Michael Poole wrote:
> Julian Mehnle writes:
> > Don't you agree on my understanding of a sender address (or source
> > mailbox) being the address (or source mailbox) the sender sends
> > from? If so, please state it explicitly, so I have something I can
> > argue against. :-)
>
> Mail is not sent from any particular address at all; it is sent by a
> person or program. It is delivered to one or more addresses. The
> From: address and SMTP and envelope sender addresses are for human
> understanding and status reporting.

It does very well make sense to specify a "sender address" for an e-mail, and that's exactly what the SMTP "MAIL FROM" command AKA envelope-from (and the "Sender:" header) is meant to be. Even RFCs (2)821 and (2)822 articulate it that way. Nowhere do these RFCs state that the envelope-from can or should be used for status reporting *only*, do they?

> Forgery generally means to create written authorization that shows
> false provenance.

No. You can also forge paintings as well as originator address specifications and other information. Call it counterfeiting, but essentially it's the same thing.

> A user who indicates status messages should go to his own address is
> not forging that address, even if it is not an obvious address given
> the user's hostname.

Agreed, but a user indicating a "MAIL FROM: <[EMAIL PROTECTED]>" while sending from a host in the "bar.org" domain is forging the "MAIL FROM" address.

> It probably is useful to perform checks on those addresses, to verify
> that the administrator of the domain allows the sender to claim an
> identity under the domain. If such an authorization check fails,
> forgery is just one possible explanation.

Generally true, but in part it depends on how you define "forgery".