Further, I've contacted Mark Herrick at RoadRunner security to tell him that
his test is faulty, and have made several suggestions on how to fix it.
First suggestion would be: To assume qmail users are not allowing relay. :)

Drop him a line at ([EMAIL PROTECTED]) and tell him that you're running qmail,
and that you're not an open relay.  Their test is faulty.

I got scared by that one a few weeks back, and the list set me straight.
RoadRunner's security staff would rather not write an actual check script
that waits for the mail to come back.  Oh well.

Although that does bring up an interesting security question.  A spammer
could, potentially, launch a denial of service attack against a qmail server
by sending spams, couldn't they?  If qmail takes the time to queue them,
that's a Bad Thing(tm), in my opinion.  Would it be violating any kind of
RFC if we re-coded qmail to reject those relay messages the moment someone
who doesn't have ALLOWRELAY set for their mask attempts to send a message to
a non-local user?  Just a thought.

Dustin

-----Original Message-----
From: Charles Cazabon [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 22, 1999 9:11 AM
To: Mark H. Mabry
Cc: [EMAIL PROTECTED]
Subject: Re: Qmail is relaying external mail (Spam).


Mark H. Mabry <[EMAIL PROTECTED]> wrote:
>
> I'm running Qmail 1.03 on a Debian Linux PC connected to a cable-modem
> (roadrunner).  The other day, a roadrunner security test found that my
> mailserver allows some third-party relays.  It sent me the failing example
> which I'll include below.  It also pointed me to a website to help me in
> fixing this problem.  The website is
> http://mail-abuse.org/tsi/ar-fix.html,
> which says that I should not be having this problem since I use qmail.
>
> Here is the failing example.  I've tried it myself and seen it accept the
> message.  In the example I've replaced my explicit IP address with
> 200.200.200.200.
>
>  >>> MAIL FROM:<openrelaytest@[200.200.200.200]>
>  <<< 250 ok
>  >>> RCPT TO:<[EMAIL PROTECTED]@[200.200.200.200]>
>  <<< 250 ok
>  >>> DATA
>  <<< 354 go ahead

This isn't a failure.  Roadrunner isn't doing their homework -- not all
MTAs mean "Yes, I'll deliver this mail" when they say "354 go ahead".
Qmail would have properly bounced this message _after_ accepting it into
the queue if your system is configured as you say -- and therefore, you
aren't an open relay.

Charles
--
----------------------------------------------------
Charles Cazabon         <[EMAIL PROTECTED]>
Any opinions expressed are just that -- my opinions.
----------------------------------------------------
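
Added example (not part of the original messages): a sketch of the check the thread says the relay test skipped, treating the `250`/`354` replies as inconclusive and deciding only once the probe is seen delivered or bounced. The recipient placeholder, the token, the two inbox lists and the verdict strings are assumptions made for illustration.

```python
import re

# Constructed sample: the SMTP dialogue quoted in the thread, with a
# placeholder recipient where the archive redacted the address.
TRANSCRIPT = """\
>>> MAIL FROM:<openrelaytest@[200.200.200.200]>
<<< 250 ok
>>> RCPT TO:<probe%third-party.example@[200.200.200.200]>
<<< 250 ok
>>> DATA
<<< 354 go ahead
"""

def smtp_stage_results(transcript):
    """Map each client command verb (MAIL, RCPT, DATA) to the reply code."""
    results, verb = {}, None
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith(">>>"):
            verb = line[3:].strip().split(":")[0].split()[0].upper()
        elif line.startswith("<<<") and verb:
            m = re.match(r"(\d{3})", line[3:].strip())
            if m:
                results[verb] = int(m.group(1))
    return results

def classify(transcript, token, third_party_inbox, sender_inbox):
    """Decide relay status from the dialogue plus what arrived afterwards.

    token: unique string the tester put in the probe body (assumption).
    third_party_inbox / sender_inbox: message bodies collected after a
    waiting period at the probe's target and at the envelope sender.
    """
    rcpt = smtp_stage_results(transcript).get("RCPT")
    if rcpt is None:
        return "inconclusive: no RCPT reply recorded"
    if rcpt >= 400:
        return "not-relay: rejected at RCPT"
    # Acceptance at SMTP time proves nothing; only delivery does.
    if any(token in body for body in third_party_inbox):
        return "open-relay: probe reached third party"
    if any(token in body for body in sender_inbox):
        return "not-relay: accepted, then bounced"
    return "inconclusive: accepted, no delivery or bounce seen yet"

if __name__ == "__main__":
    bounce = "Hi. This is a bounce.\n--- original message ---\nX-Probe: tok123\n"
    print(classify(TRANSCRIPT, "tok123", [], [bounce]))
```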
