Philip Prindeville wrote: >> Just whitelist them.. SA sees *both* the From: header AND the Return-Path >> header >> when evaluating "whitelist_from" type commands. >> >> > > The sender was already whitelisted... Or so I thought. I'll have to > double-check that. She tends to use a lot of different emailboxes. > > Since the From: header is easily forged, isn't this a weakness/liability?
The MAIL FROM is just as easily forged. NEITHER should be trusted. That's why whitelist_from_rcvd and whitelist_from_spf exist, they add additional checks to make forgery more difficult. the _rcvd version takes a second parameter, which must be a partial-match against the reverse DNS of the hostname in the Received: header dropping mail off at your network border (as determined by internal_networks). The _spf version requires the sender's domain publish SPF records, and validates that the relay used matches the published SPF record.
