At 08/06/04 11:41 (), Tom Collins wrote:
> On Jun 7, 2004, at 9:28 PM, Devendra Singh wrote:
> > I would like to re-frame my Subject: SMTP Authenticated user is able to
> > impersonate anyone in rcpthosts.
>
> You could re-frame it even more. Authenticated SMTP users can use any
> FROM address and submit mail for any host.
>
> Some clients may have multiple from addresses going through a single
> authenticated session. Limiting them to the address they authenticated as
> may be too strict. Including it in the Received header is probably a more
> useful option.

Dear Tom,

Thanks for understanding. (Sorry, the issue is not related to Vpopmail,
but may be of interest to most.)

Including the authenticated ID in the Received header is good, but still it
would not be able to stop the menace of spamming from your own users (who
is going to monitor the logs of mails sent by users?). Also, in the days of
virus outbreaks and users having passwords saved in their Outlook Express,
the feature can be a saviour.

BTW, Shouguan Lin had pointed to a link
http://night.rdslink.ro/dudu/qmail/
with features

  o Added my own patch, that checks whether the 'mail from' value is
    different from the username used for SMTP AUTH, thus preventing
    source address spoofing. Useful for ISP's that only relay mails
    from authenticated users.
  o The 'mail from' verification is now configurable through a knob
    defined in /var/qmail/control/spoofcheck or in the environment
    variable $SPOOFCHECK

But this is part of a unified patch, which is a difficult situation for me.
It's my request to Dr Erwin Hoffmann through this list that he add the
feature to his authentication patch, which is also included in the
Vpopmail contrib; we would all benefit.

Devendra Singh
__
Devendra Singh
IndiaMART InterMESH Limited
(Global Gateway to Indian Market Place)
B-1, Sector 8, Noida, UP - 201301, India
EPABX : +91-120-2424945, +91-120-3094634, +91-9810646342
Fax: +91-120-2424943
http://www.indiamart.com
http://www.indiangiftsportal.com
http://www.indiantravelportal.com
__
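
The sender check discussed in this message, as an added example that is not part of the original post and is not code from the qmail patch or from vpopmail. The function names, the mode names ("off", "strict", "aliases"), the alias table and the example.com addresses are assumptions made for illustration; the "aliases" mode covers the case raised in the quoted reply, where one authenticated client legitimately uses several from addresses.

```python
# Added example: MAIL FROM check for authenticated SMTP submissions.
# All names, modes and sample data are assumptions, not the patch's code.

def normalize(addr, default_domain):
    """Strip <>, lower-case, and qualify a bare login with default_domain.

    Lower-casing the local part is an assumption that suits most mail
    systems; a site with case-sensitive local parts would drop it.
    """
    addr = addr.strip().strip("<>").lower()
    if addr and "@" not in addr:
        addr = addr + "@" + default_domain
    return addr

def sender_allowed(auth_user, mail_from, mode="strict",
                   aliases=None, default_domain="example.com"):
    """Return (allowed, reason) for one MAIL FROM in an authenticated session.

    "off"     : no check, any FROM address is accepted
    "strict"  : MAIL FROM must equal the authenticated login
    "aliases" : MAIL FROM may also be an address registered for the login
    """
    if mode == "off":
        return True, "check disabled"
    sender = normalize(mail_from, default_domain)
    if sender == "":
        # Policy choice in this sketch: the null sender <> cannot be tied
        # to a login, so it is refused for authenticated relaying.
        return False, "null sender from authenticated client"
    login = normalize(auth_user, default_domain)
    if sender == login:
        return True, "sender matches login"
    if mode == "aliases":
        extra = (aliases or {}).get(login, ())
        if sender in {normalize(a, default_domain) for a in extra}:
            return True, "sender is a registered alias"
    return False, "sender %s not permitted for %s" % (sender, login)

# Constructed sample data: alias table and (login, MAIL FROM) pairs.
ALIASES = {"alice@example.com": ["sales@example.com"]}
SESSIONS = [("alice", "<Alice@Example.COM>"),
            ("alice@example.com", "<sales@example.com>"),
            ("alice@example.com", "<ceo@example.com>"),
            ("alice@example.com", "<>")]

if __name__ == "__main__":
    for user, frm in SESSIONS:
        print(user, frm, sender_allowed(user, frm, "aliases", ALIASES))
```

Logging the reason string for each refusal gives the per-user record that the message notes nobody otherwise reads.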