Date: Tue, 03 Mar 2015 11:48:33 -0600 From: Bryan Drewery <bdrewery@FreeBSD.org> To: Joel F Rodriguez <joel@tahoestores.com> Cc: ports@FreeBSD.org Subject: Re: FreeBSD Port: netqmail-tls-1.06.20110119 Message-ID: <54F5F3F1.3050103@FreeBSD.org> In-Reply-To: <000b01d05520$62e3e000$28aba000$@tahoestores.com> References: <000b01d05520$62e3e000$28aba000$@tahoestores.com>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --bqMdnxMKF4PtvvU6QOQQFkcU3rMXwiSbc Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 3/2/2015 1:37 PM, Joel F Rodriguez wrote: > Hello, >=20 > =20 >=20 > I thought I=92d send you a quick email to let you know that this port > seems to be full of security holes. While it seems to work in normal > operations, I experienced numerous spam attacks caused by an apparent > failure of AUTH(STARTTLS). >=20 > =20 IMHO it's kind of expected with qmail. It's many years unmaintained (in an upstream sense). Every patch except for spamcontrol is unmaintained upstream. Put another way, you may want to try qmail-spamcontrol since it is actively maintained. >=20 > Folks were authorizing using unknown accounts and passwords (backdoors?= ) > and I faced a flood of spam as a result. I was able to log one account > that was being used, and I was unable to block the attack even when I > removed the account. These attacks continued even after I updated every= > email account to use a random 20 char password. >=20 > =20 >=20 > The second issue I see here is that anyone that successfully authorizes= > can send email using any address they wish, which is why I was getting > SPAM generated using fake email address as the originator. >=20 > =20 >=20 > The port I am using is FreeBSD tahoestores.net 9.2-RELEASE-p10 FreeBSD > 9.2-RELEASE-p10 #0: Tue Jul 8 10:48:24 UTC 2014 =20 > root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64 > and is the version of qmail is netqmail-tls-1.06.20110119. >=20 > =20 >=20 > I would be happy to send you more detailed configurations docs. >=20 > =20 >=20 > For now, I have had to drop tls support. >=20 --=20 Regards, Bryan Drewery --bqMdnxMKF4PtvvU6QOQQFkcU3rMXwiSbc Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBAgAGBQJU9fP7AAoJEDXXcbtuRpfP3FoIANkQ9hk62AVI/bWR+8zZQh/N M/XebsilBqbaJl7Kk9vAiiwR88bE+D29V3TR7IrQIy1lOOOf6b14q/nmQuKfzaQn eLwokQDwgziNtU/14wjOcygD868HwKquq3J6YdyU9MVtP5cz2fk8SmztJbbi7Sqk h1yRabF3pnGnsAiXE0GV3fCjtZ6w5GoTrYQuEJSGojxTi3LvzuCg8rBlQCeg1oPc 6v0bt0qYfSqiTQ78b48oIbMn7hZJwo3yyhjQsYLYEXKlj4/6bGN67yldCvmQeRkD FRNpGD8DbD709HqM1DXIc/3wxPS0MUZHFQpOckVe+hR5Y2RM/pPfUo4urwOPalI= =KkJ7 -----END PGP SIGNATURE----- --bqMdnxMKF4PtvvU6QOQQFkcU3rMXwiSbc--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54F5F3F1.3050103>