[wplug] double-authentication for IMAP and SMTP-AUTH

Chris Romano romano.chris at gmail.com
Tue Dec 14 09:04:01 EST 2004


On Tue, 14 Dec 2004 08:44:29 -0500, Bill Moran <wmoran at potentialtech.com> wrote:
> Chris Romano <romano.chris at gmail.com> wrote:
> 
> > I don't know if postfix has this option/patch or not but you can
> > look for a smtp-after-imap feature.  I use qmail and there are patches
> > that will allow relaying only after a successful auth against imap or
> > pop3.  This way there is only one user/pass combo and you can use
> > virtual users so there are no shell accounts.
> 
> Just like pop-before-smtp, that sort of setup is susceptible to a race
> condition that would allow unauthorized relaying.  Those techniques are
> basically a hack to make it work until SMTP AUTH was ready.
> 

True, but if this is not a large mail server it would be hard to
trigger.  If he sets the timeouts to say 15 minutes, then someone
only has 15 minutes to guess an IP and send a forged message or
messages.  If his users are connecting from home and have dynamic IPs,
then the attacker can't really rely on using the same IPs.

Chris
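
The trade-off discussed in this thread, as an added example that is not part of the original posts: a minimal model of an IP-keyed relay table (smtp-after-imap / pop-before-smtp) next to a per-connection SMTP AUTH decision. The class and function names, the 203.0.113.7 address and the timings are constructed for illustration; they are not qmail or postfix code.

```python
from dataclasses import dataclass

WINDOW = 15 * 60  # seconds; the 15-minute timeout mentioned in the thread


class RelayAfterImap:
    """Hypothetical model of an IP-keyed relay table (smtp-after-imap)."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.last_login = {}  # client IP -> time of last successful IMAP/POP3 login

    def record_login(self, ip, now):
        self.last_login[ip] = now

    def may_relay(self, ip, now):
        # Decision depends only on the source address and the clock.
        seen = self.last_login.get(ip)
        return seen is not None and now - seen <= self.window

    def exposure(self, ip, released_at):
        # Seconds the address stays authorized after its user stopped using it.
        seen = self.last_login.get(ip)
        if seen is None:
            return 0
        return max(0, seen + self.window - released_at)


@dataclass
class SmtpSession:
    ip: str
    authenticated: bool  # True only if this connection completed SMTP AUTH


def may_relay_smtp_auth(session):
    # Decision is tied to the connection, not to the address it comes from.
    return session.authenticated


def compare(ip="203.0.113.7"):  # constructed address from a documentation range
    table = RelayAfterImap()
    table.record_login(ip, now=0)  # a user logs in over IMAP at t=0
    other = SmtpSession(ip=ip, authenticated=False)  # different client, same IP
    return {
        "table_inside_window": table.may_relay(other.ip, now=10 * 60),
        "table_after_window": table.may_relay(other.ip, now=16 * 60),
        "smtp_auth": may_relay_smtp_auth(other),
        "exposure_if_released_at_5min": table.exposure(ip, released_at=5 * 60),
    }
```

Shortening the window shrinks the exposure figure but never ties the relay decision to the user; only the per-connection check does that.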

