On Jun 7, 2004, at 9:28 PM, Devendra Singh wrote:
I would like to re-frame my Subject: "SMTP Authenticated user is able to impersonate anyone in rcpthosts".
You could re-frame it even more. Authenticated SMTP users can use any FROM address and submit mail for any host.
Some clients may have multiple from addresses going through a single authenticated session. Limiting them to the address they authenticated as may be too strict. Including it in the Received header is probably a more useful option.
Thanks for understanding. (Sorry, the issue is not related to Vpopmail, but may be of interest to most.)
Including the authenticated ID in the Received header is good, but still it would not be able to stop the menace of spamming from your own users (who is going to monitor the logs of mails sent by users?). Also, in these days of virus outbreaks and users having passwords saved in their Outlook Express, the feature can be a saviour.
BTW, Shouguan Lin had pointed to a link http://night.rdslink.ro/dudu/qmail/ with features
o Added my own patch, that checks whether the 'mail from' value is
  different from the username used for SMTP AUTH, thus preventing
  source address spoofing. Useful for ISP's that only relay mails
  from authenticated users.
o The 'mail from' verification is now configurable through a knob
  defined in /var/qmail/control/spoofcheck or in the environment
But this is part of a unified patch, which is a difficult situation for me.
It's my request to Dr Erwin Hoffmann through this list: if he adds the feature to his authentication patch, which is also included in the Vpopmail contrib, we would all benefit.
IndiaMART InterMESH Limited
(Global Gateway to Indian Market Place)
B-1, Sector 8, Noida, UP - 201301, India
EPABX : +91-120-2424945, +91-120-3094634, +91-9810646342
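
The two options discussed in this thread, comparing MAIL FROM with the SMTP AUTH login and recording the login in the Received header, sketched as an added example; this is not code from the patch linked above, from qmail, or from Vpopmail. The function names, the `spoofcheck` enum values, the default-domain handling and the case-insensitive comparison are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical knob values; the thread only says the check is configurable. */
enum spoofcheck { SPOOFCHECK_OFF = 0, SPOOFCHECK_ON = 1 };

/* Returns 1 if MAIL FROM may be accepted for this AUTH login, 0 to reject. */
int sender_allowed(const char *auth_user, const char *mail_from,
                   const char *default_domain, enum spoofcheck knob)
{
    char login[256];
    int n;

    if (knob == SPOOFCHECK_OFF) return 1;
    if (!auth_user || !*auth_user) return 0;   /* check only applies after AUTH */
    if (!mail_from || !*mail_from) return 1;   /* null sender <> (DSN/MDN): allowed here */
    /* Assumption: a login without a domain belongs to default_domain. */
    if (strchr(auth_user, '@'))
        n = snprintf(login, sizeof login, "%s", auth_user);
    else
        n = snprintf(login, sizeof login, "%s@%s", auth_user,
                     default_domain ? default_domain : "");
    if (n < 0 || (size_t)n >= sizeof login) return 0;   /* truncated: fail closed */
    /* Assumption: mailbox names are case-insensitive on this server. */
    return strcasecmp(login, mail_from) == 0;
}

/* Builds a Received-header comment naming the AUTH login, the alternative
   raised in the thread. Returns 0 on success, -1 if the login is unsafe. */
int auth_comment(char *out, size_t outlen, const char *auth_user)
{
    const unsigned char *p;
    int n;

    if (!auth_user || !*auth_user) return -1;
    for (p = (const unsigned char *)auth_user; *p; p++)
        if (iscntrl(*p) || *p == '(' || *p == ')' || *p == '\\')
            return -1;   /* would close the comment early or inject a header line */
    n = snprintf(out, outlen, "(authenticated as %s)", auth_user);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

With the knob on, a client that legitimately sends from several addresses in one authenticated session is rejected for all but one of them, which is the trade-off raised in the quoted reply; the header comment keeps those sessions working and leaves the login visible for later log review.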