sender verification in qmail
Posted on 2009-12-29
I have a mail setup with qmail-1.03 as the MTA, OpenLDAP 2.2.13 as the authentication server and qmail-scanner 2.01 as the scanner. I have applied the "smtp auth" patch for validating all the senders and PBS to check "pop before smtp". The issue I noticed is that in the mail client, if I mention the user name as "USER A", Password as "PasswordOfUserA" and E-mail Address as "USERB@domain.com", the server processes the mail. The "FROM" field of this ID is shown as "UserB@domain.com". This means I can authenticate with any user and send Email as another user, which is probably a case of Email ID Spoofing.
Please help me get this resolved. Attributes used in OpenLDAP:
uid: (user ID)
userPassword: Password of Email Address
mail: E-mail Address
I am not sure if qmail-scanner gets any attribute of the UserName (uid). If so, I can put a condition there to reject mails if UserName and EMail IDs do not complement each other.
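
The check the post asks for, sketched as an added example that is not part of the original post and not qmail or qmail-scanner code: it ties the authenticated uid to the `mail` values stored for that uid and rejects a message whose envelope sender or From header belongs to someone else. Assumptions: the directory data is a constructed LDIF sample using the post's `uid` and `mail` attributes, the names `load_owners` and `check_sender` are hypothetical, and how the authenticated uid reaches the check depends on the SMTP AUTH patch in use.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory export using the attributes named in the post.
LDIF = """\
dn: uid=usera,ou=people,dc=domain,dc=com
uid: usera
mail: UserA@domain.com

dn: uid=userb,ou=people,dc=domain,dc=com
uid: userb
mail: UserB@domain.com
"""

def load_owners(ldif):
    """Map each uid to the set of lower-cased mail addresses it owns."""
    owners = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value.strip())
        for uid in attrs.get("uid", []):
            owners.setdefault(uid.lower(), set()).update(
                m.lower() for m in attrs.get("mail", []))
    return owners

def check_sender(auth_uid, envelope_from, raw_message, owners):
    """Return (accepted, reason) for one authenticated submission."""
    allowed = owners.get(auth_uid.lower(), set())
    if not allowed:
        return False, "unknown authenticated user"
    # An empty sender (<>) parses to '' and is rejected: an authenticated
    # mail client has no reason to submit bounces.
    env = parseaddr(envelope_from)[1].lower()
    if env not in allowed:
        return False, "envelope sender not owned by " + auth_uid
    # The header is checked separately because it is what the recipient sees.
    hdr = parseaddr(message_from_string(raw_message).get("From", ""))[1].lower()
    if hdr not in allowed:
        return False, "From header not owned by " + auth_uid
    return True, "ok"
```

Checking only the envelope sender would still let a client put another user's address in the From header, which is why both are compared.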