On Wed, 2 Aug 2006, Marc Perkel wrote:
> 3. The server would accept outgoing email and label the from field to be the same as the email account preventing the user from pretending to be an email address other than the one the user authenticated as. It would then deliver the message to the local SMTP server which would then send it to the destination server.
>
> 4. This method allows the system to assert that the sender's email address was sent from a person who had the ability to log in and read the email. Thus if you get an email from [EMAIL PROTECTED] then you know that the person sending the email had the username and password to receive email on that account.
I forgot to mention this in my other message, so I'll mention it now. You don't, in fact, know that the person sending the message had "the" username and password for that account. All you know is that you received e-mail from a server which claims to have verified the username and password. You have no way of knowing whether it actually did. That is, unless you have a list of all valid e-mail servers everywhere in the world. But if you had that, you could just ditch your whole scheme and only accept e-mail from those servers.

- Logan
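As an added illustration (not code from either participant in this thread), the following Python shows the submission-side control that point 3 describes: after SMTP AUTH succeeds, the submission server forces the From header to the authenticated account before handing the message to the local MTA. The sample message, the account name and the policy of keeping the display name but replacing the address are constructed assumptions for this example.

```python
"""Enforce From == authenticated SMTP-AUTH identity at submission time.

Added example; not part of the original thread. Names, addresses and
the rewrite policy below are assumptions for illustration only.
"""
from email import message_from_string
from email.utils import formataddr, parseaddr


def enforce_from(raw_message: str, authenticated_user: str) -> str:
    """Return the message with its From address forced to the authenticated account.

    Policy (assumed): the display name is preserved, only the address part is
    replaced, and the comparison is case-insensitive. A server that instead
    rejects mismatching messages would raise here rather than rewrite.
    """
    msg = message_from_string(raw_message)
    display_name, claimed = parseaddr(msg.get("From", ""))

    # Nothing to do when the claimed sender already matches the login.
    if claimed.lower() == authenticated_user.lower():
        return raw_message

    forced = formataddr((display_name, authenticated_user))
    if "From" in msg:
        msg.replace_header("From", forced)
    else:
        # A message submitted without a From header gets one set to the login.
        msg["From"] = forced
    return msg.as_string()


def from_address(raw_message: str) -> str:
    """Extract just the address part of the From header (helper for checks)."""
    return parseaddr(message_from_string(raw_message).get("From", ""))[1]


# Constructed sample: the authenticated user is bob, but the client put
# alice in the From header.
SAMPLE_MESSAGE = (
    "From: Alice <alice@example.org>\n"
    "To: carol@example.net\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)

if __name__ == "__main__":
    fixed = enforce_from(SAMPLE_MESSAGE, "bob@example.org")
    print(fixed)
```

Note that this check lives entirely on the sending side: it stops a logged-in user from spoofing a different address through that server, which is what point 3 asks for. It gives a recipient nothing to verify, which is Logan's objection. A received message carries only the sending server's claim that it ran this check, so a recipient can trust the From address only to the extent it already trusts the specific server it received the message from.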