On Sat, 13 Jul 2019 at 10:47, Matus UHLAR - fantomas <[email protected]> wrote:
>
> On 12.07.19 16:47, Deeztek Support wrote:
> >> BUT... amavis identifies the address by matching the envelope sender OR
> >> the From: header sender. So (in theory) a spammer can easily fake the
> >> envelope sender and get whitelisted.
> >
> >I was under the impression that amavis uses the Return-Path header and not
> >the From header.
>
> It's actually envelope from header.
> Yes, amavis uses that one.

I quote again from amavis 2.6.6 release notes: "white and blacklisting now takes into account both the SMTP envelope sender address, as well as the author address from a header section (address(es) in a 'From:' header field). Note that whitelisting based only on a sender-specified address is mostly useless nowadays." You can confirm this by looking at the code.
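
Added example, not part of the original message and not amavis code: a Python model of the matching rule quoted from the release notes (envelope sender OR `From:` author), next to a stricter check that honours the whitelist only when the author's domain has a DKIM pass. The DKIM gate, the `mx.local.example` authserv-id and all addresses are assumptions made for illustration; the thread itself does not prescribe a fix.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed whitelist; every address and host below is a made-up example.
WHITELIST = {"billing@partner.example"}

def author_addresses(msg):
    """All addresses found in the From: header field(s), lowercased."""
    return {a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a}

def naive_whitelisted(envelope_sender, msg):
    """Rule as quoted from the release notes: envelope sender OR From: author."""
    return bool(({envelope_sender.lower()} | author_addresses(msg)) & WHITELIST)

def dkim_pass_domains(msg, trusted_authserv="mx.local.example"):
    """Domains with dkim=pass in Authentication-Results written by our own MTA.
    Assumption: the MTA removes forged copies of this header on receipt."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        if parts[0].lower() != trusted_authserv:
            continue  # header from another host proves nothing to us
        for part in parts[1:]:
            tokens = part.split()
            if tokens and tokens[0].lower() == "dkim=pass":
                for tok in tokens[1:]:
                    if tok.lower().startswith("header.d="):
                        domains.add(tok[len("header.d="):].lower())
    return domains

def authenticated_whitelisted(msg):
    """Honour the whitelist only for From: authors whose domain passed DKIM."""
    passed = dkim_pass_domains(msg)
    return any(a in WHITELIST and a.rsplit("@", 1)[-1] in passed
               for a in author_addresses(msg))

# Constructed messages: same From: line, different authentication results.
SPOOFED = message_from_string(
    "From: Billing <billing@partner.example>\n"
    "Authentication-Results: mx.local.example; dkim=none\n"
    "Subject: invoice\n\nbody\n")
GENUINE = message_from_string(
    "From: Billing <billing@partner.example>\n"
    "Authentication-Results: mx.local.example;"
    " dkim=pass header.d=partner.example\n"
    "Subject: invoice\n\nbody\n")
```
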
