After about a week of using qpsmtpd-0.40, I noticed last night that there were an excessive amount of emails in my queue. After poking through qpsmtpd's logs I could see that messages were being tagged as 'recipient ok' for domains that were not in my rcpthosts file.
After further checking of the logs, every incoming connection that issued the "AUTH LOGIN" command was automatically authenticated, thus allowing relaying. Apparantly this is the intended behavior of the "proof of concept" authnull plugin. I installed qpsmtpd based on the quick install instructions on the wiki, which suggests moving the config.sample directory to config. It turns out that the config.sample/plugins file enables the authnull plugin. I can imagine that I'm not be the only person that has followed these instructions. Would it not be a good idea to remove the authnull plugin from the "default" install to avoid this? Regards, Angelo
