No comments on this from anyone? Is EnforceAuth working correctly for anyone else on 2.0.0? Is anyone else having problems enforcing MAIL FROM to use local known users only as I described?
At 11:50 PM 3/16/2009, Scott MacLean wrote:
>I discovered my server has been used to relay a fair amount of spam
>over the last few days, and in doing the investigation behind it, it
>turns out ASSP is the hole that they got through. Version 2.0.0
>15.06, in particular, however I tested with 15.11 and it does the
>exact same thing.
>
>First off: I have my listenPort2 and smtpAuthServer set, so that my
>users can connect and send mail through my server. I also have
>EnforceAuth set - however, upon investigation, anyone can connect to
>my mail server, and without doing SMTP Auth, in a simple plain SMTP
>session, pretend to be anyth...@anyofmydomains, and send mail to any
>valid user on my server. Thankfully, if the user attempts to send
>mail to a third party on a domain not hosted by me, it rejects it
>with "530 SMTP authentication is required", so it's not wide open.
>However, it is quite clearly ignoring EnforceAuth.
>
>Which brings me to my second problem. With my v1 ASSP, it was set up thusly:
>
>1. Anyone could connect on port 25 and send mail from any user to any
>user on my server, with no auth required. This is an obvious public
>SMTP server.
>
>2. Users could connect on port 25 or 125 with SMTP Auth, and could
>send mail from themselves (MAIL FROM had to be a known user on the
>server) to any email address.
>
>#1 is working, as you would expect. However, #2 is not working. The
>way it is currently functioning is: any user who has a valid account
>on my server, can log in via SMTP AUTH, and send mail from ANY email
>address, to ANY email address, and my server will happily relay it.
>This is where the spam problem comes in - One of my users had their
>PC compromised, and their SMTP password stolen by a trojan. This was
>then used to log into my server from zombie spam bots and send
>massive amounts of spam all over the world. This spam had "MAIL FROM"
>various spammy places, not my local domains. Normally, if it was
>working as it should, this would not have been permitted - the only
>way the SMTP AUTH session should be able to send mail is if the mail
>is from a valid user on the server.
>
>noProcessingIPs contains a small list of IPs, primarily containing a
>web server that sends mail through my mail server.
>noProcessingList contains one email address.
>noProcessingDomains:=
>
>acceptAllMail contains the same list of IPs as is used for noProcessingIPs.
>DoLocalSenderDomain:=1
>DoLocalSenderAddress:=1
>nolocalDomains:=
>ispip:=
>contentOnlyRe:=
>ispHostnames:=
>
>LocalAddresses_Flat:=file:files/users.txt
>localDomains:=file:files/domains.txt
>(these are both updated regularly by my mail server)
>
>noMsgId contains the same list of IPs as is used for noProcessingIPs.
>
>DoNoValidLocalSender:=1
>ForceNoValidLocalSender:=1
>DoNoSpoofing:=1
>DoLocalSender:=1
>
>Am I missing something? Do I have something configured incorrectly?
>Or is there a problem here in ASSP itself? I've been over the
>configuration many times now, and I don't see what I could have set
>up incorrectly.

_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
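
The relay policy the quoted message expects, written as a small Python function and compared with the behaviour it reports. This is an added example, not part of the original message and not ASSP code. The domains, users and reply texts other than the quoted 530 line are constructed, and refusing an unauthenticated sender that claims a local domain is an assumed reading of the first complaint.

```python
# Added example, not ASSP code. Domains, users and reply texts other than
# the 530 line quoted in the post are constructed.
LOCAL_DOMAINS = {"example.org"}                         # stands in for files/domains.txt
LOCAL_USERS = {"alice@example.org", "bob@example.org"}  # stands in for files/users.txt

def _addr(value):
    # Normalise "<User@Example.org>" to "user@example.org".
    return value.strip().strip("<>").lower()

def _domain(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def decide(authenticated, mail_from, rcpt_to):
    """Return (accepted, reply) for one MAIL FROM / RCPT TO pair."""
    sender, rcpt = _addr(mail_from), _addr(rcpt_to)
    if authenticated:
        # The post requires a known local user, not necessarily the login used.
        if sender not in LOCAL_USERS:
            return False, "553 sender is not a known local user"
        return True, "250 OK"
    if _domain(rcpt) not in LOCAL_DOMAINS:
        return False, "530 SMTP authentication is required"
    if rcpt not in LOCAL_USERS:
        return False, "550 no such user"
    if _domain(sender) in LOCAL_DOMAINS:
        # Assumed reading: a local sender address without AUTH is refused.
        return False, "530 SMTP authentication is required"
    return True, "250 OK"

# (authenticated, MAIL FROM, RCPT TO, accepted as reported in the post)
REPORTED = [
    (False, "<anyone@example.org>", "<alice@example.org>", True),
    (False, "<x@elsewhere.invalid>", "<y@elsewhere.invalid>", False),
    (True, "<promo@spam.invalid>", "<y@elsewhere.invalid>", True),
    (True, "<alice@example.org>", "<y@elsewhere.invalid>", True),
]

def gaps():
    """Cases where the reported behaviour differs from the expected policy."""
    return [(auth, frm, to) for auth, frm, to, seen in REPORTED
            if decide(auth, frm, to)[0] != seen]

if __name__ == "__main__":
    for case in gaps():
        print("policy gap:", case)
```

The two cases it flags are the two problems in the post: an unauthenticated session using a local sender address, and an authenticated session using a sender that is not a local user.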
