On Sat, Jun 03, 2000 at 10:27:40AM -0300, Rodrigo Severo wrote:
> I was looking at ORBS page about MTAs vulnerabilities and found this
> about qmail:

Forget about ORBS. Anyone using/caring about ORBS should reconsider
his decision:
- ORBS blocks "unfriendly" sites criticising ORBS
- ORBS does not notify blocked sites about the blockage
- ORBS has IMHO too many false positives

> ---------------------------------------------------------
> Qmail admins: Qmail's current version is insecure by default. Most
> admins know enough to follow the instructions for securing it before
> putting qmail into service, however it usually drops ORBS test messages
> checking for UUCP pathing vulnerabilities - "! pathing" - into the admin
> mailbox. As ! is a standard network addressing indicator, this should be
> regarded as a Qmail bug.
> ---------------------------------------------------------

> 1. Isn't there a reasonable (easy?) way to make the default qmail
> installation open relay safe?

qmail is relay closed by default. ORBS does not state this in the above
paragraph as I read it. They say it is "insecure" because it drops their
test messages to the admin box.
I don't think this has anything to do with security.

> 2. What is this "UUCP pathing vulnerabilities" talk all about? Can it
> represent any kind of real trouble not being able to properly process !
> as "a standard network addressing indicator"?

I haven't seen a legitimate eMail using bang notation in the last ...
hmmm .... five years. I have seen some mail bomb programs using it and
trying to relay through our server.
Oh, and we have about 30 UUCP hosts and no problems, though.

This notation was more important some years ago, when most of the Usenet
traffic was delivered by uucp hosts. As uucp hosts usually didn't
have connections to internet hosts but only to other uucp hosts it was
essential to have routing information along with the addresses.
This was done by adding the relay host to the left side of the address
separated with a "!". Thus a from address
     hostA!userhost!user
after passing through my system would result in
     myhost!hostA!userhost!user
With "to" addresses you just do the reverse, you remove your hostname
from the "to" address.

Nowadays even UUCP hosts mostly have connections to fully connected
Internet sites so the routing information is no longer needed, as you
can set an MX to that Internet site and rewrite the addresses to uucp
notation and vice versa.

As I said: don't care about ORBS too much.

        \Maex

-- 
SpaceNet GmbH             |   http://www.Space.Net/   | Stress is when you wake
Research & Development    | mailto:[EMAIL PROTECTED] | up screaming and you
Joseph-Dollinger-Bogen 14 |  Tel: +49 (89) 32356-0    | realize you haven't
D-80807 Muenchen          |  Fax: +49 (89) 32356-299  | fallen asleep yet.
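
The bang-path handling described in the message above (prepend your host name to the sender path, strip it from the recipient path), as an added Python example that is not part of the original e-mail. `MY_HOST`, `UUCP_NEIGHBOURS`, the function names and the policy of forwarding only to directly connected neighbours are assumptions made for illustration, not qmail behaviour.

```python
# Added illustration of UUCP bang-path handling; all host names are constructed.
MY_HOST = "myhost"                      # assumed name of this system
UUCP_NEIGHBOURS = {"hostA", "hostB"}    # assumed directly connected UUCP hosts


def split_path(address):
    """Split 'hostA!userhost!user' into (['hostA', 'userhost'], 'user')."""
    parts = address.split("!")
    if any(p == "" for p in parts):
        raise ValueError("empty component in bang path: %r" % address)
    return parts[:-1], parts[-1]


def rewrite_from(address, my_host=MY_HOST):
    """Prepend this host to a sender path as the message passes through."""
    split_path(address)                 # validation only
    return my_host + "!" + address


def route_to(address, my_host=MY_HOST, neighbours=UUCP_NEIGHBOURS):
    """Strip our own name from a recipient path and decide what to do.

    Returns (action, next_hop, remaining_address), where action is
    'local', 'forward' or 'reject'.
    """
    hops, user = split_path(address)
    if hops and hops[0] == my_host:     # remove our host name from the left
        hops = hops[1:]
    if not hops:
        return ("local", None, user)
    remaining = "!".join(hops + [user])
    if hops[0] in neighbours:
        return ("forward", hops[0], remaining)
    # The next hop is not one of our UUCP neighbours: refusing here keeps
    # bang paths from turning this host into a third-party relay.
    return ("reject", hops[0], remaining)
```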
