Noel J. Bergman wrote:
Something more important: I am -1 on the current code. The technical
justification for vetoing this change is that we are tracking only the IP
address. One person on a non-routable subnet authenticates via POP3 or
IMAP, and everyone else going through the same gateway router gets to use
the now Open Relay? Better would to be to maintain {ID, IP}-tuples.
Although that would be more difficult, or perhaps less useful, in virtual
user table situations, since the POP3 USER and the SMTP MAIL FROM would be
different, it would be better than creating Open Relays; especially Open
Relays in a way that most admins would find every difficult to track down,
and which most Open Relay probes would not detect.
[...]
Remember that you need not revert the commits at this time, but unless we
find a resolution to the vulnerability or someone shows me the error of my
assertion, we are not releasing this code.
I don't agree.
Using our config.xml administrators can even break rfc compliance, they
can remove whole commands, and can add vulnerability.
It is really simply to create an open relay with a single line change.
We should simply add the feature and a good comment on what it really does.
What I would expect from my previous knowledge from a pop-before-smtp is
that it only checks IPs.
Maybe we can add a configuration to the handler to decide wether to
check {ip,id} tuples or ip only, but I think that IP only will be the
one used.
Stefano
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
