By choosing the new option in WHM to have cPanel/Exim set the username/host combination as the value for the Sender field, cPanel makes the system noncompliant with RFC 822. I have copied the relevant fields here in case someone is interested.
As you can see, RFC 822 makes clear that the Sender field "...contains the authenticated identity of the AGENT (person, system or process) that sends the message."
But if I send an email from [email protected] to my account [email protected] and it gets a Sender field of [email protected], everyone can see that this is against RFC 822.
To prevent spammers from forging From or Sender fields, it is very easy to use a syntax within Exim to make sure these fields are correct without being noncompliant with RFC 822.
I am open to discussing this offline due to the nature of this issue.
Excerpt from RFC 822:
...4.4.1. FROM / RESENT-FROM
This field contains the identity of the person(s) who wished
this message to be sent. The message-creation process should
default this field to be a single, authenticated machine
address, indicating the AGENT (person, system or process)
entering the message. If this is not done, the "Sender" field
MUST be present. If the "From" field IS defaulted this way,
the "Sender" field is optional and is redundant with the
"From" field. In all cases, addresses in the "From" field
must be machine-usable (addr-specs) and may not contain named
4.4.2. SENDER / RESENT-SENDER
This field contains the authenticated identity of the AGENT
(person, system or process) that sends the message. It is
intended for use when the sender is not the author of the message,
or to indicate who among a group of authors actually
sent the message. If the contents of the "Sender" field would
be completely redundant with the "From" field, then the
"Sender" field need not be present and its use is discouraged
(though still legal). In particular, the "Sender" field MUST
be present if it is NOT the same as the "From" Field.
The Sender mailbox specification includes a word sequence
which must correspond to a specific agent (i.e., a human user
or a computer program) rather than a standard address. This
indicates the expectation that the field will identify the
single AGENT (person, system, or process) responsible for
sending the mail and not simply include the name of a mailbox
from which the mail was sent. For example in the case of a
shared login name, the name, by itself, would not be adequate.
The local-part address unit, which refers to this agent, is
expected to be a computer system term, and not (for example) a
generalized person reference which can be used outside the
network text message context.
Since the critical function served by the "Sender" field is
identification of the agent responsible for sending mail and
since computer programs cannot be held accountable for their
behavior, it is strongly recommended that when a computer program
generates a message, the HUMAN who is responsible for
that program be referenced as part of the "Sender" field mail-