I've configured qmail/vpopmail/courier to work for sending/receiving mail, with SMTP authentication, meaning that every user who would like to send mail through the mail server must use a valid username and password.
But I noticed today that users can manipulate the return-path form.
For example if I set return-path in thunderbird as email@example.com
the email will be sent and the mail would look like someone really sent it from intel.
Shown in the example below.
My "real-username" at mail server is firstname.lastname@example.org
but as you can see I faked the return-path to something else.
Received: (qmail 5267 invoked from network); 28 Mar 2007 11:56:43 -0000
Received: from somehost.fromuser (HELO usercomp2) (email@example.com@126.96.36.199)
    by mail.domain.org with SMTP; 28 Mar 2007 11:56:43 -0000
From: My Name <firstname.lastname@example.org>
To: "Admin" <email@example.com>
References: <001101caaf8e$33f9e200$1700a8c0@usercomp2> <4607A127.firstname.lastname@example.org>
Subject: Changing Return-path/from unexisting user
Date: Wed, 28 Mar 2007 13:03:33 +0200
I would like to know whether there is any possibility to force the return-path and from fields to be the same as the username (email@example.com). It would be best if I got some error message when I try to use a fake mail address (different from my real username address).
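
An added example, not part of the original post: a Python check that reads the authenticated login out of the qmail-smtpd Received line and reports Return-Path/From addresses that differ from it. It assumes the login is recorded as (login@client-ip), as in the header above; the sample message, its addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# qmail-smtpd writes "from host (HELO name) (remoteinfo@ip)".
# Assumption: with SMTP AUTH in use, remoteinfo is the authenticated login.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\(HELO\s+[^)]*\)\s+\((?P<login>\S+)@(?P<ip>[0-9a-fA-F.:]+)\)"
)

# Constructed sample: alice@example.org authenticates, then claims another sender.
SAMPLE = """\
Return-Path: <ceo@example.com>
Received: (qmail 5267 invoked from network); 28 Mar 2007 11:56:43 -0000
Received: from client.example.net (HELO usercomp2) (alice@example.org@192.0.2.10)
  by mail.example.org with SMTP; 28 Mar 2007 11:56:43 -0000
From: Big Boss <ceo@example.com>
To: Admin <admin@example.org>
Subject: test

body
"""

def auth_login(msg):
    """Login from the first Received line that carries one, else None."""
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # undo header folding
        match = RECEIVED_RE.search(unfolded)
        if match:
            return match.group("login").lower()
    return None

def check_sender(raw):
    """Return (login, [(header, address), ...]) for headers that differ from login."""
    msg = message_from_string(raw)
    login = auth_login(msg)
    mismatches = []
    for header in ("Return-Path", "From"):
        addr = parseaddr(msg.get(header, ""))[1].lower()
        # Without a recorded login there is nothing to compare against.
        if login and addr and addr != login:
            mismatches.append((header, addr))
    return login, mismatches

if __name__ == "__main__":
    print(check_sender(SAMPLE))
```

This only reports the mismatch after delivery; rejecting the message during the SMTP session has to be done by the server itself.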