Re: [exim] how to secure alias-overtakings by other mailacco…

Author: Chris Knadle
Date:
To: exim-users
Subject: Re: [exim] how to secure alias-overtakings by other mailaccounts
On Sunday, February 17, 2013 15:46:19, Deep Thought wrote:
> Dear Sir or Madam,
>
> I am using Exim on my server and realized that any user can overtake a
> mail address created by a user account. So it seems that for example, I
> can just enter an Alias or even change my sender mail address for example
> in Thunderbird to any mail addresses created by the account.


What you're describing has to do with settings in someone's mail client for
what their outbound email address is.

> There is no security check or a warning message like "Hey someone is
> using your mail address".
>
> How can I secure it? Is there any setting to change this behaviour? That
> the owner of the mail address has to agree on using its mail address as
> an alias or sender mail address from another account?


To do this (theoretically) you'd have to give Exim some way to /reliably/
identify the user sending an email, independent of what the outbound email
address is, and then "validate" an outbound email address with the user in an
ACL rule.

I don't know how various machines and/or mail clients respond to identd
queries, but in _theory_ identd (RFC 1413) was meant to help identify the
remote user in some way for abuse situations. However some implementations
(like slidentd) give back "secured" information, where it gives out fake
numbers but locally logs the answer it gave vs what the real information is,
so I don't think it would be sane to rely on identd for this purpose.

-- Chris

--
Chris Knadle
Chris.Knadle@???
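
The "identify the user, then validate the sender in an ACL rule" idea from the reply above, sketched as an Exim configuration fragment. This is an added example, not part of the original message: it assumes clients submit mail with SMTP AUTH (so the login is available in `$authenticated_id`) and uses a hypothetical lsearch file, `/etc/exim4/sender-owners`, that lists the envelope senders each login owns.

```exim
# Added example (not from the thread). Assumed, hypothetical ownership file
# /etc/exim4/sender-owners, one login per line with its permitted senders:
#
#   alice: alice@example.org : sales@example.org
#   bob:   bob@example.org
#
# Main configuration section: run this ACL at MAIL FROM time.
acl_smtp_mail = acl_check_mail

begin acl

acl_check_mail:
  # Session is authenticated, but the envelope sender is not among the
  # addresses listed for that login. A login missing from the file expands
  # to an empty list, so it is refused as well.
  deny    authenticated = *
          !senders      = ${lookup{$authenticated_id}lsearch{/etc/exim4/sender-owners}{$value}{}}
          message       = Sender address not permitted for this login
          log_message   = login $authenticated_id tried to send as <$sender_address>

  # Everything else continues to the later ACLs (relay control, RCPT checks).
  accept
```

The `senders` condition tests the envelope sender only; the `From:` header shown to recipients is a separate field and is not covered by this rule.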