mirror of
https://blitiri.com.ar/repos/chasquid
synced 2026-01-09 17:55:57 +00:00
Add checks to prevent unauthorized relaying and impersonation
This patch adds checks that verify:

- The envelope from must match the authenticated user. This prevents impersonation at the envelope level (while still allowing bounces, of course).
- If the destination is remote, then the user must have completed authentication. This prevents unauthorized relaying.

The patch ends up adjusting quite a few tests, as they were not written considering these restrictions so they have to be changed accordingly.
@@ -31,6 +31,13 @@ acl_check_data:
|
||||
accept
|
||||
|
||||
|
||||
# Rewrite envelope-from to server@srv-exim.
|
||||
# This is so when we redirect, we don't use user@srv-chasquid in the
|
||||
# envelope-from (we're not authorized to send mail on behalf of
|
||||
# @srv-chasquid).
|
||||
begin rewrite
|
||||
user@srv-chasquid server@srv-exim F
|
||||
|
||||
# Forward all incoming email to chasquid (running on :1025 in this test).
|
||||
begin routers
|
||||
|
||||
|
||||
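Review bot: the rewrite rule `user@srv-chasquid server@srv-exim F` matches a single literal address, so any other @srv-chasquid sender redirected through this Exim instance would keep its original envelope-from, which the comment above says this server is not authorized to use. If the test only ever sends as user@srv-chasquid, say so in the comment; otherwise a pattern such as `*@srv-chasquid` would cover the whole domain. The comment could also note that the `F` flag rewrites only the envelope sender and leaves the From: header as it was, so a reader does not have to look up the flag to know the header is left alone on purpose.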