Re: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts
Hi Devendra,

At 18:38 07.06.04 +0530, you wrote:
> Hi, I am using Erwin Hoffmann's qmail-smtpd-auth-0.4.2.

Thanks for using it.

> I have noticed that once authenticated a user can use [EMAIL PROTECTED] (where server.com is a domain listed in rcpthosts) in the FROM header. Is there any remedy.

Yes, that's possible. You can prevent it partially with my SPAMCONTROL patch for Qmail. It includes SMTP Authentication (with some nice logging). In addition you may want to set the environment variable LOCALMFCHECK. For a relayclient (in particular in case of an SMTP authenticated session), you may enforce that the domain part of the Mail From: in the SMTP envelope corresponds with your list of rcpthosts or some arbitrary name provided thru the variable LOCALMFCHECK.

See: http://www.fehcom.de/qmail/spamcontrol/README_spamcontrol.html section 8.1.

A more general discussion about SMTP Authentication can be found at: http://www.fehcom.de/qmail/smptauth.html

regards.
--eh.

Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24
Re: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts
At 09/06/04 14:03 (), you wrote:
> Hi Devendra,
>
> At 18:38 07.06.04 +0530, you wrote:
> > Hi, I am using Erwin Hoffmann's qmail-smtpd-auth-0.4.2.
>
> Thanks for using it.
>
> > I have noticed that once authenticated a user can use [EMAIL PROTECTED] (where server.com is a domain listed in rcpthosts) in the FROM header. Is there any remedy.
>
> Yes, that's possible. You can prevent it partially with my SPAMCONTROL patch for Qmail. It includes SMTP Authentication (with some nice logging). In addition you may want to set the environment variable LOCALMFCHECK. For a relayclient (in particular in case of an SMTP authenticated session), you may enforce that the domain part of the Mail From: in the SMTP envelope corresponds with your list of rcpthosts or some arbitrary name provided thru the variable LOCALMFCHECK.
>
> See: http://www.fehcom.de/qmail/spamcontrol/README_spamcontrol.html section 8.1.
>
> A more general discussion about SMTP Authentication can be found at: http://www.fehcom.de/qmail/smptauth.html

Thanks Erwin,

I am already using the following in /etc/tcp.smtp:

:allow,LOCALMFCHECK=,MFDNSCHECK=,BADMIMETYPE=,MAXRECIPIENTS=20

As you have rightly said LOCALMFCHECK does prevent it partially with my SPAMCONTROL.

If you try to notice what Shouguan Lin had pointed http://night.rdslink.ro/dudu/qmail/ with features

o Added my own patch, that checks whether the 'mail from' value is different from the username used for SMTP AUTH, thus preventing source address spoofing. Useful for ISP's that only relay mails from authenticated users.
o The 'mail from' verification is now configurable through a knob defined in /var/qmail/control/spoofcheck or in the environment variable $SPOOFCHECK

Dr Erwin, Your whole Spamcontrol Patch is so good that I have been using it in entirety since quite some time with remarkable results. I am sure that you may be able to add the functionality to stop own spamming clients.

Thanks.
Devendra Singh __ Devendra Singh IndiaMART InterMESH Limited (Global Gateway to Indian Market Place) B-1, Sector 8, Noida, UP - 201301, India EPABX : +91-120-2424945, +91-120-3094634, +91-9810646342 Fax: +91-120-2424943 http://www.indiamart.com http://www.indiangiftsportal.com http://www.indiantravelportal.com __
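
The two policies contrasted in the message above, as an added example that is not part of the original posts and is not code from qmail, SPAMCONTROL or the unified patch: a domain-only check (the envelope sender's domain must be locally hosted, as described for LOCALMFCHECK) beside a strict check (the envelope sender must equal the SMTP AUTH login, as described for the spoofcheck knob). All function and enum names are hypothetical, the login is assumed to be a full user@domain address, and the addresses are constructed around the abc.com/xyz.com/test.com domains used as an illustration elsewhere in this thread.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical names; none of these identifiers come from qmail or the patches. */
enum mf_policy { MF_DOMAIN_ONLY, MF_MATCH_AUTH_USER };
enum mf_result { MF_ACCEPT, MF_REJECT };

/* Domain part of addr (text after the last '@'), or NULL if there is none. */
static const char *domain_of(const char *addr) {
    const char *at = strrchr(addr, '@');
    return (at && at[1] != '\0') ? at + 1 : NULL;
}

/* Case-insensitive lookup of a domain in the list of hosted domains. */
static int is_local_domain(const char *dom, const char *const *hosts, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(dom, hosts[i]) == 0) return 1;
    return 0;
}

/* May this authenticated session use mail_from as its envelope sender? */
enum mf_result check_mail_from(enum mf_policy policy, const char *auth_user,
                               const char *mail_from,
                               const char *const *hosts, size_t n) {
    /* Assumption: the null sender "<>" (bounces, receipts) stays allowed. */
    if (mail_from[0] == '\0') return MF_ACCEPT;
    const char *dom = domain_of(mail_from);
    if (!dom) return MF_REJECT;                /* unqualified sender */
    if (policy == MF_MATCH_AUTH_USER)          /* strict: sender must be the login */
        return strcasecmp(mail_from, auth_user) == 0 ? MF_ACCEPT : MF_REJECT;
    /* Domain-only: any address in any hosted domain passes. */
    return is_local_domain(dom, hosts, n) ? MF_ACCEPT : MF_REJECT;
}

/* Constructed sample data. */
static const char *const SAMPLE_HOSTS[] = { "abc.com", "xyz.com", "test.com" };
#define SAMPLE_N (sizeof SAMPLE_HOSTS / sizeof SAMPLE_HOSTS[0])

int main(void) {
    /* user@abc.com is logged in but claims an address in another hosted domain. */
    int loose  = check_mail_from(MF_DOMAIN_ONLY, "user@abc.com", "boss@xyz.com",
                                 SAMPLE_HOSTS, SAMPLE_N);
    int strict = check_mail_from(MF_MATCH_AUTH_USER, "user@abc.com", "boss@xyz.com",
                                 SAMPLE_HOSTS, SAMPLE_N);
    return (loose == MF_ACCEPT && strict == MF_REJECT) ? 0 : 1;
}
```

The strict policy also rejects a user's own second address, which is the trade-off raised elsewhere in this thread about clients that send from several addresses over one authenticated session.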
Re: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts
On Jun 7, 2004, at 9:28 PM, Devendra Singh wrote:
> I would like to re-frame my Subject: SMTP Authenticated user is able to impersonate anyone in rcpthosts.

You could re-frame it even more. Authenticated SMTP users can use any FROM address and submit mail for any host.

Some clients may have multiple from addresses going through a single authenticated session. Limiting them to the address they authenticated as may be too strict. Including it in the Received header is probably a more useful option.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts
At 08/06/04 11:41 (), Tom Collins wrote:
> On Jun 7, 2004, at 9:28 PM, Devendra Singh wrote:
> > I would like to re-frame my Subject: SMTP Authenticated user is able to impersonate anyone in rcpthosts.
>
> You could re-frame it even more. Authenticated SMTP users can use any FROM address and submit mail for any host.
>
> Some clients may have multiple from addresses going through a single authenticated session. Limiting them to the address they authenticated as may be too strict. Including it in the Received header is probably a more useful option.

Dear Tom,

Thanks, that you understood. (Sorry, the issue is not related to Vpopmail, but may be of interest to most).

Including the authenticated ID in the Received header is good, but still it would not be able to stop the menace of Spamming from your own users (who is going to monitor the logs of mails sent by users). Also, in the days of virus outbreak and users having password saved in their outlook express, the feature can be a saviour.

BTW, Shouguan Lin had pointed to a link http://night.rdslink.ro/dudu/qmail/ with features

o Added my own patch, that checks whether the 'mail from' value is different from the username used for SMTP AUTH, thus preventing source address spoofing. Useful for ISP's that only relay mails from authenticated users.
o The 'mail from' verification is now configurable through a knob defined in /var/qmail/control/spoofcheck or in the environment variable $SPOOFCHECK

But, this is part of a unified patch, which is a difficult situation for me.

It's my request to Dr Erwin Hoffmann through this list that if he adds the feature into his authentication patch which is also included into the Vpopmail contrib, we all would get benefited.
Devendra Singh
[vchkpw] SMTP Authenticated user is able to anyone in rcpthosts
Hi,

I am using Erwin Hoffmann's qmail-smtpd-auth-0.4.2.

I have noticed that once authenticated a user can use [EMAIL PROTECTED] (where server.com is a domain listed in rcpthosts) in the FROM header.

Is there any remedy.

Devendra Singh
Re: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts
On Monday 07 June 2004 08:08 am, Devendra Singh wrote:
> Hi, I am using Erwin Hoffmann's qmail-smtpd-auth-0.4.2. I have noticed that once authenticated a user can use [EMAIL PROTECTED] (where server.com is a domain listed in rcpthosts) in the FROM header.

even an unauthenticated user can do this. How do you think this mailing list post will have my From: header, but an envelope sender of vchkpw-return-somenumber[EMAIL PROTECTED]

> Is there any remedy.

What Problem Are You Trying To Solve?

-Jeremy

--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
Re: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts
At 07/06/04 20:05 (), you wrote:
> On Monday 07 June 2004 08:08 am, Devendra Singh wrote:
> > Hi, I am using Erwin Hoffmann's qmail-smtpd-auth-0.4.2. I have noticed that once authenticated a user can use [EMAIL PROTECTED] (where server.com is a domain listed in rcpthosts) in the FROM header.
>
> even an unauthenticated user can do this. How do you think this mailing list post will have my From: header, but an envelope sender of vchkpw-return-somenumber[EMAIL PROTECTED]
>
> > Is there any remedy.
>
> What Problem Are You Trying To Solve?
>
> -Jeremy

Sorry Jeremy,

Perhaps I was unable to explain the problem properly. Suppose a Server is hosting the following domains:

abc.com
xyz.com
test.com

Now, the user [EMAIL PROTECTED] has been enabled for SMTP (not POP-Before SMTP but SMTP-AUTH using Erwin's Patch). If the user [EMAIL PROTECTED] tries to send an email as [EMAIL PROTECTED] in FROM headers, it's denied.

But, if he impersonates (for say spamming) in FROM headers as [EMAIL PROTECTED] or even [EMAIL PROTECTED] his outgoing mail would go through. Isn't this a case to worry?

The example that you have talked about is totally unrelated to the above explained situation.

Devendra Singh
Re: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts
On Monday 07 June 2004 10:17 am, Devendra Singh wrote:
> Sorry Jeremy, Perhaps I was unable to explain the problem properly. Suppose a Server is hosting the following domains:
> abc.com
> xyz.com
> test.com

ok.

> Now, the user [EMAIL PROTECTED] has been enabled for SMTP (not POP-Before SMTP but SMTP-AUTH using Erwin's Patch). If the user [EMAIL PROTECTED] tries to send an email as [EMAIL PROTECTED] in FROM headers, it's denied.

no, it's not, unless you've got some funky stuff set up, in which case, you'll have to provide more details.

> But, if he impersonates (for say spamming) in FROM headers as [EMAIL PROTECTED] or even [EMAIL PROTECTED] his outgoing mail would go through. Isn't this a case to worry?

well, if you see it happening, that's why insert deity here created userdel.

> The example that you have talked about is totally unrelated to the above explained situation.

no, it's entirely the same concept. Why let an unauthenticated user use any combination of envelope sender/header information but restrict authenticated users. Doesn't make much sense to me.

-Jeremy

--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
RE: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts
The unified qmail patches include a patch to verify the FROM address with authenticated user. The patch is located at http://night.rdslink.ro/dudu/qmail/. Check README for 2004_05_02.

Hope it helps.

Shouguan Lin

-----Original Message-----
From: Devendra Singh [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 6:08 AM
To: VpopMail Mailing List
Subject: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts

Hi,

I am using Erwin Hoffmann's qmail-smtpd-auth-0.4.2.

I have noticed that once authenticated a user can use [EMAIL PROTECTED] (where server.com is a domain listed in rcpthosts) in the FROM header.

Is there any remedy.

Devendra Singh
Re: [vchkpw] SMTP Authenticated user is able to anyone in rcpthosts
At 07/06/04 21:27 (), you wrote:
> On Monday 07 June 2004 10:17 am, Devendra Singh wrote:
> > Sorry Jeremy, Perhaps I was unable to explain the problem properly. Suppose a Server is hosting the following domains:
> > abc.com
> > xyz.com
> > test.com
>
> ok.
>
> > Now, the user [EMAIL PROTECTED] has been enabled for SMTP (not POP-Before SMTP but SMTP-AUTH using Erwin's Patch). If the user [EMAIL PROTECTED] tries to send an email as [EMAIL PROTECTED] in FROM headers, it's denied.
>
> no, it's not, unless you've got some funky stuff set up, in which case, you'll have to provide more details.
>
> > But, if he impersonates (for say spamming) in FROM headers as [EMAIL PROTECTED] or even [EMAIL PROTECTED] his outgoing mail would go through. Isn't this a case to worry?
>
> well, if you see it happening, that's why insert deity here created userdel.
>
> > The example that you have talked about is totally unrelated to the above explained situation.
>
> no, it's entirely the same concept. Why let an unauthenticated user use any combination of envelope sender/header information but restrict authenticated users. Doesn't make much sense to me.
>
> -Jeremy

Jeremy,

Again I am misunderstood. But, Shouguan Lin has understood the point. I would like to re-frame my Subject: SMTP Authenticated user is able to impersonate anyone in rcpthosts.

The SMTP-AUTH Patch by Erwin Hoffmann (from http://www.fehcom.de) qmail-smtpd-auth-0.4.2 recommended by latest Vpopmail has the functionality as discussed earlier. Dr Erwin are you listening??

The unauthenticated users can easily be prevented to use any combination of envelope sender/header information by using Split Horizon Check, which I am already using.

Devendra Singh