I was going over the qmail pictures to see if I could get a little more
insight into the hows and whys of qmail's failure to throw an exception of
some kind the moment someone unauthorized attempts a relay. As it is, it
doesn't give any indication to the end user that he's not allowed to be
doing what he's doing, so all of us get random messages from security
people, blah blah blah.

Here's the deal.

Here's the "unauthorized relay" picture from the qmail package:

---[ begin picture ]---
qmail-smtpd Receive message by SMTP from another host:
MAIL FROM:<[EMAIL PROTECTED]>
RCPT TO:<[EMAIL PROTECTED]>
Is $RELAYCLIENT set? No.
Is irs.gov in rcpthosts? No.
Reject RCPT.
---[ end picture ]---

But qmail doesn't immediately reject RCPT. Rejecting the RCPT here would
not give up any security information (that I can see). AFAICT, qmail waits
until after the DATA command is passed and ended with a "." before it barks
up that you can't relay.

Can't this behavior be changed?

Dustin
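
The RCPT-time decision drawn in the picture, as an added Python example (not part of the original message and not qmail's own code). It goes beyond the picture by covering the behaviours documented in qmail-smtpd(8): `.domain` wildcards, a missing rcpthosts file, and recipients without an @ sign. The function names and the reply reasons are constructed for illustration.

```python
# Added illustration of the picture's RCPT check; not taken from qmail source.

def domain_allowed(domain, rcpthosts):
    """Exact match, or a listed '.suffix' wildcard covering a parent domain."""
    domain = domain.lower()
    hosts = {h.strip().lower() for h in rcpthosts if h.strip()}
    if domain in hosts:
        return True
    # ".example.org" covers every subdomain of example.org, but not
    # example.org itself, so test each suffix that starts at a dot.
    pos = domain.find(".")
    while pos != -1:
        if domain[pos:] in hosts:
            return True
        pos = domain.find(".", pos + 1)
    return False


def rcpt_decision(recipient, rcpthosts, env):
    """Return (smtp_code, reason) for one RCPT TO address.

    rcpthosts is the list of lines from the control file, or None when the
    file does not exist. env is the environment of the SMTP daemon.
    """
    if "RELAYCLIENT" in env:  # set, even to the empty string
        return 250, "RELAYCLIENT set, rcpthosts ignored"
    if rcpthosts is None:
        # Failure mode: with no rcpthosts file nothing is rejected (open relay).
        return 250, "no rcpthosts file, every recipient accepted"
    addr = recipient.strip().strip("<>")
    if "@" not in addr:
        return 250, "no @ sign, always allowed through"
    domain = addr.rsplit("@", 1)[1]
    if domain_allowed(domain, rcpthosts):
        return 250, "domain listed in rcpthosts"
    return 553, "domain not in rcpthosts, RCPT rejected"  # constructed reason text


if __name__ == "__main__":
    # Constructed sample data; irs.gov is the domain used in the picture.
    sample_hosts = ["example.org", ".example.org"]
    for rcpt in ("<someone@irs.gov>", "<user@mail.example.org>", "postmaster"):
        print(rcpt, rcpt_decision(rcpt, sample_hosts, {}))
```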