For those of you running qmail, with smtp-auth/starttls configured -
double-check your configuration.

Please, no "this is why you should use X" flamewars. We've had enough
already.

-- 
Nate Carlson <natecars at real-time.com>   | Phone : (952)943-8700
http://www.real-time.com                | Fax   : (952)943-8500


---------- Forwarded message ----------
Date: Mon, 14 Jul 2003 10:34:00 -0600
From: John Brown <jmbrown at chagresventures.com>
To: "nanog at merit.edu" <nanog at merit.edu>
Subject: qmail smtp-auth bug allows open relay


seems that there are installs of the smtp-auth patch
to qmail that accept anything as a user name and password
and thus allow you to connect.

http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2

is one URL that talks about this.

There has been an increase is what appears to be qmail based
open-relays over the last 5 days.  Each of these servers
pass the normal suite of open-relay tests.

Spammers are scanning for SMTP-AUTH and STARTTLS based
mail servers that may be misconfigured. Then using them
to send out their trash.

Some early docs on setting up qmail based smtp-auth systems
had the config infor incorrect.  This leads to /usr/bin/true
being used as the password checker. :(