Dustin Miller <[EMAIL PROTECTED]> wrote:
> I got scared by that one a few weeks back, and the list set me straight.
> RoadRunner's security staff would rather not write an actual check script
> that waits for the mail to come back.  Oh well.

Not much you can do about that besides try to educate them.
 
> Although that does bring up an interesting security question.  A spammer
> could, potentially, launch a denial of service attack against a qmail server
> by sending spams, couldn't they?  If qmail takes the time to queue them,
> that's a Bad Thing(tm), in my opinion.  Would it be violating any kind of
> RFC if we re-coded qmail to reject those relay messages the moment someone
> who doesn't have ALLOWRELAY set for their mask attempts to send a message to
> a non-local user?  Just a thought.

Not much point to that - if someone is trying to launch a deliberate DoS
attack on a qmail server, they could then just send a ton of 1MB messages
to aaa,aab,aac,[EMAIL PROTECTED] -- qmail has to queue and try
to deliver them because they're local.  The next step (immediately denying
the mail if the local user doesn't exist) is difficult with qmail, because
of aliases and qmail-extension email addresses, and is a bad idea anyway,
because it opens you up to email-harvesting attacks (like with VRFY with
other MTAs).

However, I seem to remember an unofficial qmail patch somewhere that did
immediately reject mail to domains not in rcpthosts.  You might want to
check the mailing list archives, or possibly www.qmail.org.  Maybe even a
pointer in Dave Sill's (excellent) Life with qmail?

Charles
-- 
----------------------------------------------------
Charles Cazabon         <[EMAIL PROTECTED]>
Any opinions expressed are just that -- my opinions.
----------------------------------------------------
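
The trade-off discussed in this message, as an added sketch that is not part of the original e-mail and is not qmail's code or the patch mentioned: a RCPT-time check that decides on the recipient domain only, so a non-local domain is refused before queueing while existing and nonexistent local users get the same answer. The function name, the sample host list and the `relay_allowed` flag (standing in for the relay permission discussed above) are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Returns 1 if the RCPT TO address may be accepted, 0 if it should be
 * refused at SMTP time. Only the domain part is examined, so the answer
 * never reveals whether a local mailbox exists (no address harvesting). */
int rcpt_allowed(const char *addr, const char *const *hosts, size_t nhosts,
                 int relay_allowed)
{
    const char *at, *dom;
    size_t i, dlen, hlen;

    if (relay_allowed)                /* trusted client: may relay anywhere */
        return 1;
    at = strrchr(addr, '@');
    if (at == NULL || at[1] == '\0')  /* no domain part: refused in this sketch */
        return 0;
    dom = at + 1;
    dlen = strlen(dom);
    for (i = 0; i < nhosts; i++) {
        hlen = strlen(hosts[i]);
        if (hosts[i][0] == '.') {     /* ".example.org" matches any subdomain */
            if (dlen > hlen && strcasecmp(dom + dlen - hlen, hosts[i]) == 0)
                return 1;
        } else if (strcasecmp(dom, hosts[i]) == 0) {
            return 1;                 /* exact, case-insensitive match */
        }
    }
    return 0;
}

/* Constructed sample list standing in for an rcpthosts-style file. */
static const char *const sample_hosts[] = { "example.org", ".lists.example.org" };

int main(void)
{
    /* Constructed recipients: two local (one nonexistent), one wildcard, one foreign. */
    const char *rcpts[] = { "aaa@example.org", "nosuchuser@example.org",
                            "x@mx1.lists.example.org", "victim@example.net" };
    size_t i;
    for (i = 0; i < 4; i++)
        printf("%-26s %s\n", rcpts[i],
               rcpt_allowed(rcpts[i], sample_hosts, 2, 0) ? "accept and queue"
                                                          : "reject at RCPT");
    return 0;
}
```

Mail addressed to any name at a listed domain is still accepted and queued, which is why this check alone does not stop the flood of large messages to made-up local addresses described above.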
