FreeBSD Port: netqmail-tls-1.06.20110119

Bryan Drewery bdrewery at FreeBSD.org
Tue Mar 3 17:48:44 UTC 2015


On 3/2/2015 1:37 PM, Joel F Rodriguez wrote:
> Hello,
>
> I thought I’d send you a quick email to let you know that this port
> seems to be full of security holes. While it seems to work in normal
> operations, I experienced numerous spam attacks caused by an apparent
> failure of AUTH(STARTTLS).

IMHO it's kind of expected with qmail. It's many years unmaintained (in
an upstream sense). Every patch except for spamcontrol is unmaintained
upstream. Put another way, you may want to try qmail-spamcontrol since
it is actively maintained.


> 
> Folks were authorizing using unknown accounts and passwords (backdoors?)
> and I faced a flood of spam as a result. I was able to log one account
> that was being used, and I was unable to block the attack even when I
> removed the account. These attacks continued even after I updated every
> email account to use a random 20 char password.
>
> The second issue I see here is that anyone that successfully authorizes
> can send email using any address they wish, which is why I was getting
> SPAM generated using a fake email address as the originator.
>
> The port I am using is FreeBSD tahoestores.net 9.2-RELEASE-p10 FreeBSD
> 9.2-RELEASE-p10 #0: Tue Jul  8 10:48:24 UTC 2014    
> root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
> and the version of qmail is netqmail-tls-1.06.20110119.
>
> I would be happy to send you more detailed configurations docs.
>
> For now, I have had to drop tls support.
> 

-- 
Regards,
Bryan Drewery
