Re: possible open relay hole in qmail-smtpd-auth patch
From: Jonathan de Boyne Pollard (J.deBoynePollard_at_tesco.net)
To: firstname.lastname@example.org Date: Wed, 16 Jul 2003 02:09:14 +0100
JS> i have written a revision to the qmail-smtpd-auth patch
JS> which compensates for this common error by not supporting
JS> the AUTH command unless all three command line arguments
JS> are present.
You've no guarantee that 3 is the correct number. An administrator might
decide to use
qmail-smtpd domain checkpassword /bin/echo Hello there.
qmail-smtpd domain checkpassword /bin/true
for example, just for the heck of it.
If you are about to assert that "The number of arguments is always going to be
exactly 3 because 'checkpassword' is always going to be given just the one
argument, '/bin/true'.", then I suggest that you consider taking that fact
into account in the design of your modified patch, and eliminate the scope for
variation in something that you are asserting is in fact intended to be