Sancho2k.net Lists wrote:
Dallas L. Engelken wrote:
>>> D. Monroe wrote:
"The main advantage of the Magic SMTP daemon over qmail-smtpd is its ability to verify the existence of users before passing the mail into the qmail subsystem..."

"Pro-Active protection against spammers by returning a 'USER DOES NOT EXIST' to the offender, hopefully to remove the address from bulk mailer lists"

Doesn't this basically say, directory harvest me!!

Dallas-
I appreciate the point. Yes, I suppose this is akin to having VRFY enabled but I'm not sure what your real concerns are wrt harvesting. Asking semi-rhetorically... Is it likely someone will send (conservatively using 6 char alphanumeric addressing only) 36^6 submissions to glean relatively few positive results? And... unless you have some .qmail-default, bad addresses are going to end up bouncing, allowing such 'harvesting' anyway. I suppose tarpitting may mitigate this harvesting risk? Perhaps I'm naive in thinking the benefits of avoiding Q-S/AV overhead may outweigh this harvesting risk? Maybe I'm missing something in your concerns? I'd appreciate more information even if offline. Thanks


Another point - I can't vouch for magic-smtpd's security implications, whereas I can for qmail-smtpd or rblsmtpd. Why risk qmail's integrity by something like this?

DS-
I agree, but it's quite likely we've all got patches, not all of which have been "vetted" by DJB, in all our qmail systems. Aren't the folks on this Q-S list also "risking the integrity" of qmail itself by hooking Q-S and/or SA and/or AV etc into the system? I'm not saying any of these add-on tools are inherently risky (let's all hope not), just that we aren't talking about bare qmail integrity anymore anyway.
Is adding this -specific- risk (magic-smtpd) acceptable/beneficial?....that's the discussion I'm interested in.


I have no experience with magic-smtpd so I'm all ears wrt specific security issues, pro/con etc...I simply brought it up as a discussion point to possibly avoid Q-S/AV overhead unless needed.

Thanks all




Qmail-scanner-general mailing list
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
