Re: Security Issue on qmail

Tue, 7 Sep 1999 16:03:00 -0700 

On Tue, 7 Sep 1999 [EMAIL PROTECTED] wrote:

> Hello,
> 
> I am a rookie on using qmail, but I can feel the power of it, really
> amazing.
> 
> I have several questions about the implementation of qmail. If possible,
> please give me some advice. Thanks.
> 
> (1) Anti-relay Issue
> 
> Any security risk about Mail Relaying? If I really want to get rid of
> relay, which module or file is required to be modified? According to Mr.
> Peter Samuel's qmail tutorial at the recent SAGE-AU '99 conference, he
> states that qmail can be configured to prevent mail relaying by specifying
> valid incoming domains in /var/qmail/control/rcpthosts. Is it the case?

It certainly is :) If you are using qmail-smtpd and you wish to avoid
being an open relay, create the file

    /var/qmail/control/rcpthosts

This file contains the list of mail domains for which you are happy to
RECEIVE mail. I'll repeat that as it seems to be a common error
amongst new qmail admins. The list of domains in rcpthosts are the
domains for which you will RECEIVE mail, they are NOT the list of
domains to which you want to SEND mail.

Now, if someone sends you mail and the envelope RCPT TO: component is
does NOT contain a mail domain listed in your rcpthosts file, then
qmail-smtpd will reject that address. Voila, you have now closed
relaying.

Read the qmail-smtpd man page, also see Dave Sill's excellent "Life
with qmail" pages.

PS This section was covered quite well during the tutorial session
itself - however the notes by themselves don't always convey the
complete discussions. That's why people pay to go to those
conferences :)

PPS Even though I'm now approaching 40 I still can't get used to being
called Mr :)

> 
> (2) EXPN and VRFY Issue
> 
> Any security risk about EXPN and VRFY? I can't find any information about
> them on qmail released notes. Is that mean I can ignore these issues? Is it
> enabled as default on qmail?

As Annand has already stated, VRFY and EXPN are not supported by
qmail-smtpd, so there are NO security issues with these SMTP commands.

Regards
Peter
----------
Peter Samuel                                [EMAIL PROTECTED]
Technical Consultant                        or at present:
eServ. Pty Ltd                              [EMAIL PROTECTED]
Phone: +61 2 9206 3410                      Fax: +61 2 9281 1301

"If you kill all your unhappy customers, you'll only have happy ones left"

Reply via email to