After reading this thread, IMHO (not IMO) Juergen, Norman and Stefano
are right.

I would simply put a *strong* comment in config.xml stating that SMTP
AUTH is much safer and the way to go, but give the feature possibly with
the ip vs {ip,id} options choice.

BTW, I would put SMTP AUTH "announce" as the default in config.xml, with
proper comments.

Vincenzo
Stefano Bagnara wrote:
> Noel J. Bergman wrote:
> > Something more important: I am -1 on the current code. The technical
> > justification for vetoing this change is that we are tracking only the IP
> > address. One person on a non-routable subnet authenticates via POP3 or
> > IMAP, and everyone else going through the same gateway router gets to use
> > the now Open Relay? Better would be to maintain {ID, IP}-tuples.
> > Although that would be more difficult, or perhaps less useful, in virtual
> > user table situations, since the POP3 USER and the SMTP MAIL FROM would be
> > different, it would be better than creating Open Relays; especially Open
> > Relays in a way that most admins would find very difficult to track down,
> > and which most Open Relay probes would not detect.
> > [...]
> > Remember that you need not revert the commits at this time, but unless we
> > find a resolution to the vulnerability or someone shows me the error of my
> > assertion, we are not releasing this code.
>
> I don't agree.
>
> Using our config.xml administrators can even break RFC compliance,
> they can remove whole commands, and can add vulnerability.
> It is really simple to create an open relay with a single line change.
> We should simply add the feature and a good comment on what it really
> does.
>
> What I would expect from my previous knowledge from a pop-before-smtp
> is that it only checks IPs.
> Maybe we can add a configuration to the handler to decide whether to
> check {ip,id} tuples or ip only, but I think that IP only will be the
> one used.
>
> Stefano
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
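The NAT problem Noel raises and the {ip,id}-tuple alternative, shown side by side as an added example (this is illustrative code, not James' handler): an authorizer keyed on the client IP alone lets anyone behind the same gateway relay once one user has logged in, while keying on {login id, ip} confines the grant to that user. The class name, the 20-minute window and the alias map (a stand-in for the virtual-user-table case where MAIL FROM differs from the POP3 USER) are assumptions.

```python
"""Added example: POP-before-SMTP relay authorization keyed on IP only
versus {id, ip} tuples. Not part of Apache James; names, the 20-minute
window and the sample addresses are constructed for illustration."""
import time
from dataclasses import dataclass, field

WINDOW_SECONDS = 20 * 60  # assumed grace period after a POP3/IMAP login


@dataclass
class RelayAuthorizer:
    """Records successful POP3/IMAP logins and answers whether a later
    SMTP client may relay.

    track_ids=False mimics classic pop-before-smtp (IP only).
    track_ids=True keys the grant on the {id, ip} tuple instead.
    alias_map translates an SMTP MAIL FROM address to the login id it
    belongs to, for the virtual-user-table case Noel mentions.
    """
    track_ids: bool = False
    window: float = WINDOW_SECONDS
    alias_map: dict = field(default_factory=dict)
    _grants: dict = field(default_factory=dict)

    def _key(self, ip, ident):
        return (ip, ident) if self.track_ids else ip

    def record_login(self, ip, user, now=None):
        """Called after a successful POP3/IMAP authentication."""
        now = time.time() if now is None else now
        self._grants[self._key(ip, user)] = now

    def may_relay(self, ip, mail_from, now=None):
        """Called by the SMTP handler before accepting a relay."""
        now = time.time() if now is None else now
        ident = self.alias_map.get(mail_from, mail_from)
        key = self._key(ip, ident)
        stamp = self._grants.get(key)
        if stamp is None:
            return False
        if now - stamp > self.window:
            del self._grants[key]  # grant expired; drop it
            return False
        return True


def nat_scenario(track_ids):
    """Constructed scenario: alice logs in via POP3 from behind gateway
    203.0.113.5; bob, behind the same gateway, then tries to relay."""
    auth = RelayAuthorizer(track_ids=track_ids,
                           alias_map={"alice@example.org": "alice"})
    t0 = 1_000_000.0
    auth.record_login("203.0.113.5", "alice", now=t0)
    return {
        "alice_relays": auth.may_relay("203.0.113.5", "alice@example.org",
                                       now=t0 + 60),
        "bob_relays": auth.may_relay("203.0.113.5", "bob@example.org",
                                     now=t0 + 60),
        "alice_after_expiry": auth.may_relay("203.0.113.5",
                                             "alice@example.org",
                                             now=t0 + WINDOW_SECONDS + 1),
    }


if __name__ == "__main__":
    print("ip only  :", nat_scenario(track_ids=False))
    print("{id, ip} :", nat_scenario(track_ids=True))
```

With `track_ids=False` the gateway address itself becomes the grant, so bob relays as soon as alice has checked her mail; with `track_ids=True` bob is refused because no tuple matches him. Either way the grant lapses once the window passes, which is the part the thread's "it only checks IPs" expectation leaves out.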