Phillip Hutchings [EMAIL PROTECTED] wrote:
> > Generally enforcing the "From:" header to be within a hosted domain
> > doesn't make much sense.  The "From:" header only contains the
> > sender's address if there's no "Sender:" header.  Generally, checking
> > the *envelope sender* (from the message control file) is a better
> > idea.
> 
> Generally there's no Sender: header on personal emails. Lists often use
> them, but most MUAs don't.  I know my mail client doesn't even listen
> to it, much to my annoyance. Bug reports have been filed :)
> 
> People who want this sort of control are more likely to be worried
> about the From: header, as that's what shows to the receivers of the
> e-mails. Considering that, the envelope sender makes little sense to
> check, as it has no relation to the MUA's From: header. Normally MUAs
> link them, but they don't have to.

First, it's just plain wrong to generally rely on the "From:" header.  To determine 
the alleged sender address (it cannot be the *true* sender since it is easily 
forgeable), you may rely on the "From:" header exactly as long as there is no 
"Sender:" header.  Regardless of how often that is the case, if there is a "Sender:" 
header, you *must* consider its value over the "From:" header as the alleged sender 
address.  There's simply no point in arguing about that.

You might want to always consider the "From:" header the sender address *for 
simplicity of code*, but be aware that it's just plain wrong.

Second, IMO it *does* make sense to rely on the envelope sender if you somehow verify 
its validity (using sender authorization schemes or anti-forgery schemes like SPF, or 
maybe even Yahoo's DomainKeys) and then overwrite any existing "Sender:" header with 
it, optionally adding an "X-Message-Flag:" header as a warning if the original 
"Sender:" header contained a differing address.  This methodology can even be a tool 
against phishing (visually faking the "From:" or "Sender:" addresses, e.g. "[EMAIL 
PROTECTED]" or "[EMAIL PROTECTED] <[EMAIL PROTECTED]>").
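The header rules and the envelope-sender rewrite described in this reply, as an added illustration that is not code from the thread or from Courier. It assumes the MTA has already verified the envelope sender (for instance with SPF) before this step runs; the messages, addresses and the `X-Message-Flag` wording are constructed for the example.

```python
"""Sender-identity checks for an inbound message (added example, not Courier code).

Assumes the envelope sender passed to stamp_verified_sender() was verified by the
MTA beforehand (e.g. SPF). Sample messages and addresses are constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

WARNING_HEADER = "X-Message-Flag"   # warning header name used in the reply above


def alleged_sender(msg: Message) -> str:
    """Which header names the alleged sender: Sender: wins, From: only if absent.

    This proves nothing about who really sent the mail; it only picks the header."""
    for name in ("Sender", "From"):
        value = msg.get(name)
        if value:
            return parseaddr(value)[1].lower()
    return ""


def in_hosted_domain(addr: str, hosted_domains: set[str]) -> bool:
    """True if the mailbox belongs to one of the domains we host."""
    return addr.rpartition("@")[2].lower() in hosted_domains


def stamp_verified_sender(msg: Message, envelope_sender: str) -> bool:
    """Overwrite Sender: with the verified envelope sender.

    Returns True (and adds an X-Message-Flag warning) when the message's own
    alleged sender disagreed with the envelope sender."""
    original = alleged_sender(msg)
    envelope = envelope_sender.lower()
    del msg["Sender"]                # no-op if the header is absent
    msg["Sender"] = envelope
    if original and original != envelope:
        msg[WARNING_HEADER] = (
            f"Sender header rewritten: message claimed {original}, "
            f"envelope sender is {envelope}"
        )
        return True
    return False


def lookalike_display_name(msg: Message) -> bool:
    """Detect the visual forgery mentioned in the reply: a display name that itself
    looks like an address but differs from the real mailbox, e.g.
    "ceo@bank.example" <mallory@elsewhere.example>."""
    for name in ("From", "Sender"):
        display, addr = parseaddr(msg.get(name, ""))
        if "@" in display and display.lower() != addr.lower():
            return True
    return False


def check_message(raw: str, envelope_sender: str, hosted_domains: set[str]) -> dict:
    """Run all checks on one message and report what happened (constructed policy)."""
    msg = message_from_string(raw)
    alleged_before = alleged_sender(msg)
    lookalike = lookalike_display_name(msg)
    flagged = stamp_verified_sender(msg, envelope_sender)
    return {
        "alleged_before": alleged_before,
        "envelope_hosted": in_hosted_domain(envelope_sender, hosted_domains),
        "lookalike": lookalike,
        "flagged": flagged,
        "sender_after": msg["Sender"],
        "warning": msg.get(WARNING_HEADER),
    }


# Constructed sample 1: forged display name, envelope differs from the From: mailbox.
SAMPLE_FORGED = """\
From: "ceo@bank.example" <mallory@elsewhere.example>
To: victim@hosted.example
Subject: urgent

please wire the money
"""

# Constructed sample 2: ordinary list mail where Sender: legitimately differs from From:.
SAMPLE_LIST = """\
From: Alice <alice@hosted.example>
Sender: list-bounces@lists.example
To: list@lists.example
Subject: [list] hello

hi all
"""

if __name__ == "__main__":
    print(check_message(SAMPLE_FORGED, "bounce@elsewhere.example", {"hosted.example"}))
    print(check_message(SAMPLE_LIST, "list-bounces@lists.example", {"hosted.example"}))
```

On the forged sample the From: mailbox is read as the alleged sender only because there is no Sender: header; the envelope sender then replaces it and the mismatch is recorded in the warning header, while the display-name check catches the visual trick independently. On the list sample Sender: is correctly preferred over From:, matches the envelope, and nothing is flagged.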

_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users