Noel, Thanks again, points acknowledged. I can't figure out how to edit
the From: in Thunderbird without simultaneously changing the envelope
value, but that's just one client among many.
Re: the From:/Reply-To cases: It seems one can write a better regexp
then given by mouss, such as including angle brackets in the match
field, or the full syntax /user@domain|".*"\b*<user@domain>\b*/. (This
is a guess at the full syntax anyway, haven't read any RFCs recently.)
But at some point, it seems one can try too hard to prevent such
"masquerading" activity and instead one has to look at throttling or
quota limits based on usage statistics (assuming overuse is the real
concern). If this were a standard need, I imagine there would be a
canned, comprehensive, iron-clad solution.
-Daniel
On 1/30/2011 10:16 PM, Noel Jones wrote:
On 1/30/2011 6:17 PM, Daniel Bromberg wrote:
Conceivably, someone could hack a non-standard e-mail client
to use the SASL name in the MAIL FROM, but tweak the 'From: '
line to anything they like (although the MAIL FROM would
appear in the Return-Path / Sender fields), and this is harder
to stop, correct? But we are in rare corner cases now, not
ordinary users I would think.
I think alternate From: is a fairly standard feature, no hacking
required. Even easier for them to use Reply-To:, which is supported
by pretty much every mail client and aided by the fact that when
reading mail, some popular mail clients don't show the address of the
sender, only the name.
As mouss already pointed out, you can use a header_checks rule on
submission/smtps that rejects mail that doesn't have 'From:
.*@example.com', but it's not iron-clad protection.
Also note that defining a separate header_checks for submission/smtps
requires defining an alternate cleanup_service, or a separate postfix
instance. Examples can be found in the archives.
-- Noel Jones
