At 16:16 2001-07-19 -0700, Dave Robbins wrote:
For security reasons, I want to limit an auto-responder
to queries from local users only (i.e. users local to my subnet).
Knowing that anyone could fake their email address
faking e.g. dave(_at_)geol(_dot_)ucsb(_dot_)edu,
This is only useful to them if they have access to the mailbox that they're
forging. Of course, forging someone else's address to cause an autoreply
to bomb that users mailbox is a different matter altogether.
I want to use procmail
to determine the real source address of where their email
originated from.
Real source email address, or source IP address? You can give up on
obtaining the real email address - if they're forging the from or reply
addresses, then they're forged - do you really expect to find a valid email
on the message? As for source IP (which I infer from your mention of
"subnet", which is the domain of IP addresses, not of email addresses),
that's a tricky one too.
However, grepping the ^Received: headers of my inbox,
it doesn't look like there's really a regexp that
could be used even if e.g. formail could be of use
for this.
FTR, it is entirely too easy to forge an extra recevied header to appear
before the insertion into the SMTP stream. This is common on spam.
If the incoming mail is from geol.ucsb.edu,
I want the auto-responder to respond
otherwise ignore the request.
Q: is there really a concern that people will be sending bogus requests
from OUTSIDE the netblock, but still using return addresses WITHIN the domain?
Seems like dictating that the reply address, obtained like so:
:0h
REPLYTO=formail -b -rtzxTo:
must be within the specified FQDN, would be sufficient. If your reply is
going to this address, and it's on the host you're limiting replies to,
then forging an address on a sent message won't miraculously grant them
access to the mailbox on the host (that they'd have to do by exploiting the
server, and if they can do that, then they can forge a request FROM that
server, and easily get around an IP block limitation).
Or do some users of the host in question also exist outside of your network
subnet, and you want to disallow their use. What about valid users who are
connected to the net from outside of your network?
Depending on why you want to limit responses, you might use a mechanism
such as requiring PGP-signed messages (which you'd check the signatures
against your own database of valid users).
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail