For those of you running qmail, with smtp-auth/starttls configured - double-check your configuration. Please, no "this is why you should use X" flamewars. We've had enough already. -- Nate Carlson <natecars at real-time.com> | Phone : (952)943-8700 http://www.real-time.com | Fax : (952)943-8500 ---------- Forwarded message ---------- Date: Mon, 14 Jul 2003 10:34:00 -0600 From: John Brown <jmbrown at chagresventures.com> To: "nanog at merit.edu" <nanog at merit.edu> Subject: qmail smtp-auth bug allows open relay seems that there are installs of the smtp-auth patch to qmail that accept anything as a user name and password and thus allow you to connect. http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2 is one URL that talks about this. There has been an increase is what appears to be qmail based open-relays over the last 5 days. Each of these servers pass the normal suite of open-relay tests. Spammers are scanning for SMTP-AUTH and STARTTLS based mail servers that may be misconfigured. Then using them to send out their trash. Some early docs on setting up qmail based smtp-auth systems had the config infor incorrect. This leads to /usr/bin/true being used as the password checker. :(