[OpenIndiana-discuss] OT Qmail-to-go on openindiana?

låzaro netadmin at lex-sa.cu
Tue Apr 24 22:36:34 UTC 2012


Thread name: "Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?" 
Mail number: 6 
Date: Tue, Apr 24, 2012 
In reply to: Christopher Chan <christopher.chan at bradbury.edu.hk> 

> NO, that is not accurate. "security" where it means anti-spam, DJB did not
> bother because as far as he is concerned, the way things are, things are
> just broken. Too bad his idea of how email should work never took off. So
> any anti-spam features are provided by THIRD-PARTIES. It is not
> 'patch-maked'. There is zero anti-spam.

Of course, anti-spam is not the only security business in "email-related
things". For example, what about "domain replace delivery"?

Using your domain address from outside of your LAN. A long time ago,
a "clown" mailed all my users from the CEO address and convoked a fake
meeting. It was horrible, all my partners were looking to kill me :D the
whole day.

Another vulnerability: if I use AUTH as "fulano at yourdomain" and then send
you an email from the name "siclano at spaming". When the MTA lets me
replace MAIL FROM: after the AUTH time, it is very bad, it is another
"domain replace"-like attack.

Another example:

If I say "MAIL FROM: fulano" and then in the email, the From header says:
"From: mengano at fakedomain.tld". If my From: header lets me do
whatever, and does not have to be like the MAIL FROM:, it is dangerous too.

Security is not only stopping SPAM.

Another very big hole is the backscatter or bounce attack. If for some
reason I can make your server return a bounce, and then that return
will be to your address (or whatever address), your MTA will be "bouncing"
how many emails? That email which says:

 "sorry, your email can't be [some action]"
 
It is a whole bunch of danger, because, for example, the attacking return
address can be a Spamcop trap.

You will be sent to the Black List in a moment, very easily.


Greetings from Cuba.
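
The four problems listed in this message, written as the checks an MTA could apply while the SMTP session is still open. This is an added example, not part of the original post and not qmail code; `check_session`, the reason strings, the domains and the addresses are all hypothetical and constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed sample values (assumptions, not from the post).
LOCAL_DOMAINS = {"yourdomain.example"}
LAN = ip_network("192.168.0.0/24")
VALID_RCPTS = {"ceo@yourdomain.example", "fulano@yourdomain.example"}

def domain(addr):
    return addr.rpartition("@")[2].lower()

def check_session(client_ip, auth_user, mail_from, rcpt_to, data):
    """Return the reasons to answer 5xx during SMTP; empty list = accept."""
    reasons = []
    mail_from, rcpt_to = mail_from.lower(), rcpt_to.lower()
    header_from = parseaddr(message_from_string(data).get("From", ""))[1].lower()
    inside = ip_address(client_ip) in LAN
    local = LOCAL_DOMAINS

    # 1. Our own domain used as sender from outside the LAN, without AUTH.
    if domain(mail_from) in local and not inside and auth_user is None:
        reasons.append("local-sender-unauthenticated")
    # 2. Envelope sender changed after AUTH.
    if auth_user is not None and mail_from != auth_user.lower():
        reasons.append("mail-from-not-auth-identity")
    # 3. From: header and envelope disagree while either claims a local domain
    #    (scoped this way so third-party mailing-list mail still passes).
    if header_from != mail_from and (
            domain(mail_from) in local or domain(header_from) in local):
        reasons.append("header-from-not-envelope")
    # 4. Unknown local recipient: refuse at RCPT time, so no bounce is ever
    #    generated toward a forged return address (backscatter).
    if domain(rcpt_to) in local and rcpt_to not in VALID_RCPTS:
        reasons.append("unknown-recipient-rejected-in-session")
    return reasons
```

A real MTA applies these at different stages (MAIL, RCPT, DATA); they are gathered in one function here only so the four cases can be compared side by side.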



