Current 2.6.0 release has some kind of bug, that allows ANONYMOUS login
even when sasl.anonymous is disabled in c2s.xml.

Yesterday I noticed, that spammers are using this bug to send spam via
my server, using ANONYMOUS logins.

I am working on a fix.
This mail is to serve as a warning.

I've been able to workaround this bug by disabling "auto-create" in
sm.xml, so the spammer can log in ANONYMOUS, but is not able to create
SM session for not-existing account.

Will keep you informed about a progress of the fix.

smoku @ @

Reply via email to