Andy Drexler wrote:

I added the host name to the /var/qmail/supervise/qmail-smtpd/run file and re-ran the tests from http://spamlart.homeunix.org and got the same results (a lot of "Potential Vulnerabilities"). I guess I need to "grab the 0.5 patch from shupp.org. You'll have to patch a fresh copy of qmail." I hate to be too dense here, but are there some instructions for doing this to a live mail server? I'd really like to avoid demolishing something that works well. Is this something I should do in the middle of the night? Are there any non-obvious configuration files that need to be backed up first?

As Bill says in his reply, keep a backup of the old version you know works; that way you can always roll back to it if a problem crops up. You just go back to the old version's directory and do a "make setup check" to reinstall it.


As with most critical systems, I recommend doing this off-hours if possible, but sometimes it's best to do it right away, and in this case you're attempting to close an open relay hole, so doing it sooner rather than later is likely best for you and your clients.

Also keep in mind that some relay tests do give false positives for Qmail because by its very nature it tends to accept a message for a given domain in the local list and then bounce it after the SMTP session if it is a bounce. As long as said relay isn't forwarded on to the relay tester, other than in a bounce format, everything will be fine.

