At 12:16 +0200 6/25/2002, Johannes M. Posel wrote:
>Oh, yes, there's something not to forget: You must include a "NULL"
>username with a bogus password in your SQL database, else anyone can
>relay through your server by simply sending empty username and
>password (for example by using AUTH LOGIN and then just pressing enter
>when the server prompts you).

Thank you! (We're using LDAP, where the same issue is present.)
We've fixed open relay, thanks to your message.

I put the low-risk fix in first*... in the acl stanza which accepts
authenticated senders I added a condition requiring that $authenticated_id
not be empty (having set that up in the authentication).

A prober will still THINK they've authenticated... will fix that anon, but
at least the previously open relay is closed.

*the authenticators are already ugly, since I wanted to assume the domain
given a "bare" local part (in honor of Eudora, which really doesn't want to
authenticate john@???, although it can be forced to). And fixing
this there will make them uglier.
--John
--
John Baxter jwblist@??? Port Ludlow, WA, USA
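An added example (not the poster's configuration or the Exim project's own sample): the weak "accept anything that authenticated" stanza beside the hardened form the message describes, plus a LOGIN authenticator that refuses an empty username or password before any lookup happens. It is written in Exim 4 syntax; the poster's Exim version, ACL name and LDAP lookup are not in the message, so the ACL name and the CREDENTIAL_CHECK_PLACEHOLDER macro are assumptions you replace with your own.

```exim
# Added example: Exim 4 style configuration fragments (not the poster's own).
# CREDENTIAL_CHECK_PLACEHOLDER is a macro you must define with your real
# lookup, e.g. an LDAP or file-based password check for $auth1/$auth2.

begin acl

acl_check_rcpt:
  # Mail for our own domains is always accepted.
  accept  domains = +local_domains

  # Weak: any "successful" authentication grants relay, including one
  # where the client supplied an empty username and password and the
  # backend happened to accept it. Left commented out as the "before".
  # accept  authenticated = *

  # Hardened: relay only when authentication succeeded AND the
  # authenticator set a non-empty id (def: is true for a non-empty variable).
  accept  authenticated = *
          condition     = ${if def:authenticated_id}

  # Everything else is a relay attempt from an unauthenticated client.
  deny    message = relay not permitted

begin authenticators

plain_login:
  driver         = plaintext
  public_name    = LOGIN
  # Double colon escapes the literal ':' in each prompt.
  server_prompts = "Username:: : Password::"
  # Refuse empty username ($auth1) or password ($auth2) outright, so an
  # "AUTH LOGIN" followed by two empty lines can never succeed, then run
  # the site-specific credential check.
  server_condition = ${if and{{def:auth1}{def:auth2}{CREDENTIAL_CHECK_PLACEHOLDER}}}
  # This is what populates $authenticated_id for the ACL above.
  server_set_id    = $auth1
```

Both layers matter: the `server_condition` test stops the empty-credential probe from ever being reported as an authentication success (the "prober will still THINK they've authenticated" problem), while the ACL `condition` is the cheap backstop that closes the relay even if an authenticator is later added or changed without that check.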