Bugtraq mailing list archives
Relaying in MDAEMON.
From: "buggzy" <alienhard () mail ru>
Date: Fri, 17 Aug 2001 11:42:24 +0600
It seems that the MDaemon SMTP server can be used for unauthorized relaying. Mail can be relayed when sent "FROM or TO known user", which means that mail sent "from" an account in one of the served domains can always be relayed. There is no problem specifying any "from" user, for example, the system account "mdaemon".

220 bepe ESMTP MDaemon 4.0.5 UNREGISTERED; Thu, 16 Aug 2001 11:38:54 +0600
helo somedomain
250 bepe Hello somedomain, pleased to meet you
mail from: mdaemon@bepe
250 <mdaemon@bepe>, Sender ok
rcpt to: alienhard () mail ru
250 <alienhard () mail ru>, Recipient ok

The message was successfully sent. Additionally, you can specify a "Reply-To" field in the message header, and the mail client will reply to the correct address. I can't find any configuration that will disallow it. It looks like a design error - poor criteria. Maybe expert MDaemon users can show whether it is right or wrong.

Tested: MDaemon Pro 4.0.5

buggzy () nerf ru, Nerf Security Group
http://www.nerf.ru
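
Added example, not part of the original post and not MDaemon's code: the "FROM or TO known user" criterion the post describes, next to a relay check that ignores the client-supplied MAIL FROM. All names, the domain-only test for "known user", and the `authenticated` / `trusted_ip` flags are assumptions for illustration; the sample sessions are constructed.

```python
from dataclasses import dataclass

LOCAL_DOMAINS = {"bepe"}  # served domain, as seen in the transcript's banner

@dataclass
class Session:
    mail_from: str
    rcpt_to: str
    authenticated: bool = False  # assumption: client completed SMTP AUTH
    trusted_ip: bool = False     # assumption: client is on an allow-listed network

def domain_of(addr: str) -> str:
    """Lowercased domain of an envelope address; '' for the null sender '<>'."""
    addr = addr.strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def is_local(addr: str) -> bool:
    # Simplification: "known user" is modelled as "address in a served domain".
    return domain_of(addr) in LOCAL_DOMAINS

def flawed_accept(s: Session) -> bool:
    # Criterion described in the post: sender OR recipient is local.
    return is_local(s.mail_from) or is_local(s.rcpt_to)

def hardened_accept(s: Session) -> bool:
    # MAIL FROM is whatever the client typed, so it never grants relay rights.
    if is_local(s.rcpt_to):
        return True  # inbound delivery to a served domain
    return s.authenticated or s.trusted_ip  # outbound needs a verified client

def audit(sessions):
    """Sessions the flawed criterion relays but the hardened one refuses."""
    return [s for s in sessions if flawed_accept(s) and not hardened_accept(s)]

# Constructed sample envelopes (example.* addresses are placeholders).
SAMPLE = [
    Session("mdaemon@bepe", "someone@example.org"),           # claimed local sender
    Session("peer@example.net", "user@bepe"),                 # normal inbound mail
    Session("user@bepe", "someone@example.org", authenticated=True),
    Session("peer@example.net", "someone@example.org"),       # plain third-party relay
    Session("<>", "user@bepe"),                               # bounce to a local user
]

if __name__ == "__main__":
    for s in audit(SAMPLE):
        print("relayed only by the flawed criterion:", s)
```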