On 8-Apr-07, at 9:53 AM, Hans Salvisberg wrote:
When using qpsmtpd (trunk) to relay outgoing messages, it
constructs a Received header that contains among other information
-- the SMTP authorization mechanism
-- the SMTP authorization username
-- the qpsmtpd version number
I know that obscurity does not provide security, but unnecessarily
disseminating this information to the world at large is an
invitation to (would-be) crackers to try their hand at our server.
smtpgreeting allows hiding the version number from callers, but
this doesn't make much sense when the version number is broadcast
freely on other channels.
Knowing which account was used to relay a given message may
certainly be useful in some cases, but this doesn't necessarily
need to be common knowledge. A hash of the account name and some
salt would be enough to track an account if necessary.
What do you think about this?
Two points:
1) If the sender meant to send the mail, then the recipient knows who
the user is anyway.
2) If the sender *didn't* mean to send the mail, the info is very
useful for anti-spam measures (and for you, in an abuse report).
Matt.
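The trade-off the two messages describe can be checked concretely. The example below is added here and is not qpsmtpd code; it audits a constructed Received header of the general shape Hans describes (auth mechanism, auth username, software version), then rewrites it the way he suggests: the username becomes a keyed hash under an operator-held salt, so an outsider cannot recover the account while the operator who holds the salt can still map a tag back to an account for an abuse report, which is the use Matt's second point cares about. The header text, the "authenticated as ... via ..." wording and the version string are assumptions, not qpsmtpd's actual output.

```python
import hashlib
import hmac
import re

# Constructed sample header; the exact wording is an assumption, not qpsmtpd's real format.
SAMPLE_RECEIVED = (
    "from client.example.net (client.example.net [192.0.2.10]) "
    "by mail.example.org (qpsmtpd/0.0-sample) with ESMTPA "
    "(authenticated as alice via CRAM-MD5) "
    "id 12345; Sun, 08 Apr 2007 09:53:00 +0200"
)

# Assumed layout of the auth comment: "(authenticated as USER [via MECH])".
AUTH_RE = re.compile(r"\(authenticated as (?P<user>\S+)(?: via (?P<mech>\S+))?\)")
# Assumed layout of the software comment: "(name/version)".
VERSION_RE = re.compile(r"\((?P<software>[A-Za-z0-9_.-]+)/(?P<version>[A-Za-z0-9_.-]+)\)")


def find_disclosures(header: str) -> dict:
    """Return what an outside reader can learn from the header."""
    found = {}
    m = AUTH_RE.search(header)
    if m:
        found["auth_user"] = m.group("user")
        if m.group("mech"):
            found["auth_mechanism"] = m.group("mech")
    v = VERSION_RE.search(header)
    if v:
        found["software_version"] = f"{v.group('software')}/{v.group('version')}"
    return found


def account_tag(username: str, salt: bytes) -> str:
    """Keyed hash of the account name (HMAC-SHA256, truncated to 16 hex chars).
    Only a holder of the salt can link a tag back to an account."""
    return hmac.new(salt, username.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def redact_received(header: str, salt: bytes) -> str:
    """Replace the username with its tag and drop the mechanism and version."""
    header = AUTH_RE.sub(lambda m: f"(authenticated as {account_tag(m.group('user'), salt)})", header)
    header = VERSION_RE.sub(lambda v: f"({v.group('software')})", header)
    return header


if __name__ == "__main__":
    print(find_disclosures(SAMPLE_RECEIVED))
    print(redact_received(SAMPLE_RECEIVED, b"operator-held-salt"))
```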