
Re: 0.22pre4

On Wed, Oct 02, 2002 at 11:42:01AM -0400, Jeremy Kusnetz wrote:
> > Qmail-sql 0.22pre4 is now available. The main change is the ability to check
> > whether a user exists or not _before_ accepting the mail: at smtp-level.
> > This protects against a specific type of spam-attack. Suppose you have a
> > domain 'foo.org'. A spammer chooses the non-existing address bar@xxxxxxx to
> > send the junk. Complaints and bounces go to bar@xxxxxxxx With the new patch,
> > the server immediately rejects these mails, which should save resources on
> > your server and network.
> Stupid question, does this check come before or after calling qmail-queue?
> How does it handle mail going to multiple people, some may exist, some may
> not exist?

The check happens at smtp-level. For every recipient, the other MTA sends
a command 'rcpt to:<recipient>'. The server replies with 250 if it accepts
mail for that recipient or with 5?? if it permanently denies the mail for
that recipient.
Qmail returns 553 if the domain isn't in rcpthosts. Qmail-sql also
returns 550 if the user doesn't exist. Version 0.22pre4 actually returns 553,
but this has changed in 0.22pre6 after reading the RFC.

If the server receives mail for 10 users, it will 10 times reply with either
250 or 5??. Suppose 8 users don't exist: the server will accept mail for the
2 'legal' recipients and put them in the queue.

As mentioned, 0.22pre6 is now available. This corrects a bug concerning 
checking for aliases. If nobody yells it doesn't work, this will be the