username and virtualdomains correlation

Discussion in 'General' started by Ovidiu, Oct 22, 2005.

  1. Ovidiu

    Ovidiu Active Member

    edit: after finishing this post I was completely confused, but did not want to delete the post, as maybe someone can give me a link to further read about this. :confused:

    P.S. please do not let yourself get confused by my writing, I don't understand it myself ;-) completely

    Hi guys,

    let's assume I have = web1 and = web2 hosted on my server.

    there are users web1_user1 and web2_user1 activated.

    now if web1_user1 sets up his mail client to use his real credentials to login but sets his name as web2_user1 and his email address as [email protected] it will work.

    I am not sure if I made myself clear: what I mean is this: because both domains are hosted on the same server a user of one domain can safely send emails through my server setting any email@anotherdomain of this server.
    I mean this sounds wrong to me. shouldn't it be like this: if my server gets an email to be sent it should check if the user is allowed to set that specific sender address?

    Isn't this what is called relaying or am I getting something wrong? I mean to me it looks like a small version of relaying because only existing users on the server are able to relay and only faking of email addresses on the server is allowed? :confused: :confused: :confused:
  2. falko

    falko Super Moderator Howtoforge Staff

    You can always fake the sender address, and you can use any sender address you can think of, not only other addresses on your server.
    That's what spammers do day in day out.

    Actually, this is a "bug" in the SMTP protocol (well, you can't call it a "bug", because when the protocol was specified, no one was thinking of people that would want to fake the sender address. Spammers didn't exist at that time, and so faking of sender addresses seemed to be nonsense that no one would do).
  3. Ovidiu

    Ovidiu Active Member

    ok, I agree so far. I did do that several years ago with a local smtp server to send from: [email protected] but here things looked different to me: I thought because users were identified (logged onto the server) they could not do this...

    but I start to see things clearer: my server is no open relay, meaning somebody not logged on cannot send emails, while a legitimate user can spam, if he wants to?

    so how can I prevent or trackback this behaviour?

    In the case I described above it was easy as I was using squirrelmail for my test and it added a
    header to outgoing emails, but what about users using a regular email client? what trace would there be except the IP address?
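
The check asked about in this thread (is an authenticated user allowed to use the sender address he set?), as an added example that is not part of any post and not code from any mail server. It assumes the server keeps, per submitted message, the authenticated login, the envelope sender, the From: header and the client IP; the record layout, the login-to-address mapping and the web1.example / web2.example addresses are constructed for illustration.

```python
# Added example: constructed data; all names below are hypothetical.
from dataclasses import dataclass
from email.utils import parseaddr

# Sender addresses each authenticated login may use (constructed mapping).
ALLOWED_SENDERS = {
    "web1_user1": {"user1@web1.example"},
    "web2_user1": {"user1@web2.example"},
}

@dataclass
class Submission:
    login: str          # account that authenticated to the server
    envelope_from: str  # address given in SMTP MAIL FROM
    header_from: str    # From: header shown to the recipient
    client_ip: str      # address the client connected from

def normalize(raw):
    """Strip display name and angle brackets, lowercase the domain part."""
    addr = parseaddr(raw)[1]
    local, _, domain = addr.rpartition("@")
    return f"{local}@{domain.lower()}"

def mismatches(sub):
    """Return (field, address) pairs the login is not entitled to use."""
    allowed = ALLOWED_SENDERS.get(sub.login, set())
    found = []
    for field in ("envelope_from", "header_from"):
        addr = normalize(getattr(sub, field))
        if addr not in allowed:
            found.append((field, addr))
    return found

def audit(submissions):
    """One finding per message whose sender does not belong to its login."""
    findings = []
    for sub in submissions:
        bad = mismatches(sub)
        if bad:
            findings.append({"login": sub.login, "client_ip": sub.client_ip,
                             "mismatches": bad})
    return findings

# Constructed records: one legitimate, one with only the header faked,
# one with both envelope and header set to another user's address.
SAMPLE = [
    Submission("web1_user1", "user1@web1.example", "User One <user1@WEB1.example>", "192.0.2.10"),
    Submission("web1_user1", "user1@web1.example", "web2_user1 <user1@web2.example>", "192.0.2.10"),
    Submission("web1_user1", "<user1@web2.example>", "user1@web2.example", "192.0.2.10"),
]
```

Because each finding carries the authenticated login, the message can be traced to the account that sent it even when both addresses are faked.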
