-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1Am Montag, 11.08.03, um 12:59 Uhr (Europe/Zurich) schrieb Tomasz Papszun:
If you want to prevent them from using non existing sender addresses from your domain, you can do it by creating a file (lookup table) for postmap(1), containing all allowed addresses with "OK" and another table containing your domainname with "REJECT". If you want to prevent them from using sender addresses from other domain, it's also possible with properly prepared config. If you want to prevent them from using other (not their own) sender addresses from your domain, you must use SMTP AUTH, I'm afraid. -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only tomek@lodz.tpsa.pl http://www.lodz.tpsa.pl/ | ones and zeros. -- To UNSUBSCRIBE, email to debian-security-request@lists.debian.orgwith a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Theoretically there is another possibility. Actually pop-before-smtp does nothing than watching the log file, picking the ip address of the pop client and putting this address for a certain time into a postmap for postfix. If you would use the user's email address as his pop3 login name (within a sql or ldap db, for example), one could take this information and write it into another postmap file. This would necessite some modification of the pop-before-smtp script, but I think it wouldn't be too hard to implement. It wouldn't be perfect, though: Imagine two users logged in at the same time. Under this situation each user could "abuse" the other user's email address.
For a really secure system, there is no way around smtp auth. pop-before-smtp relies on ip addresses. But what about NAT? Users coming from a private masqueraded network, could misuse your server at their pleasure, if one user from this network has logged into his pop3 account.
Regards Marcel -----BEGIN PGP SIGNATURE----- iD8DBQE/N3/y1EXMUTKVE5URAjPsAKD1sVpkeqHSIcYnungYkuF/fNyumgCg7pmF o2GTZhfgn7NnZ63P8HLSpEI= =B+0b -----END PGP SIGNATURE-----