At 4:19 PM +0100 2/28/12, Alessandro Vesely wrote:

> On 28/Feb/12 13:05, Arnt Gulbrandsen wrote:
>> 3. We'll restrict From and the smtp sender addresses to ones
>> explicitly connected to the SASL/Submit user.
>
> IMHO, forcing the login ID to match any world-readable outgoing header
> field is not a tremendous security improvement. Most MUAs allow one to
> configure From: with whatever (unverified) address.

This is my concern as well. I often set the 'From' header field to a
one-off or a user-detail or even someone else's address (when using
Eudora redirect). As long as I'm authenticated to the submit server,
and the message can be tracked back to me in case I abused it, what I
put in the 'From' header field shouldn't matter.
--
Randall Gellens
Opinions are personal; facts are suspect; I speak for myself only
-------------- Randomly selected tag: ---------------
Some days you feel like Schrodinger's cat. --M. S. Hutchenreuther