From: Peter Holm (PHolm@gmx.de)
Date: Mon Jun 04 2001 - 16:25:47 CDT


    Sorry to bother you with this again, but this seems to be somehow
    undocumented, or at least I am not intelligent enough to puzzle it
    together myself:

    when using pbs (pop-before-smtp) that can be found here

    http://people.oven.com/bet/pop-before-smtp/

    this problem occurs:

    after a user is "authenticated", it is possible for him to send mail
    with any account name, so everybody, after popping successfully, could send
    mail as e.g. root@machine.com, or bobby could send as boss@bigcompany.com
    ... ok, that's no wonder, because the script, as I understand it, just
    checks for ip-addresses. That's also a bad idea for people living behind
    a proxy... do I really have to enable my whole department to send mail
    via my account just because we're using the same gateway?

    Wouldn't it be better to check usernames also?
    And how to put this together with postfix to check not only for
    ip-addresses but also that the from-address matches the pop-user-id?
    (something with smtpd_sender_restrictions should be the way?)

    I am new to this and I may be wrong!

    I have hacked one or two little perl scripts, but I do not feel able
    to solve this myself - in fact I wonder that there is not a readymade
    solution for such everyday situations like pop-before-smtp - no wonder
    spammers have an easy life...

    Please, could anybody give me a hint on how to build a pop-before-smtp
    solution that is as reliable and secure as postfix itself? I mean, why
    do you use a secure mailer if you patch something around it that makes
    it insecure?

    Is there a solution that plays well with postfix, that can handle all
    situations needed with virtual hosting, roaming users?

    thank you very much for your attention,
    Peter

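The check Peter asks for, written as an added example (not code from the post or from pop-before-smtp): a small Postfix SMTPD access policy service that keeps the pbs IP grant but rejects a MAIL FROM that is not an address recently authenticated by POP from the same client IP. It assumes a Postfix new enough to offer check_policy_service in smtpd_sender_restrictions; the GRANTS table and GRANT_TTL are constructed stand-ins for the state pop-before-smtp would collect from the POP log.

```python
import sys
import time

# Constructed pop-before-smtp state (assumption): client IP -> {POP login address: time of
# its last successful POP authentication}. A real pbs setup would fill this from the POP log.
GRANTS = {"10.0.0.5": {"peter@example.org": 1000.0, "bobby@example.org": 1500.0}}
GRANT_TTL = 30 * 60  # seconds a POP login stays usable for relaying (assumed value)


def parse_policy_request(raw):
    """Parse one Postfix access policy request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def decide(attrs, grants, now):
    """Return the policy action. Plain pop-before-smtp accepts any envelope sender from a
    granted IP; here the sender must also be an address that recently popped from that IP.
    Relay permission itself stays with the pbs access map, so a match returns DUNNO, not OK."""
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO"
    ip = attrs.get("client_address", "")
    sender = attrs.get("sender", "").lower()
    recent = {u for u, t in grants.get(ip, {}).items() if now - t <= GRANT_TTL}
    if not recent or sender in recent:
        # Not a pbs client, or sender matches a POP login from this IP: defer to other checks.
        # Limitation: users sharing one gateway IP can still send as each other.
        return "action=DUNNO"
    return "action=REJECT Sender does not match a POP login from this client"


def main():
    """Run as a Postfix spawn(8) service: requests on stdin, one action per request on stdout."""
    pending = []
    for line in sys.stdin:
        line = line.rstrip("\n")
        if line:
            pending.append(line)
            continue
        attrs = parse_policy_request("\n".join(pending) + "\n")
        sys.stdout.write(decide(attrs, GRANTS, time.time()) + "\n\n")
        sys.stdout.flush()
        pending = []


if __name__ == "__main__":
    main()
```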