"Open Relay" was one of the first things I double checked. So, for inbound mail, qmail only checks whether the user is "available" on the system (chkuser) before accepting the mail. (UNAUTHENTICATED)
However, for outbound mail (being a domain not hosted on the machine), authentication of the user is required. Therefore, my confusion relates to using Telnet, whereby no authentication is implemented prior to sending the test message? Therefore, as mentioned earlier, the only other logical conclusion is a compromised email account's password. -----Original Message-----rcp From: Dan McAllister [mailto:[email protected]] Sent: 17 February 2014 12:00 AM To: [email protected] Subject: Re: [qmailtoaster] Re: Spamming via valid vpopmail account Wicus - On port 25 CURRENTLY: - If the connection is for a LOCAL address (that is: the RECIPIENT address is one that is local to the server), the message is accepted -- regardless of whether you are authenticated or not - If the connection is for a REMOTE address (that is: the RECIPIENT address is one that is NOT local to the server), the messages is accepted ONLY IF the user is authenticated. Again, the CORRECT use of port 25 is SOLELY for the receipt of inbound messages for the local server. Users (who authenticate) should be using ports 587 or 465 -- which, after they authenticate, will allow them to relay to other servers. Now here's a kicker -- if you authenticate to the QMail SMTP server (with ANY credentials that work!) you can send as any user to any user. Once you're AUTHENTICATED, you're free to send from anyone TO anyone. This is because the AUTH mechanism is separate from the SMTP mechanism -- and to my knowledge, there is no way to fix this in QMail (maybe with spamdyke? I don't know). Now, if your server accepts UNAUTHENTICATED clients, and forwards to domains that are NOT LOCAL to you, then you are what is referred to as an "OPEN RELAY" -- you've made a mistake that will get you blacklisted within 24-48 hours, for sure! :) I hope this answers your question Wicus... Dan IT4SOHO On 2/16/2014 3:07 PM, Wicus Roets wrote: > Eric, > > This is where I'm confused. If qmail accepts mail for relay based on > authentication of a valid account/pw pair, how could I have send mail > via telnet on port 25 by only supplying a valid account (without a password)? > > -----Original Message----- > From: Eric Shubert [mailto:[email protected]] > Sent: 16 February 2014 09:56 PM > To: [email protected] > Subject: [qmailtoaster] Re: Spamming via valid vpopmail account > > On 02/16/2014 11:32 AM, Wicus Roets wrote: >> That explains is quite nicely. >> >> One more question though ;) >> >> Quoting from "http://gmane.org/post.php"; - " People who do not have >> valid email addresses in their From or Reply-To headers can't use >> Gmane to post to mailing lists." > That's (primarily) because gmane doesn't have accounts with passwords. > It uses the From/Reply-To to verify that an address exists, when the > first message from an account is sent to the list. This is akin to > adding an account. > >> From my earlier mail, qmail accepts mail based only on the "rcpt to:" >> of the header. As an interim, would inclusion of verification on the >> "mail > from:" >> be easier/quicker ? > I'm not sure what you mean by this. qmail accepts mail (for relay) > based on authentication (valid account/pw pair). > > I don't think that verifying the "mail from" is always practical, but > I know that SamC is considering adding some such capability to > spamdyke. I think we should wait and see what he comes up with for > that. QMT doesn't presently use spamdyke on port 587, but it soon > will. spamdyke v5.0 was just released, and once it's deemed stable (by > me), QMT will use it to handle authentication (on port 587). > > -- > -Eric 'shubes' > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: > [email protected] > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
