On Wed, 2 Jul 2008, Michel wrote:

>> how the hell is the MTA to know what is genuine Email and what is not,
>
> that's the point, it does not and does not need to, as well as SM does not need to
> check if a correct user/password given is typed by the client or by any other
> individual

That's correct. If they guess a user/pass they have, as far as SM is concerned, legitimate access and the right to send email, so again it is not SM's problem; it, like the MTA, is doing what it's been told to do.

>> when they both posted from the same machine and it's told to relay for
>
> that is the other point, the exploiter will probably NOT post from the same
> computer and that is where the correct MTA config hooks in: NOT allowing mail relay

HUH? No, you certainly do not understand this at all. It will not relay for the end user; it relays for SM users, from the web submission on that local server.

I'll put it as plain as I can think of...

SERVER (it has its 'net' IP and also it is internally known as localhost/127.0.0.1)

MTA (any, will relay for itself, AKA localhost) (or whatever you config SM to use as your outbound MTA)

SM (sits there waiting...)

USER -- logs in to SM

SM: hi, thank you, welcome, here's your mail, and because you have authenticated and been granted access I will let you send emails from your current Webmail session.

The MTA is relaying for the webmail server, no-one else (if you know how to set it up).

So you see they just do what they are told to do, and the MTA must relay for SM, else WTF is the point of having webmail? You might as well have a read-only mail system, in which case your users won't be back often, if at all :)

It is not SM or Sendmail or Qmail or Exim or Postfix etc.'s fault if a user has gained access to a webmail account illegally through brute force or however and sends 10K emails, because it is again an authorised account to login and read/send email.
If you do what you earlier said and rate limit the localhost MTA, you are going to be in all sorts of strife with no-one being able to send emails; 2 out of 10 might get through. Now, to do it per user will not work, because to the MTA every SM-submitted email comes from the same IP, the SM server itself, not the end users; it couldn't care less what IP that user actually comes from if it is a legal login account.

-- 
Cheers
Res

--- Usenet policy, and why I might ignore you ---
1/ GoogleGroups are UDP'd on my nntp server. If you use them, don't waste your time or energy replying to me.
2/ If only cleanfeed filtered out trolls as well as spam, usenet would be a nicer place.
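The failure mode described in the post above, as an added illustration that is not part of the original message or of SquirrelMail: a rate limiter keyed on the MTA's client IP sees every webmail submission as 127.0.0.1, so one brute-forced account exhausts the shared budget and the honest users behind it are rejected too. Keying the same limiter on the authenticated webmail username (which only the webmail layer knows, since the MTA never sees it) throttles just the abusive account. The limiter, the 5-messages-per-60-seconds budget, the usernames and the submission log are all constructed for this example.

```python
"""Why a per-IP rate limit on the localhost MTA cannot tell webmail users apart.

Added example, not code from SquirrelMail or the original post.  The limiter,
the budget (5 messages per 60 s) and the submission log are constructed.
"""
from collections import defaultdict, deque


class RateLimiter:
    """Sliding-window limiter keyed on an arbitrary string (IP or username)."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:  # drop timestamps that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed submission log: (time in seconds, webmail user, MTA client IP).
# Every webmail submission reaches the MTA from 127.0.0.1 regardless of the
# user's real address.  "mallory" is a brute-forced account sending a burst.
SUBMISSIONS = (
    [(t, "mallory", "127.0.0.1") for t in range(0, 20)]   # 20 msgs in 20 s
    + [(t, "alice", "127.0.0.1") for t in (21, 22, 23)]   # normal use
    + [(t, "bob", "127.0.0.1") for t in (24, 25)]         # normal use
)


def run(keyed_on):
    """Replay SUBMISSIONS through a limiter keyed on 'ip' or 'user'.

    Returns {user: (accepted, rejected)}.
    """
    if keyed_on not in ("ip", "user"):
        raise ValueError("keyed_on must be 'ip' or 'user'")
    limiter = RateLimiter(limit=5, window_seconds=60)
    counts = defaultdict(lambda: [0, 0])
    for t, user, ip in SUBMISSIONS:
        key = ip if keyed_on == "ip" else user
        counts[user][0 if limiter.allow(key, t) else 1] += 1
    return {user: tuple(c) for user, c in counts.items()}


if __name__ == "__main__":
    for mode in ("ip", "user"):
        print(f"limiter keyed on {mode}:")
        for user, (ok, rejected) in run(mode).items():
            print(f"  {user:8s} accepted={ok} rejected={rejected}")
```

Keyed on IP, mallory's first five messages use up the single 127.0.0.1 bucket and alice and bob are rejected outright; keyed on user, alice and bob are untouched and only mallory is throttled. In Postfix terms this is the gap between `smtpd_client_message_rate_limit`, which counts per connecting client address and so lumps all webmail traffic together, and a per-account limit, which has to be enforced where the account identity exists: in the webmail application, or by having it authenticate to the MTA with SMTP AUTH as the individual user rather than as a trusted localhost client.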