Hi All,

When using qpsmtpd (trunk) to relay outgoing messages, it constructs a
Received header that contains among other information

-- the SMTP authorization mechanism
-- the SMTP authorization username
-- the qpsmtpd version number

I know that obscurity does not provide security, but unnecessarily
disseminating this information to the world at large is an invitation to
(would-be) crackers to try their hand at our server.

smtpgreeting allows hiding the version number from callers, but this
doesn't make much sense, when the version number is broadcast freely on
other channels.

Knowing which account was used to relay a given message may certainly be
useful in some cases, but this doesn't necessarily need to be common
knowledge. A hash of the account name and some salt would be enough to
track an account if necessary.

What do you think about this?

Are there any safeguards against a cracker hammering away at our server
day and night and brute-forcing an account that they could then use for
sending out spam?

Hans
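
An added example, not part of the original post and not qpsmtpd code: the account-tracking idea from the message, written as a stand-alone Python sketch that replaces the username, mechanism and version in a Received header with an opaque token. It uses HMAC-SHA256 with a server-side secret in place of the plain salted hash the post mentions, because account names are guessable; the header layout, key, account names and function names are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed demo key; in practice a random secret that never leaves the server.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample header. The "(smtp-auth ...)" and "(qpsmtpd/...)" layout is
# an assumption about what the relay emits, not text copied from the post.
SAMPLE_RECEIVED = (
    "Received: from client.example.org (HELO laptop) (192.0.2.10)\n"
    "  (smtp-auth username alice@example.org, mechanism cram-md5)\n"
    "  by mail.example.org (qpsmtpd/0.00-constructed) with ESMTPA; "
    "Mon, 01 Jan 2024 12:00:00 +0000"
)

AUTH_RE = re.compile(
    r"\(smtp-auth username (?P<user>[^,\s]+), mechanism (?P<mech>[^)\s]+)\)"
)
VERSION_RE = re.compile(r"\(qpsmtpd/[^)]*\)")


def account_token(username, key=SECRET_KEY):
    """Keyed hash of the account name: stable per account, opaque without the key."""
    normalized = username.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def scrub_received(header, key=SECRET_KEY):
    """Replace auth username and mechanism with a token and drop the version."""
    def repl(match):
        return "(smtp-auth id %s)" % account_token(match.group("user"), key)

    header = AUTH_RE.sub(repl, header)
    return VERSION_RE.sub("(qpsmtpd)", header)


def find_account(token, candidates, key=SECRET_KEY):
    """Operator-side lookup: map a token from a reported message to an account."""
    for name in candidates:
        if hmac.compare_digest(account_token(name, key), token):
            return name
    return None


if __name__ == "__main__":
    print(scrub_received(SAMPLE_RECEIVED))
```

Only the holder of the key can map a token back to an account, and rotating the key breaks linkability between old and new messages.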