[22304] in bugtraq
RE: Relaying in MDaemon ((UPDATED ALEPH))
daemon@ATHENA.MIT.EDU (JNJ)
Sun Aug 19 12:33:02 2001
From: "JNJ" <jnj@pobox.com>
To: "BugTraq Listserv" <bugtraq@securityfocus.com>
Date: Sat, 18 Aug 2001 19:47:07 -0400
Message-ID: <NCBBJHKLEKDDKGOCJBBPKEMCLKAA.jnj@pobox.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20010817182640.E7879@fsckit.net>
X-MDaemon-Deliver-To: bugtraq@securityfocus.com
Reply-To: jnj@pobox.com

> Perhaps you should go download your product from your website and
> try this yourself rather than just claiming the original poster
> didn't read the documentation. I just downloaded a trial version
> of 4.0.5 and it relays out of the box.

Actually, his statement is accurate -- MDaemon does not allow relaying
out-of-the-box. The issue noted by the original poster is not a relay
issue, but rather an address spoofing issue. MDaemon has a detailed section
on how to prevent this type of activity.

Chapter 9, around page 130ish, goes into details about how to protect your
system from being used as a relay as well as how to protect it from spam.

Although I agree it would seem sensible to set the package up to deny relay
and require POP before SMTP, is it now the responsibility of a software
vendor to pre-configure every aspect of the software for those who download
it? The original poster's claims are inaccurate -- there is in fact a
configuration that disallows relaying and to extend from that, there is a
feature that will prevent what he detected as well. He did not fully
research the matter before posting it to BugTraq and that does a disservice
to the open-disclosure community. Translation: This is a configuration
issue and a little RTFM would prevent it altogether.

Anyone who is considering running a mailserver should be advanced enough to
know relaying is an issue with servers, that default configurations seldom
account for all possible variables, and that prior to operating a public
server it is imperative to RTFM. Since when is it legitimate to post
RTFM-based issues to BugTraq?

James