Henning Brauer <[EMAIL PROTECTED]> writes: > On Fri, Apr 05, 2002 at 03:39:23PM -0500, Scott Gifford wrote: > > Henning Brauer <[EMAIL PROTECTED]> writes: > > > On Fri, Apr 05, 2002 at 03:09:38PM -0500, Ed Abrams wrote: > > > > My problem: We are working with domain name registrars. When a user > > > > registers his domain with one of our partners, that partner will create an > > > > MX record for that new domain, and that MX record will point to our email > > > > server. [without notifying you] > > > So the rule would be "accept and deliver all mail for domains with an MX > > > pointing to me". > > > That's insane and fscking insecure. > > What's insecure about it, as long as any mail that comes this way is > > always delivered locally (which seemed to be what Ed wanted), and > > never relayed to another server? > > okay, the real question is what happens afterwards with the mail. having the > domain in locals and rcpthosts is not enough as we all know. As you did not > mention that I guess there is some kind of program delivery, and with this > in mind (specifically, I had an autocreated mailbox with webmail access in > mind), everybody can (ab)use your service by just adding MX entries to > whatever domain.
First, this isn't me doing this, this is Ed, and I have no idea what kind of delivery he's doing. I assumed that the mail would just be stored in a catchall mailbox, and when the user signed up for the service, would get the mail for their domain. At any rate, without either of us making assumptions, we don't know whether it's secure or not. BTW, you replied to me privately, so I've responded privately. I'm not sure whether you meant to or not (it looks like you alluded to this message in a later post to the mailing list). If you did, that's fine; if you didn't, this message isn't private at all, so feel free to quote it on the list. -----ScottG.
