If I send email to my ISPC server and forge the "from" header, I'm able to send mail, with no authentication required, to real mailbox recipients whose mailboxes are hosted on the server -- all from a remote IP address on my ISP's network. I find this to be alarming, and this seems to be possible with the default ISPC configuration. To be fair, I don't know how much ISPC modifies Postfix's default configuration, and whether the too-permissive default value is something that exists off-the-shelf, or if it's something that ISPC adds/removes. In fact, it's entirely possible that I have misconfigured something myself. So, I setup a test-case. The "real-world" application is a Web form. Now, it is important to note that I am running this Web application on my personal workstation; that is, on a desktop PC at home, connected to a residential ISP's network. I am not runnin the test application on the actual server to which I am sending mail. The fact that it's a Web application isn't even relevant, actually. I could replicate this same scenario just using telnet or a desktop email client. I am using this example scenario only as a frame of reference. This test application takes two actions in the way of email: 1.) Sends a message to the "customer care" email address (this address is hard-coded in the application logic). This email address is identified as [email protected] below. 2.) Sends a copy of the same message to the "submitter's" own email address (the address field is a free-form text field). This email address is identified as [email protected]. (The attacker would put the spam "target/recipient" address of the user whose mail is hosted at my.real-domain.com into this field.) The "from" header is set via the Web form application logic and is identified as [email protected] below. (This is the address that is being "forged"; I intentionally set this to a fake/nonexistent address as my real domain.) In any case, here's the mail.log excerpt when I perform this test. Code: May 31 07:36:52 server postfix/smtpd: connect from rrcs-1-2-3-4.nys.biz.rr.com[18.104.22.168] May 31 07:36:53 server postfix/smtpd: 1C45519018F2: client=rrcs-1-2-3-4.nys.biz.rr.com[22.214.171.124] May 31 07:36:53 server postfix/cleanup: 1C45519018F2: message-id=<1370011015.51a8b587172b8@desktop-pc> May 31 07:36:53 server postfix/qmgr: 1C45519018F2: from=<[email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected][email protected] from=<[email protected][email protected] <[email protected][email protected] What this means is that anyone can simply setup a desktop email client and send email to my server, from some external network, and the email will be accepted for delivery as long as a) the sender uses any "from address" ("local part") @my.real-domain.com, and b) the recipient has a mailbox @my.real-domain.com. Postfix "postfinger" output for this server: http://pastebin.com/QGE3cah5 Can anyone verify this behavior (or confirm that it "doesn't happen for me")?