On Thu, Mar 02, 2000 at 09:35:02AM -0400, Shera wrote:
> Hello,
>
[snip]
> secure system possible. There are times that I need to vrfy users from
> remote and in the past the easiest and only form I knew was through the
> smtp server, but now using qmail it is impossible. I would just like to
> understand why qmail does not allow this to be an option as in sendmail.
It's the qmail design that makes it impossible - qmail-smtpd (which,
obviously, handles SMTP :) has no knowledge of users, because it doesn't
need to.
Allowing vrfy would require massive patching.
> -------------------- RFC -----------------------
>
> >RFC2505
> >February 1999
> >Category: Best Current Practice
> >2.11. SMTP VRFY and EXPN
> >
> > Both SMTP VRFY and EXPN provide means for a potential spammer to test
> > whether the addresses on his list are valid (VRFY) and even get more
> > addresses (EXPN). Therefore, the MTA SHOULD control who is allowed
> > to issue these commands. This may be "on/off" or it may use access
> > lists similar to those mentioned previously.
MTA SHOULD control. MTA does control. MTA says no :)
> >
> > Note that the "VRFY" command is required according to RFC821, [1].
> > The response can, though, be "252 Argument not checked" to represent
> > "off" or blocked via an access list. This should be the default.
This is what qmail does.
> > Default for the "EXPN" command should be "off".
Same here.
> >RFC1123 MAIL -- SMTP & RFC-822 October 1989
> >
> > CNAME.
> >
> > 5.2.3 VRFY and EXPN Commands: RFC-821 Section 3.3
> >
> > A receiver-SMTP MUST implement VRFY and SHOULD implement EXPN
> > (this requirement overrides RFC-821). However, there MAY be
> > configuration information to disable VRFY and EXPN in a
> > particular installation; this might even allow EXPN to be
> > disabled for selected lists.
> >
> > A new reply code is defined for the VRFY command:
> >
> > 252 Cannot VRFY user (e.g., info is not local), but will
> > take message for this user and attempt delivery.
This is what qmail uses.
> > DISCUSSION:
> > SMTP users and administrators make regular use of these
> > commands for diagnosing mail delivery problems. With the
> > increasing use of multi-level mailing list expansion
> > (sometimes more than two levels), EXPN has been
> > increasingly important for diagnosing inadvertent mail
> > loops. On the other hand, some feel that EXPN represents
> > a significant privacy, and perhaps even a security,
> > exposure.
The point in qmail isn't even privacy, or the security mentioned here.
The whole point is that qmail-smtpd doesn't know about users because
it doesn't have to.
I hope that sorts it out for you.
Greetz, Peter.
--
Peter van Dijk - student/sysadmin/ircoper/madly in love/pretending coder
|
| 'C makes it easy to shoot yourself in the foot;
| C++ makes it harder, but when you do it blows your whole leg off.'
| Bjarne Stroustrup, Inventor of C++
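
An added example, not part of the thread or of qmail: one way to check, from a captured SMTP session, whether a server's VRFY replies distinguish a real mailbox from a nonexistent one, which is the exposure RFC 2505 section 2.11 describes. The transcripts, the `C:`/`S:` prefixes, the function names and the category labels are assumptions made for the illustration.

```python
import re

# One reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_replies(transcript):
    """Pair each client command ("C: ") with the server's complete reply ("S: ")."""
    pairs, command, text = [], None, []
    for raw in transcript.strip().splitlines():
        side, _, line = raw.strip().partition(": ")
        m = REPLY_LINE.match(line)
        if side == "C":
            command, text = line, []
        elif side == "S" and command is not None and m:
            text.append(m.group(3))
            if m.group(2) == " ":  # final line of a possibly multi-line reply
                pairs.append((command, int(m.group(1)), " ".join(text)))
                command = None
    return pairs

def vrfy_policy(transcript):
    """Classify VRFY handling from probes for a real and a nonexistent mailbox."""
    seen = {code for cmd, code, _ in parse_replies(transcript)
            if cmd.upper().startswith("VRFY ")}
    if not seen:
        return "no VRFY probes"
    if seen == {252}:
        return "not checked"       # the answer the thread says qmail gives
    if seen <= {500, 502}:
        return "not implemented"   # RFC 1123 requires VRFY to be implemented
    if len(seen) > 1:
        return "address oracle"    # replies differ per mailbox: validity leaks
    return "uniform reply"

# Constructed transcripts (example.test is a placeholder domain).
UNCHECKED = """S: 220 mail.example.test ESMTP
C: VRFY postmaster
S: 252 Argument not checked
C: VRFY no-such-user
S: 252 Argument not checked"""
LOOKUP = """S: 220 mail.example.test ESMTP
C: VRFY postmaster
S: 250-Postmaster
S: 250 <postmaster@example.test>
C: VRFY no-such-user
S: 550 no such user"""

if __name__ == "__main__":
    for name, t in (("unchecked", UNCHECKED), ("lookup", LOOKUP)):
        print(name, "->", vrfy_policy(t))
```
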