If you don't sign the whole message, this can be easily forged.


b

Serge Knystautas wrote:

Vincenzo Gianferrari Pini wrote:

Why not consider a different approach: if (i) SMTPAuth is on, and (ii) the "From" user is the same as the SMTPAuth-enticated user, a "Sign" mailet could sign the message using a single common "server" certificate, certifying that the sender email address was not forged. This is not a sender's signature, but James certifying the truthfulness of the sender, or better, of the sender's email address. It is a weaker signature, but exactly what Serge is looking for, and IMO very useful.


I like this notion... maybe not the means that you authenticate, but the point is the server could sign the message to say this domain sent it.

When a mail server receives the message, it could check whether this was a valid message from an email address of that domain.

Last step is to add something to DNS so anyone could see whether a domain mandates this technique. I would think someone like Yahoo! would jump at this... anyone with this check in their server could confirm that a message sent by [EMAIL PROTECTED] was in fact originated by a yahoo.com server.
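The scheme sketched in this thread (sign at the sending server when the SMTP AUTH user matches the From address, verify at the receiver against a key and policy published for the domain) as an added, self-contained illustration. This is not James code and not a proposed mailet: the header name `X-Domain-Signature`, the record name `_mailsig.<domain>`, the tag syntax, the `mandatory` policy flag, the toy hash-then-sign RSA (no padding, 512-bit modulus, demo only) and the sample messages are all assumptions made here. DNS is stood in for by a dict. The body is included in the signed input, which is the point made at the top of the thread: signing only headers leaves the body forgeable.

```python
import hashlib
import secrets

# ---- toy RSA, hash-then-sign. Demo only: no padding, 512-bit modulus. ----

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Returns ((n, e), (n, d)); the public half is what a domain would publish."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

# ---- canonical form: the listed headers plus the whole body ----

SIG_HEADER = "X-Domain-Signature"   # hypothetical header name (assumption)
SIGNED = ("from", "to", "subject")  # headers covered by the signature

def _digest(headers, body, signed_names):
    lower = {k.lower(): v for k, v in headers.items()}
    h = hashlib.sha256()
    for name in signed_names:
        h.update(f"{name}:{lower.get(name, '').strip()}\n".encode())
    h.update(b"\n" + body.rstrip("\r\n").encode() + b"\n")
    return int.from_bytes(h.digest(), "big")

def sign_outgoing(headers, body, auth_user, domain, private_key):
    """Sending-server side: sign only when the SMTP AUTH user is the From
    address and that address belongs to the domain whose key this server holds.
    Returns the new header dict, or None when the server refuses to vouch."""
    sender = headers["From"].strip().lower()
    if sender != auth_user.lower() or sender.rsplit("@", 1)[1] != domain:
        return None
    n, d = private_key
    sig = pow(_digest(headers, body, SIGNED), d, n)
    return {**headers, SIG_HEADER: f"d={domain}; h={':'.join(SIGNED)}; s={sig:x}"}

def verify_incoming(headers, body, dns):
    """Receiving side. `dns` stands in for a lookup of _mailsig.<domain>
    (hypothetical record) carrying the public key and whether the domain
    mandates signing. Verdicts: "pass", "fail", or "none" (unsigned, no policy)."""
    sender_domain = headers["From"].strip().lower().rsplit("@", 1)[1]
    policy = dns.get(f"_mailsig.{sender_domain}")
    sig_header = headers.get(SIG_HEADER)
    if sig_header is None:
        return "fail" if policy and policy["mandatory"] else "none"
    tags = dict(t.strip().split("=", 1) for t in sig_header.split(";"))
    # The signing domain must be the From domain: a key for attacker.example
    # must not be able to vouch for a From address at another domain.
    if policy is None or tags["d"] != sender_domain:
        return "fail"
    recovered = pow(int(tags["s"], 16), policy["e"], policy["n"])
    return "pass" if recovered == _digest(headers, body, tags["h"].split(":")) else "fail"

if __name__ == "__main__":
    # Constructed sample: one domain publishes a key and mandates signing.
    pub, priv = generate_keypair()
    dns = {"_mailsig.example.com": {"mandatory": True, "n": pub[0], "e": pub[1]}}
    hdrs = {"From": "alice@example.com", "To": "bob@example.net", "Subject": "invoice"}
    signed = sign_outgoing(hdrs, "pay me 10\n", "alice@example.com", "example.com", priv)
    print(verify_incoming(signed, "pay me 10\n", dns))      # pass
    print(verify_incoming(signed, "pay me 1000\n", dns))    # fail: body altered in transit
    print(verify_incoming(hdrs, "pay me 10\n", dns))        # fail: domain mandates signing
```

The `mandatory` flag models the last step in the thread: a receiver that finds a policy record for the From domain can reject unsigned mail claiming to be from it, while domains that publish nothing still get "none" rather than a failure.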






