Hector Santos <hsantos(_at_)santronics(_dot_)com> writes:
220 mail6.velocitywest.com ESMTP
helo hdev1
250 mail6.velocitywest.com
mail from: <>
250 ok
rcpt to: <dmq(_at_)gain(_dot_)com>
250 ok
data
354 go ahead
hi there david! No RFC Header!
.
250 ok 1110911858 qp 17196
PS: I didn't show it above, but at a minimum, your server should check
for MAIL FROM correct syntax. It accepted a typo address. That alone
will add some security.
qmail accepts a space before the envelope sender specifically because
sendmail does, and therefore many e-mail clients send it that way. This
gets back to that previous discussion about false positives on enforcement
of strict SMTP checking.
qmail also does no syntax checking of the mail message (the DATA portion)
at all in the SMTP listener specifically to limit possible remote attacks
by doing the minimal possible work in the publically accessible portion of
the system. It's a questionable decision (and believe me, lots of people
have questioned it), but it was an intentional design choice and one that
arguing about on IETF mailing lists is guaranteed not to change anything
(most of us here have been there and done that).
If one doesn't like these design choices, one shouldn't use qmail. qmail
is pretty much an all or nothing deal; either you can live with djb's
quirks as well as his good design points, or you need to use a different
MTA. (Although for this issue in particular, there are several different
SMTP front ends that can be used instead of qmail-smtpd that do stricter
checking.)
--
Russ Allbery (rra(_at_)stanford(_dot_)edu)
<http://www.eyrie.org/~eagle/>