[imp] IMP as an open relay

Carlton Thomas carlton@gifford.co.uk
Mon, 27 May 2002 10:01:13 +0100 (GMT/BST)

On Sun, 26 May 2002, Chuck Hagenbuch wrote:

> Quoting Carlton Thomas <carlton@gifford.co.uk>:
> > I think that the easiest way to combat this is to require that the
> > user specify an SMTP server and SMTP authentication details when
> > they specify a POP3/IMAP server which is not local (i.e. the POP3/IMAP
> > server is not selected from a pull-down list). The administrator should
> > be allowed to override this. however, I believe that the default should
> > be to require SMTP server details where POP3/IMAP server details have
> > been specified.
> This is completely unworkable with most SMTP servers; a user's local SMTP 
> server will likely think you're trying to relay through it if you use it 
> remotely in that way.


I think that you have misunderstood me. If you provide a drop-down list of
servers, you are most likely providing email services for a closed 
community and it is OK to allow them to relay through your SMTP server 
without having to provide SMTP authentication details. However, if the
user is allowed to specify a POP3/IMAP server by typing its name (just
like the IMP demo site) then I believe that the facility should be built
into IMP to also request the SMTP server authentication details. IMP
should then send mail using the specified SMTP server. 

If this facility is not added, IMP installations which allow the user to 
type in a POP3/IMAP server name *will* be abused sooner or later and will 
then be blackholed.

Regards !

Bristol, United Kingdom 
Tel: 0845 111 0032
Tel: 0117 939 7722
Fax: 0845 111 0033
Email: admin@gifford.co.uk
Web: http://www.gifford.co.uk