John Hasler wrote:
> Julian Mehnle writes:
> > It does very well make sense to specify a "sender address" for an
> > e-mail, and that's exactly what the SMTP "MAIL FROM" command AKA
> > envelope-from (and the "Sender:" header) is meant to be. Even RFCs
> > (2)821 and (2)822 articulate it that way. Nowhere do these RFCs state
> > that the envelope-from can or should be used for status reporting
> > *only*, do they?
>
> If I go to Eau Claire and drop a letter in a letter box am I required to
> put the address of the box on the letter?

No, but this again is one of these broken "e-mail vs. real world" analogies. You can't receive mail through such a letter box, but a sender address is inherently meant to be a valid address through which you can be contacted (among other criteria). Sender address forgery is not a serious problem with snail mail, but it is with e-mail. And with e-mail, it is possible to do things that are hardly possible with snail mail, e.g. checking the authenticity of the sender address. An e-mail's sender address domain should (in this regard) better be compared to the stamp of the post office where the letter was accepted.

> How about if I go into a library in Eau Claire and send an email? Why
> should I not put my Elmwood address on it?

You may put your Elmwood address into the From: or Reply-To: fields, but should not specify it as the envelope-from.

> Of what possible use to anyone would the address of the machine I sent
> it from be?

If the sender address (envelope-from) of an e-mail was unforgeable (for a given domain), the sender would be guaranteed to have an account at this domain (and be it only to *send* mail), and any abuse could be reliably traced back to the sender's account (not just to the sending host). That's what address forgers fear.