On Sun, Jan 02, 2000 at 10:40:59AM -0600, Dustin Miller wrote:
> I was going over the qmail pictures to see if I could get a little more
> insight into the hows and whys of qmail's failure to throw an exception of
> some kind the moment someone unauthorized attempts a relay. As it is, it
> doesn't give any indication to the end user that he's not allowed to be
> doing what he's doing, so all of us get random messages from security
> people, blah blah blah.
>
> Here's the deal.
>
> Here's the "unauthorized relay" picture from the qmail package:
>
> ---[ begin picture ]---
> qmail-smtpd Receive message by SMTP from another host:
>
> MAIL FROM:<[EMAIL PROTECTED]>
> RCPT TO:<[EMAIL PROTECTED]>
>
> Is $RELAYCLIENT set? No.
> Is irs.gov in rcpthosts? No.
> Reject RCPT.
> ---[end picture ]---
>
> But qmail doesn't immediately reject RCPT. Rejecting the RCPT here would
> not give up any security information (that I can see). AFAICT, qmail waits
> until after the data command is passed and ended with a "." before it barks
> up that you can't relay.

qmail DOES immediately reject the recipient. The above is all wrong.

Chris
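
Which of the two behaviours described in this thread a given server shows (refusal at RCPT, or only after the message is ended with ".") can be read off a captured session. The following is an added example, not part of the original messages and not qmail code: it reports the command that the first 5xx reply answers. The `C:`/`S:` prefix format and both transcripts are constructed for illustration.

```python
# Added example (not from the thread or from qmail): find the SMTP step at
# which a server refuses a message. "C:"/"S:" transcripts are constructed.

def rejection_stage(transcript):
    """Return (stage, reply) for the first 5xx reply, else (None, None);
    stage is the verb it answers, or "END-OF-DATA" after the lone-dot line."""
    stage, in_body = "CONNECT", False   # greeting answers the connection
    for raw in transcript.strip().splitlines():
        side, _, text = raw.strip().partition(": ")
        if side == "C":
            if in_body:                 # message content, not commands
                if text == ".":
                    stage, in_body = "END-OF-DATA", False
                continue
            if text:
                stage = text.split(None, 1)[0].upper()
        elif side == "S":
            if text[3:4] == "-":        # continuation of a multi-line reply
                continue
            if text.startswith("354") and stage == "DATA":
                in_body = True
            elif text.startswith("5"):
                return stage, text
    return None, None

REJECT_AT_RCPT = """
S: 220 mail.example.org ESMTP
C: HELO client.example.com
S: 250 mail.example.org
C: MAIL FROM:<alice@example.com>
S: 250 ok
C: RCPT TO:<bob@example.net>
S: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
"""

REJECT_AFTER_DATA = """
S: 220 mail.example.org ESMTP
C: HELO client.example.com
S: 250 mail.example.org
C: MAIL FROM:<alice@example.com>
S: 250 ok
C: RCPT TO:<bob@example.net>
S: 250 ok
C: DATA
S: 354 go ahead
C: Subject: relay test
C: .
S: 550 relaying denied
"""
```

A result of `RCPT` means the sender learns of the refusal before any message content is transmitted; `END-OF-DATA` means the whole message was accepted on the wire first.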