Anand Buddhdev <[EMAIL PROTECTED]> schrieb/wrote:
> No, there isn't. qmail's design is such that it does no recipient
> verification when accepting an email. I wish there were some way to do
> this though. Perhaps qmail-smtpd can look up a file list users/assign.
Well, the question here is, what's better: A security hole allowing
remote attackers to find out which email address is valid without
waiting for the bounce (and giving a valid return address in advance) or
a security hole allowing remote attackers to start a DoS attack by
sending messages which eventually double bounce?
I believe it's better not to accept that mail in the first place.
Unfortunately, qmail-smtpd has absolutely no access to the list of valid
addresses, maybe not even users. I have spent some time thinking about this
and ended up with the following idea: A separate daemon validating
addresses by looking if there is a .qmail file or a default action for
that address (and maybe caching the results). Of course, if you need
~alias/.qmail-default, this would not help. Further, to check whether a
.qmail file for .qmail-user-anything exists, you would have to start a
process with this user's id to be able to read the directory...
--
Claus Andre Faerber <http://www.faerber.muc.de>
PGP: ID=1024/527CADCD FP=12 20 49 F3 E1 04 9E 9E 25 56 69 A5 C6 A0 C9 DC
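
The lookup such a validating daemon would perform, as an added example that is not part of the original message or of qmail itself: it applies the .qmail file search order documented in dot-qmail(5) to an address extension. The function names, the three-way verdict and the rejection of "/" in extensions are assumptions of this sketch, and the home directory is assumed to be already resolved (for instance from users/assign).

```python
import os
import tempfile

def dotqmail_candidates(ext):
    """Ordered .qmail file names consulted for the extension in user-ext."""
    ext = ext.lower().replace(".", ":")   # qmail lowercases and maps '.' to ':'
    names = [".qmail-" + ext]
    cut = len(ext)
    # Wildcards, longest prefix first: a-b-c -> a-b-default, a-default
    while (cut := ext.rfind("-", 0, cut)) >= 0:
        names.append(".qmail-" + ext[:cut] + "-default")
    names.append(".qmail-default")        # catch-all: every extension is valid
    return names

def check_recipient(home, ext):
    """Return (verdict, file); verdict is 'valid', 'invalid' or 'unknown'."""
    if ext == "":
        return ("valid", None)     # bare user: default delivery applies
    if "/" in ext or "\0" in ext:
        return ("invalid", None)   # defensive choice of this sketch
    for name in dotqmail_candidates(ext):
        try:
            os.stat(os.path.join(home, name))
        except FileNotFoundError:
            continue
        except PermissionError:
            # The problem raised in the message: the checker cannot look
            # inside this user's directory without running under their id.
            return ("unknown", name)
        return ("valid", name)
    return ("invalid", None)

if __name__ == "__main__":
    # Constructed sample: a home directory with one wildcard .qmail file.
    with tempfile.TemporaryDirectory() as home:
        open(os.path.join(home, ".qmail-list-default"), "w").close()
        for ext in ("list-announce", "Nobody.Here", ""):
            print(repr(ext), check_recipient(home, ext))
```

An "unknown" verdict should be treated as "accept and let qmail-local decide", so the check never rejects mail it could not actually verify.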