Re: [exim] how to secure alias-overtakings by other mailacco…

Top Page
Delete this message
Reply to this message
Author: Ian Eiloart
Date:  
To: Deep Thought
CC: <exim-users@exim.org>
Subject: Re: [exim] how to secure alias-overtakings by other mailaccounts

On 17 Feb 2013, at 20:46, Deep Thought <service@???> wrote:

> Dear Sir or Madam,
>
> I am using Exim on my server and realized that any user can overtake a mail address created by an user account. So it seems that for example, I can just enter an Alias or even change my sender mailaddress for example in Thunderbird to any mail addresses created by the account.


Yes, that's true.

Similarly, if I write a letter to anyone, I can put your address at the top of the letter, or any address that I like to put. There's nothing that you, or anyone else, can do to prevent that.

The only things that you can do to attempt to secure your email domain (and hence addresses in that domain) are to publish SPF, DKIM and DMARC records. Some recipient sites will check those records, including some large email service providers. None of that will prevent forgery.

You can also use S-MIME or GPG/PGP to sign outgoing mail, but that only protects you to the extent that recipients (a) expect it, and (b) have tools to analyse the signatures.

> There is no security check or a warning message like "Hey someone is using your mailaddress".
>
> How can I secure it? Is there any setting to change this behaviour? That the owner of the mail address has to agree on using its mail address as an alias or sender mail address from another account?


You can only do this if you know the sender is going to use your email server. In that case you could, for example, create an ACL that requires that the sender address be present in the from header.

> Thanks in advance,
> Sandra Mende
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/


--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148