Hello Derrick,

Monday, September 15, 2003, 10:57:57 AM, you wrote:

D> I think I figured it out.  The qmail-smtpd.c patch for SMTP AUTH had an
D> exploit.  It did require authentications, but it didn't care what
D> credentials you threw at it, so long as you sent something.

Yes, there are/were a few SMTP auth patches put up by people who did not
fully give the correct instructions on how to install with regards to the
smtpd run file. qmail by itself has never had a security breach.

Chances are you have a misconfigured qmail-smtpd run file, which some of
these sites for patches have put up erroneously, causing this error.

an explanation and fix is in the thread of

http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2

Or, you can do the following:

If you have the current source code and the patch you applied, you
should be able to use "patch -R" to apply the patch in reverse, which
will essentially remove it from qmail.

If you don't know what qmail patches you have, it's probably best
to re-install from scratch, so in the future you know how your system
is configured. It just takes a few minutes to install from source.

D> On that note, does anyone know of a way to get SMTP AUTH working with
D> qmail without being an accidental relay?

See above link for probable fix, or

Yes, install qmail from source, run make setup check, and pick a good auth
patch from lifewithqmail.org A good one is

http://members.elysium.pl/brush/qmail-smtpd-auth/index.html


-- 
Best regards,
 Gary 

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to