I was just thinking today that if anyone knew a valid email address on my Postfix mail server, anyone could simply telnet to it (assuming they're on a trusted network / mynetworks) and send mail posing as that valid email address. I know this is not a huge security deal since it's coming from a client listed in the mynetworks parameter, but sometimes we have not-so-nice people we are forced to trust. Does this sound correct to anyone here?

Normally on any mail client you need a username / password to send / receive email for a specific user, but in the case of Telnet or just sending, it appears this is not required. Is there something I overlooked?

Code:
jim@iamghost:~$ telnet 192.168.0.105 25
Trying 192.168.0.105...
Connected to 192.168.0.105.
Escape character is '^]'.
220 mail.iamghost.com ESMTP
EHLO carl.iamghost.com
250-mail.iamghost.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: [email protected]
250 2.1.0 Ok
rcpt to: [email protected]
250 2.1.5 Ok
Data
354 End data with <CR><LF>.<CR><LF>
Subject: You Suck!
You suck and I QUIT!!!
.
250 2.0.0 Ok: queued as 7CE1B5FF18
quit
221 2.0.0 Bye
Connection closed by foreign host.
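
One way to spot a submission like the one in the session above from the server side, as an added example that is not part of the original post: it reads Postfix log lines and flags messages that were accepted without SASL authentication while claiming an envelope sender in a local domain. The log lines are constructed (only the queue ID 7CE1B5FF18 and the iamghost.com names come from the post), and the function name and the assumption of short hexadecimal queue IDs are this example's own.

```python
import re

# Constructed sample in Postfix's syslog format. Only the queue ID 7CE1B5FF18
# and the iamghost.com host names come from the session above; the addresses,
# client IPs and the other queue IDs are made up for this example.
SAMPLE_LOG = """\
Jan 10 10:00:01 mail postfix/smtpd[2211]: 7CE1B5FF18: client=carl.iamghost.com[192.168.0.50]
Jan 10 10:00:02 mail postfix/qmgr[1033]: 7CE1B5FF18: from=<boss@iamghost.com>, size=350, nrcpt=1 (queue active)
Jan 10 10:05:00 mail postfix/smtpd[2212]: 8A1C25FF19: client=laptop.iamghost.com[192.168.0.51], sasl_method=PLAIN, sasl_username=jim
Jan 10 10:05:01 mail postfix/qmgr[1033]: 8A1C25FF19: from=<jim@iamghost.com>, size=410, nrcpt=1 (queue active)
Jan 10 10:09:00 mail postfix/smtpd[2213]: 9B2D35FF1A: client=mx.example.net[203.0.113.7]
Jan 10 10:09:01 mail postfix/qmgr[1033]: 9B2D35FF1A: from=<alice@example.net>, size=900, nrcpt=1 (queue active)
"""

# Assumes short (hexadecimal) queue IDs, as in "queued as 7CE1B5FF18".
LINE = re.compile(r"postfix/(?P<svc>smtpd|qmgr)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
CLIENT = re.compile(r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]")
SASL_USER = re.compile(r"sasl_username=(?P<user>[^,\s]+)")
SENDER = re.compile(r"from=<(?P<addr>[^>]*)>")

def unauthenticated_local_senders(log_text, local_domains):
    """Return (queue_id, client_ip, sender) for mail that claims a local
    sender but was accepted without SASL authentication."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec = msgs.setdefault(m["qid"], {"client": None, "sasl_user": None, "sender": None})
        if m["svc"] == "smtpd" and (c := CLIENT.search(m["rest"])):
            # smtpd logs the client and, if AUTH succeeded, the SASL login.
            rec["client"] = c["ip"]
            u = SASL_USER.search(m["rest"])
            rec["sasl_user"] = u["user"] if u else None
        elif m["svc"] == "qmgr" and (s := SENDER.search(m["rest"])):
            # qmgr logs the envelope sender given in MAIL FROM.
            rec["sender"] = s["addr"].lower()
    findings = []
    for qid, rec in msgs.items():
        domain = (rec["sender"] or "").rpartition("@")[2]
        if rec["client"] and rec["sasl_user"] is None and domain in local_domains:
            findings.append((qid, rec["client"], rec["sender"]))
    return findings

if __name__ == "__main__":
    for qid, ip, sender in unauthenticated_local_senders(SAMPLE_LOG, {"iamghost.com"}):
        print(f"{qid}: {sender} submitted from {ip} without SASL authentication")
```

Inbound mail from outside hosts is not flagged because its sender domain is not local, and authenticated submissions are skipped because the smtpd line carries `sasl_username`.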