"Peter Nilsson" <[EMAIL PROTECTED]> writes:

> Hi! I know that this group isn't about qmail,

Then why post here in the first place? Use the qmail list.

> but maybe someone knows about qmail's blank rcpt to problem, it's a big
> security risk.

No it is not a big security risk.

> It is possible to telnet to a qmail server and do this:
>
> helo
> mail from:[EMAIL PROTECTED]
> rcpt to:
> data
>
> he he here is a delivery failure...you will be flooded with this
> .
> So this enables an attacker to use your qmail server to create a flood
> of delivery failures to the address given in mail from:....could be a
> person you don't like. How do I disable this? Anyone have a solution? If
> it can be disabled, then I have to skip qmail (too risky to use then)

The mail will be delivered to @'envnoathost' (from
/var/qmail/control/envnoathost, which defaults to /var/qmail/control/me).
And as 'locals' defaults to 'me', the mail will be delivered locally to,
well - nobody.

If you want to flood a mailbox, just inject the mail through domain.tld's
backup-mx putting [EMAIL PROTECTED] as the envelope sender and
[EMAIL PROTECTED] as the envelope recipient. This is nothing new, this is
how SMTP works.

> Other mailservers don't accept a blank rcpt to: HELP!
>
> Regards, Peter Nilsson

/Claus A
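The control-file defaults described in the reply above, modelled as an added example that is not part of the original message and is not qmail's own code. The function names and the host names are constructed for illustration, and virtualdomains and other control files are ignored.

```python
import os
import tempfile


def read_control(control_dir, name):
    """Return the non-empty lines of a control file, or None if it is absent."""
    try:
        with open(os.path.join(control_dir, name)) as fh:
            return [line.strip() for line in fh if line.strip()]
    except FileNotFoundError:
        return None


def resolve_recipient(control_dir, rcpt):
    """Model of the defaults named in the reply; returns (address, is_local)."""
    me = read_control(control_dir, "me")
    if not me:
        raise ValueError("control/me is missing or empty")
    # envnoathost falls back to the host name in 'me'.
    envnoathost = (read_control(control_dir, "envnoathost") or me)[0]
    # locals is treated here as falling back to 'me' only when the file is absent.
    local_hosts = read_control(control_dir, "locals")
    if local_hosts is None:
        local_hosts = me
    # An envelope recipient without a host part gets @envnoathost appended,
    # so a blank "rcpt to:" becomes "@<envnoathost>".
    if "@" not in rcpt:
        rcpt = rcpt + "@" + envnoathost
    host = rcpt.rsplit("@", 1)[1].lower()
    return rcpt, host in {h.lower() for h in local_hosts}


def make_control_dir(files):
    """Build a constructed control directory from {file name: contents}."""
    path = tempfile.mkdtemp(prefix="qmail-control-")
    for name, contents in files.items():
        with open(os.path.join(path, name), "w") as fh:
            fh.write(contents)
    return path


if __name__ == "__main__":
    # Constructed sample: only 'me' exists, so both defaults apply.
    default = make_control_dir({"me": "mail.example.test\n"})
    print(resolve_recipient(default, ""))
    # Constructed sample: envnoathost names a host that is not in locals.
    custom = make_control_dir({"me": "mail.example.test\n",
                               "envnoathost": "example.test\n"})
    print(resolve_recipient(custom, ""))
```

Pointing the model at a copy of a server's control directory shows which host a host-less recipient would be qualified with and whether that host is handled locally.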
