On Thu, 18 Jan 2001 13:50:56 -0500, Yurais Fernández Leal
<[EMAIL PROTECTED]> wrote:
>The problem is, yes, I know that in the remote mail client the mail
>appears as if sent from [EMAIL PROTECTED], but in the sendmail
>connection, for example the Return-Path is set to the UID of the web
>server, the problem
This issue was discussed a few days ago in another thread.
The site performing final delivery determines Return-Path from the
envelope address. That means you cannot control Return-Path by means
of header manipulation.
The only way to control the envelope address is to have the web server
call sendmail with the -f option as a trusted user. The -f option
will let you specify any address. This has great potential for abuse,
so you must tell sendmail, via its configuration, that the web server
UID can be trusted.
But before doing that, consider the potential for abuse. For example,
in a virtual hosting environment, what would prevent PHP authors from
providing users with a web form which takes an email address input and
calls sendmail with the -f option, forcing it to use a possibly forced
address as the envelope address?
If the web server is a trusted sendmail user, any PHP script could do
that. Whoa!
Egan
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
