It actually looks like they sent to our list as well which amazes me.  The
list is moderator only with a password.  How could they possibly send to the
list?  I assume this because the from field says [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Len Conrad
Sent: Sunday, September 03, 2000 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [IMail Forum] security holes



>Thanks, that is very helpful.  I wish Ipswitch would have told me this.  I
>disabled the LDAP server, is there any reason to have it running?

Not unless you have users who have LDAP clients.

Preston, did you have LDAP and LDAP logging turned on?  If yes, can
you see some LDAP activity harvesting your mail accounts in your log files?

Since this is a security hole, I recommend that the Ipswitch install
program set up Imail with the "information services" of LDAP, finger,
and whois turned off by default.

And that the SMTP security default install to "relay for
addresses".  It's not very responsible for Ipswitch to install Imail
as an open relay without signalling this fact.  Or, have the
admin  person select the security setting at install, with "relay for
addresses" and Uncheck SMTP AUTH as suggested
defaults.  Unexperienced Imail admins have quite enough on their
hands without getting hijacked and/or blacklisted due to imprudent
install defaults for security settings.

The SMTP AUTH default would force new installations to begin their
mail operations with this "best" policy and not be forced to
implement retroactively after several 100 or several 1000 user mail
programs are set up without SMTP AUTH.

Len


http://BIND8NT.MEIway.com: ISC BIND 8.2.2 p5  installable binary for NT4
http://IMGate.MEIway.com:  Build free, hi-perf, anti-spam mail gateways

Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
