FreeBSD Port: netqmail-tls-1.06.20110119

Joel F Rodriguez joel at tahoestores.com
Mon Mar 2 19:37:55 UTC 2015


Hello,

I thought I'd send you a quick email to let you know that this port seems to
be full of security holes. While it seems to work in normal operations, I
experienced numerous spam attacks caused by an apparent failure of
AUTH(STARTTLS). 

Folks were authorizing using unknown accounts and passwords (backdoors?) and
I faced a flood of spam as a result. I was able to log one account that was
being used, and I was unable to block the attack even when I removed the
account. These attacks continued even after I updated every email account to
use a random 20 char password.

The second issue I see here is that anyone that successfully authorizes can
send email using any address they wish, which is why I was getting SPAM
generated using fake email addresses as the originator.

The port I am using is FreeBSD tahoestores.net 9.2-RELEASE-p10 FreeBSD
9.2-RELEASE-p10 #0: Tue Jul  8 10:48:24 UTC 2014
root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64 and
the version of qmail is netqmail-tls-1.06.20110119.

I would be happy to send you more detailed configuration docs.

For now, I have had to drop tls support.

Thanks

Joel Rodriguez

Gossamer Computer Services
