On Wednesday, September 17, 2003, at 10:43 PM, John Melville wrote:

Well I found it.

Yes, there is a method being employed by spammers to get mail relayed via our servers using SMTP-AUTH.

If the last line of your /var/qmail/supervise/qmail-smtpd/run file looks like this ...
/var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true 2>&1


AND you've updated to the new 0.5 patch, you are now an open relay!

The fix ...

/var/qmail/bin/qmail-smtpd [hostname] /home/vpopmail/bin/vchkpw /bin/true 2>&1

Put your hostname where noted above and you are fixed.

More info here ..
http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2

Interestingly the old version of Bill's toaster isn't affected by this bug and the SMTP-AUTH is secure without the hostname in the run file.

Bill, you may wish to fix this in the next toaster update as it's not easy to see this hole until it is abused by someone. I discovered it this morning when I got up to my main server being blacklisted on bl.spamcop.net. I'll send this email once I'm off that blocklist since you happen to be using it to stop my mail getting to the list anyway > :)

It's not missing in the current release. Here's the default qmail-smtpd run file from the "toaster-scripts" archive:


#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 6000000 \
    /usr/local/bin/tcpserver -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    /var/qmail/bin/qmail-smtpd domain.com \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1

So, unless you removed "domain.com" from the script, you should be fine. Perhaps you upgraded from a much earlier toaster? I don't recall if/when I added the hostname argument to the default run file.

Regards,

Bill Shupp
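
The check discussed in this thread, as an added example that is not part of the original messages or of the toaster scripts: a small shell function that reports whether the argument following qmail-smtpd in a run file is a hostname. It assumes that an argument beginning with "/" is a program path (such as vchkpw) rather than a hostname; the function name and the sample run files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a qmail-smtpd run file for the
# missing-hostname problem discussed above.
# Assumption: an argument starting with "/" is a program path, not a hostname.

# check_run_file FILE -> exit 0: hostname present; 1: missing; 2: no qmail-smtpd
check_run_file() {
    awk '
        /^[ \t]*#/ { next }                  # skip comments and the shebang
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "\\") continue     # line-continuation marker
                if (seen) { arg = $i; found = 1; exit }
                if ($i == "qmail-smtpd" || $i ~ /\/qmail-smtpd$/) seen = 1
            }
        }
        END {
            if (!seen) exit 2
            # Nothing after qmail-smtpd, a path, or a redirection: no hostname.
            if (!found || arg ~ /^\// || arg ~ /^[0-9]*[<>|&]/) exit 1
            exit 0
        }
    ' "$1"
}

# Constructed sample run files ending in the two forms quoted in the thread.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' 'exec /usr/local/bin/tcpserver 0 smtp \' \
        '    /var/qmail/bin/qmail-smtpd \' \
        '    /home/vpopmail/bin/vchkpw /bin/true 2>&1' > "$dir/run.nohost"
    printf '%s\n' '#!/bin/sh' 'exec /usr/local/bin/tcpserver 0 smtp \' \
        '    /var/qmail/bin/qmail-smtpd domain.com \' \
        '    /home/vpopmail/bin/vchkpw /bin/true 2>&1' > "$dir/run.host"
    for f in "$dir/run.nohost" "$dir/run.host"; do
        if check_run_file "$f"; then
            echo "OK: hostname argument present in ${f##*/}"
        else
            echo "CHECK: no hostname after qmail-smtpd in ${f##*/}"
        fi
    done
    rm -rf "$dir"
}
demo
```

To audit a live system, call check_run_file on /var/qmail/supervise/qmail-smtpd/run and treat exit status 1 as the condition described in the first message.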


