views:

56

answers:

3

I wish to code a little service where I will be able to send an e-mail to a specific address used by my server to send specific commands to my server.

I'll check against a list of permitted e-mail addresses to make sure no one unauthorized will send a command to the server, but how do I make sure that, say, an e-mail sent by "[email protected]" really comes from "thezombie.net"?

I thought about checking the header for the original e-mail server's IP and pinging the domain to make sure it is the same, but would that be reliable?

Example:

Server receives a command from [email protected] [email protected] is authorized, proceed with checks Server checks "thezombie.net"'s IP from the header: W.X.Y.Z Server pings "thezombie.net" for it's IP: A.B.C.D The IPs do not correspond, do not process command

Is there any better way to do that?

+2  A: 

If you can solve this for generic e-mails, you solved the problem of SPAM.

Given that the mail headers are free form text in which anyone can claim anything, you can't do any sort of authorization nor authentication based on the mail headers. Your best bet is to authenticate the content, and there are protocols for that like S/MIME or PGP. They rely on cryptography for authentication and your server will be able to verify that the content is signed by a certificate you trust. But you'll move the burden on the mail sender that will have to send a properly signed message. Most mail readers though support adding digital signatures to content.

Remus Rusanu
Yeah, it kinda kills the purpose of the program, which is to provide a simple way to send commands to my server via e-mail when, say, on the road, using a cellphone (provided that the server also sends notifications via e-mail to my phone, which is the easy part).
MrZombie
A: 

You can use SPF to verify that a given IP is/is not authorized to send email on behalf of a particular domain (assuming that domain implements SPF, of course), but that only gets you so far. For example, it may not prevent another user at the source domain from impersonating the authorized user.

Authenticating the content with a digital signature is really the best way to go.

David Gelhar
+1  A: 

but how do I make sure that, say, an e-mail sent by "[email protected]" really comes from "thezombie.net"?

You also may want to look at Sender Policy Framework, as it is at least in part trying to provide a means of verifying that email was sent from authorized domain servers.

Also, serverfault.com may have some helpful answers for you since it is a networking- and server-related question.

JYelton