Quoting Tom Collins <[EMAIL PROTECTED]>:

> On Oct 20, 2006, at 8:14 PM, Rick Romero wrote:
> >> I have an auditor who is telling me that allowing non-SMTP-AUTHd
> >> clients
> >> to use a valid local user in MAIL FROM: is a potential spoof, and a
> >> security vulnerability.
>
> I don't know if it came up in the original thread, but enforcing that
> limitation assumes that your users send all of their email through
> your server.  I guess no one works from the road and has to use the
> ISP's mail server for outbound messages.
>
> It might be a good way to detect possible spam, and I can see a grain
> of truth in their reasoning.  If you enforce that policy, the Return-Path
> header on email received on your server should be accurate if
> it's a local domain.
>
> I'll tell the auditors that your Received headers contain the SMTP
> AUTH information of any validated users, so if you need to validate a
> message with a forged MAIL FROM header, you just need to look at the
> Received headers.
>
> After that, forge an email from [EMAIL PROTECTED] thanking
> them for their efforts in securing the homeland.  ;-)
>

lol.   Did I mention their SMTP server was replacing an empty 'FROM:' with the
'MAIL FROM:' data?

*I* inserted the 'SMTP-Auth' variable in that statement.  I honestly don't think
they even know what it is, but to begin to attempt to prevent some sort of
spoofing, it would almost be required.  One thing I also noticed that I found
odd about their 'spoofing' test, was that they don't even publish SPF records
themselves.   If spoofing an internal user was such an issue, you would think
they'd also publish SPF - so those users couldn't be spoofed against another
company's mail server... *shrug*

These guys are a real headache - but we passed, so I don't need to fight with
them for another year :)

Rick

> --
> Tom Collins  -  [EMAIL PROTECTED]
> Vpopmail - virtual domains for qmail: http://vpopmail.sf.net/
> QmailAdmin - web interface for Vpopmail: http://qmailadmin.sf.net/
>
>
>
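As an added example (not part of this thread, and not code from vpopmail, qmail or any other project named here), the check Tom describes can be scripted: trust only the Received line your own MTA stamped on ingress, read the SMTP AUTH identity from it, and compare it with the envelope sender in Return-Path. The hostname mail.example.com, the domain example.com, the "(Authenticated sender: ...)" marker (a Postfix-style convention; qmail-based setups may record it differently) and the sample messages are all constructed assumptions for this example.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumed site settings (constructed for this example).
LOCAL_DOMAINS = {"example.com"}
OUR_MTA = "mail.example.com"

# Marker the receiving MTA writes into its Received header when the client
# passed SMTP AUTH. The "(Authenticated sender: ...)" form is an assumption;
# confirm your own MTA's Received format before relying on this pattern.
AUTH_MARKER = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)", re.I)
OUR_HOP = re.compile(r"\bby\s+" + re.escape(OUR_MTA) + r"\b", re.I)


def sender_domain(return_path: str) -> str:
    """Domain part of the envelope sender recorded in Return-Path, lower-cased."""
    _, addr = parseaddr(return_path or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def ingress_auth_user(received_headers):
    """SMTP AUTH identity from the hop our MTA added, or None if there was none.

    Only hops stamped "by OUR_MTA" are trusted: any Received lines above them
    were written by other hosts and can say anything.
    """
    for hop in received_headers:
        flat = " ".join(str(hop).split())  # unfold continuation lines
        if OUR_HOP.search(flat):
            m = AUTH_MARKER.search(flat)
            if m:
                return m.group(1).lower()
    return None


def classify(raw: bytes) -> dict:
    """Compare the Return-Path sender with the authenticated identity."""
    msg = message_from_bytes(raw, policy=policy.default)
    return_path = str(msg.get("Return-Path", ""))
    _, envelope_sender = parseaddr(return_path)
    envelope_sender = envelope_sender.lower()
    domain = sender_domain(return_path)
    auth_user = ingress_auth_user(msg.get_all("Received", []))

    if domain not in LOCAL_DOMAINS:
        verdict = "external"                      # not a local sender, out of scope
    elif auth_user is None:
        verdict = "unauthenticated-local-sender"  # the case the auditor flagged
    elif auth_user == envelope_sender:
        verdict = "authenticated"
    else:
        verdict = "authenticated-as-other-user"   # forged MAIL FROM, real account known
    return {"envelope_sender": envelope_sender, "auth_user": auth_user, "verdict": verdict}


def _build(return_path: str, received: str) -> bytes:
    """Assemble a minimal constructed message with one Received header."""
    lines = [
        f"Return-Path: <{return_path}>",
        f"Received: {received}",
        f"From: <{return_path}>",
        "To: bob@example.com",
        "Subject: constructed sample",
        "",
        "body",
        "",
    ]
    return "\r\n".join(lines).encode()


# Constructed sample messages; addresses and hosts are documentation values.
SAMPLES = {
    "authed": _build(
        "alice@example.com",
        "from laptop.home (203.0.113.5) by mail.example.com with ESMTPSA\r\n"
        "\t(Authenticated sender: alice@example.com); Sat, 21 Oct 2006 10:00:00 -0500",
    ),
    "spoofed": _build(
        "alice@example.com",
        "from relay.example.net (198.51.100.7) by mail.example.com with ESMTP;"
        " Sat, 21 Oct 2006 10:05:00 -0500",
    ),
    "mismatch": _build(
        "bob@example.com",
        "from laptop.home (203.0.113.5) by mail.example.com with ESMTPSA\r\n"
        "\t(Authenticated sender: alice@example.com); Sat, 21 Oct 2006 10:10:00 -0500",
    ),
    "external": _build(
        "someone@example.org",
        "from mx.example.org (192.0.2.9) by mail.example.com with ESMTP;"
        " Sat, 21 Oct 2006 10:15:00 -0500",
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

Running the block prints a verdict per sample. The "mismatch" case is the one Tom's point rests on: the envelope sender is forged, but the Received line still names the account that actually authenticated, so the message can be traced back to a real user rather than only rejected.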