On Oct 20, 2006, at 8:14 PM, Rick Romero wrote:
I have an auditor who is telling me that allowing non-SMTP-AUTHd clients
to use a valid local user in MAIL FROM: is a potential spoof, and a
security vulnerability.

I don't know if it came up in the original thread, but enforcing that limitation assumes that your users send all of their email through your server. I guess no one works from the road and has to use the ISP's mail server for outbound messages.

It might be a good way to detect possible spam, and I can see a grain of truth in their reasoning. If you enforce that policy, the Return-Path header on email received on your server should be accurate if it's a local domain.

I'll tell the auditors that your Received headers contain the SMTP AUTH information of any validated users, so if you need to validate a message with a forged MAIL FROM header, you just need to look at the Received headers.

After that, forge an email from [EMAIL PROTECTED] thanking them for their efforts in securing the homeland. ;-)

--
Tom Collins  -  [EMAIL PROTECTED]
Vpopmail - virtual domains for qmail: http://vpopmail.sf.net/
QmailAdmin - web interface for Vpopmail: http://qmailadmin.sf.net/
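A defender-side check of the kind this reply describes, as an added example that is not part of the original thread or of vpopmail/qmail: it flags a message whose Return-Path is a local user but whose Received header, as stamped by our own server, records no SMTP AUTH. The hostnames, the "(Authenticated sender: ...)" wording and the sample messages are assumptions; only the RFC 3848 ESMTPA/ESMTPSA keywords are standard.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed: domains this server hosts, and the hostname it writes into
# the "by" clause of the Received header it adds itself.
LOCAL_DOMAINS = {"example.com"}
OUR_HOSTS = {"mail.example.com"}
# RFC 3848 "with ESMTPA"/"ESMTPSA" marks an authenticated session; the
# "(Authenticated sender: ...)" comment is an assumed MTA-specific form.
AUTH_RE = re.compile(r"\bwith ESMTPS?A\b|\(authenticated sender:", re.I)
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)

def envelope_sender(msg):
    """Return-Path address, lower-cased; empty string if the header is absent."""
    return parseaddr(msg.get("Return-Path", ""))[1].lower()

def is_local(addr):
    return "@" in addr and addr.rsplit("@", 1)[1] in LOCAL_DOMAINS

def authenticated_hops(msg):
    """Received headers stamped by our own host that record SMTP AUTH.
    Headers written by other hosts arrived inside the message and are ignored."""
    hops = []
    for hdr in msg.get_all("Received", []):
        by = BY_RE.search(hdr)
        if by and by.group(1).lower() in OUR_HOSTS and AUTH_RE.search(hdr):
            hops.append(hdr)
    return hops

def check_envelope(raw):
    """Flag a local Return-Path that no authenticated hop of ours vouches for."""
    msg = message_from_string(raw)
    sender = envelope_sender(msg)
    local, authed = is_local(sender), bool(authenticated_hops(msg))
    return {"return_path": sender, "local_sender": local,
            "authenticated": authed, "suspect": local and not authed}

# Constructed sample messages, not captured traffic.
GENUINE = """Return-Path: <alice@example.com>
Received: from laptop.example.net (laptop.example.net [192.0.2.10])
\tby mail.example.com with ESMTPSA id 1A2B3C
\t(Authenticated sender: alice@example.com); Fri, 20 Oct 2006 20:14:00 -0500
"""
FORGED = """Return-Path: <alice@example.com>
Received: from mx.attacker.invalid (mx.attacker.invalid [198.51.100.7])
\tby mail.example.com with ESMTP id 4D5E6F; Fri, 20 Oct 2006 20:15:00 -0500
Received: from nowhere by relay.attacker.invalid with ESMTPA
\t(Authenticated sender: alice@example.com); Fri, 20 Oct 2006 20:14:30 -0500
"""
```

Note that the forged sample carries an "authenticated" Received header of its own; the check ignores it because only the header our server added is trustworthy.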

