On 2024-10-11 at 01:59:04 UTC-0400 (Fri, 11 Oct 2024 01:59:04 -0400)
Scott Q. via mailop <qm...@top-consulting.net>
is rumored to have said:

> Hi John,
>
> if you don't mind me asking, when you say:
>
> > which makes it easy for any of their customers to SPF spoof any
> > other customer.
>
> you mean the header or the envelope from? Afaik, the envelope from is
> (should be!) tied to the authenticated user

"Should" is an awfully squishy term...

There's no mandate in the spec for ESMTP AUTH that the authentication ID be in any way related to the sender address given in the MAIL FROM command or that either identifier be exposed in any headers.

It's also not a default constraint in many (any?) MTAs.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
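An added example, not part of the message above or of any MTA's own code: because nothing in ESMTP AUTH ties the login to the MAIL FROM address, an operator who wants that constraint has to check for it. This Python script correlates the authenticated login with the envelope sender by queue ID, assuming Postfix-format logs (the thread names no specific MTA); the log lines, addresses and the `find_mismatches` helper are constructed for illustration.

```python
import re

# Constructed sample lines in Postfix's syslog format (assumption: the MTA is
# Postfix; every host, queue ID and address here is made up).
SAMPLE_LOG = """\
Oct 11 01:59:04 mx postfix/submission/smtpd[811]: 4A1B2C3D4E: client=a.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@cust-a.example
Oct 11 01:59:04 mx postfix/qmgr[402]: 4A1B2C3D4E: from=<alice@cust-a.example>, size=2048, nrcpt=1 (queue active)
Oct 11 02:03:17 mx postfix/submission/smtpd[812]: 5F6A7B8C9D: client=b.example[192.0.2.20], sasl_method=LOGIN, sasl_username=bob@cust-b.example
Oct 11 02:03:17 mx postfix/qmgr[402]: 5F6A7B8C9D: from=<ceo@cust-a.example>, size=1711, nrcpt=3 (queue active)
Oct 11 02:05:40 mx postfix/submission/smtpd[813]: 6E5D4C3B2A: client=c.example[192.0.2.30], sasl_method=PLAIN, sasl_username=carol@cust-c.example
Oct 11 02:05:40 mx postfix/qmgr[402]: 6E5D4C3B2A: from=<>, size=900, nrcpt=1 (queue active)
"""

# smtpd logs the SASL login when it accepts the message; qmgr logs MAIL FROM.
AUTH_RE = re.compile(r"postfix/\S*smtpd\[\d+\]: ([0-9A-Za-z]+): client=.*sasl_username=(\S+)")
FROM_RE = re.compile(r"postfix/\S*qmgr\[\d+\]: ([0-9A-Za-z]+): from=<([^>]*)>")


def find_mismatches(log_text, allowed=None):
    """Return (queue_id, login, envelope_from) for authenticated submissions
    whose MAIL FROM is not an address the login is allowed to use.

    `allowed` maps a login to a set of extra sender addresses it may use."""
    allowed = allowed or {}
    logins, findings = {}, []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            logins[m.group(1)] = m.group(2).lower()
            continue
        m = FROM_RE.search(line)
        if m and m.group(1) in logins:
            login = logins.pop(m.group(1))  # only the first qmgr line counts
            sender = m.group(2).lower()
            # Default policy: a login may send only as itself. The null
            # sender <> (bounces, MDNs) is not treated as a mismatch.
            permitted = {login} | allowed.get(login, set())
            if sender and sender not in permitted:
                findings.append((m.group(1), login, sender))
    return findings


if __name__ == "__main__":
    for qid, login, sender in find_mismatches(SAMPLE_LOG):
        print(f"{qid}: authenticated as {login}, MAIL FROM <{sender}>")
```

On Postfix the same policy can be enforced at SMTP time with `smtpd_sender_login_maps` and the `reject_sender_login_mismatch` restriction.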
