[Mimedefang] Not piggybacking HELO checks

Philip Prindeville philipp_subx at redfish-solutions.com
Wed Jan 11 13:59:28 EST 2006


Jan Pieter Cornet wrote:

>On Tue, Jan 10, 2006 at 07:11:35PM -0700, Philip Prindeville wrote:
>
>>>This seems like pretty weak security to me.  Is there a valid reason for
>>>having sites answer to an EXPN or VRFY?
>>
>>Agreed that it's weak security: some legacy management software requires it.
>>
>>But... that doesn't change the fact that having individual knobs and controls
>>provides finer tuning...  And it might be nice to block the connection before
>>we've exposed too much information.
>
>Can't you use an IP-based access control? That can be done in stock
>sendmail via the access.db

Due to the way that addresses are treated as strings, representing address blocks
that aren't aligned on 8-bit boundaries is a pain...  And you can't do programmatic
checks like you can in Perl.

>If that's not possible, due to roaming or dynamic users, I'd switch
>to SSL, and SMTP AUTH.
>
>>Well, from a purely architectural point of view... a symmetrical
>>design would provide a control hook at each transition point in the
>>state machine...
>
>Last I heard, there was a bug in sendmail that makes it ignore the
>error code from a milter after the xxfi_helo call... but that might
>be fixed nowadays.

Nowadays start with which version?  8.13.1?  Or more recent?

BTW:  Anyone have a .spec file for FC3 that works with 8.13.5?

And can mimedefang be run and used without spamassassin?

-Philip
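
The access.db limitation discussed above, as an added example that is not part of the original post or of MIMEDefang itself: it counts the string keys access.db needs for a block that ends mid-octet and sets that beside a mask-and-compare check called from MIMEDefang's filter_relay hook. The two networks and the reject-everything-else policy are constructed assumptions.

```perl
use strict;
use warnings;

sub ip_to_int {    # dotted quad -> 32-bit integer, undef if not valid IPv4
    my @o = ($_[0] // '') =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
        or return undef;
    return undef if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# Split "a.b.c.d/n" into (masked base, mask, prefix length); () if malformed.
sub parse_cidr {
    my ($net, $bits) = split m{/}, $_[0], 2;
    my $base = ip_to_int($net);
    return () unless defined $base && defined $bits
        && $bits =~ /^\d{1,2}$/ && $bits >= 1 && $bits <= 32;
    my $mask = (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($base & $mask, $mask, $bits);
}

# The programmatic check: one mask-and-compare, whatever the prefix length.
sub in_cidr {
    my ($ip, $cidr) = @_;
    my $addr = ip_to_int($ip);
    my ($base, $mask) = parse_cidr($cidr);
    return (defined $addr && defined $base && ($addr & $mask) == $base) ? 1 : 0;
}

# The access.db equivalent: keys are whole-octet string prefixes, so a block
# that ends mid-octet needs one key per value of the partly covered octet.
sub access_db_keys {
    my ($base, $mask, $bits) = parse_cidr($_[0]) or return ();
    my $octets = int(($bits + 7) / 8);
    my $shift  = 32 - 8 * $octets;
    return map {
        my $v = $base + ($_ << $shift);
        join '.', map { ($v >> (24 - 8 * $_)) & 0xFF } 0 .. $octets - 1;
    } 0 .. (1 << (8 * $octets - $bits)) - 1;
}

my @MGMT_NETS = ('192.0.2.64/26', '10.20.4.0/22');    # constructed sample blocks

# In mimedefang-filter; assumed policy: only @MGMT_NETS may connect at all.
sub filter_relay {
    my ($hostip, $hostname) = @_;
    return ('CONTINUE', 'ok') if grep { in_cidr($hostip, $_) } @MGMT_NETS;
    return ('REJECT', 'Connections from this network are not accepted');
}

print scalar(access_db_keys($_)), " access.db keys for $_\n" for @MGMT_NETS;
print "$_ -> ", (filter_relay($_, 'unknown'))[0], "\n"
    for qw(192.0.2.100 192.0.2.130 10.20.7.9);
```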




