james-server-dev mailing list archives

From Stefano Bagnara <apa...@bago.org>
Subject Re: POP3 and other handlers ...
Date Mon, 24 Jul 2006 07:39:48 GMT
Noel J. Bergman wrote:
> Something more important: I am -1 on the current code.  The technical
> justification for vetoing this change is that we are tracking only the IP
> address.  One person on a non-routable subnet authenticates via POP3 or
> IMAP, and everyone else going through the same gateway router gets to use
> the now Open Relay?  Better would be to maintain {ID, IP}-tuples.
> Although that would be more difficult, or perhaps less useful, in virtual
> user table situations, since the POP3 USER and the SMTP MAIL FROM would be
> different, it would be better than creating Open Relays; especially Open
> Relays in a way that most admins would find very difficult to track down,
> and which most Open Relay probes would not detect.
> [...]
> Remember that you need not revert the commits at this time, but unless we
> find a resolution to the vulnerability or someone shows me the error of my
> assertion, we are not releasing this code.

I don't agree.

Using our config.xml, administrators can even break RFC compliance; they
can remove whole commands, and can add vulnerabilities.

It is really simple to create an open relay with a single line change.
We should simply add the feature and a good comment on what it really does.

What I would expect from my previous knowledge of pop-before-smtp is
that it only checks IPs.

Maybe we can add a configuration to the handler to decide whether to
check {ip,id} tuples or ip only, but I think that IP only will be the
one used.


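Added example, not part of the original message and not Apache James code: a minimal relay-grant table showing how the two modes discussed in the thread (IP only versus {ip,id} tuples) behave when several hosts share one gateway address. The class name, method names, addresses and the 30-minute lifetime are assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch, not Apache James code: a pop-before-smtp relay table.
public class PopBeforeSmtpTable {
    enum Mode { IP_ONLY, IP_AND_ID }

    private final Mode mode;
    private final Duration ttl;
    private final Map<String, Instant> grants = new HashMap<>();

    PopBeforeSmtpTable(Mode mode, Duration ttl) { this.mode = mode; this.ttl = ttl; }

    // Key is the client IP alone, or the IP plus the authenticated user ID.
    private String key(String ip, String id) {
        return mode == Mode.IP_ONLY ? ip : ip + "|" + id.toLowerCase();
    }

    // Called after a successful POP3/IMAP login.
    void recordLogin(String ip, String user, Instant now) {
        grants.put(key(ip, user), now.plus(ttl));
    }

    // Called by the SMTP side before relaying; sender is the MAIL FROM address.
    boolean mayRelay(String ip, String sender, Instant now) {
        Instant expiry = grants.get(key(ip, sender));
        return expiry != null && now.isBefore(expiry);
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2006-07-24T07:00:00Z");
        String gateway = "192.0.2.10"; // constructed: public address of a shared NAT gateway
        for (Mode m : Mode.values()) {
            PopBeforeSmtpTable table = new PopBeforeSmtpTable(m, Duration.ofMinutes(30));
            table.recordLogin(gateway, "alice@example.org", t0);
            Instant later = t0.plusSeconds(60);
            System.out.println(m + ": alice="
                + table.mayRelay(gateway, "alice@example.org", later)
                + ", other host behind same gateway="
                + table.mayRelay(gateway, "bob@example.org", later)
                + ", alice after expiry="
                + table.mayRelay(gateway, "alice@example.org", t0.plus(Duration.ofMinutes(31))));
        }
    }
}
```

MAIL FROM is not authenticated, so the tuple mode narrows the grant rather than proving who the sender is, and it stops matching when a virtual user table makes the POP3 USER differ from the MAIL FROM address.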