On Thu, 2 May 2002, Vëérêsh Khånörkãr wrote:
> I had made EHLO mandatory in the XMail server by commenting the code which
> acknowledges the "HELO" command, hence the only command that is accepted by
> the email server is "EHLO". And later when the server was built I tested it
> again, and found that if the authentication is failed still the server will
> allow the mail delivery. In my case the email server has no chance of
> accepting mail from another email server and hence there is no need for
> allowing the "HELO" command; users can of course use "EHLO". However, while
> testing the security, I found this security hole. I did change the code a
> bit by rejecting the session as soon as the authentication fails. However I
> thought I should inform Davide about it. It could be a potential loophole.
> Try it out yourself:
>
> *) EHLO somedomain
> *) MAIL FROM: <[EMAIL PROTECTED]>
> *) RCPT To: <[EMAIL PROTECTED]>
>
> Now the mail server should object at the second command itself, however
> that doesn't happen either. And the message gets delivered; it's the same
> as mail delivery without authentication with EHLO.

Your approach, besides being broken, breaks quite a few RFCs and does not fix
any problem. Authentication *adds* privileges to a default *init* state of the
server. If your default/base state is *open* then you have to fix your
configuration, not break the code.

- Davide
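The relay decision Davide describes, modelled as an added example (not XMail's own code): the base state decides what an unauthenticated client may do, and AUTH only adds privilege on top of it. The hostname, domains and the "user secret" credential are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class RelayPolicy:
    """The server's base state: what an unauthenticated client is allowed to do."""
    local_domains: Set[str]      # domains this server delivers for
    open_relay: bool = False     # True = relay for anyone (the misconfiguration)

@dataclass
class Session:
    authenticated: bool = False
    sender: Optional[str] = None

VALID_CREDENTIAL = "user secret"   # constructed stand-in for a real SASL exchange

def address_domain(arg: str) -> str:
    """Extract the domain from a 'TO:<user@example.org>' style argument."""
    return arg.split("@", 1)[-1].strip("<> ")

def handle(policy: RelayPolicy, session: Session, line: str) -> str:
    """Reply to one client command; only RCPT carries the relay decision."""
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        return "250 mail.example.org"
    if verb == "AUTH":
        session.authenticated = arg == VALID_CREDENTIAL
        return ("235 Authentication successful" if session.authenticated
                else "535 Authentication failed")
    if verb == "MAIL":
        session.sender = arg
        return "250 OK"
    if verb == "RCPT":
        if session.sender is None:
            return "503 Need MAIL first"
        # Privilege from AUTH is *added* to the base state; an open base state
        # relays regardless of whether AUTH succeeded, failed, or was never tried.
        allowed = (address_domain(arg) in policy.local_domains
                   or session.authenticated
                   or policy.open_relay)
        return "250 OK" if allowed else "550 Relaying denied"
    return "500 Unknown command"

def run_session(policy: RelayPolicy, client_lines: List[str]) -> List[str]:
    """Feed a whole client transcript through one session and collect the replies."""
    session = Session()
    return [handle(policy, session, line) for line in client_lines]

# The exchange from the thread: no AUTH at all, recipient outside our domains.
THREAD_EXCHANGE = ["EHLO somedomain",
                   "MAIL FROM:<someone@elsewhere.example>",
                   "RCPT TO:<victim@external.example>"]
```

With `open_relay=True` the thread's exchange is accepted at RCPT; with the default closed base state it gets `550 Relaying denied`, which is the configuration fix Davide points to.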
