RE: IIS SMTP component allows mail relaying via Null Session
From: Frank Knobbe (FKnobbe@KnobbeITS.com)Date: 03/01/02
- Previous message: Michael Ward: "RE: MS02-012/Q313450"
- Maybe in reply to: Marc Fossi: "IIS SMTP component allows mail relaying via Null Session"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Frank Knobbe <FKnobbe@KnobbeITS.com> To: 'Marc Fossi' <mfossi@securityfocus.com>, Focus-MS <focus-ms@securityfocus.com> Date: Fri, 1 Mar 2002 14:51:13 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> -----Original Message-----
> From: Marc Fossi [mailto:mfossi@securityfocus.com]
> Sent: Friday, March 01, 2002 1:02 PM
>
> [...]
> Workarounds:
> Disable the SMTP service.
> Disable the ability of authenticated users to relay email.
> Firewall off the SMTP service from untrusted networks.
>
> Recommendations:
> Disable the SMTP service, if not needed.
> Install the patch from Microsoft
If this issue only occurs with NTLM authentication, wouldn't it be
possible to use only clear-text for authentication? (over SSL
preferred) Can NULL sessions be created (or an equivalent bypass)
using clear-text (basic authentication)?
Regards,
Frank
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME (X.509) encrypted email preferred.
iQA/AwUBPH/pwczYtOFvgXQfEQKrmwCgnKa/G/1YPjwj6CTAIVMek6QwdjoAoLBv
Yrr/+ZU9ieIPFTHidK6+xHjV
=SKpa
-----END PGP SIGNATURE-----
- Previous message: Michael Ward: "RE: MS02-012/Q313450"
- Maybe in reply to: Marc Fossi: "IIS SMTP component allows mail relaying via Null Session"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
