"Peter Nilsson" <[EMAIL PROTECTED]> writes:

> I don't want to start a big discussion but I don't think you understand
> the potential risk here. The reason why I wrote it to this list was also
> to warn about this issue, it's a bad thing that qmail accepts this kind of
> abuse as default

No, you told it to deliver a mail to '', just as if you would have told
it to deliver a mail to 'a' or 'peter'. And qmail does the job, the mail
is delivered locally (unless you configured 'envathost' to be something,
that is not in 'locals'). No bounces - no security risk - no flooding of
innocent users mailboxes.

> it is a risk that a user can use your mailserver to flood a user on
> another server, it would be you explaining to the angry sysadm at that site
> what is going on

No, it is not a risk and even if you configured your system so that
emails to '' would bounce, you are in the exact same situation as when
someone has used your backup-mx to flood an innocent user's mailbox.

Forging headers is nothing new, it has existed as long as the SMTP
protocol.

>> This is nothing new, this is how SMTP works.
>
> no it's not, it's how qmail works, I have a merak mailserver too (windows
> box) and it is not accepting a blank rcpt to: and postfix is not
> either.... I like qmail because of tools like qmailadmin and fast
> webmail as sqwebmail, but my first impression of qmail is that it is
> an old mailserver software that needs an update to fix some small "bugs"
>
> sorry that I posted the message in the first place but I was desperate
> and about to move all users to my merak server because of this
> issue....


/Claus A
