On Friday 02 May 2008 16:16:16 Maciej Drobniuch wrote:
> Hi! There's a bug (some kind of) in all RCWM versions. If you are using RCWM and the MTA on the same machine, then postfix (for example) isn't asking the saslauth daemon whether the user is authenticated (because the process is running on localhost) - it depends on the client restrictions.
>
> If the user changes the identity to another account located on the server, then he can easily send messages using an unauthorized e-mail address. For example, foo@foobar.com is able to send e-mails via the foobar@foobar.com account without authentication.
>
> To prevent users from changing the identity, you could use my suggested patch. You can find it at http://gorzow-wlkp.eu/~warlock/rcwm-0.1.1-identity-fix.patch
>
> Simply go to the RCWM directory and type:
>
>     patch -p0 < rcwm-0.1.1-identity-fix.patch
>
> BTW: SORRY for my lame eng.
i don't know.. i use different from addresses which all resolve to the same inbox. qmail e.g. has address extensions enabling foo@bar.com to use anything like foo-some@bar.com, foo-somemore@bar.com. and the user might want to use this feature for filtering.

unless you use strict spf rules for the sender domain (and everybody else uses spf) and you deny your users direct access to your smtp (or use some way to lock the smtpauth login name to the sender email address), you will always have someone sending mail with your email address.
use gpg to sign your mails. then anyone who's interested in authenticity can check.
List info: http://lists.roundcube.net/dev/
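
The two positions in this thread (lock the sender address to the logged-in account, but still allow address extensions) can be combined in one server-side check. The sketch below is an added example, not the contents of the linked patch and not Roundcube code; the `OWNED` table, the function names and the `-` extension delimiter are assumptions chosen to match the addresses used in the messages above.

```python
# Constructed sample data (hypothetical): login name -> addresses that login owns.
OWNED = {
    "foo": {"foo@foobar.com"},
    "foobar": {"foobar@foobar.com"},
    "foo-lists": {"foo-lists@foobar.com"},
}
EXT_DELIMITER = "-"  # assumption: qmail-style extensions, foo-anything@domain


def parse_address(addr):
    """Return (local, domain) in lower case, or None if the address is malformed."""
    addr = addr.strip().lower()
    if addr.count("@") != 1 or any(c in addr for c in "\r\n<>,; \t"):
        return None  # also blocks header injection through the From field
    local, domain = addr.split("@")
    return (local, domain) if local and domain else None


def sender_allowed(login, from_addr, owned=OWNED, allow_extensions=True):
    """May the authenticated `login` send mail with `from_addr` as the sender?"""
    parsed = parse_address(from_addr)
    if parsed is None:
        return False
    local, domain = parsed
    candidate = f"{local}@{domain}"
    mine = owned.get(login, set())
    if candidate in mine:
        return True
    # An address owned by another login is never usable, even if it looks
    # like an extension of ours (foo-lists@ belongs to "foo-lists", not "foo").
    if any(candidate in addrs for user, addrs in owned.items() if user != login):
        return False
    if not allow_extensions:
        return False
    for base in mine:
        base_local, base_domain = base.split("@")
        prefix = base_local + EXT_DELIMITER
        if domain == base_domain and local.startswith(prefix) and len(local) > len(prefix):
            return True
    return False
```

The check has to run on the server at send time, against the login established at authentication, since an identity value submitted by the browser is under the user's control.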