Re: qmail smtp-auth bug allows open relay

From: Frank Knobbe (fknobbe_at_knobbeits.com)
Date: 07/16/03

    To: rcs@flashwave.com
    Date: 16 Jul 2003 12:16:14 -0500
    
    
    

    On Tue, 2003-07-15 at 18:14, Roberto Cardona wrote:
    > Is the patch needed if the implementation of the auth module is correct? I
    > checked and my conf files for qmail are set up correctly so I wonder if
    > it's worth applying the patch. Thank you.

    From what I understand, the patch just ensures that the system is not
    vulnerable if you accidentally do not set it up correctly. I haven't
    looked at the code, but according to the description, it checks for the
    presence of all three command line arguments, and refuses to relay if
    one is missing.

    In other words, it's not a patch per se (i.e. to get rid of a bug), but
    an added safety precaution. If you are confident that you won't
    misconfigure it by mistake, you don't need to apply the patch. Your
    risk, your choice.

    Regards,
    Frank

    
    


