douziqian2871 2014-04-15 21:21
Views: 48
Accepted

Distinguishing fake emails sent via postfix on a CentOS VPS

I am going through my first steps on VPS management and configuration; I have been able to install PHP, MySQL, phpMyAdmin, postfix, etc., and migrate a WordPress site from an existing shared server to this VPS.

Sorry for my question being naive, but when testing postfix with the PHP mail function, I purposely sent the email with a "From" header which was not my own email address (don't worry, nothing serious).

Question is: the email was sent and received in my inbox as if it was sent by somebody else! Is it this easy to send a fake email with php and postfix? (of course, checking email headers reveals the truth).

How can I restrict my VPS from being able to send emails from arbitrary addresses?

Thank you.


1 answer

  • douwang4374 2014-04-15 21:29

    The answer is "yes and no": it is easy to "fake" emails, though that actually is not faking at all. Please understand that the "From" and "To" addresses shown inside an email message are part of the message's content. From a technical point of view these addresses have nothing to do with from whom (from which account) that message has been sent or to whom it is addressed. Those addresses (accounts) are specified on a completely different level. In addition, it is not up to the sending software to decide what is a valid message and what is not, in terms of a message being genuine. That obviously would not make sense if you think about it. That is something that either the receiving side or the transmitting side has to make sure of, here the email servers, especially the SMTP servers accepting and routing messages.

    And indeed this is the case: it is a question of your local SMTP server's configuration whether such a message is accepted for delivery or not. Most likely the message in your test case has been accepted because it originated from within your local network, or what the SMTP server considers your local network. For such messages typically other rules exist compared to those received "from the outside", and this does make sense. Further, it is a well-known fact that it is part of the responsibility of the SMTP server administrators to make sure that their servers cannot be misused. The rules used for this are called "relaying rules"; all current SMTP server implementations offer configuration options dealing with that issue.

    In general you can say that

    • really "faking" an email is not that easy if you look at the details. If a receiver only looks at superficial details then indeed he can easily be fooled.

    • email is not at all a secure means of communication, it never has been and it never was meant to be. It is built on trust in general.

    • the only secure way to make sure that an email has indeed been sent by the party that is claimed as sender inside the message is by using "signed messages", by using a digital signature.

    This answer was chosen as the best answer by the asker.
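The distinction the answer draws, as an added example that is not part of the original question or answer: the SMTP envelope (MAIL FROM / RCPT TO) is what the server applies its relaying rules to, while the From: line is just content that arrives later in the DATA phase. The `smtpd_decide()` function is a simplified model of the restriction classes a Postfix smtpd evaluates (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination and the reject_*_sender_login_mismatch checks); it is not Postfix code, and every domain, network, login and address in it is constructed for the example. `inspect()` shows what "checking the headers" actually compares, and `header_check()` models a cleanup-stage header rule, which is the only one of these that also touches mail submitted locally through the sendmail binary (the path PHP's mail() uses).

```python
"""Added example (not part of the original post): the SMTP envelope that a
server decides on versus the From: header that is only message content.

smtpd_decide() is a simplified model of Postfix smtpd relaying rules, not
Postfix code. All addresses, networks and logins below are constructed.
"""
import ipaddress
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Hypothetical server settings for the example.
MY_DOMAINS = {"example.com"}                         # domains this VPS receives mail for
MY_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),  # the "mynetworks" idea: trusted clients
               ipaddress.ip_network("203.0.113.0/24")]
# Envelope senders "owned" by a SASL login (the smtpd_sender_login_maps idea).
SENDER_LOGIN_MAPS = {"alice@example.com": {"alice"},
                     "noreply@example.com": {"alice", "webapp"}}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def client_is_local(client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in MY_NETWORKS)


def smtpd_decide(client_ip: str, login, mail_from: str, rcpt_to: str) -> str:
    """SMTP reply for one MAIL FROM / RCPT TO pair, evaluated in the order a
    typical smtpd_recipient_restrictions list would. The From: *header* is
    never consulted here: at this point it has not even been transmitted."""
    owners = SENDER_LOGIN_MAPS.get(mail_from.lower())
    if owners is not None and login is None:
        return "553 5.7.1 Sender address requires authentication"    # unauthenticated sender login mismatch
    if owners is not None and login not in owners:
        return f"553 5.7.1 Sender address not owned by user {login}"  # authenticated sender login mismatch
    if client_is_local(client_ip) or login is not None:
        return "250 2.1.5 Ok"                                          # permit_mynetworks / permit_sasl_authenticated
    if domain_of(rcpt_to) in MY_DOMAINS:
        return "250 2.1.5 Ok"                                          # inbound mail for our own domain
    return "554 5.7.1 Relay access denied"                             # reject_unauth_destination


def build_message(header_from: str, header_to: str, subject: str, body: str) -> bytes:
    """The part the sender fully controls: From:/To: are ordinary header lines."""
    msg = EmailMessage()
    msg["From"] = header_from
    msg["To"] = header_to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes()


def deliver(raw: bytes, envelope_from: str, client_ip: str) -> bytes:
    """What a receiving MTA prepends on delivery: the envelope sender becomes
    Return-Path: and the connecting client appears in a Received: line
    (trace-header format simplified for the example)."""
    trace = (f"Return-Path: <{envelope_from}>\n"
             f"Received: from [{client_ip}] by mx.example.com with ESMTP\n")
    return trace.encode() + raw


def inspect(raw: bytes) -> dict:
    """Compare the advertised From: with the trace headers; this is what
    'checking the email headers reveals the truth' amounts to."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    header_from = msg["From"].addresses[0].addr_spec
    return_path = msg["Return-Path"].strip("<> ") if msg["Return-Path"] else None
    return {"header_from": header_from,
            "return_path": return_path,
            "received": [str(h) for h in msg.get_all("Received", [])],
            "mismatch": return_path is not None and return_path.lower() != header_from.lower()}


def header_check(raw: bytes, allowed_domains=frozenset(MY_DOMAINS)) -> str:
    """Model of a cleanup-stage header rule that rejects a From: outside our own
    domains. Unlike the smtpd rules above it also covers mail handed to the
    sendmail binary, which is how PHP's mail() submits to Postfix."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for addr in msg["From"].addresses:
        if domain_of(addr.addr_spec) not in allowed_domains:
            return f"REJECT From: {addr.addr_spec} is not an address at our own domain"
    return "OK"


if __name__ == "__main__":
    # The asker's experiment: a script on the VPS itself (127.0.0.1) submits a
    # message whose From: header names somebody else. The envelope sender is
    # whatever the web server's unix user maps to (assumed here).
    raw = build_message("ceo@example.org", "me@example.com", "test", "hello")
    print(smtpd_decide("127.0.0.1", None, "www-data@vps.example.net", "me@example.com"))
    print(inspect(deliver(raw, "www-data@vps.example.net", "127.0.0.1")))
    print(header_check(raw))
```

Running the block shows the three facts behind the answer: the local client is relayed by the envelope-level rules no matter what the From: header says, the delivered copy still carries the real envelope sender in Return-Path: and the real client in Received:, and only a content-level rule ever looks at From:. In real Postfix the envelope checks correspond to `mynetworks`, `smtpd_sender_login_maps` with `reject_sender_login_mismatch` in `smtpd_sender_restrictions`, and `reject_unauth_destination`; the From: rule corresponds to a `header_checks` table, which is what you need for mail() because mail submitted through `sendmail` goes via pickup and cleanup and never passes through smtpd at all.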

