qmail smtp-auth bug allows open relay
W.D. McKinney
dee at akwireless.net
Tue Jul 15 04:45:44 UTC 2003
John,
Did you mean to post this on the qmail list per chance ?
Dee
On Mon, 2003-07-14 at 08:34, John Brown wrote:
> seems that there are installs of the smtp-auth patch
> to qmail that accept anything as a user name and password
> and thus allow you to connect.
>
> http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2
>
> is one URL that talks about this.
>
> There has been an increase is what appears to be qmail based
> open-relays over the last 5 days. Each of these servers
> pass the normal suite of open-relay tests.
>
> Spammers are scanning for SMTP-AUTH and STARTTLS based
> mail servers that may be misconfigured. Then using them
> to send out their trash.
>
> Some early docs on setting up qmail based smtp-auth systems
> had the config infor incorrect. This leads to /usr/bin/true
> being used as the password checker. :(
>
> >From an operational perspective, I suspect we will see more
> SMTP scans
>
> The basic test (see URL above) should get incorporated into
> various open-relay testing scripts.
>
> cheers
>
> john brown
> chagres technologies, inc
>
>
More information about the NANOG
mailing list