Hi all! I'm working on a free software package due to be launched on freshmeat some time soon (next month most probably). The program is a project development environment, somewhat similar to phpGroupWare but, I like to think, better and with less bugs.
Due to the nature of the project I need to be able to give registered users the ability to upload data in the system via e-mail. This obviously means checking who the originator of the e-mail is, apart from actually processing the e-mail (which works fine). My problem is, how do I check that securely? I'm currently using the headers of the e-mail for the "from:" field and check it against the registered users' e-mail addresses. Works fine. But I guess that's pretty easy to trick. I basically have two concerns: one is that a person may send an e-mail with fake headers. The other is that a user (or non-user) on the same domain with another user would be able to send messages using the second guy's e-mail account (that's because SMTP doesn't have any security mechanism and one can easily impersonate somebody else once they're logged on a computer with SMTP permissions on the mail server). Did anybody run into this kind of problem? Any suggestions? Thanks in advance - I'll let you know when we release this thing if you're interested. Bogdan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
