Bill Shupp wrote:
Yes, you are an open relay due to the smtp-auth bug. You are missing the "hostname" argument to qmail-smtpd. I think that my early toaster setup was missing this, as it used the old qmail-toaster patch. Here's evidence of my relay test:
Bill is correct. The problem is that without the hostname in there, the vchkpw command is used as the hostname and /bin/true is actually the program that SMTP-AUTH then checks against, which of course gives a positive result no matter what you throw at it. Adding the hostname as instructed should close your hole.
Spammers started aiming at this hole in the last couple of months. I discovered one of my machines with this hole a couple of weeks ago; it was a 0.5 patched version of an older toaster install. It should be noted that this hole actually didn't work until I installed the 0.5 patch; the previous qmail didn't exhibit the smtp-auth relay problem (I rolled back to it until I found the fix).
Which version of the toaster and patch worked without the hostname?
Bill
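
The argument shift described in this thread, as an added example that is not part of the original messages: a shell function that reads a qmail-smtpd command line positionally (hostname, then password checker, then subprogram, as the thread describes) and flags the missing-hostname case. The sample command lines, their paths and mail.example.com are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit a qmail-smtpd command line for the missing-hostname
# SMTP-AUTH misconfiguration discussed in the thread.
# Assumption (from the thread): the patched qmail-smtpd takes its arguments
# positionally as: hostname, password checker, subprogram.

# Constructed sample command lines (not taken from the thread).
SAMPLE_BROKEN='/var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true 2>&1'
SAMPLE_FIXED='/var/qmail/bin/qmail-smtpd mail.example.com /home/vpopmail/bin/vchkpw /bin/true 2>&1'

# classify_smtpd_args CMDLINE
# Prints one of: no-smtpd, no-auth, open-relay, ok
classify_smtpd_args() {
    # Split into words without glob expansion (inputs carry no shell quoting).
    set -f; set -- $1; set +f
    # Drop everything up to and including the qmail-smtpd word.
    found=0
    while [ $# -gt 0 ]; do
        case $1 in
            qmail-smtpd|*/qmail-smtpd) found=1; shift; break ;;
        esac
        shift
    done
    [ "$found" -eq 1 ] || { echo no-smtpd; return; }
    host=${1:-}
    checker=${2:-}
    # Nothing (or only a redirection) after qmail-smtpd: no SMTP-AUTH arguments.
    case $host in
        ''|*'>'*|*'<'*) echo no-auth; return ;;
    esac
    # A path in the hostname slot means every argument shifted left by one,
    # so the intended subprogram (/bin/true) now sits in the checker slot.
    case $host in
        */*) echo open-relay; return ;;
    esac
    case $checker in
        ''|*'>'*|*'<'*) echo no-auth; return ;;
        # A checker that always exits 0 accepts any credentials.
        /bin/true|/usr/bin/true|true) echo open-relay; return ;;
    esac
    echo ok
}

for line in "$SAMPLE_BROKEN" "$SAMPLE_FIXED"; do
    printf '%s\n  -> %s\n' "$line" "$(classify_smtpd_args "$line")"
done
```

Feed it the exec line from the SMTP service's run script; a result of open-relay means the line needs the hostname argument added, as instructed above.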