[imp] Horde-imp as open relay.

Michael M Slusarz slusarz at horde.org
Fri Mar 27 16:26:54 UTC 2009

Quoting Duane Zimmer <duane.zimmer at yourlinkinc.net>:

> Hey all,
> I have two error messages on two different servers.  I am using  
> horde 3.3 and imp 4.3  on a Linux Gentoo Servers.  Originally  
> someone found a way to send messages using compose.php script and  
> they used my two domains as relays via imp.  I updated to the  
> current versions above but on the one server they are still able to  
> send through but I have enable policyd and limited sending from my  
> webmail and I am blocking senders, I base my blocking on the apache  
> access log
> - - [26/Mar/2009:09:19:21 -0600] "GET  
> /horde/imp/compose.php?mailbox=INBOX&uniq=1238080491000 HTTP/1.1"  
> 200 6305

This has appeared on the mailing list numerous times.  There is no  
security issue in IMP.  This can only happen if the attacker has  
obtained a username/password to login as.  Newer versions of IMP have  
rate limiting for senders to workaround this issue.

> After the upgrade on the other server I have a
> PHP Notice:  Undefined variable: editor in  
> /var/www/localhost/htdocs/horde/imp/lib/UI/Compose.php

This is a config file issue.  Or the (extremely) rare case where  
'tinymce' was previously your default jseditor (it was removed in  
later releases).


Michael Slusarz [slusarz at horde.org]

More information about the imp mailing list