douziqian2871 2014-04-15 21:21
浏览 48
已采纳

在CentOS VPS上区分通过postfix发送的假电子邮件

I am going through my first steps on VPS management and configuration; been able to install PHP, mySql, phpMyAdmin, postfix, etc ... and migrate a Wordpress from an existing shared server to this VPS.

Sorry for my question being naive, but when testing postfix with the php mail function, I purposely sent the email with a "From" header which was not my own email address (don't worry, nothing serious).

Question is: the email was sent and received in my inbox as if it was sent by somebody else! Is it this easy to send a fake email with php and postfix? (of course, checking email headers reveals the truth).

How can I restrict my VPS from being able to send emails from arbitrary addresses?

Thank you.

  • 写回答

1条回答 默认 最新

  • douwang4374 2014-04-15 21:29
    关注

    The answer is "yes and now": it is easy to "fake" emails, though that actually is not faking at all. Please understand that the "From" and "To" addresses shown inside an email message are part of the messages content. From a technical point of view these addresses have nothing to do with from whom (from which account) that messages has been sent or to whom it is addressed. Those addresses (accounts) are specified on a completely different level. In addition it is not up to the sending software to decide what is a valid message and what not, in terms of a message being genuine. That obviously would not make sense if you think about it. That is something that either the receiving side or the transmitting side have to make sure, here the email servers, especially the smtp servers accepting and routing messages.

    And indeed this is the case: it is a question of your local smtp servers configuration if such a message is accepted for delivery or not. Most likely the message in your test case has been accepted because it originated from within your local network, or what the smtp server considers as your local network. For such messages typically other rules exist compared to routes received "from the outside" and this does make sense. Further it is a well known fact that it is part of the responsibility of the smtp server administrators to make sure that their servers cannot be missused. The rules used for this are called "relaying rules", all current smtp server implementations offer configuration opions dealing with that issue.

    In general you can say that

    • really "faking" an email is not that easy if you look at the details. If a receiver only looks at superficial details then indeed he can easily be fooled.

    • email is not at all a secure means of communication, it never has been and it never was meant to be. It is built on trust in general.

    • the only secure way to make sure that an email has indeed been sent by the party that is claimed as sender inside the message is by using "signed messages", by using a digital signature.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 无线电能传输系统MATLAB仿真问题
  • ¥50 如何用脚本实现输入法的热键设置
  • ¥20 我想使用一些网络协议或者部分协议也行,主要想实现类似于traceroute的一定步长内的路由拓扑功能
  • ¥30 深度学习,前后端连接
  • ¥15 孟德尔随机化结果不一致
  • ¥15 apm2.8飞控罗盘bad health,加速度计校准失败
  • ¥15 求解O-S方程的特征值问题给出边界层布拉休斯平行流的中性曲线
  • ¥15 谁有desed数据集呀
  • ¥20 手写数字识别运行c仿真时,程序报错错误代码sim211-100
  • ¥15 关于#hadoop#的问题