From: Thomas E. <Tho...@th...> - 2013-11-19 17:18:22
Thank you for this really good report - this makes fixing easy. The next release will fix this. The check for 'is-authenticated' is simply missing in case 'EnforceAuth' is set.

Thomas

From: "Mr. Courtney Creighton" <as...@de...>
To: ass...@li...
Date: 19.11.2013 10:50
Subject: [Assp-user] ASSPv2 will permit open relaying with STARTTLS under certain circumstances

Hi all,

There is a possible config situation where mail can be relayed through ASSPv2 unauthenticated. The config for this is somewhat arcane and all parts must be exact in order to permit open relaying, and the number of ASSPv2 users who might have done this must be extremely small - if any, so I don't expect this to be much of a security issue. Still, I will put this information out to the list just in case someone else can't figure out why they are now a spam relay, or to keep someone from setting this config in the first place.

The config in question:

If (listenPort2) is set, with (smtpAuthServer) blank, and (EnforceAuth) is on, mail can be relayed through ports in (listenPort2), unauthenticated, using STARTTLS (and only STARTTLS). If (EnforceAuth) is turned off, then authentication is enforced. Likewise, if (smtpAuthServer) is not blank. All other combinations of attempts are properly stopped with a relaying denied error.

I realize that the description for (EnforceAuth) says that (smtpAuthServer) must be configured in order to use it, but it doesn't say that if you happen to check (EnforceAuth) on, with (smtpAuthServer) blank, that it will actually act as a spam relay. I was testing out various configs, and had been using the option earlier, and then ended up reverting back to my previous config, but figured from the description that it didn't matter if (EnforceAuth) was left on or not. But... that is not actually true.

My suggestion is to add an additional check to (EnforceAuth) where it doesn't actually activate unless (smtpAuthServer) actually has a destination in it. This should reduce the likelihood of someone accidentally configuring themselves as an open relay.

thanks,
-C
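The relay decision the thread describes, as an added Python model that is not ASSP's own code: Config, Session, relay_permitted_reported, relay_permitted_fixed, enforce_auth_active, config_warnings and audit are hypothetical names, the option semantics are reduced to the booleans the email mentions, and the port and server values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Config:
    """Subset of the ASSP options named in the report (values constructed)."""
    listen_port2: str        # listenPort2; blank means not configured
    smtp_auth_server: str    # smtpAuthServer; blank means no AUTH backend
    enforce_auth: bool       # EnforceAuth

@dataclass
class Session:
    """State of one inbound SMTP session (constructed for the example)."""
    on_listen_port2: bool    # connection arrived on a listenPort2 port
    starttls: bool           # client negotiated STARTTLS
    authenticated: bool      # SMTP AUTH succeeded ("is-authenticated")

def relay_permitted_reported(cfg: Config, s: Session) -> bool:
    """Hypothetical model of the reported behaviour: with EnforceAuth on and
    smtpAuthServer blank, the STARTTLS path on listenPort2 never reaches
    the is-authenticated check, so the relay attempt is accepted."""
    if s.authenticated:
        return True
    if cfg.enforce_auth and not cfg.smtp_auth_server.strip():
        if cfg.listen_port2 and s.on_listen_port2 and s.starttls:
            return True  # the defect: no is-authenticated check on this path
    return False

def enforce_auth_active(cfg: Config) -> bool:
    """Reporter's suggestion: EnforceAuth only takes effect when
    smtpAuthServer actually has a destination in it."""
    return cfg.enforce_auth and bool(cfg.smtp_auth_server.strip())

def relay_permitted_fixed(cfg: Config, s: Session) -> bool:
    """Hardened decision: the is-authenticated check applies on every path,
    so STARTTLS on a listenPort2 port grants nothing by itself."""
    return s.authenticated

def config_warnings(cfg: Config) -> list:
    """Start-up lint for the exact misconfiguration the report describes."""
    out = []
    if cfg.enforce_auth and not enforce_auth_active(cfg):
        out.append("EnforceAuth is on but smtpAuthServer is blank; "
                   "EnforceAuth is ignored until smtpAuthServer is set")
    return out

def audit(cfg: Config) -> list:
    """Run every unauthenticated (port2, starttls) combination from the
    report through both decisions; return the pairs where they disagree."""
    diffs = []
    for port2 in (False, True):
        for tls in (False, True):
            s = Session(on_listen_port2=port2, starttls=tls, authenticated=False)
            if relay_permitted_reported(cfg, s) != relay_permitted_fixed(cfg, s):
                diffs.append((port2, tls))
    return diffs
```

Only the STARTTLS-on-listenPort2 pair differs for the reported configuration; every other combination, and every authenticated session, is decided the same way by both functions.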