junga
01-27-2004, 03:49 PM
I notice that I do not need to config my mail client to use a username and password to connect to my domain's SMTP server to send mail. (I have not changed the default setup except adding accounts and aliases through SiteManager.)
How does the SMTP server prevent others from sending mail as if it came from one of my users?
Couldn't anyone who knows a valid username on my domain set up a mail client to use my domain's SMTP server to send mail on that person's behalf? They could not retrieve that person's mail without their password, but they could send out spam that looks like it came from them.
I notice the /etc/mail/relay-domains file. It has a lot of entries of IP addresses (most of them the same address over and over). I think it's my public IP from my ISP. I wonder if every time there is a successful POP3 login it puts the remote IP in this file, indicating that it's OK to relay from this host.
I don't have access to another IP address to test this out. I tried setting up a fresh host to send mail on behalf of a fictitious user on my domain without trying to retrieve mail. It worked, but this machine shares my ISP and therefore has the same public IP as my machine, so it's not a perfect test.
I am wondering whether I should figure out how to enable authentication for the SMTP server.
Thanks,
--BobG