New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
I mean you don't usually. Traditionally the client writes the From header. While it's become more popular among ESPs to rewrite the From header to match the authenticated account, that has never become a popular standard on open source mail servers.
Any particular reason for this? And what would be a good alternative approach to prevent say,
example1.com
from sending mail as say,example2.com
when both of them have the same IP in their SPF?*Any particular reason for this not ending up becoming a popular approach?
Because most people deploying open source mail servers for their organization don't give out access to untrusted users. Enterprise customers generally aren't using Postfix+Dovecot but instead much more elaborate and expensive setups.
Personally I police it through fear, intimidation, monitoring, and including an X-Auth-User header. Even just testing to see what you can get away with for potential malicious purpose is likely to result in data loss on my systems, and plenty of bad reviews tell the story.
And besides, spoofing a From header doesn't ensure the person doing the spoofing will get a reply (can't spoof inbound), and users everywhere should be trained not to click links without inspecting them and knowing whether or not they're trustworthy, because most systems out there accept spoofed email under certain conditions (meaning it could come from another server just as easily as yours, and might get accepted).
If a recipient can't be trusted to know what's safe and what isn't (and they usually can't), enforcing a From header isn't likely to save them. They'll fall for a misspelled user/domain just the same. And they do, all the time. Spoofing from a trusted mail server, as a trusted user, is the least reasonable way to try to get away with trying to trick a recipient. Sounds like a good way to get fired, really.
Generally speaking, email is one of the least secure methods of communication as a whole. The ways to abuse it are quite plentiful. Just think about all of those people using MailChannels, for example. All sharing an SPF with each other. And recipients don't care if a message isn't DKIM signed, there's usually no penalty for it. Strong DMARC requirements only protect you at certain recipient hosts and then usually break email forwarding, causing recipients to complain that they didn't get your emails.
There's no substitute for good old fashioned human monitoring. Script assisted is helpful to scale it up.