Matthew Schumacher wrote: > I have this running at one site:
[...] > This pretty much stops mail from our domain from being spoofed by users > that don't authenticate, then I turn off relaying for everything that > doesn't authenticate. Uh, no. You can't prevent me from pretending to be <[EMAIL PROTECTED]> and e-mailing to <[EMAIL PROTECTED]> or <[EMAIL PROTECTED]>. SPF might be able to help, but probably not, because I can send mail with an envelope sender of <[EMAIL PROTECTED]> and a From: header of <[EMAIL PROTECTED]>. 99% of the time, the recipient will only see the header value and not the envelope value. And it will pass the SPF tests. DomainKeys might help, but only if a site is using DomainKeys. As far as I know, only Yahoo does. SMTP was never designed to provide strong end-to-end authentication. About the only way to enforce it would be to require everyone to sign every piece of e-mail he/she sends, and also somehow manage the nightmarish PKI or web-of-trust infrastructure that implies... Regards, David. _______________________________________________ Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
