From: Thomas Andres (tandres@vis.ethz.ch)
Date: Tue Jun 05 2001 - 01:58:32 CDT
On Mon, 4 Jun 2001, Peter Holm wrote:
> after a user is "authenticated", it is possible for him to send mail
> with any account name, so everybody after popping successfully could send
> mail as e.g. root@machine.com or bobby could send as boss@bigcompany.com
> ... ok, that's no wonder, because the script, as I understand it, just
> checks for ip-addresses. That's also a bad idea for people living behind
> a proxy... do I really have to enable my whole department to send mail
> via my account just because we're using the same gateway?
I suggest you just forget it. Even if you check the envelope header to
match the authenticated user (which I find a bad idea. If you look at the
header of this mail you see a From header tandres@vis.ethz.ch, but the
mail originates from the domain ergon.ch. Why should this mail not be
sent?) you can still fake the header information. SMTP just doesn't
prevent this. So you'd better live with it. If you want authentication I
suggest using PGP or similar. Everything else won't really help.
Thomas
-- 
First Law of Socio-Genetics: Celibacy is not hereditary.
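The point the thread turns on, as an added example that is not part of the original messages: a relay sees three different sender identities in one SMTP session, and only one of them (the SASL login) is something the server has verified. The envelope MAIL FROM and the From: header are both chosen freely by the client, which is why POP-before-SMTP or an IP check cannot stop an authenticated user from sending as root@machine.com. The transcript, the "bobby"/"boss" session, the allow-map SENDER_LOGIN_MAP and the function names are all constructed for this illustration; the wildcard entry shows how a relay could still permit the legitimate cross-domain case Thomas describes (login at one domain, sender at another) instead of blindly rejecting every mismatch.

```python
import base64
import email
import email.utils

# Constructed SASL PLAIN credential (assumption, not from the thread):
# base64(authzid NUL authcid NUL password) with authcid "bobby".
AUTH_BLOB = base64.b64encode(b"\0bobby\0secret").decode()

# Constructed SMTP session transcript. "S:" lines are the server,
# "C:" lines the client. bobby authenticates as himself, then sets an
# unrelated envelope sender and From: header.
SESSION = f"""\
S: 220 mail.bigcompany.com ESMTP
C: EHLO laptop.example
S: 250-mail.bigcompany.com
S: 250 AUTH PLAIN
C: AUTH PLAIN {AUTH_BLOB}
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<boss@bigcompany.com>
S: 250 2.1.0 Ok
C: RCPT TO:<payroll@bigcompany.com>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "The Boss" <boss@bigcompany.com>
C: To: payroll@bigcompany.com
C: Subject: raise for bobby
C:
C: Please double bobby's salary.
C: .
S: 250 2.0.0 Ok: queued
"""


def parse_session(transcript):
    """Extract the three sender identities a relay sees in one session:
    the SASL login (server-verified), the envelope MAIL FROM (client-chosen)
    and the From: header (client-chosen)."""
    login = envelope = None
    body_lines = []
    in_data = False
    for raw in transcript.splitlines():
        if not raw.startswith("C:"):
            continue  # only client commands decide the identities
        line = raw[3:]  # "C:" with no text yields the empty body separator
        if in_data:
            if line == ".":
                in_data = False
            else:
                body_lines.append(line)
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb == "AUTH":
            # AUTH PLAIN carries base64(authzid NUL authcid NUL password)
            blob = base64.b64decode(line.split(" ", 2)[2])
            login = blob.split(b"\0")[1].decode()
        elif verb == "MAIL":
            envelope = line.split("<", 1)[1].split(">", 1)[0]
        elif verb == "DATA":
            in_data = True
    msg = email.message_from_string("\n".join(body_lines))
    header_from = email.utils.parseaddr(msg["From"] or "")[1]
    return {"login": login, "envelope": envelope, "header": header_from}


# Constructed allow-map (assumption): which envelope senders each login may
# use. "*" lets a login send as any address, covering a user whose mail
# legitimately originates from another domain than the login's.
SENDER_LOGIN_MAP = {
    "bobby": {"bobby@bigcompany.com"},
    "tandres": {"*"},
}


def check_sender(identities, allowed=SENDER_LOGIN_MAP):
    """Return (verdict, reason). The login is the only verified fact; the
    envelope is accepted only if policy binds it to that login. The From:
    header is merely reported, since legitimate mail often has a header
    sender that differs from the envelope."""
    login = identities["login"]
    envelope = identities["envelope"]
    header = identities["header"]
    if login is None:
        return ("reject", "relay requires authentication")
    permitted = allowed.get(login, set())
    if "*" not in permitted and envelope not in permitted:
        return ("reject", f"login {login!r} may not send as {envelope!r}")
    if header == envelope:
        return ("accept", "ok")
    return ("accept", f"header From {header!r} differs from envelope {envelope!r}")


if __name__ == "__main__":
    ids = parse_session(SESSION)
    print(ids)
    print(check_sender(ids))
```

Running it shows the session authenticated as bobby but carrying boss@bigcompany.com in both envelope and header, and the policy rejecting it only because the allow-map binds bobby to his own address; an IP-based check, or no map at all, would have queued the message. It also makes Thomas's caveat concrete: the header comparison is reported rather than enforced, because nothing in SMTP makes the From: header match the envelope, and end-to-end signing such as PGP is what actually ties content to a sender.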