Thank you for this really good report - this makes fixing easy.

The next release will fix this. The check for 'is-authenticated' is simply 
missing in case 'EnforceAuth' is set.

Thomas





From:    "Mr. Courtney Creighton" <a...@dezignguy.com>
To:      assp-user@lists.sourceforge.net,
Date:    19.11.2013 10:50
Subject: [Assp-user] ASSPv2 will permit open relaying with STARTTLS under certain circumstances



Hi all,

There is a possible config situation where mail can be relayed through 
ASSPv2 unauthenticated. The config for this is somewhat arcane and all 
parts must be exact in order to permit open relaying, and the number of 
ASSPv2 users who might have done this must be extremely small, if any, so I 
don't expect this to be much of a security issue. Still, I will put this 
information out to the list just in case someone else can't figure out 
why they are now a spam relay, or to keep someone from setting this 
config in the first place.

The config in question: If (listenPort2) is set, with (smtpAuthServer) 
blank, and (EnforceAuth) is on, mail can be relayed through ports in 
(listenPort2), unauthenticated, using STARTTLS (and only STARTTLS). If 
(EnforceAuth) is turned off, then authentication is enforced. Likewise, 
if (smtpAuthServer) is not blank.

All other combinations of attempts are properly stopped with a relaying 
denied error.

I realize that the description for (EnforceAuth) says that 
(smtpAuthServer) must be configured in order to use it, but it doesn't 
say that if you happen to check (EnforceAuth) on, with (smtpAuthServer) 
blank, it will actually act as a spam relay. I was testing out 
various configs and had been using the option earlier, then ended 
up reverting to my previous config, but figured from the 
description that it didn't matter whether (EnforceAuth) was left on or not. 
But... that is not actually true.

My suggestion is to add an additional check to (EnforceAuth) where it 
doesn't actually activate unless (smtpAuthServer) actually has a 
destination in it. This should reduce the likelihood of someone 
accidentally configuring themselves as an open relay.

thanks,
-C
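As an added, defender-side illustration (not ASSP's own code and not part of the thread), a small Python audit that parses an assp.cfg-style file and flags the exact combination described above, alongside the check -C proposes. The `key:=value` line format, the boolean spellings and the sample config are assumptions.

```python
# Added illustration, not ASSP's own code. Assumed: the config is read from
# assp.cfg-style 'key:=value' lines and the key names are those in the report.
import re

# Constructed sample config, not taken from a real installation.
SAMPLE_CFG = """\
listenPort:=25
listenPort2:=587
smtpAuthServer:=
EnforceAuth:=1
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:=\s*(.*?)\s*$")

def parse_cfg(text):
    """Parse 'key:=value' lines into a dict; other lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def is_on(value):
    """Assumed spellings for an enabled checkbox-style setting."""
    return str(value or "").strip().lower() in ("1", "on", "yes", "true")

def effective_enforce_auth(cfg):
    """The check -C proposes: EnforceAuth only takes effect when
    smtpAuthServer actually names a destination."""
    return is_on(cfg.get("EnforceAuth")) and bool(cfg.get("smtpAuthServer", "").strip())

def open_relay_risk(cfg):
    """True for the combination the report describes: listenPort2 set,
    smtpAuthServer blank, EnforceAuth on (unauthenticated relay via STARTTLS)."""
    return (bool(cfg.get("listenPort2", "").strip())
            and not cfg.get("smtpAuthServer", "").strip()
            and is_on(cfg.get("EnforceAuth")))

def audit(text):
    """Return a list of findings for the contents of a config file."""
    cfg = parse_cfg(text)
    findings = []
    if open_relay_risk(cfg):
        findings.append("listenPort2=%r with EnforceAuth on and smtpAuthServer "
                        "blank: unauthenticated STARTTLS relay on listenPort2"
                        % cfg.get("listenPort2"))
    return findings
```

Running `audit(SAMPLE_CFG)` returns one finding for the sample; turning EnforceAuth off or filling in smtpAuthServer returns none, matching the behaviour the report describes.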

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up 
now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk

_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user