At 07/06/04 21:27 (), you wrote:
On Monday 07 June 2004 10:17 am, Devendra Singh wrote:
> Sorry Jeremy,
> Perhaps I was unable to explain the problem properly.
> Suppose a Server is hosting the following domains:
> ....
> ....


> Now, the user [EMAIL PROTECTED] has been enabled for SMTP (not POP-Before SMTP
> but SMTP-AUTH using Erwin's Patch).
> If the user [EMAIL PROTECTED] tries to send an email as [EMAIL PROTECTED] in FROM
> headers, its denied.

no, it's not, unless you've got some funky stuff set up, in which case, you'll
have to provide more details.

> But, if he impersonates (for say spamming) in FROM
> headers as [EMAIL PROTECTED] or even [EMAIL PROTECTED] his outgoing mail would go
> through. Isn't this a case to worry?

well, if you see it happening, that's why <insert deity here> created userdel.

> The example that you have talked about is totally unrelated to the above
> explained situation.

no, it's entirely the same concept.  Why let an unauthenticated user use any
combination of envelope sender/header information but restrict authenticated
users.  Doesn't make much sense to me.



Again I am misunderstood. But, "Shouguan Lin" has understood the point.

I would like to re-frame my Subject: "SMTP Authenticated user is able to impersonate anyone in rcpthosts".

The SMTP-AUTH Patch by Erwin Hoffmann (from "qmail-smtpd-auth-0.4.2" recommended by latest Vpopmail has the functionality as discussed earlier.

Dr Erwin are you listening??

The unauthenticated users can easily be prevented to use "any combination of envelope sender/header information" by using Split Horizon Check, which I am already using.

Devendra Singh

Devendra Singh
IndiaMART InterMESH Limited
(Global Gateway to Indian Market Place)
B-1, Sector 8, Noida, UP - 201301, India
EPABX : +91-120-2424945, +91-120-3094634, +91-9810646342
Fax: +91-120-2424943

Reply via email to