>> On 2010/12/17 11:47 AM, Ted Mittelstaedt wrote:
>>> And what prevents a spammer from forging this into a header and
>>> bypassing SA? Just askin.

> On 12/17/2010 8:51 AM, Jason Bertoch wrote:
>> Without checking, I'd guess that matching an authentication header with
>> an address in trusted_networks would be sufficient.

On 17.12.10 09:19, Ted Mittelstaedt wrote:
> why are you using authenticated SMTP from trusted networks?
> The whole point of auth smtp is to come from UN-trusted networks.

Not exactly. The point of auth smtp is not to accept mail from anyone
without authentication, even if ip-based for some hosts.

>> If your
>> authentication server is relaying for spammers, you've got an entirely
>> different problem.

> No, not really. You as an administrator cannot control what your users
> do and if your users save their authenticated SMTP passwords into their
> e-mail clients then later allow their machines to be cracked, then the
> crackers get the auth password and away they go.

I think this depends on order of mail headers. If authenticating server
before the received header, it is surely trusted. Otherwise you are right
and we don't know, if it wasn't the spammer who started with fake
authentication header.

The best is, of course, to put the authentication data to the Received:
header so we don't have to take care of the header order.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Silvester Stallone: Father of the RISC concept.
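
The header-order reasoning in the reply above, as an added example that is not part of the thread and not SpamAssassin's own code: a separate authentication header is honoured only when it sits above the first Received line that records a client outside trusted_networks. The header name `X-Example-Auth-User`, the function names and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

AUTH_HEADER = "X-Example-Auth-User"  # hypothetical name, not from the thread
BRACKETED_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def relay_ip(received):
    """Client IP recorded in a Received header, or None if unparseable."""
    m = BRACKETED_IP.search(received)
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def trusted_auth_user(raw, trusted_networks):
    """Return the auth header value only if it sits above the trust boundary.

    MTAs prepend headers, so top-down is newest to oldest. Once a Received
    header records a client outside trusted_networks, everything below it
    may have been supplied by that client and is ignored.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for name, value in message_from_string(raw).items():
        if name.lower() == AUTH_HEADER.lower():
            return value.strip()
        if name.lower() == "received":
            ip = relay_ip(value)
            if ip is None or not any(ip in net for net in nets):
                return None
    return None

# Constructed sample messages (documentation addresses, not real traffic).
TRUSTED = ["192.0.2.0/24"]
UNTRUSTED_HOP = "Received: from pc (unknown [203.0.113.7]) by auth.example.org\n"
TRUSTED_HOP = "Received: from auth.example.org (auth [192.0.2.10]) by mx.example.org\n"
AUTH = AUTH_HEADER + ": alice\n"
REST = "From: alice@example.org\nSubject: test\n\nbody\n"

ABOVE = AUTH + UNTRUSTED_HOP + REST                  # written by our server
BELOW = UNTRUSTED_HOP + AUTH + REST                  # could be client-supplied
RELAYED = TRUSTED_HOP + AUTH + UNTRUSTED_HOP + REST  # passed on by trusted relay

if __name__ == "__main__":
    for label, msg in (("above", ABOVE), ("below", BELOW), ("relayed", RELAYED)):
        print(label, trusted_auth_user(msg, TRUSTED))
```

The "below" case is rejected even though a real server might have written it, because the header's position alone cannot tell a genuine value from one the client sent.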