Re: [cobalt-users] SMTP hole maybe - any ideas

[Jeff Lasman <jblists@xxxxxxxxxxxxx>]

Ian wrote:

> I then send an email using the raq3's smtp server ability to 50 other domains on the same
> server, purporting to being the company behind the domainonraq3.com.

Actually, it doesn't matter what the sender's domain name is.  Or where
the server is located, or what the sender's from address is.  This is
called local delivery.

> The relaying of this email to 50 others on the same server is not prevented, even though
> POP b4 SMTP is enabled. Admittedly it will not allow the relaying to domains that are not
> on the server, but will happily send on this email to the 50 or so domains on the same
> server.

And if this didn't work, how would you expect anyone to be able to
receive email?  How could you get this post, if list.cobalt.com couldn't
send email to addresses hosted on your server?

> Then, we have 50 very unhappy teddies who have supposably received an email from someone
> we host, but no infact, it came from someone know one knows masquarading as
> domainonraq3.com, as they have managed to send an email through the same server as the
> company hosts on.

They could have sent it to everyone on your server even without
masquerading.

> Surely this can not be right and the POP b4 SMTP should stop this sort of thing from
> happening.

Okay, but again, if it did how could I send you email?  How could the
list send you?  Surely you don't expect to give an account to everyone
who wants to send you email, do you?

Jeff
-- 
Jeff Lasman, nobaloney.net, P. O. Box 52672, Riverside, CA  92517 US
Internet & Unix/Linux/Sun/Cobalt Consulting +1 909 778-9980
Our jblists address used on lists is for list email only
To contact us offlist: "http://www.nobaloney.net/contactus.html";