I'm working on a free software package due to be launched on freshmeat
some time soon (next month most probably). The program is a project
development environment, somewhat similar to phpGroupWare but, I like to
think, better and with less bugs.
Due to the nature of the project I need to be able to give registered
users the ability to upload data in the system via e-mail. This
obviously means checking who the originator of the e-mail is, apart from
actually processing the e-mail (which works fine).
My problem is, how do I check that securely? I'm currently using the
headers of the e-mail for the "from:" field and check it against the
registered users' e-mail addresses. Works fine. But I guess that's
pretty easy to trick.
I basically have two concerns: one is that a person may send an e-mail
with fake headers. The other is that a user (or non-user) on the same
domain with another user would be able to send messages using the second
guy's e-mail account (that's because SMTP doesn't have any security
mechanism and one can easily impersonate somebody else once they're
logged on a computer with SMTP permissions on the mail server).
Did anybody run into this kind of problem? Any suggestions?
Thanks in advance - I'll let you know when we release this thing if
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]