On Sun, 12 Sep 1999, Sebastian Andersson wrote:
> I just got a nasty letter from ORBS telling me that one of my SMTP
> servers was an open relay.
>
> The host was a secondary mailserver for some of our domains and it had
> no hosts in locals and a correctly configured rcpthosts. Its virtualhosts
> was also empty and it was not configured to allow percent hack.
> Still <user%domain@[ipnumber]>, where ipnumber was the host's IP number,
> was allowed straight through.
>
> me was set to a local domain, where another server was primary and that
> server was configured to allow relaying for this server.
>
> [ipnumber] was changed to the default domain and that was in the rcpthosts
> file so it was ok. The message was forwarded to the primary smtp server for
> that domain and that server saw that the mail came from an authorized
> relayer and passed it along...
Well, yeah... This is a major hole. Plug it up by taking the host A's
ip/name out of the relay host's list of allowed relay clients. It'll
still receive email from that host, but will only deliver it locally.
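
The two-hop chain discussed in this thread, as an added example (a simplified model, not qmail code and not from either poster). The IP, the domains, and the function names are constructed, and it assumes the primary applies percent routing only for hosts on its allowed-relay list, as the thread implies.

```python
# Simplified model of the secondary -> primary relay chain from the thread.
# All IPs and domains are constructed placeholders (documentation ranges).
SECONDARY_IP = "192.0.2.10"
DOMAINS = {"example.org"}   # domains both servers handle

def secondary_accept(rcpt, rcpthosts, default_domain, own_ip):
    """Secondary MX: rewrite @[own-ip] to the default domain, then apply
    the rcpthosts check. Returns the address to forward, or None."""
    local, _, domain = rcpt.rpartition("@")
    if domain == f"[{own_ip}]":
        domain = default_domain   # per the thread: [ipnumber] -> default domain
    if domain not in rcpthosts:
        return None               # ordinary relay attempt: rejected here
    return f"{local}@{domain}"

def primary_deliver(rcpt, client_ip, local_domains, relay_clients):
    """Primary MX. Assumption: percent routing and relaying happen only
    for clients on the allowed-relay list; others get local delivery."""
    local, _, domain = rcpt.rpartition("@")
    trusted = client_ip in relay_clients
    if domain in local_domains:
        if trusted and "%" in local:
            user, _, target = local.rpartition("%")
            return ("relay", f"{user}@{target}")   # leaves the site
        return ("local", rcpt)                      # stays in a local mailbox
    return ("relay", rcpt) if trusted else ("reject", rcpt)

def trace(rcpt, relay_clients):
    """Follow one recipient through both hops and report the outcome."""
    fwd = secondary_accept(rcpt, DOMAINS, "example.org", SECONDARY_IP)
    if fwd is None:
        return ("reject", rcpt)
    return primary_deliver(fwd, SECONDARY_IP, DOMAINS, relay_clients)

if __name__ == "__main__":
    probe = "someone%example.net@[192.0.2.10]"
    print("secondary trusted  :", trace(probe, {SECONDARY_IP}))
    print("secondary untrusted:", trace(probe, set()))
    print("plain relay attempt:", trace("someone@example.net", {SECONDARY_IP}))
```

Neither server is misconfigured on its own; the relay only appears when the secondary's address rewrite is combined with the primary's trust in the secondary.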