OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: ETRN too fast!
From: Daniel Roesen (droesenentire-systems.com)
Date: Wed Sep 27 2000 - 11:47:37 CDT


On Wed, Sep 27, 2000 at 06:33:04PM +0200, Brad Knowles wrote:
> > I think having an interface to command postfix into flushing
> > to a specific IP is cleaner.
>
> I disagree. This could cause untold amounts of damage if some
> malicious person decided to connect to your mail server and say "ETRN
> entire-systems.com my-ip-address-not-theirs".

Perhaps I was not clear. This interface was intended for other
authentication daemons. NOT for a connecting SMTP client.

> There's a *REASON* why the old "TURN" command in SMTP is not used
> anymore. That's because it is inherently insecure. People
> recognized that a long time ago.

Sure, in it's unauthenticated form. I'n combination with SMTP AUTH
it would be feasible though and would not have the race condition
Wietse outlined.

> But frankly, at that point, you'd be a hell of a lot better off
> with UUCP-over-TCP.

Does Exchange and other products like this support that? I doubt.
What I was looking for was an as generic as possible approach.
SMTP AUTH with TURN would not be generic, too. Using a fake POP3
server which authenticates a customer to trigger SMTP delivery
would be absolutely generic but is prone to the race condition.

Best regards,
Daniel

-- 
----------------------------------------------------------------------
entire systems GmbH         | droesenentire-systems.com
Internet Services           | Phone: +49 2624 9550-55 
Ferbachstrasse 12           | Fax:   +49 2624 9550-20
D-56203 Hoehr-Grenzhausen   | http://www.entire-systems.com/
----------------------------------------------------------------------