Gryffyn, Trevor wrote: > If it's a un*x system and you have permissions to connect to the SMTP > server, you could use the VRFY command to check to see if their email > address exists or not maybe: > > Example of Verifying a User Name > > Either > > S: VRFY Smith > R: 250 Fred Smith <Smith@xxxxxxxxxxxxx> > > Or > > S: VRFY Smith > R: 251 User not local; will forward to <Smith@xxxxxxxxxxxxx> > > Or > > S: VRFY Jones > R: 550 String does not match anything. > > Or > > S: VRFY Jones > R: 551 User not local; please try <Jones@xxxxxxxxxxxxx> > > Or > > S: VRFY Gourzenkyinplatz > R: 553 User ambiguous. > > (examples taken from: http://www.ietf.org/rfc/rfc0821.txt Page 8) I believe that, for performance and security reasons, many/most SMTP servers these days will out and out *LIE* to you about this... The real answer is: There is *NO* *WAY* to do this on a general basis, unless you control the remote machine, or know enough about its setup, to be certain that it will respond correctly. >> ServerA and ServerB Ah. The original poster probably has control of ServerB. Life is now simplified immensely. >> This, of course, is because the script is being run as "www" >> who has no >> place to put ssl keys. >> >> Could this be solved by having "www" "su" to a user who has >> remote access >> privileges? Something like this: >> >> $idResults = `su admin | ssh admin@xxxxxxxxxx id bigbob 2>&1`; su simply won't let you do that. su requires a TTY to avoid you doing something so incredibly dangerous as this. So, no, that won't work. And you shouldn't be trying to do that anyway. >> Anyone else doing or done something like this? Sure. I've never done it, but many many many have. One fairly simple thing is to create the 'www' user on ServerA so that they *do* have a home directory where they can store SSH keys. You may need to su to 'www' once, and do some ssh work -- ssh-key-gen or whatever it is. That, however, increases your risk in the event that the www user is compromised on ServerA. Probably the best answer is to attack this from the side of ServerB. You want ServerB to: Only allow ServerA to even ask. Tell ServerA if user "X" is a valid username. >From the point of ServerB, making sure that ServerA is the one asking is fairly simple. You could check the IP (which can be spoofed, but that's fairly difficult) or provide some other means of authentication (SSH/SSL) that ensures that ServerA is really ServerA. Then, ServerB can just check /etc/passwd usernames. Or be even simpler to use a shell command like 'user' (?) or 'groups' to verify that a user is valid. In other words, instead of writing some hacky code on ServerA to try to poke at ServerB to get the answer you want, write some nice clean code on ServerB to provide the answer, WHEN APPROPRIATE. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
