[exim] Re: Need Help to Solve security hole (Sergio Basurto)

Top Page
Delete this message
Reply to this message
Author: Sergio Basurto Juarez
Date:  
To: exim-users
Subject: [exim] Re: Need Help to Solve security hole (Sergio Basurto)
> >very beginning I did not configure SMTP auth so
every one
> that connect
> >to my port 25 can send whatever they want,
>
> Very bad idea. Please take the host offline

immediately and
> repeat your experiments on a host that is not

publicly reachable.
>
> >I understand that leave SMTP without an auth method

is a
> security hole,
> >so I should reinstall the complete server because

even if I
> deinstall
> >exim and reinstall it, it goes on sending a lot of

stuff.

I believe there is a misconception here by the OP (not
by Marc the last poster:

One can have Exim with NO AUTHENTICATION but with
relaying
denied to all (or to all except "relay_to_domains" or
from relay_from_hosts).

[snip]
######################################################
# it's for one of our domains AND one of our users
accept  domains       = +local_domains
        endpass
[snip]


If you authenticate successfully you may relay, but
otherwise
you may merely send to "out domains/users". This
worked fine
[snip]

First of all I want to thank to anyone that response
to this message,
I already have the configurations as the configuration
that comes with this mail, I did not relay to anyone
at the very begining, what I really need is to manage
Auth because in my case even without relay they can
exploit my exim so I want to get working AUTH CRAM-MD5
with postgresql an want that exim4 always ask for
password and does not send any mail if the account
does not exist in the server, any clues or sources of
information will be very appreciate, I also bought the
Exim4 Book but it arrives to my place til monday of
the next week, menawhile I still researching.

Kind Regards.


--
Sergio Basurto J.

If I have seen further it is by standing on the
shoulders of giants. (Isaac Newton)
--

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com