At 16.42 19/04/2005, you wrote:

>> -----Original Message-----
>> From: tonix (Antonio Nati) [ mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, April 19, 2005 5:24 PM
>> To: vchkpw@inter7.com
>> Subject: Re: [vchkpw] (Urgent) qmail-smtpd Bug !!!!!!!!!
>>
>>
>> You may disable acceptance of messages from non-authenticated
>> users only if you make one of these changes:
>>
>> - delete any entry from rcpthosts
>
> If I did so, no one could send emails to my local domains.

So now you may understand why this is not a bug, nor a security hole. It's a standard feature, and it cannot be any other way.

>> or
>> - modify the auth patch so that only auth relaying is allowed.
>
> I think that is a good solution, but how can I modify it??????

You must set up a dedicated qmail-smtpd server for these domains, and change the code: within smtp_rcpt, before chkuser (if you use it), or after these lines (I use Shupp's patch)
  if (flagbarfbmt) {   /* recipient matched control/badmailto (patched qmail-smtpd) */
    strerr_warn4("qmail-smtpd: badmailto: ",addr.s," at ",remoteip,0);
    err_bmt();
    return;
  }

add code like this:

  /* relayclient is NULL unless tcpserver exported RELAYCLIENT or SMTP AUTH succeeded */
  if (!relayclient) {
    strerr_warn4("qmail-smtpd: not auth sender: ",addr.s," at ",remoteip,0);
    err_notauth();
    return;
  }

where err_notauth() can be:

/* permanent failure, so the client does not retry; 5.7.1 is the "delivery not authorized" status */
void err_notauth() { out("553 sorry, you must authenticate before using this server (#5.7.1)\r\n"); }

It would be much better if this were a configurable option of the auth patch, one that would force authentication in the first SMTP steps, and not within the RCPT dialog (but this is better than nothing).

Tonino

>> Tonino
>
> Thanks and Best Regards.
>
> Samir Noshy


At 16.24 19/04/2005, you wrote:
>Hi Everybody,
>
>I have a system consisting of qmail 1.03, vpopmail-5.4.9,
>courier-imap-4.0.2, SM and QS.
>
>I think that there is a bug in qmail-smtpd.
>
>The bug is that I can send mail as/from a local account to any other local
>account, although I use the SMTP auth provided by:
> http://www.fehcom.de/qmail/smtpauth.html.
>
>smtpd and SMTP Auth must prevent anyone from impersonating and sending mail
>from a local account other than his own local account to any other local
>account.
>
>Imagine that I host the two domains companyXX.com and companyYY.com,
>for example.
>
>So, any person who does not belong to companyXX.com can impersonate
>[EMAIL PROTECTED] and send a formal email - w/o authenticating, of
>course - to [EMAIL PROTECTED] or [EMAIL PROTECTED]
>
>I want to prevent any third party - or even any local
>account user - from impersonating and sending mail from another local account
>to any other local account.
>
>By the way, my /var/qmail/supervise/qmail-smtpd/run is as follows:
>
>#!/bin/sh
>
># when QMAILQUEUE is set, all mail will be sent to the nominated script
>QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE
>
>QMAILDUID=`id -u vpopmail`
>QMAILDGID=`id -g vchkpw`
>
>exec /usr/local/bin/softlimit -m 15000000 \
>    /usr/local/bin/tcpserver -v -x /etc/tcp.smtp.cdb \
>    -c 20 -R -u "$QMAILDUID" -g "$QMAILDGID" 0 smtp \
>    /usr/local/bin/rblsmtpd -b -C \
>    -r 'relays.ordb.org:Your message was rejected because the mail server you use is configured to allow OPEN RELAY - More detailed information regarding this problem is available from http://www.ordb.org/lookup/?host=%IP% - Please forward this error through to your email server support staff for easy resolution.' \
>    -r 'list.dsbl.org:Your message was rejected because the message was sent from a server listed in DSBL - More information regarding this problem is available at http://dsbl.org/listing?%IP% - Please forward this error to your email server support staff for resolution.' \
>    -r 'sbl-xbl.spamhaus.org:Your message was rejected because the message was sent from a server listed in the Spamhaus RBL - More information regarding this problems is available at http://www.spamhaus.org/query/bl?ip=%IP% - Please forward this error to your email server support staff for resolution.' \
>    /var/qmail/bin/qmail-smtpd \
>    /home/vpopmail/bin/vchkpw /bin/true 2>&1
>
>
>Can anyone help me to work around this problem ????
>
>
>Best Regards.
>
>Samir Noshy

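To make the difference between the two options in Tonino's reply concrete, here is an added C model of the RCPT TO decision in qmail-smtpd (not qmail's, Shupp's or Tonino's code). It assumes the stock qmail convention that relayclient is NULL unless tcpserver exported RELAYCLIENT or SMTP AUTH succeeded, and uses constructed domain lists in place of control/rcpthosts.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Added example, not qmail's or Tonino's code: a model of the RCPT TO decision in
 * qmail-smtpd, so the two options from the thread can be compared side by side.
 * Assumptions: relayclient mirrors the qmail-smtpd global (NULL unless tcpserver
 * exported RELAYCLIENT or the SMTP AUTH patch set it after a successful AUTH);
 * the domain lists below are constructed stand-ins for control/rcpthosts. */

struct server_cfg {
    int require_auth;               /* Tonino's added check: reject every unauthenticated RCPT */
    const char *const *rcpthosts;   /* NULL-terminated contents of control/rcpthosts */
};

/* constructed rcpthosts contents: the normal file, and the "delete every entry" option */
const char *const local_domains[] = { "companyxx.com", "companyyy.com", NULL };
const char *const no_domains[]    = { NULL };

/* like addrallowed() in qmail-smtpd: is the recipient's domain listed in rcpthosts?
 * (exact match only; the real function also honours ".domain" wildcard entries) */
static int addr_allowed(const struct server_cfg *cfg, const char *addr)
{
    const char *at = strrchr(addr, '@');
    if (!at) return 0;
    for (const char *const *d = cfg->rcpthosts; *d; d++)
        if (strcasecmp(at + 1, *d) == 0) return 1;
    return 0;
}

/* Returns the SMTP reply code the server would give for RCPT TO:<addr>. */
int rcpt_decision(const struct server_cfg *cfg, const char *relayclient, const char *addr)
{
    if (cfg->require_auth && !relayclient)
        return 553;     /* err_notauth(): "you must authenticate before using this server" */
    if (relayclient)
        return 250;     /* authenticated or RELAYCLIENT: relaying allowed to any domain */
    if (addr_allowed(cfg, addr))
        return 250;     /* stock qmail: local domains accept mail from anyone, no auth needed */
    return 553;         /* err_nogateway(): domain isn't in rcpthosts */
}
```

With the stock configuration, a local recipient is accepted from any unauthenticated client, which is exactly what Samir observed and what Tonino describes as standard behaviour rather than an authentication bypass; only the emptied rcpthosts or the dedicated require_auth instance turns that into a 553.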