On Wed, 2005-01-12 at 18:16 +0100, jpinkerton wrote:
I don't think it needs to be that complex -- you can just use the record
for the reverse-path and compare with the sending host and the Received:
Your solution is good, but has a problem -- it's trivial to fake a
Received: header claiming that the mail did originate from an authorised
IP address. You need the original sending MTA to include a signature
which really can be trusted, and then it'll work.
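
The forgeability point made in this message, as an added example that is not part of the original thread: a check that accepts mail when any Received: line names an authorised address passes on a sender-supplied line, while a check that reads only the line stamped by the receiver's own border MTA does not. The host names, addresses, authorised range and sample message are constructed assumptions, and the signature scheme the message calls for is not shown.

```python
import email
import ipaddress
import re

# Constructed sample: the top Received line was stamped by our own border MTA
# (mx.example.net, a hypothetical name); the second line arrived with the
# message and claims an authorised address.
RAW = """\
Received: from mail.sender.test (unknown [203.0.113.45])
\tby mx.example.net with ESMTP id 1A2B3C; Wed, 12 Jan 2005 18:20:01 +0100
Received: from internal.sender.test (internal.sender.test [192.0.2.10])
\tby mail.sender.test with ESMTP id 9Z8Y7X; Wed, 12 Jan 2005 18:19:58 +0100
From: someone@sender.test
Subject: constructed sample

body
"""

AUTHORISED = [ipaddress.ip_network("192.0.2.0/24")]  # assumed authorised range
OUR_MTAS = {"mx.example.net"}                        # hosts whose stamps we trust

RECEIVED_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]\)?\s+by\s+(\S+)")

def parse_received(value):
    """Return (peer_ip, stamping_host) from one Received: value, or None."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1)), m.group(2).lower()
    except ValueError:
        return None

def is_authorised(ip):
    return any(ip in net for net in AUTHORISED)

def naive_check(raw):
    """Flawed: accepts if ANY Received line names an authorised address."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return any(h is not None and is_authorised(h[0]) for h in hops)

def boundary_check(raw):
    """Use only the topmost line, and only if our own MTA stamped it."""
    msg = email.message_from_string(raw)
    hops = msg.get_all("Received", [])
    top = parse_received(hops[0]) if hops else None
    if top is None or top[1] not in OUR_MTAS:
        return False
    return is_authorised(top[0])
```
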