[Mimedefang] Not piggybacking HELO checks
Philip Prindeville
philipp_subx at redfish-solutions.com
Wed Jan 11 13:59:28 EST 2006
Jan Pieter Cornet wrote:
>On Tue, Jan 10, 2006 at 07:11:35PM -0700, Philip Prindeville wrote:
>
>>>This seems like pretty weak security to me. Is there a valid reason for
>>>having sites answer to an EXPN or VRFY?
>>
>>Agreed that it's weak security: some legacy management software requires it.
>>
>>But... that doesn't change the fact that having individual knobs and
>>controls provides finer tuning... And it might be nice to block the
>>connection before we've exposed too much information.
>
>Can't you use an IP-based access control? That can be done in stock
>sendmail via the access.db

Due to the way that addresses are treated as strings, representing
address blocks that aren't aligned on 8-bit boundaries is a pain... And
you can't do programmatic checks like you can in Perl.

>If that's not possible, due to roaming or dynamic users, I'd switch
>to SSL, and SMTP AUTH.
>
>>Well, from a purely architectural point of view... a symmetrical
>>design would provide a control hook at each transition point in the
>>state machine...
>
>Last I heard, there was a bug in sendmail that makes it ignore the
>error code from a milter after the xxfi_helo call... but that might
>be fixed nowadays.

Nowadays start with which version? 8.13.1? Or more recent?
BTW: Anyone have a .spec file for FC3 that works with 8.13.5?
And can mimedefang be run and used without spamassassin?
-Philip
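
Added example, not part of the original message and not MIMEDefang or sendmail code: a Perl sketch of the contrast drawn above between string-keyed address entries and a programmatic check, for blocks that do not end on an 8-bit boundary. The function names and the sample addresses are hypothetical, chosen for illustration.

```perl
use strict; use warnings;

# Dotted quad -> 32-bit integer; undef for anything that is not a valid IPv4 literal.
sub ip_to_int {
    my ($ip) = @_;
    return undef unless defined $ip && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    return undef if grep { $_ > 255 } $1, $2, $3, $4;
    return ($1 << 24) | ($2 << 16) | ($3 << 8) | $4;
}

# Split "net/bits" into (masked network, prefix length, mask); empty list if malformed.
sub parse_cidr {
    my ($cidr) = @_;
    my ($net, $bits) = $cidr =~ m{^([\d.]+)/(\d{1,2})$} or return;
    my $n = ip_to_int($net);
    return unless defined $n && $bits >= 1 && $bits <= 32;
    my $mask = (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($n & $mask, $bits, $mask);
}

# Programmatic check: one mask-and-compare, whatever the prefix length.
# Malformed addresses or blocks never match.
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits, $mask) = parse_cidr($cidr) or return 0;
    my $n = ip_to_int($ip);
    return (defined $n && ($n & $mask) == $net) ? 1 : 0;
}

# String-key view: the whole-octet prefixes needed to cover the same block.
sub octet_prefix_keys {
    my ($cidr) = @_;
    my ($net, $bits) = parse_cidr($cidr) or return;
    my $octets = int(($bits + 7) / 8);            # octets each key must carry
    my $shift  = 32 - 8 * $octets;
    my $count  = 1 << (8 * $octets - $bits);      # number of keys required
    return map {
        my $v = $net + ($_ << $shift);
        join '.', map { ($v >> (24 - 8 * $_)) & 0xFF } 0 .. $octets - 1;
    } 0 .. $count - 1;
}

# Constructed sample values (private and documentation ranges), not from the thread.
for my $cidr ('10.20.4.0/22', '192.0.2.64/27') {
    my @keys = octet_prefix_keys($cidr);
    printf "%-14s needs %2d string keys: %s ... %s\n", $cidr, scalar @keys, $keys[0], $keys[-1];
}
printf "%-12s in 10.20.4.0/22? %s\n", $_, in_cidr($_, '10.20.4.0/22') ? 'yes' : 'no'
    for qw(10.20.7.200 10.20.8.1 10.20.4.999);
```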