Bill Jonas on Thu, 6 Sep 2001 00:20:22 +0200



Re: [PLUG] Does restricting partial words weaken passwords?


On Tue, Sep 04, 2001 at 01:42:43PM -0400, Dave Turner wrote:
> Sorry to moderators for making you manually approve this,  I am too busy right
> now to fix my broken email system (and anyway, yours is broken because it
> looks at Sender rather than From)

RFC 822 (Standard for ARPA Internet Text Messages) would seem to
disagree with you:

...
     4.1.  SYNTAX
...
     authentic   =   "From"       ":"   mailbox  ; Single author
                 / ( "Sender"     ":"   mailbox  ; Actual submittor
                     "From"       ":" 1#mailbox) ; Multiple authors
                                                 ;  or not sender
...
     4.4.2.  SENDER / RESENT-SENDER

        This field contains the authenticated identity  of  the  AGENT
        (person,  system  or  process)  that sends the message.  It is
        intended for use when the sender is not the author of the mes-
        sage,  or  to  indicate  who among a group of authors actually
        sent the message.  If the contents of the "Sender" field would
        be  completely  redundant  with  the  "From"  field,  then the
        "Sender" field need not be present and its use is  discouraged
        (though  still legal).  In particular, the "Sender" field MUST
        be present if it is NOT the same as the "From" Field.
...
     4.4.4.  AUTOMATIC USE OF FROM / SENDER / REPLY-TO
...
            o   The "Sender" field mailbox should be sent  notices  of
                any  problems in transport or delivery of the original
                messages.  If there is no  "Sender"  field,  then  the
                "From" field mailbox should be used.
...


IOW, From: is who the person sending the message claims that it's from,
whereas Sender: is who it's actually from.  (An example given in the RFC
is a secretary sending email for his/her boss; he/she would put his/her
address as the Sender: and his/her boss's address as From:.)

To be honest, I didn't realize the significance of the Sender: header
until I noticed some messages getting held up by Mailman which had a
subscribed address in the From: header; I noticed that the Sender:
header was present and had a different, unsubscribed email address in
those messages, though.

Anyway, since I don't feel like hacking Mailman at present, you can do
one of a couple of things:

1.) Configure your MTA so that you are a trusted user; your MTA will not
generate the Sender: headers in this case.  For example, if you use
Exim, you'd want to set the trusted_users variable to a colon-separated
list of users who are to be trusted to set their own From: headers.  I
forget how to do it with Sendmail; I do know that Debian's
sendmailconfig program will ask you for trusted users.

2.) Subscribe as whatever your Sender: appears as.  If you don't want to
receive list mail twice (and who does?), disable mail delivery for one
of your subscriptions.

HTH.

-- 
Bill Jonas    *    bill@billjonas.com    *    http://www.billjonas.com/
"As we enjoy great advantages from the inventions of others,  we should
be glad of an opportunity to serve others by any invention of ours; and
this we should do freely and generously."          -- Benjamin Franklin


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
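
Added example, not part of the original message and not Mailman's code: a small model of the Sender:-before-From: selection order quoted from RFC 822 section 4.4.4, applied to a list membership check, showing why a post with a subscribed From: is held when the MTA adds an unsubscribed Sender:. The function names, the sample message and the addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: From: is the subscribed address; Sender: was added by
# the MTA for an untrusted local user and names an unsubscribed account.
SAMPLE = (
    "From: Alice Example <alice@example.org>\n"
    "Sender: alice@workstation.example.net\n"
    "To: list@example.com\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def addrs(msg, header):
    """Lower-cased addresses from every instance of the given header."""
    return [a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a]

def posting_identity(msg, sender_first=True):
    """Address to test against the roster (hypothetical helper).

    sender_first=True uses Sender: when present, else From: (the RFC 822
    4.4.4 order); sender_first=False looks at From: only.
    """
    sender, author = addrs(msg, "Sender"), addrs(msg, "From")
    if sender_first and sender:
        return sender[0]
    return author[0] if author else None

def audit(raw, members, sender_first=True):
    """Report which identity is checked and whether the post would be held."""
    msg = message_from_string(raw)
    sender, author = addrs(msg, "Sender"), addrs(msg, "From")
    ident = posting_identity(msg, sender_first)
    return {
        "identity": ident,
        "held": ident not in members,
        # Sender: present and naming someone other than the From: author
        "sender_differs": bool(sender) and sender[0] not in author,
        # RFC 822 4.1: several From: mailboxes require a Sender: field
        "sender_required_but_missing": len(author) > 1 and not sender,
    }

if __name__ == "__main__":
    print(audit(SAMPLE, {"alice@example.org"}))
```
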