Re: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts

[Devendra Singh]

At 08/06/04 11:41 (), Tom Collins wrote:
On Jun 7, 2004, at 9:28 PM, Devendra Singh wrote:
I would like to re-frame my Subject: "SMTP Authenticated user is able to 
impersonate anyone in rcpthosts".
You could re-frame it even more.  Authenticated SMTP users can use any 
FROM address and submit mail for any host.

Some clients may have multiple from addresses going through a single 
authenticated session.  Limiting them to the address they authenticated as 
may be too strict.  Including it in the Received header is probably a more 
useful option.
Dear Tom,
Thanks, that you understood. (Sorry, the issue is not related to Vpopmail, 
but may be of interest to most).

Including the authenticated ID in the Received header is good, but still it 
would not be able to stop the menace of Spamming from your own users (who 
is going to monitor the logs of mails sent by users). Also, in the days of 
virus outbreak and users having password saved in their outlook express, 
the feature can be saviour.

BTW, Shouguan Lin had pointed to a link 
<http://night.rdslink.ro/dudu/qmail/>http://night.rdslink.ro/dudu/qmail/ 
with features

        o       Added my own patch, that checks whether the 'mail from' 
value is
                different from the username used for SMTP AUTH, thus 
preventing
                source address spoofing. Useful for ISP's that only relay 
mails
                from authenticated users.
        o       The 'mail from' verification is now configurable through a 
knob
                defined in /var/qmail/control/spoofcheck or in the environment
                variable $SPOOFCHECK

But, this is part of unified patch which is difficult situation for me.
It's my request to Dr Erwin Hoffmann through this list that if he adds the 
feature into his authentication patch which is also included into the 
Vpopmail contrib, we all would get benefited.

Devendra Singh
______________________________________________________
Devendra Singh
IndiaMART InterMESH Limited
(Global Gateway to Indian Market Place)
B-1, Sector 8, Noida, UP - 201301, India
EPABX : +91-120-2424945, +91-120-3094634, +91-9810646342
Fax: +91-120-2424943
http://www.indiamart.com
http://www.indiangiftsportal.com
http://www.indiantravelportal.com
______________________________________________________