On Mon, Aug 29, 2005 at 11:34:24PM +0800, Mark Quitoriano wrote: > i just implemented pop-before-smtp[1], my problem is after recieving the > mails i connect to the server using telnet and try to send spam using the > mail server it did send it didn't ask for authentication anymore. i'm not > sure how this pop-before-smtp really works but i was thinking how should i > secure the server in this kind of attacks. while others are correct that pop-before-smtp is a hack, it's not necessarily the wrong solution. it's not entirely clear what your question is - but here's how it's supposed to work: if you haven't popped from an IP address, you can't send smtp from that address (unless postfix is configured to allow it via some other mechanism). once you pop from an IP address, it's added to a list of permitted IPs that can send SMTP. There is a timeout attached, after which it is removed from the list. I think the perl pop-before-smtp program defaults to an hour - i changed it to 8 hours or maybe a day after too many (l)user complaints. danno