
security? smail in frozen is an open relay



(My apologies if this is already known, and also for not submitting a
proper bug report, since I don't know how, and I don't want to risk
this being overlooked.)

The smailconfig script included with smail 3.2.0.101-4.4 (in frozen)
does not set the smtp_remote_allow option. As a result, any computer
on the internet can relay mail through a Debian system with smail
installed. Spammers take advantage of sites that are open relays to
send their mass mailings for them. (So any site with an open relay
is not doing the rest of the internet a big favour.) (For more
information on open relays, spammers and what to do about them,
consult http://maps.vix.com/tsi/.)

It is my opinion that this is serious enough that it should be fixed
before Debian 2.0 is released.

One possible fix, even suggested in the default smail config file, is
to say smtp_remote_allow=localnet, which restricts relay to users on
the same network as the mail server. It will not restrict incoming or
outgoing mail. This is reasonable as it allows the default config to
be used on a server, and minimises the risk of unwanted relay. Another
fix would be to add another question to the smailconfig script.

Also note that this is not fixed in smail 3.2.0.101-5, which is in
unstable.

Andrew Lewycky
amplewycky@undergrad.math.uwaterloo.ca
