I had made EHLO mandatory in the XMail server by commenting out the code
which acknowledges the "HELO" command, hence the only command that is
accepted by the email server is "EHLO". And later when the server was
built I tested it again, and found that if the authentication fails the
server will still allow the mail delivery. In my case the email server
has no chance of accepting mail from another email server and hence
there is no need for allowing the "HELO" command; users can of course
use "EHLO". However while testing the security, I found this security
hole. I did change the code a bit by rejecting the session as soon as
the authentication fails. However I thought I should inform Davide about
it. It could be a potential loophole. Try it out yourself:

*) EHLO somedomain
*) MAIL FROM: <[EMAIL PROTECTED]>
*) RCPT To: <[EMAIL PROTECTED]>

Now the mail server should object at the second command itself, however
that doesn't happen either. And the message gets delivered; it's the
same as mail delivery without authentication with EHLO.


Veeresh
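A small model of the session state this thread argues about, added here as an example and not XMail's code: the script from the post (EHLO, a failing AUTH, MAIL FROM, RCPT TO) is run against three policies, an open-relay setting of the kind Bill describes, a require-authentication setting, and the drop-the-session-on-failure change Veeresh made. The credential store, the domain and the passwords are constructed.

```python
import base64

USERS = {"veeresh": "s3cret"}  # constructed credential store for the demo, not XMail's config

def plain_token(user, password):  # AUTH PLAIN initial response: base64("\0user\0password")
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()

class SmtpSession:
    def __init__(self, require_auth=True, drop_on_auth_failure=False):
        self.require_auth = require_auth                  # no mail from unauthenticated clients
        self.drop_on_auth_failure = drop_on_auth_failure  # Veeresh's change: end the session
        self.authenticated = self.closed = False

    def auth_plain(self, token):
        try:
            _, user, password = base64.b64decode(token).decode().split("\0")
        except ValueError:
            return False
        return USERS.get(user) == password

    def handle(self, line):
        if self.closed:
            return "421 4.7.0 connection closed"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250 AUTH PLAIN"
        if verb == "HELO":  # EHLO made mandatory, as in the thread
            return "502 5.5.1 use EHLO"
        if verb == "AUTH":
            mech, _, token = arg.partition(" ")
            if mech.upper() == "PLAIN" and self.auth_plain(token):
                self.authenticated = True
                return "235 2.7.0 authentication succeeded"
            self.closed = self.drop_on_auth_failure
            return "535 5.7.8 authentication failed"
        if verb in ("MAIL", "RCPT"):
            # The thread's point: a failed AUTH leaves the session unauthenticated, so the
            # policy has to be enforced on every MAIL/RCPT rather than only inside AUTH.
            if self.require_auth and not self.authenticated:
                return "530 5.7.0 authentication required"
            return "250 2.1.0 ok"
        return "500 5.5.2 command not recognised"

def run(commands, **policy):
    session = SmtpSession(**policy)  # feed a scripted client session; return each status code
    return [session.handle(c).split()[0] for c in commands]

# The sequence from the thread, with a deliberately wrong password (constructed values).
SCRIPT = ["EHLO somedomain", "AUTH PLAIN " + plain_token("veeresh", "wrong"),
          "MAIL FROM:<user@example.test>", "RCPT TO:<someone@example.test>"]
```

With an open-relay policy the failed AUTH is irrelevant and MAIL/RCPT get 250, which is the behaviour the thread reports; with authentication required they get 530, and with the session dropped on failure everything after the 535 is refused.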
--- Bill Healy <[EMAIL PROTECTED]> wrote:
> 
> Try your test again without even trying to authenticate. Your system
> might not require authentication to send e-mail because either your IP
> is in smtprelay, you have SMTP after POP enabled or you have left your
> system open some other way. When you have your system configured so that
> it won't take your test message without authentication then try your
> test again with authentication and post the results.
> 
> Bill
> 
> >----------
> >From:        Vëérêsh Khånörkãr [SMTP:[EMAIL PROTECTED]]
> >Sent:        Wednesday, May 01, 2002 1:17 AM
> >To:  [EMAIL PROTECTED]
> >Subject:     [xmail] Re: Might be A Bug [Part II]
> >
> >
> >Agreed, if the session is in non-authenticated state then the user
> >should not be allowed to send mail, and that's what is exactly
> >happening. In such case any user who knows this failure in
> >authentication but still mail delivery can give rise to spam, don't
> >you think so?
> >
> >I mean if the authentication does not succeed then mail delivery
> >should be denied. But that's not occurring here. Anyone who knows
> >this point can exploit it for spamming.
> >
> >-Veeresh
> >
> >--- Davide Libenzi <[EMAIL PROTECTED]> wrote:
> >>
> >> On Tue, 30 Apr 2002, Vëérêsh Khånörkãr wrote:
> >>
> >> >
> >> > Another dump, check it out:
> >> >
> >> > The underlined command shouldn't be allowed IMHO. Check it out:
> >> > After the user has given EHLO, the user is supposed to give AUTH,
> >> > but in the below case if the user gives _MAIL FROM_ it's still
> >> > accepted. Isn't it a security lapse?
> >> >
> >> > Please do reply back.
> >>
> >> No, if the auth fails the server state remains non-authenticated.
> >> That's it.
> >>
> >> - Davide
> >>
> >> -
> >> To unsubscribe from this list: send the line "unsubscribe xmail" in
> >> the body of a message to [EMAIL PROTECTED]
> >> For general help: send the line "help" in the body of a message to
> >> [EMAIL PROTECTED]
> >>

