From 7cceb3d8349d5c3af4d6d77c1c01bd94d6273673 Mon Sep 17 00:00:00 2001 From: Mechiel Lukkien Date: Thu, 10 Aug 2023 12:18:05 +0200 Subject: [PATCH] add comment about not verifying Sender for submissions --- smtpserver/server.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/smtpserver/server.go b/smtpserver/server.go index dcf471a..7f28320 100644 --- a/smtpserver/server.go +++ b/smtpserver/server.go @@ -1659,6 +1659,8 @@ func (c *conn) submit(ctx context.Context, recvHdrFor func(string) string, msgWr // Check that user is only sending email as one of its configured identities. Not // for other users. + // We don't check the Sender field, there is no expectation of verification, ../rfc/7489:2948 + // and with Resent headers it seems valid to have someone else as Sender. ../rfc/5322:1578 msgFrom, header, err := message.From(dataFile) if err != nil { metricSubmission.WithLabelValues("badmessage").Inc()