Scott Kitterman [spf2(_at_)kitterman(_dot_)com] wrote:
Last year I asked if anyone on this list was aware of a company I could
buy SMTP services from that would not allow cross customer forgery. I
got one positive answer from Brazil.
In addition to SMTP-AUTH, MTA operators need to limit customers to using
authorized identities. This is a change for them that isn't going to
happen overnight.
And that can only mean that we have to advocate prevention of
cross-customer forgery more aggressively. We might even want to write up
an RFC that explains what MTA implementors and ISPs have to do.
I do see two options for how to prevent cross-customer forgery
technically:
1. Notice the SMTP-AUTH identity. Receive the message including its
headers, and see if "From:"/"Sender:" matches the SMTP-AUTH identity. If
not, reject the message after DATA.
2. Notice the SMTP-AUTH identity. Receive the message including its
headers, and see if "From:"/"Sender:" matches the SMTP-AUTH identity. If
not, accept the message but add/overwrite the "Sender:" header with an
appropriate e-mail address of the SMTP-AUTH identity.
I don't think any one of these is "more right" than the other, so they are
both valid options.