On Oct 20, 2006, at 8:14 PM, Rick Romero wrote:
I have an auditor who is telling me that allowing non-SMTP-AUTHd clients
to use a valid local user in MAIL FROM: is a potential spoof, and a
security vulnerability.

I don't know if it came up in the original thread, but enforcing that limitation assumes that your users send all of their email through your server. I guess no one works from the road and has to use the ISP's mail server for outbound messages.

It might be a good way to detect possible spam, and I can see a grain of truth in their reasoning. If you enforce that policy, the Return- Path header on email received on your sever should be accurate if it's a local domain.

I'll tell the auditors that your Received headers contain the SMTP AUTH information of any validated users, so if you need to validate a message with a forged MAIL FROM header, you just need to look at the Received headers.

After that, forge an email from [EMAIL PROTECTED] thanking them for their efforts in securing the homeland. ;-)

Tom Collins  -  [EMAIL PROTECTED]
Vpopmail - virtual domains for qmail: http://vpopmail.sf.net/
QmailAdmin - web interface for Vpopmail: http://qmailadmin.sf.net/

Reply via email to