Companies often expose SMTP Servers and not POP3/IMAP Servers outside firewall.
The point is that you can always send mail or spam to anyone but you cannot do a dictionary attack, guess passwords and read any mail. ATRN/ETRN actually allow an SMTP Server to act as a mail reciever and also mail publisher. Here is a scenerio: A hacker looks for valid userids by searching for '@<companyname>' Does dictionary attack to find password. Say gets 5% of passwords on a system that does not have good auditing. Finds a mail server that has TURN commands, and then once in a while routes mail to herself for those users. Harmeet PS: Polymorphism may be good and object oriented but Security folks are not likely to know the advantages. ----- Original Message ----- From: "Harmeet Bedi" <[EMAIL PROTECTED]> To: "James Users List" <[EMAIL PROTECTED]> Sent: Wednesday, June 12, 2002 5:36 PM Subject: Re: ATRN > FYI: ATRN is bad from a security point of view. > > Reason: "My need is for a simple device > that simply queues mail and relays it on-demand, no delivery necessary." > One can send (snail)mail to anyone in the directory, but I want to keep my > own mail inbox hidden. > > Harmeet > ----- Original Message ----- > From: "Jeff Schnitzer" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Tuesday, June 11, 2002 7:32 PM > Subject: ATRN > > > I need to use ATRN to pull mail from a relay into an Exchange server > which has a dynamic IP address. Does James support ATRN? > > I'm guessing it doesn't, since a search of the mail archives and > documentation turns up nada. > > The next question is: How amenable is the James architecture to > supporting ATRN? I notice SMTP AUTH is already supported, which is > good. But I know relatively little (yet) about the internal workings of > an MTA, so I don't know what else is needed. Can James queue mail > without delivery for a more or less indefinite time? Does the > architecture make it possible to easily take an inbound SMTP connection > and reverse the client/server roles? > > If it's realistically possible for me to implement it in a week, I'm > willing to grab the RFC and start hacking. But I'm starting at the > bottom of both the James and MTA learning curves, so I can't even > evaluate the feasibility. > > Comments? > > ATRN would be a really cool feature to have, especially since neither > sendmail nor qmail currently support it. My need is for a simple device > that simply queues mail and relays it on-demand, no delivery necessary. > > Jeff Schnitzer > [EMAIL PROTECTED] > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
