It seems, from RoadRunner's recent probe of my qmail installation (yes, I
know, the test was bogus) that qmail DIDN'T flag it as a bad RCPT host.
I've enclosed the SMTP conversation between their security test and my qmail
server. It doesn't seem to announce that a bad RCPT was given.

Connecting to 24.131.161.83 ...
<<< 220 wfdevelopment.com ESMTP
>>> HELO hrnva-sec01.rr.com
<<< 250 wfdevelopment.com
>>> MAIL FROM:<openrelaytest@localhost>
<<< 250 ok
>>> RCPT TO:<[EMAIL PROTECTED]>
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<openrelaytest>
<<< 250 ok
>>> RCPT TO:<[EMAIL PROTECTED]>
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<>
<<< 250 ok
>>> RCPT TO:<[EMAIL PROTECTED]>
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<openrelaytest@[24.131.161.83]>
<<< 250 ok
>>> RCPT TO:<[EMAIL PROTECTED]>
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<[EMAIL PROTECTED]>
<<< 250 ok
>>> RCPT TO:<[EMAIL PROTECTED]>
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<openrelaytest@[24.131.161.83]>
<<< 250 ok
>>> RCPT TO:<[EMAIL PROTECTED]@[24.131.161.83]>
<<< 250 ok
>>> DATA
<<< 354 go ahead
>>> (message body)
<<< 250 ok 945363799 qp 29925

-----Original Message-----
From: Chris Johnson [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 02, 2000 10:59 AM
To: Dustin Miller
Cc: [EMAIL PROTECTED]
Subject: Re: q-mail relay responses (revisited)

On Sun, Jan 02, 2000 at 10:40:59AM -0600, Dustin Miller wrote:
> I was going over the qmail pictures to see if I could get a little more
> insight into the hows and whys of qmail's failure to throw an exception of
> some kind the moment someone unauthorized attempts a relay. As it is, it
> doesn't give any indication to the end user that he's not allowed to be
> doing what he's doing, so all of us get random messages from security
> people, blah blah blah.
>
> Here's the deal.
>
> Here's the "unauthorized relay" picture from the qmail package:
>
> ---[ begin picture ]---
> qmail-smtpd Receive message by SMTP from another host:
>
> MAIL FROM:<[EMAIL PROTECTED]>
> RCPT TO:<[EMAIL PROTECTED]>
>
> Is $RELAYCLIENT set? No.
> Is irs.gov in rcpthosts? No.
> Reject RCPT.
> ---[end picture ]---
>
> But qmail doesn't immediately reject RCPT. Rejecting the RCPT here would
> not give up any security information (that I can see). AFAICT, qmail waits
> until after the data command is passed and ended with a "." before it barks
> up that you can't relay.

qmail DOES immediately reject the recipient. The above is all wrong.
Chris
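
An added example, not part of either message: a Python script that reads a probe log in the ">>>"/"<<<" format quoted above and reports, for each RCPT TO, whether any reply was logged and whether an accepted recipient is addressed to the tested server's own host. The sample log, host names, addresses and function names are constructed for illustration.

```python
import re

# Constructed log in the probe's ">>>"/"<<<" format; every host and address
# here is a placeholder (example.net, example.org, 192.0.2.10), not thread data.
SAMPLE = """\
<<< 220 mx.example.net ESMTP
>>> HELO probe.example.org
<<< 250 mx.example.net
>>> MAIL FROM:<openrelaytest@localhost>
<<< 250 ok
>>> RCPT TO:<user@example.org>
>>> RSET
<<< 250 flushed
>>> MAIL FROM:<openrelaytest@[192.0.2.10]>
<<< 250 ok
>>> RCPT TO:<user@example.org@[192.0.2.10]>
<<< 250 ok
>>> DATA
<<< 354 go ahead
"""

def rcpt_outcomes(transcript):
    """Pair each RCPT TO with the reply code logged before the next command."""
    exchanges = []                      # [command text, reply code or None]
    for line in transcript.splitlines():
        if line.startswith(">>> "):
            exchanges.append([line[4:], None])
        elif line.startswith("<<< ") and exchanges and exchanges[-1][1] is None:
            code = re.match(r"\d{3}", line[4:])
            exchanges[-1][1] = int(code.group()) if code else None
    found = []
    for command, code in exchanges:
        rcpt = re.match(r"RCPT TO:<(.*)>$", command, re.IGNORECASE)
        if rcpt:
            found.append((rcpt.group(1), code))
    return found

def verdict(recipient, code, own_hosts):
    """Say what a log entry actually proves about relaying."""
    if code is None:
        return "no reply logged"        # neither accept nor reject is shown
    if code >= 400:
        return "refused"
    domain = recipient.rpartition("@")[2].lower()   # text after the last "@"
    return "accepted, own host" if domain in own_hosts else "accepted, foreign host"

def report(transcript, own_hosts):
    return [(r, verdict(r, c, own_hosts)) for r, c in rcpt_outcomes(transcript)]

if __name__ == "__main__":
    for recipient, result in report(SAMPLE, {"mx.example.net", "[192.0.2.10]"}):
        print(f"{recipient:35} {result}")
```

Only an "accepted, foreign host" result is evidence of relaying; "no reply logged" means the log omits the server's answer, and "accepted, own host" means the recipient's domain part names the tested server itself.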