On Fri, 10 Sep 1999 [EMAIL PROTECTED] wrote:

> On Fri, Sep 10, 1999 at 07:55:52PM -0400, Sam wrote:
> > 
> > Furthermore, you ignored the rest of my post, which compared whatever
> > minuscule benefit you get from practicing security through obscurity
> > weighed against your server now being a willing accomplice in a
> > denial-of-service attack.  The same script kiddies are far less likely to
> > select a nailed down service in order to mailbomb someone by proxy,
> > instead it's much easier to shove a few thousand messages with a few
> > thousand bad recipients into Qmail's queue, then sit back and watch Qmail
> > unload a few million messages into the target's mailbox.
> 
> So aside from debating the value of doing it, can somebody address the
> main point of my initial post: How do you configure qmail to PREVENT such
> a thing from happening?

You don't.  Qmail simply can't do it.

>                         I'm a qmail newbie, and haven't seen anything in
> the documentation that says how to get qmail to reject messages with bogus
> "to" fields up front, rather than delaying and then bouncing the message.

That's because such a thing does not exist.  Qmail is not designed to do
that.  Now, I do happen to have a patch for Qmail that adds this capability,
since I've had a problem with this issue myself since 1997, but it is not
for the faint of heart.  In addition to adding RCPT TO: checking, it also
includes several other drastic changes as well.  This is not an
understatement.  Qmail was simply not designed for some of these things,
so it's not just a one or two line change to the code.  Even experienced
administrators do not always have an easy time integrating my patches, in
fact that happened just the other day.  So, forget about it for the
moment, and become familiar and comfortable with Qmail as a starting point.
Afterwards, perhaps you might want to look into tweaking it by adding
other people's code.
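
The difference between checking recipients at RCPT TO: time and accepting first, then bouncing later, shown as an added example; it is not part of this message, not Qmail code, and not the patch mentioned above. The domain, mailbox names and reply texts are constructed for illustration.

```python
# Added illustration: models one SMTP transaction under two recipient policies.
# LOCAL_DOMAINS and MAILBOXES are constructed sample data, not real configuration.
LOCAL_DOMAINS = {"example.org"}
MAILBOXES = {"alice", "bob", "postmaster"}

def rcpt_reply(address):
    """Return the SMTP reply a server doing full up-front checks would give."""
    local, sep, domain = address.strip("<>").rpartition("@")
    if not sep or not local:
        return "501 5.1.3 bad recipient address syntax"
    if domain.lower() not in LOCAL_DOMAINS:
        return "550 5.7.1 relaying denied"
    if local.lower() not in MAILBOXES:
        return "550 5.1.1 no such mailbox"
    return "250 2.1.5 ok"

def smtp_transaction(recipients, check_mailbox_at_rcpt):
    """Classify each recipient of one message.

    accepted      - server said 250 during the SMTP session
    rejected      - server refused during the session; the connecting
                    client sees the error, nothing is queued
    late_failures - accepted, but undeliverable; each one later causes a
                    bounce to the envelope sender, which is unverified
    """
    result = {"accepted": [], "rejected": [], "late_failures": []}
    for rcpt in recipients:
        reply = rcpt_reply(rcpt)
        if reply.startswith("250"):
            result["accepted"].append(rcpt)
        elif reply.startswith("550 5.1.1") and not check_mailbox_at_rcpt:
            # Domain is local, mailbox is not verified: queue now, bounce later.
            result["accepted"].append(rcpt)
            result["late_failures"].append(rcpt)
        else:
            result["rejected"].append(rcpt)
    return result

if __name__ == "__main__":
    # Constructed recipient list for one message.
    rcpts = ["<alice@example.org>", "<zz1@example.org>",
             "<zz2@example.org>", "<x@elsewhere.test>"]
    for mode in (False, True):
        print("check at RCPT:", mode, smtp_transaction(rcpts, mode))
```

With mailbox checking at RCPT TO: the unknown recipients are refused inside the session, so the server never has to generate a bounce toward an address it cannot verify.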
