FW: qmail smtp-auth bug allows open relay

Steve Thomas lists at STHOMAS.NET
Mon Jul 14 17:50:47 IST 2003

Heads up to all qmail users out there...

----- Forwarded message from John Brown -----

Date: Mon, 14 Jul 2003 10:34:00 -0600
From: John Brown <..... at chagresventures.com>
To: nanog at merit.edu
Subject: qmail smtp-auth bug allows open relay

seems that there are installs of the smtp-auth patch
to qmail that accept anything as a user name and password
and thus allow you to connect.


is one URL that talks about this.

There has been an increase is what appears to be qmail based
open-relays over the last 5 days.  Each of these servers
pass the normal suite of open-relay tests.

Spammers are scanning for SMTP-AUTH and STARTTLS based
mail servers that may be misconfigured. Then using them
to send out their trash.

Some early docs on setting up qmail based smtp-auth systems
had the config infor incorrect.  This leads to /usr/bin/true
being used as the password checker. :(

>From an operational perspective, I suspect we will see more
SMTP scans

The basic test (see URL above) should get incorporated into
various open-relay testing scripts.


john brown
chagres technologies, inc

----- End forwarded message -----

"All truth passes through three stages. First, it is ridiculed. Second, it is violently opposed. Third, it is accepted as being self-evident."
- Arthur Schopenhauer (1788-1860)

More information about the MailScanner mailing list