
How to verify mail origin?

Developer https://www.devze.com 2022-12-25 22:34 Source: web
I wish to code a little service where I will be able to send an e-mail to a specific address used by my server to send specific commands to my server.

I'll check against a list of permitted e-mail addresses to make sure no one unauthorized will send a command to the server, but how do I make sure that, say, an e-mail sent by "mrzombie@thezombie.net" really comes from "thezombie.net"?

I thought about checking the header for the original e-mail server's IP and pinging the domain to make sure it is the same, but would that be reliable?

Example:

1. Server receives a command from mrzombie@thezombie.net.
2. mrzombie@thezombie.net is authorized, proceed with checks.
3. Server checks "thezombie.net"'s IP from the header: W.X.Y.Z
4. Server pings "thezombie.net" for its IP: A.B.C.D
5. The IPs do not correspond, do not process the command.

Is there any better way to do that?


If you can solve this for generic e-mails, you solved the problem of SPAM.

Given that the mail headers are free-form text in which anyone can claim anything, you can't do any sort of authorization or authentication based on the mail headers. Your best bet is to authenticate the content, and there are protocols for that like S/MIME or PGP. They rely on cryptography for authentication, and your server will be able to verify that the content is signed by a certificate you trust. But you'll move the burden onto the mail sender, who will have to send a properly signed message. Most mail readers, though, support adding digital signatures to content.
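As an added illustration of the signed-content approach this answer recommends (this is not code from the original post or from any project), here is a Go sketch of a command-by-mail service that checks a signature over the message body against the key registered for the From address. Ed25519 from Go's standard library stands in for PGP or S/MIME so the example runs offline; that substitution, the three-line body format, the address and the command names are all assumptions made for the example. One thing a bare PGP signature would not give you is included: the signed payload carries a sequence number, so a genuine signed "restart" mail captured once cannot simply be resent later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// CommandService executes a command only when the mail body carries a valid
// signature from the key registered for the From address. Ed25519 stands in
// for the PGP/S-MIME signature the answer recommends (assumption).
type CommandService struct {
	trusted  map[string]ed25519.PublicKey // sender address -> verifying key
	lastSeq  map[string]uint64            // sender address -> highest accepted sequence
	executed []string
}

func NewCommandService() *CommandService {
	return &CommandService{
		trusted: map[string]ed25519.PublicKey{},
		lastSeq: map[string]uint64{},
	}
}

// Authorize registers a sender's verifying key (the "permitted list").
func (s *CommandService) Authorize(addr string, pub ed25519.PublicKey) {
	s.trusted[addr] = pub
}

// payload is what gets signed: "<seq>\n<command>". Binding the sequence
// number into the signature is what lets the server reject a replayed mail.
func payload(seq uint64, cmd string) []byte {
	return []byte(strconv.FormatUint(seq, 10) + "\n" + cmd)
}

// SignCommand builds the body a sender would put in the message (constructed
// format): sequence number, command, base64 signature, one per line.
func SignCommand(priv ed25519.PrivateKey, seq uint64, cmd string) string {
	sig := ed25519.Sign(priv, payload(seq, cmd))
	return fmt.Sprintf("%d\n%s\n%s", seq, cmd, base64.StdEncoding.EncodeToString(sig))
}

// HandleMail takes the claimed From address and the body. The address is
// untrusted header text; it only selects which key must verify the body.
func (s *CommandService) HandleMail(from, body string) error {
	pub, ok := s.trusted[from]
	if !ok {
		return errors.New("sender not on the permitted list")
	}
	parts := strings.SplitN(strings.TrimSpace(body), "\n", 3)
	if len(parts) != 3 {
		return errors.New("malformed body: expected seq, command, signature")
	}
	seq, err := strconv.ParseUint(parts[0], 10, 64)
	if err != nil {
		return errors.New("malformed sequence number")
	}
	sig, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	// Only the signature binds the body to the sender's key.
	if !ed25519.Verify(pub, payload(seq, parts[1]), sig) {
		return errors.New("signature does not verify for the claimed sender")
	}
	// Signature is genuine; now make sure it is not a replay.
	if seq <= s.lastSeq[from] {
		return errors.New("replayed or out-of-order command")
	}
	s.lastSeq[from] = seq
	s.executed = append(s.executed, parts[1])
	return nil
}

// Executed returns the commands accepted so far, in order.
func (s *CommandService) Executed() []string { return s.executed }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	svc := NewCommandService()
	svc.Authorize("mrzombie@thezombie.net", pub)

	body := SignCommand(priv, 1, "restart-service")
	fmt.Println("genuine:    ", svc.HandleMail("mrzombie@thezombie.net", body))
	fmt.Println("replayed:   ", svc.HandleMail("mrzombie@thezombie.net", body))

	// Someone forging the From header but without mrzombie's private key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignCommand(otherPriv, 2, "rm-everything")
	fmt.Println("forged From:", svc.HandleMail("mrzombie@thezombie.net", forged))
}
```

The order of checks matters: the signature is verified before the sequence number is consulted, so an attacker cannot use the replay counter as an oracle, and nothing about the From line is trusted beyond choosing which key has to verify. With real PGP or S/MIME the same shape applies; the mail client's signature replaces the Ed25519 call and the per-sender key table becomes your set of trusted certificates or public keys.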


but how do I make sure that, say, an e-mail sent by "mrzombie@thezombie.net" really comes from "thezombie.net"?

You also may want to look at Sender Policy Framework, as it is at least in part trying to provide a means of verifying that email was sent from authorized domain servers.

Also, serverfault.com may have some helpful answers for you since it is a networking- and server-related question.


You can use SPF to verify that a given IP is/is not authorized to send email on behalf of a particular domain (assuming that domain implements SPF, of course), but that only gets you so far. For example, it may not prevent another user at the source domain from impersonating the authorized user.

Authenticating the content with a digital signature is really the best way to go.

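As an added example (not code from any of the answers above or from any project), here is a small SPF evaluator in Go that makes the two points of this answer concrete. It takes the domain part of the sender address and the IP your own mail server saw the connection come from, looks the domain's record up in a constructed table that stands in for DNS TXT lookups (assumption; the domains and record contents are invented for the example), and handles the ip4, ip6, include and all mechanisms with their qualifiers; a, mx, ptr, exists and redirect are reported as permerror rather than implemented. Run against the same authorized IP, two different users at the domain both get "pass", which is exactly the limitation the answer describes. Note that the IP has to be the one recorded in the Received header your own server added when it accepted the connection; any earlier Received lines are text supplied by the sender.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// spfRecords stands in for DNS TXT lookups (constructed for this example);
// a real implementation queries each domain's TXT record instead.
var spfRecords = map[string]string{
	"thezombie.net":         "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 include:_spf.mailhost.example -all",
	"_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
}

// qualifierResult maps an SPF qualifier to the result a matching mechanism yields.
func qualifierResult(q string) string {
	switch q {
	case "-":
		return "fail"
	case "~":
		return "softfail"
	case "?":
		return "neutral"
	default:
		return "pass"
	}
}

// cidrMatch reports whether ip equals the address in arg or lies inside its CIDR block.
func cidrMatch(arg string, ip net.IP) bool {
	if strings.Contains(arg, "/") {
		_, network, err := net.ParseCIDR(arg)
		return err == nil && network.Contains(ip)
	}
	single := net.ParseIP(arg)
	return single != nil && single.Equal(ip)
}

// CheckSPF evaluates domain's record for the connecting IP and returns an
// RFC 7208 result name: pass, fail, softfail, neutral, none or permerror.
func CheckSPF(records map[string]string, domain string, ip net.IP, depth int) string {
	if depth > 10 {
		return "permerror" // include loop or an overly deep chain
	}
	rec, ok := records[domain]
	if !ok || !strings.HasPrefix(rec, "v=spf1") {
		return "none"
	}
	for _, term := range strings.Fields(rec)[1:] {
		qualifier := "+"
		if strings.ContainsAny(term[:1], "+-~?") {
			qualifier, term = term[:1], term[1:]
		}
		mech, arg, _ := strings.Cut(term, ":")
		matched := false
		switch strings.ToLower(mech) {
		case "all":
			matched = true
		case "ip4", "ip6":
			matched = cidrMatch(arg, ip)
		case "include":
			// include matches only when the referenced record yields pass;
			// a missing or broken referenced record is a permanent error.
			switch CheckSPF(records, arg, ip, depth+1) {
			case "pass":
				matched = true
			case "none", "permerror":
				return "permerror"
			}
		default:
			return "permerror" // a, mx, ptr, exists, redirect: not implemented here
		}
		if matched {
			return qualifierResult(qualifier)
		}
	}
	return "neutral" // no mechanism matched
}

// SenderAuthorizedBySPF applies the check to a full From address. It can only
// see the domain part, so any local part sent from an authorized IP passes.
func SenderAuthorizedBySPF(records map[string]string, from string, ip net.IP) bool {
	_, domain, ok := strings.Cut(from, "@")
	if !ok {
		return false
	}
	return CheckSPF(records, domain, ip, 0) == "pass"
}

func main() {
	// Use the IP from the Received header your own MTA added; earlier
	// Received lines are sender-supplied text and prove nothing.
	connIP := net.ParseIP("203.0.113.7")
	for _, from := range []string{"mrzombie@thezombie.net", "intruder@thezombie.net"} {
		fmt.Printf("%-24s from %s: %v\n", from, connIP, SenderAuthorizedBySPF(spfRecords, from, connIP))
	}
	fmt.Println("thezombie.net from 192.0.2.1:", CheckSPF(spfRecords, "thezombie.net", net.ParseIP("192.0.2.1"), 0))
}
```

A "pass" here tells you the sending host is one thezombie.net lists as allowed to send its mail; it says nothing about which account on that host composed the message, which is why the per-user decision still has to rest on a signature the individual sender controls.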
