I looked at this briefly, and determined it's not suitable for QMT.

If something like this were ever practical, it would need to be configurable on a per-user basis, as Dan suggested.

A few thoughts about this.

First, such a thing would be contrary to RFCs (not that this is a be-all end-all reason).

Secondly, this moves in a direction that is actually *less* secure. A more secure setup would have the authentication ID be *different* than the email address. That way, malicious imposters would need to acquire the login id *and* password in order to crack an account. So you see, having a login ID that's different from the email address is actually a good thing, from a security standpoint.

Note, the authentication ID is frequently included in the message header, so it's not entirely hidden. I'm looking into that as well though, in a way that the last-4 of a credit card number is printed on receipts. If indeed the authentication ID is even really needed in message headers.

Along the lines of controlling spoofing, it might be practical for a submission server to inquire from an authentication server, which sending addresses are allowed to be used by a given account. This could be specified as a list, and using wildcards. In that manner, some control of spoofing addresses would be practical. I'm curious to know if there's a way to do this with postfix. Anyone care to look into this? I know we have some postfix converts lurking here (and I truly appreciate that!). ;)

Thanks.

--
-Eric 'shubes'
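
The allowed-sender lookup described above, as an added example (not part of the original message, and not QMT or Postfix code): it takes a request in the name=value form that Postfix policy delegation sends (`sasl_username`, `sender`) and answers from a per-login list of wildcard patterns. The login IDs, addresses and table are constructed; in the proposal the table would come from the authentication server.

```python
from fnmatch import fnmatchcase

# Constructed table: login ID -> sender patterns that account may use.
# In the proposal this list would be fetched from the authentication server.
ALLOWED_SENDERS = {
    "u1042": ["alice@example.com", "sales@example.com"],
    "u2077": ["*@dept.example.org"],
    "relay-filter": ["*"],  # filter/smart-host account: any sender
}

# Constructed request, in the name=value form a Postfix policy service receives.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "sender=ceo@example.com\nsasl_username=u1042\n\n"
)


def parse_request(text):
    """Collect name=value attributes up to the terminating empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def _norm(addr):
    """Lower-case the domain only; the local part is compared as given."""
    local, at, domain = addr.rpartition("@")
    return local + at + domain.lower()


def sender_allowed(login, sender, table=ALLOWED_SENDERS):
    """True if the envelope sender matches a pattern listed for this login."""
    return any(fnmatchcase(_norm(sender), _norm(p)) for p in table.get(login, []))


def policy_action(request_text, table=ALLOWED_SENDERS):
    """Reply line for one request; only the envelope sender is checked."""
    attrs = parse_request(request_text)
    login = attrs.get("sasl_username", "")
    if not login:
        return "action=DUNNO"  # not authenticated: leave to other restrictions
    if sender_allowed(login, attrs.get("sender", ""), table):
        return "action=DUNNO"
    return "action=REJECT sender address not permitted for this login"
```

The message's From: header is not part of such a request, so this covers the envelope sender only.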

On 07/18/2014 06:37 AM, Amit Dalia wrote:
Even I’m thinking this patch is needed. While searching I found one old
patch for the same, but don’t know can we integrate the same in
qmailtoaster.

http://translate.google.co.in/translate?hl=en&sl=tr&u=http://www.endersys.com.tr/blog/2009/12/16/qmail-from-address-and-smtp-auth-username-check-patch/&prev=/search%3Fq%3Dqmail-from-address-and-smtp-auth-username-check-patch/%26client%3Dfirefox-a%26hs%3DKig%26rls%3Dorg.mozilla:en-US:official

If anyone can look into this, that would be great.



*Amit Dalia*

*From:*Dan McAllister [mailto:q...@it4soho.com]
*Sent:* 18 July 2014 18:44
*To:* qmailtoaster-list@qmailtoaster.com
*Subject:* Re: [qmailtoaster] Prevent sender from spoofing email address

On 7/17/2014 7:32 PM, Hasan Akgöz wrote:

    Hi Guys;

    allows SMTP authenticated users to put a fake email address in an
    email's sender field and the email is sent successfully ..How to
    enforce sender/from address to be “logged_u...@test.com
    <mailto:logged_u...@test.com>” in Qmailtoaster ?


Hasan:

I have brought this up before, and there are certain situations where
you NEED for a single auth'd user to be able to "send" mail as anyone.
Specifically, when you're using QMT as a filter or smart-host.

So the short answer to your query is that it cannot be done. Once you
are authenticated to the qmail-smtp program, it will take any email from
you -- including email that is spoofed...

Dan McAllister

PS: I am with you if you believe there should be a way to configure that
-- but that is not an option that I am aware of currently.

