On Monday 07 June 2004 10:17 am, Devendra Singh wrote: > > Sorry Jeremy, > > Perhaps I was unable to explain the problem properly. > > Suppose a Server is hosting the following domains: > > abc.com > xyz.com > test.com > .... > ....
> Now, the user [EMAIL PROTECTED] has been enabled for SMTP (not POP-Before SMTP > but SMTP-AUTH using Erwin's Patch). > > If the user [EMAIL PROTECTED] tries to send an email as [EMAIL PROTECTED] in FROM > headers, its denied.
no, it's not, unless you've got some funky stuff set up, in which case, you'll
have to provide more details.
> But, if he impersonates (for say spamming) in FROM > headers as [EMAIL PROTECTED] or even [EMAIL PROTECTED] his outgoing mail would go > through. Isn't this a case to worry?
well, if you see it happening, that's why <insert deity here> created userdel.
> The example that you have talked about is totally unrelated to the above > explained situation.
no, it's entirely the same concept. Why let an unauthenticated user use any combination of envelope sender/header information but restrict authenticated users. Doesn't make much sense to me.
Again I am misunderstood. But, "Shouguan Lin" has understood the point.
I would like to re-frame my Subject: "SMTP Authenticated user is able to impersonate anyone in rcpthosts".
The SMTP-AUTH Patch by Erwin Hoffmann (from http://www.fehcom.de) "qmail-smtpd-auth-0.4.2" recommended by latest Vpopmail has the functionality as discussed earlier.
Dr Erwin are you listening??
The unauthenticated users can easily be prevented to use "any combination of envelope sender/header information" by using Split Horizon Check, which I am already using.
IndiaMART InterMESH Limited
(Global Gateway to Indian Market Place)
B-1, Sector 8, Noida, UP - 201301, India
EPABX : +91-120-2424945, +91-120-3094634, +91-9810646342