[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Postfix is spammer-friendly by default on potato and woody

Try this :)

telnet some.other.host.running.postfix 25
HELO my.hostname
MAIL FROM:<nobody@some.other.host.running.postfix>
RCPT TO:<me@my.hostname>
DATA
Testing testing
.
QUIT

Ethan Benson wrote:
> 
> On Thu, Nov 02, 2000 at 10:42:38AM +0100, Ingemar Fällman wrote:
> > Hi
> >
> > When i was looking trough my logs tody i found that my host had been
> > used
> > as a relay host... I changed from sendmail to postfix because everyone
> > told
> > me that postfix was more secure.
> >
> > When looking at the default configurationfiles installed by debian there
> > was
> > nothing that prevents unauthorized users to send mail to anyone.
> 
> did you run a test to see if this was really the case?  such as telnet mail-abuse.org
> 
> i have run such a test on a default potato postfix setup and it passed
> all those tests, is there some other relay method that it does not
> catch?
> 
> > By adding this line to main.cf you can make sure that only your host can
> > send mail to users outside your system:
> >
> > smtpd_sender_restrictions = check_relay_domains,
> 
> from the smtpd man page:
> 
>        smtpd_sender_restrictions
>               Restrict  what sender addresses are allowed in MAIL
>               FROM commands.
> 
> it is true that postfix does not tend to care what you put in a FROM
> but that does not mean it allows relay (just watch the mail-abuse.org
> tests)
> 
> what postfix does is check to see whether the TO address is local, and
> if not it checks whether the connecting user is within the allowed
> relay domain (which is by default only the domain of the mailhost) if
> not it refuses the message.
> 
> > reject_unknown_sender_domain
> 
> didn't find this one.. (didnt search through all the man pages)
> 
> > Is this someting that should be added by default?? I think so....
> 
> no MTA should ever be a open relay much less by default, but from my
> testing postfix is not.  are you sure your using the debian current
> packages and not some old ones?  there was an old broken version of
> postfix way back when that was a open relay, it was a bug long ago
> fixed.  (its in the FAQ)
> 
> but then i could be missing something, im tired ;-)
> 
> --
> Ethan Benson
> http://www.alaska.net/~erbenson/
> 
>   ------------------------------------------------------------------------
>    Part 1.2Type: application/pgp-signature

-- 
Ingemar Fällman              Phone: +46(0)90 786 9335
UMDAC, Umeå University       Fax:   +46(0)90 786 6762
S-901 87 UMEÅ, SWEDEN	     MailTo:Ingemar.Fallman@UMDAC.UmU.SE
----------------------------------------------------------------
$_ = "I'n Jvtu bopuifs Pfsm ibdlfs,"; y/a-z/za-y/; print "$_\n";
Reply to: