Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

How to forge a from: header without a CNAME check?

0 views
Skip to first unread message

Matthew Elkin

unread,
May 20, 1996, 3:00:00 AM5/20/96
to

UVA used to have three different unix machines, faraday, darwin and fermi. All
accounts on those machines were recently consolidated onto one machine
(faraday). So that mail and telnet requests for darwin and fermi would go to
faraday, all telnet requests, or mail directed to darwin.uva.edu or
fermi.uva.edu is directed to faraday.uva.edu (through the use of CNAME).

The problem is that now the old users of darwin and fermi cannot send mail with
their old email address in the From: header. Listservs etc. won't process
requests for an account unless the mail is from the actual account. I (and the
other users of the old machines) can't figure out how to get our old email
addresses in outgoing email from headers: (e.g., user...@darwin.uva.edu is
always changed to user...@faraday.uva.edu).

The IT folks here responded to request for help with this :
>a side effect of a cname is that it prevents forging mail (at least to
>machines with our sendmail config -- although I don't think it's a CONFIG
>issue, I think it's just the way sendmail works) as a cname'd host. You can
>easily forge mail from a non-existent host since sendmail can't look up the
>entry and has to trust you. If you forge mail from a cname, it looks it up
>and gets the real name of the host and plugs it in.

>I still, however, see no way that we can change this. The only other way we
>could do it would mean that users would no longer be able to telnet to
>darwin.clas or fermi.clas and that would most likely be a bigger problem....

...

>Unfortunately, it looks like DNS is the real culprit, so I don't think there
>is any way to do it....
>
>No matter what you put in the from: header, the MTA looks it up and replaces
>with the canonical name if it can find one. There's probably some MTAs that
>don't do this, but I've verified that sendmail and MMDF both do.

Does anyone know of a way around this problem? Is there any mail server I can
use that won't check the from header with DNS? Or is there anyway for the IT
people here to not have the DNS change but still direct telnet and email for
the old machines to the new ones?

thanks for any help. (sorry if I didn't get all the terminology right: I don't
know a lot about this stuff and am just trying to get straighten out my email
account...)

Matt; el...@virginia.edu

Frank Volf

unread,
May 21, 1996, 3:00:00 AM5/21/96
to

In article <4nqsqu$3ak...@James.Virginia.EDU>,
Matthew Elkin <mr...@faraday.clas.virginia.edu> wrote:

Hi,

>UVA used to have three different unix machines, faraday, darwin and fermi. All
>accounts on those machines were recently consolidated onto one machine
>(faraday). So that mail and telnet requests for darwin and fermi would go to
>faraday, all telnet requests, or mail directed to darwin.uva.edu or
>fermi.uva.edu is directed to faraday.uva.edu (through the use of CNAME).
>
>The problem is that now the old users of darwin and fermi cannot send mail with
>their old email address in the From: header. Listservs etc. won't process
>requests for an account unless the mail is from the actual account. I (and the
>other users of the old machines) can't figure out how to get our old email
>addresses in outgoing email from headers: (e.g., user...@darwin.uva.edu is
>always changed to user...@faraday.uva.edu).

[...]

>Does anyone know of a way around this problem? Is there any mail server I can
>use that won't check the from header with DNS?

If it is the sending MTA that does the CNAME -> CANONICAL name translation,
then it is possible to change the sendmail.cf file so that it leaves the
names darwin.uva.edu and fermi.uva.edu alone.
If the receiving MTA (running the mailing list) does CNAME translation, then
there is no way out for you using CNAMEs

>Or is there anyway for the IT
>people here to not have the DNS change but still direct telnet and email for
>the old machines to the new ones?

What they could do is to use an A record pointing to the IP address of
faraday for darwin and fermi instead of a CNAME.
This way incoming telnet and mail sessions still work, however the mail
configuration of faraday should be extended so it does local delivery of
darwin and femi mail (using the Cw macro or /etc/sendmail.cw this can be
done very easily). In this case there will be no CNAME translation, which
is exactly what you want!

Regards,

Frank

--
Frank Volf - vo...@IAEhv.nl - IAE Management
Internet Access Eindhoven (IAE) public access UNIX
Phone: 040-2438330 (voice), 040-2439436 (93 data lines)
For more info log in as info, to subscribe log in as new

0 new messages