Re: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts

2004-06-08 Thread Tom Collins 
On Jun 7, 2004, at 9:28 PM, Devendra Singh wrote:
I would like to re-frame my Subject: SMTP Authenticated user is able 
to impersonate anyone in rcpthosts.
You could re-frame it even more.  Authenticated SMTP users can use any 
FROM address and submit mail for any host.

Some clients may have multiple from addresses going through a single 
authenticated session.  Limiting them to the address they authenticated 
as may be too strict.  Including it in the Received header is probably 
a more useful option.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/

Re: [vchkpw] Restrict messages and messages size per user

2004-06-08 Thread Eric Smoker 

Mario Gamito wrote:
Hi,
How can i use vpopmail (which command, options) to restrict the maximum
number of messages a user can have and the maximum size of each message
Max number xxxC (README.quotas)
Max size /var/qmail/control/databytes
?
I've searched the web and found nothing about this matter.
Is there a web interface to do this (costumers are usually mouse
enginners :P) ?
Any help would be appreciated.
Warm Regards,
Mário Gamito

Re: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts

2004-06-08 Thread Devendra Singh 
At 08/06/04 11:41 (), Tom Collins wrote:
On Jun 7, 2004, at 9:28 PM, Devendra Singh wrote:
I would like to re-frame my Subject: SMTP Authenticated user is able to 
impersonate anyone in rcpthosts.
You could re-frame it even more.  Authenticated SMTP users can use any 
FROM address and submit mail for any host.

Some clients may have multiple from addresses going through a single 
authenticated session.  Limiting them to the address they authenticated as 
may be too strict.  Including it in the Received header is probably a more 
useful option.
Dear Tom,
Thanks, that you understood. (Sorry, the issue is not related to Vpopmail, 
but may be of interest to most).

Including the authenticated ID in the Received header is good, but still it 
would not be able to stop the menace of Spamming from your own users (who 
is going to monitor the logs of mails sent by users). Also, in the days of 
virus outbreak and users having password saved in their outlook express, 
the feature can be saviour.

BTW, Shouguan Lin had pointed to a link 
http://night.rdslink.ro/dudu/qmail/http://night.rdslink.ro/dudu/qmail/ 
with features

o   Added my own patch, that checks whether the 'mail from' 
value is
different from the username used for SMTP AUTH, thus 
preventing
source address spoofing. Useful for ISP's that only relay 
mails
from authenticated users.
o   The 'mail from' verification is now configurable through a 
knob
defined in /var/qmail/control/spoofcheck or in the environment
variable $SPOOFCHECK

But, this is part of unified patch which is difficult situation for me.
It's my request to Dr Erwin Hoffmann through this list that if he adds the 
feature into his authentication patch which is also included into the 
Vpopmail contrib, we all would get benefited.

Devendra Singh
__
Devendra Singh
IndiaMART InterMESH Limited
(Global Gateway to Indian Market Place)
B-1, Sector 8, Noida, UP - 201301, India
EPABX : +91-120-2424945, +91-120-3094634, +91-9810646342
Fax: +91-120-2424943
http://www.indiamart.com
http://www.indiangiftsportal.com
http://www.indiantravelportal.com
__