COMMAND

    MDaemon

SYSTEMS AFFECTED

    MDaemon 4.0.5

PROBLEM

    'buggzy' found the following.  The MDaemon SMTP server can be used
    for unauthorized relaying.  Mail is relayed when it is sent "FROM or
    TO a known user", which means that any message whose envelope sender
    is an account in one of the served domains is always relayed, even
    from an unauthenticated client.  Nothing prevents the client from
    specifying an arbitrary "from" address, for example the system
    account "mdaemon".

        220 bepe ESMTP MDaemon 4.0.5 UNREGISTERED; Thu, 16 Aug 2001 11:38:54 +0600
        > helo somedomain
        250 bepe Hello somedomain, pleased to meet you
        > mail from: mdaemon@bepe
        250 <mdaemon@bepe>, Sender ok
        > rcpt to: alienhard@mail.ru
        250 <alienhard@mail.ru>, Recipient ok

    The message was successfully sent.  In addition, a "Reply-To" field
    can be set in the message header, so the recipient's mail client
    will reply to whatever address the relaying party chooses.

    This looks like a design error: the relay criterion is too weak.  It
    trusts the MAIL FROM envelope address, which is supplied by the
    client and never verified, instead of something the client has to
    prove (SMTP AUTH, which the server advertises as AUTH LOGIN CRAM-MD5,
    or a trusted source address).  This was tested on MDaemon Pro 4.0.5.

    With an unknown sender in the served domain, the external recipient
    is refused:

        220 example.com ESMTP MDaemon 4.0.5 UNREGISTERED; Fri, 17 Aug 2001 18:11:35 -0400
        ehlo blah
        250-example.com Hello blah, pleased to meet you
        250-ETRN
        250-AUTH LOGIN CRAM-MD5
        250-8BITMIME
        250 SIZE 0
        mail from:<blah@example.com>
        250 <blah@example.com>, Sender ok
        rcpt to:<twells@fsckit.net>
        550 <twells@fsckit.net>, Recipient unknown
        quit
        221 See ya in cyberspace

    With a known local account as the (unverified) sender, the same
    external recipient is accepted and the message is relayed:

        220 example.com ESMTP MDaemon 4.0.5 UNREGISTERED; Fri, 17 Aug 2001 18:11:52 -0400
        ehlo blah
        250-example.com Hello blah, pleased to meet you
        250-ETRN
        250-AUTH LOGIN CRAM-MD5
        250-8BITMIME
        250 SIZE 0
        mail from:<MDaemon@example.com>
        250 <MDaemon@example.com>, Sender ok
        rcpt to:<twells@fsckit.net>
        250 <twells@fsckit.net>, Recipient ok
        data
        354 Enter mail, end with <CRLF>.<CRLF>
        From: mdaemon@example.com
        To: twells@fsckit.net
        Subject: Relay Test

        Blah
        .
        250 Ok, message saved
        quit
        221 See ya in cyberspace
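    The following is an added example, not MDaemon code.  It models the
    RCPT TO decision the two transcripts demonstrate (accept if the
    envelope sender OR the recipient is a known local account) beside a
    hardened decision that relays only for SMTP-authenticated sessions or
    trusted client networks, and that refuses an unauthenticated client
    claiming a local sender.  The account list, the trusted network, the
    client addresses and the reply strings of the hardened policy are
    constructed for the example.

```python
"""Relay decision modelled on the MDaemon 4.0.5 behaviour shown above.

Added example, not MDaemon code.  The flawed rule mirrors the transcripts;
the hardened rule relays only on evidence the MAIL FROM string cannot
supply.  LOCAL_ACCOUNTS, TRUSTED_NETS and the sample sessions are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.com"}                  # domains this server serves
LOCAL_ACCOUNTS = {"mdaemon@example.com",         # constructed account list
                  "twells@example.com"}
TRUSTED_NETS = [ip_network("192.0.2.0/24")]      # constructed LAN range


@dataclass
class Session:
    """What the server knows about the client when RCPT TO arrives."""
    client_ip: str
    mail_from: str = ""
    authenticated: bool = False   # completed AUTH LOGIN / CRAM-MD5?


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_local_account(addr: str) -> bool:
    return addr.lower() in LOCAL_ACCOUNTS


def is_trusted(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED_NETS)


def flawed_rcpt(session: Session, rcpt: str) -> str:
    """The 4.0.5 rule as the advisory describes it.  session.mail_from is
    whatever the client typed after MAIL FROM, so an unauthenticated
    client earns relay rights simply by naming an existing account."""
    if domain_of(rcpt) in LOCAL_DOMAINS:          # local delivery, not relaying
        return "250 Recipient ok" if is_local_account(rcpt) else "550 Recipient unknown"
    if is_local_account(session.mail_from):
        return "250 Recipient ok"                 # relayed on a forged sender
    return "550 Recipient unknown"                # wording as in the transcript


def hardened_mail_from(session: Session, sender: str) -> str:
    """Refuse an unauthenticated, untrusted client that claims one of our
    own domains: that is the address-spoofing half of the problem."""
    proven = session.authenticated or is_trusted(session.client_ip)
    if domain_of(sender) in LOCAL_DOMAINS and not proven:
        return "550 Sender address rejected: authentication required"
    session.mail_from = sender
    return "250 Sender ok"


def hardened_rcpt(session: Session, rcpt: str) -> str:
    """Relay only for clients that authenticated or come from a trusted net;
    the sender string plays no part in the decision."""
    if domain_of(rcpt) in LOCAL_DOMAINS:
        return "250 Recipient ok" if is_local_account(rcpt) else "550 Recipient unknown"
    if session.authenticated or is_trusted(session.client_ip):
        return "250 Recipient ok"
    return "550 Relaying denied"


if __name__ == "__main__":
    # The two sessions from the transcripts, replayed against both policies.
    forged = Session("203.0.113.7", "mdaemon@example.com")
    unknown = Session("203.0.113.7", "blah@example.com")
    for name, s in (("forged local sender", forged), ("unknown sender", unknown)):
        print(f"{name:20} flawed: {flawed_rcpt(s, 'twells@fsckit.net')}"
              f" | hardened: {hardened_rcpt(s, 'twells@fsckit.net')}")
```

    Run stand-alone, the script shows the forged "mdaemon@example.com"
    session relayed by the flawed rule and refused by the hardened one,
    while the unknown sender is refused by both.  The hardened rule also
    rejects at MAIL FROM, which closes the spoofing case the SOLUTION
    section describes.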

SOLUTION

    MDaemon does not allow relaying out-of-the-box.  The issue noted by
    'buggzy' is not a relay issue, but rather an address spoofing issue.
    MDaemon has a detailed section on how to prevent this type of
    activity.

    Chapter 9,  around page  130ish, goes  into details  about how  to
    protect your system from being used  as a relay as well as  how to
    protect it from  spam.  Although  we agree it  would seem sensible
    to set the package up to  deny relay and require POP before  SMTP,
    is it now the responsibility of a software vendor to pre-configure
    every aspect of the software for those who download it?

    This is a configuration issue  and a little RTFM would  prevent it
    altogether.