26 March 2011 10:28:45 -0700 Jeff Lasman <blists@???> wrote:
> Some (not many) of the users of the exim.conf file I maintain have
> requested that we check to make sure the authenticated user sending
> email only use a From address we have on file for them.
>
> They suggest we only send email if the From address is the same as the
> domain registered to the authenticated sender.
>
> I once thought the RFCs said something about that, but I can't find it
> anywhere. I'm probably not googling as well as I should.

No, the RFCs don't say anything about that. In fact, I think they say that
it's perfectly acceptable that the From address and the envelope sender
differ. However, if they do differ, then the Sender header should be used.

In an ideal world, you'd not be able to do this without permission of the
owner of the From address. That's reasonably achievable where you control
the domain of both the sender address and the spoofed address, but not
otherwise. I guess you could build a web app that gets permission using a
mail-back mechanism, in the same way that mailing list subscriptions often
work. However, revocation would become a problem. OAuth for SMTP, anyone?

Exim's mechanisms to restrict spoofing are documented in 44.1 of the docs.
Essentially, you need to add the line "control = submission" to an ACL at
MAIL, RCPT or pre-data. There are some options available: "sender_retain",
and "domain=...", "name=..." which can be used to set the sender address
domain and the sender's full name.

You should avoid using "sender_retain" for your purposes.

With these measures, you can ensure that the real sender is identifiable
from the message envelope, and from a "Sender" header. However, nothing
here prevents anyone from putting whatever they like in the From header.

I suppose that you could simply fix up the "From:" header by putting
something like

"headers_remove = From:Sender
headers_add = From: $h_sender"

on the router for a properly fixed up message; see 44.17. This is an
untested suggestion. You may have to keep track of fixed up messages, and
make a special router for this purpose.

> Our exim.conf file is used by webhosting companies, and it's always
> allowed users, once they authenticate, to use any outgoing email address
> they want. I make use of that myself, sometimes sending email out with
> my gmail return address, and sending from several domains I use but
> maintaining only one outgoing MTA in my desktop client.
>
> What is the current consensus on this issue? Is it mentioned in any RFC?
>
> Thanks.
>
> Jeff
> --
> Jeff Lasman, Nobaloney Internet Services
> Post Office Box 52200, Riverside, CA 92517
> Our blists address used on lists is for list email only
> Phone +1 951 643-5345, or see: "http://www.nobaloney.net/contactus.html"
--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see
http://www.sussex.ac.uk/its/help/
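
The policy asked about in this thread (accept a message only when its From: domain is one on file for the authenticated login) can be sketched as follows. This is an added Python example, not code from the thread and not Exim configuration; the REGISTERED table, its logins and domains, and the function name are constructed for illustration.

```python
from email.utils import getaddresses

# Constructed sample data: authenticated login -> domains on file for it.
REGISTERED = {
    "jeff": {"customer.example", "shop.example"},
}


def from_allowed(auth_id, from_header, registered=REGISTERED):
    """Return (allowed, reason) for one message submitted by auth_id.

    Only the mailbox in From: is checked. The display name is free text
    and is ignored, so it can still show any string the sender likes.
    """
    allowed = {d.lower() for d in registered.get(auth_id, ())}
    if not allowed:
        return False, "no domains on file for this login"

    # getaddresses() copes with display names, quoting and address lists;
    # unparseable input comes back as empty strings, which are dropped.
    mailboxes = [addr for _name, addr in getaddresses([from_header]) if addr]
    if len(mailboxes) != 1:
        # A missing From: or a list of mailboxes cannot be tied to one
        # owner, so reject rather than guess which address to check.
        return False, "From: must contain exactly one mailbox"

    local, sep, domain = mailboxes[0].rpartition("@")
    if not (sep and local and domain):
        return False, "From: address has no domain"

    # Exact, case-insensitive match: subdomains are not implied.
    if domain.lower().rstrip(".") not in allowed:
        return False, f"domain {domain!r} is not registered to {auth_id!r}"
    return True, "ok"


if __name__ == "__main__":
    for hdr in ("Jeff <jeff@Customer.EXAMPLE>",
                "jeff@other.example",
                "jeff@customer.example, x@other.example"):
        print(hdr, "->", from_allowed("jeff", hdr))
```
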