From: Pablo Fernández (pablo.mlist_at_attla.net.ar)
Date: Tue Oct 01 2002 - 14:46:43 CDT
----- Original Message -----
From: "Ralf Hildebrandt" <Ralf.Hildebrandt charite.de>
To: <postfix-users postfix.org>
Sent: Tuesday, October 01, 2002 3:46 PM
Subject: Re: Security bug?
> On Tue, Oct 01, 2002 at 03:37:13PM -0300, Pablo Fernández wrote:
>
> > I'm using Postfix 1.1.11 in two of my servers. I don't know how, an
> > external user to my company had the possibility to see my aliases
> > list in both servers, discovering an alias called
> > 'envio_newsletter_1510' and 'mylist-outbound'. (both include a file
> > with 15000 email addresses.)
> >
> [ ... ]
>
> Excellent. And what did you learn from this?
>
> [ ] I'm not supposed to leave lists unmoderated
> [ ] I'm supposed to run large distribution lists through a mailing
> list manager
> [ ] I'm supposed to protect my lists as described in the FAQ
It was just a forgotten alias to test the Postfix performance and to take out
stats before installing Majordomo in each one of the systems.
I made a mistake in forgetting to remove that alias from my aliases file.
> > Is this a Postfix bug? I mean, how would an external user be able to
> > see my aliases file?
>
> That is a valid question. Maybe he received a legitimate mail via this
> list and had a look at the headers? Do you have a webserver on that box?
The strange thing is that each mail sent to those email accounts was made
with Blind Courtesy Copy.
Supposedly nobody should have seen that account. Am I mistaken?
I'm running Apache 1.3.26 in one of these boxes.
Thank you, I really appreciate your help.
Pablo.