Dave Sill <[EMAIL PROTECTED]> writes:
> Thomas Neumann <[EMAIL PROTECTED]> wrote:
> >
> >I think Exchange can also use ETRN to tell another SMTP
> >server that it wants it to send queued mail, but ETRN
> >is even worse, being incredibly insecure.
>
> Not true. TURN is incredibly insecure, because it feeds messages back
> over an unverified connection, but ETRN is as secure as any other SMTP
> exchange.

Yes, exactly as secure as any other SMTP command, which is
a nice way to say 'not secure at all'.

ETRN, on servers that support it, is part of a normal, unverified
SMTP session. What verification capabilities do you see in ETRN as
defined in RFC1985? It would at least be pseudo-secure if the domain
name given as the parameter of the ETRN command were the FQDN to
connect to for sending the queue's content and the ETRN-capable MTA on
the server side opened a separate connection to that given host,
but this is not the case (and cannot be, as RFC1985 section 5 says
the given domain is allowed to resolve to only an MX, hence is allowed
to lack an A record and therefore maybe cannot be connect()'ed to).

The domain supplied with ETRN is only to tell the server which
elements of its queue it should send to the client.

> Basically, it's just telling a server "hey, if you've got
> any mail for host X, you should try sending it now".

Yes, and it will send it over the already running SMTP session
in which the ETRN command was issued. So what keeps me
from telnet'ing to some SMTP server that I know does ETRN for
domain foo.bar.com and shooting an 'ETRN foo.bar.com' at it, and
it will happily send me all of foo.bar.com's mail?

> qmail+serialmail supports AutoTURN, which is like ETRN, but doesn't
> require the remote site to send an ETRN command.

This is true, but it only works iff your dialup clients have static IP
addresses.

-t
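
The thread turns on the fact that nothing in a plain SMTP session verifies who is issuing ETRN. As an added example (not part of the original message, and not any particular MTA's code), this sketch gates ETRN on a per-domain allowlist of client networks, which presumes fixed client addresses; the domains, networks and the `check_etrn` name are constructed for illustration.

```python
import ipaddress
import re

# Constructed policy: client networks allowed to request a queue run per domain.
# Domains and networks are placeholders (documentation address ranges).
ETRN_ALLOW = {
    "foo.bar.com": ["192.0.2.0/28"],
    "example.org": ["198.51.100.7/32", "2001:db8:10::/64"],
}

# RFC 1985 argument forms: "domain", "@domain" (with subdomains), "#queue".
_ETRN_RE = re.compile(
    r"^ETRN +([@#]?)((?:[A-Za-z0-9-]+\.)*[A-Za-z0-9-]+)\.?$", re.I
)


def check_etrn(line, client_ip):
    """Return the SMTP reply for an ETRN line received from client_ip."""
    m = _ETRN_RE.match(line.strip())
    if not m:
        return "501 Syntax error in parameters"
    option, node = m.group(1), m.group(2).lower()
    if option == "#":
        # Named queues are site-specific; this sketch refuses them outright.
        return f"458 Unable to queue messages for node {node}"
    addr = ipaddress.ip_address(client_ip)
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; compare as IPv4.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    nets = [ipaddress.ip_network(n) for n in ETRN_ALLOW.get(node, [])]
    # Default deny: unknown domains have no networks, so nothing matches.
    if not any(addr in net for net in nets):
        return f"459 Node {node} not allowed: client address not authorized"
    return f"250 OK, queuing for node {node} started"


if __name__ == "__main__":
    # Constructed sample requests: (command line, peer address of the session).
    samples = [
        ("ETRN foo.bar.com", "192.0.2.5"),
        ("ETRN foo.bar.com", "203.0.113.9"),
        ("ETRN @foo.bar.com", "::ffff:192.0.2.5"),
        ("ETRN #uucp", "192.0.2.5"),
        ("ETRN", "192.0.2.5"),
    ]
    for cmd, peer in samples:
        print(f"{peer:>20}  {cmd:<20} -> {check_etrn(cmd, peer)}")
```

An address allowlist only binds the request to a network location, so it is no stronger than the address assignment behind it.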