On Fri, 2004-09-03 at 17:19, George Schlossnagle wrote:
[snip]
To be a little more accurate, SMTP AUTH does not prevent customers of
an ISP or hosting company spoofing one another, but it does provide an
audit trail, so the person doing the spoofing can easily be identified
from log entries.
It can. There are MTAs which support only using a set envelope sender
after SMTP AUTH.
I'm actually doing this with some simple rulesets in sendmail on my
personal domains. I even do 2822.from header checking to prevent
forging the 2822.from address beyond issued aliases for a given username
(my usernames are username(_at_)example(_dot_)com). I currently don't support
Resent-* headers (From: header is always checked) and don't know that I
ever will.
Point being that although SMTP AUTH doesn't require limiting users to
specific 2821.from and/or 2822.from addresses, it certainly makes it
possible, and in fact is trivial to add in at least some MTAs/MSAs.
--
-Paul Iadonisi
Senior System Administrator
Red Hat Certified Engineer / Local Linux Lobbyist
Ever see a penguin fly? -- Try Linux.
GPL all the way: Sell services, don't lease secrets