> Tomas Kuliavas said:
>> In some cases this header is not a security problem, but a security feature.
>> If the admin does not understand possible sender forging issues, removal of
>> the authenticated header creates a security problem in the default SquirrelMail
>> configuration.
>
> Yes, I understand that. I am the administrator. However, it also creates a
> security and privacy issue, and in fact I have received spam to the
> address shown in this header even though that address is never used for
> receiving mail. (The login address is used solely for login.)
>
> I'd like to disable it, either systemwide or on a per-user basis. However,
> I'd prefer not to have to manually hack the code. I hope someone will
> provide this as an option in core or as a plugin.

You want an option that is not secure when implemented incorrectly.

I think you can't do that as a plugin. There are no hooks in the delivery class.

It should be implemented in 1.4.5cvs within two weeks, if the stable team
accepts the patch. The header won't be removed if $edit_identity is set to
true. If the admin understands the risk of message forging, he or she can use
The Force and modify the SquirrelMail source. The option will warn about forging
and indicate the file that has to be modified.

-- 
Tomas


--
squirrelmail-users mailing list
Posting Guidelines: 
http://squirrelmail.org/wiki/wiki.php?MailingListPostingGuidelines
List Address: [email protected]
List Archives: 
http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
