From: mouss (mouss@netoyen.net)
Date: Thu Feb 07 2008 - 12:54:35 CST
Alejandro Facultad wrote:
> Magnus Bäck wrote:
>
>> On Thursday, February 07, 2008 at 15:54 CET,
>> Alejandro Facultad <alejandro_facultad@yahoo.com.ar> wrote:
>>
>>
>>> Dear all, I have Postfix 2.3.8 as my mail server and I want this: if
>>> someone writes a message to a non-existent mail account from my domain,
>>> he/she must get a response code = 250 and not 550. I want the same
>>> response code that he/she will obtain in case of writing to an
>>> existing mail account.
>>>
>> What on earth would be the point of this? It will cause problems
>> for clients who think Postfix has accepted a recipient and continue
>> with DATA, to which Postfix will respond that there aren't any valid
>> recipients.
>>
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> 220 mail.example.com ESMTP Postfix (2.3.2)
>> HELO localhost
>> 250 mail.example.com
>> MAIL FROM:<>
>> 250 2.1.0 Ok
>> RCPT TO:<nonexistentuser@example.com>
>> 250 2.1.5 Ok
>> DATA
>> 554 5.5.1 Error: no valid recipients
>>
>
> Here is the point, I want the same behaviour you say because we have
> information that some people from the Internet do just what you write
> above and when they get:
>
> RCPT TO:<nonexistentuser@example.com>
> 250 2.1.5 Ok
>
> this 250 indicates that the user from our organization is a valid user
> and they get it, so they stop here and they don't follow with DATA
> command.
>
> We work for a government organization with sensitive data, so our mails
> can't be in public databases.
>
> If an "intruder" does:
>
> RCPT TO:<nonexistentuser@example.com>
> 250 2.1.5 Ok
>
> they won't know which mail account is valid or invalid, they always get
> the same code, and this behaviour "obfuscates" the valid mail accounts.
>
Instead of hiding secrets, create a lot of fake secrets. In short,
"poison" the dictionary (create many false accounts).
The alternative is to create a catchall address and hire a team to
review the delivered mail (because people mistype addresses, but also
because "honest" people try to contact someone using a "guessed"
address, and since you don't return an error, you need to check for such
mail and deliver it to the intended recipient or contact the sender if
you are sure this is not forged mail).
Changing the return code brings nothing good. Don't break the standard.
If SMTP is not adequate for your security level, then don't use SMTP.
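The technical point of the thread is that a client probing RCPT TO learns which addresses exist from the 550 versus 250 reply, and that the defensible answer is to keep the standard reply rather than fake a 250. The standard reply is also what makes the probing visible in the mail log. As an added example that is not part of the original thread or of Postfix itself, the Python script below scans Postfix smtpd log lines for "User unknown" rejections and flags any client IP that is refused a threshold number of distinct recipients within a time window. The log lines are constructed for the example; the threshold, the window and the IP addresses are assumptions, and the regex assumes Postfix's default log wording for a 550 5.1.1 recipient rejection.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the line Postfix smtpd logs when RCPT TO names an unknown local or
# virtual user (the standard 550 5.1.1 behaviour). Syslog timestamps carry no
# year, so ordering is only meaningful within one log file.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

# Constructed sample log (not a real capture): 192.0.2.10 walks a list of
# guessed local parts in a few seconds, 198.51.100.7 mistypes one address and
# then delivers real mail. IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Feb  7 12:50:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<admin@example.com> proto=SMTP helo=<localhost>
Feb  7 12:50:02 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <root@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<root@example.com> proto=SMTP helo=<localhost>
Feb  7 12:50:03 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <jsmith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<jsmith@example.com> proto=SMTP helo=<localhost>
Feb  7 12:50:04 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<admin@example.com> proto=SMTP helo=<localhost>
Feb  7 12:50:05 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <webmaster@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<webmaster@example.com> proto=SMTP helo=<localhost>
Feb  7 12:50:06 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <sales@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<sales@example.com> proto=SMTP helo=<localhost>
Feb  7 12:50:07 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <info@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<info@example.com> proto=SMTP helo=<localhost>
Feb  7 12:51:10 mail postfix/smtpd[2105]: NOQUEUE: reject: RCPT from mx.partner.example[198.51.100.7]: 550 5.1.1 <alejandor@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.example> to=<alejandor@example.com> proto=ESMTP helo=<mx.partner.example>
Feb  7 12:51:30 mail postfix/smtpd[2105]: 3F2A1C0012: client=mx.partner.example[198.51.100.7]
"""


def parse_rejects(lines):
    """Yield (timestamp, client_ip, recipient) for every unknown-user rejection."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m is None:
            continue  # accepted mail, other rejection reasons, other daemons
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("ip"), m.group("rcpt").lower()


def find_enumerators(lines, threshold=5, window_seconds=300):
    """Return {client_ip: distinct_unknown_recipients} for every client that was
    refused `threshold` or more distinct recipients inside some window of
    `window_seconds`. Distinct recipients are counted rather than raw rejections,
    so a legitimate sender retrying one mistyped address is not flagged."""
    per_ip = defaultdict(list)
    for ts, ip, rcpt in parse_rejects(lines):
        per_ip[ip].append((ts, rcpt))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the window fits in window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {rcpt for _, rcpt in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: refused {count} distinct unknown recipients within the window")
```

Run against the sample, the script reports 192.0.2.10 with six distinct refused recipients and says nothing about 198.51.100.7. Two caveats follow from the thread. First, the script only has something to look at because Postfix keeps answering 550: a server that answers 250 to every RCPT TO, as proposed, removes this signal while also breaking the clients Magnus describes. Second, Postfix already slows a single session that accumulates errors (smtpd_soft_error_limit and smtpd_hard_error_limit count rejected RCPT commands), so what a script like this adds is the cross-session view, which is where the result can be turned into a client block or an alert.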