RE: Relaying in MDaemon ((UPDATED ALEPH))

["JNJ" <jnj () pobox com>]

> Perhaps you should go download your product from your website and
> try this yourself rather than just claiming the original poster
> didn't read the documentation. I just downloaded a trial version
> of 4.0.5 and it relays out of the box.

Actually, his statement is accurate -- MDaemon does not allow relaying
out-of-the-box.  The issue noted by the original poster is not a relay
issue, but rather an address spoofing issue.  MDaemon has a detailed section
on how to prevent this type of activity.

Chapter 9, around page 130ish, goes into details about how to protect your
system from being used as a relay as well as how to protect it from spam.
Although I agree it would seem sensible to set the package up to deny relay
and require POP before SMTP, is it now the responsibility of a software
vendor to pre-configure every aspect of the software for those who download
it?  The original poster's claims are inaccurate -- there is in fact a
configuration that disallows relaying and to extend from that, there is a
feature that will prevent what he detected as well.  He did not fully
research the matter before posting it to BugTraq and that does a disservice
to the open-disclosure community.  Translation: This is a configuration
issue and a little RTFM would prevent it altogether.

Anyone who is considering running a mailserver should be advanced enough to
know relaying is an issue with servers, that default configurations seldom
account for all possible variables, and that prior to operating a public
server it is imperative to RTFM.  Since when is it legitimate to post RTFM
based issues to BugTraq?

James