Your question is not related to vpopmail in any way.  I will assume that
it's a qmail question and advise that you take any further
correspondence with this post to the qmail list.

That being said:

On Mon, 2004-11-01 at 15:47 -0800, Bill Sappington wrote:
> I seem to have discovered a relay vulnerability.  It seems that a rcpt 
> to: in the form of,
> 
>   <spamlart.homeunix.org!spamtest65.223.68.197>
> 
> Gets past.  Any ideas??

Right.  There's no @.  qmail will accept the message, try to deliver it
locally to the value of the control/defaultdomain file (or control/me if
the former doesn't exist), and subsequently bounce the message.

Regardless, where would you expect that message to go?  The envelope
recipient has no information that would make qmail know where to deliver
it.

This is not a vulnerability.  qmail is not doing anything bad here.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
        kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
           GnuPG Key ID: 481BF7E2 ++ scriptkitchen.com/kitchen.asc
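
Added example, not part of the reply above and not qmail's own code: a simplified Python model of the recipient check discussed in this thread, showing why an envelope recipient with no @ is accepted but only ever resolves to the local host. The function names, the sample hosts and `local_host` are assumptions; the dot-suffix matching and the "no rcpthosts file" case follow qmail-smtpd's documented rcpthosts handling rather than anything stated in the post.

```python
def domain_allowed(domain, entries):
    """Exact match, or a match on any suffix of the domain that starts with a dot."""
    d = domain.lower()
    if d in entries:
        return True
    return any(d[i:] in entries for i, ch in enumerate(d) if ch == ".")


def classify_rcpt(addr, rcpthosts, local_host):
    """Return (verdict, effective_address) for one envelope recipient.

    rcpthosts: list of entries, or None to model a missing rcpthosts file.
    local_host: the name filled in when the address has no '@' (hypothetical
    parameter; the reply describes it as coming from the control files).
    """
    local, at, domain = addr.rpartition("@")
    if not at:
        # No '@': nothing names a remote host. The '!' is not treated as a
        # route, it is simply part of the local part, so delivery is local.
        return ("accept-local", f"{addr}@{local_host}")
    if rcpthosts is None:
        # No restriction list at all: every domain is accepted.
        return ("accept-unrestricted", addr)
    entries = {h.lower() for h in rcpthosts}
    if domain_allowed(domain, entries):
        return ("accept-listed", addr)
    return ("reject", addr)


def relay_findings(probes, rcpthosts, local_host):
    """Recipients that would be accepted for a domain the host does not list."""
    results = [(p, classify_rcpt(p, rcpthosts, local_host)) for p in probes]
    return [p for p, (verdict, _) in results if verdict == "accept-unrestricted"]


if __name__ == "__main__":
    hosts = ["example.com", ".example.net"]          # constructed sample list
    probes = [
        "spamlart.homeunix.org!spamtest65.223.68.197",  # address from the thread
        "user@example.com",
        "user@sub.example.net",
        "user@elsewhere.invalid",
    ]
    for p in probes:
        print(p, "->", classify_rcpt(p, hosts, "mail.example.com"))
    print("relay findings:", relay_findings(probes, hosts, "mail.example.com"))
```

With a populated list the only remote domains accepted are the listed ones, and the bang-path recipient ends up addressed to the local host, where it bounces if no such user exists.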
