FreeBSD : spamdyke -- open relay (555ac165-2bee-11dd-bbdc-00e0815b8da8)
Medium Nessus Plugin ID 32449
Synopsis
The remote FreeBSD host is missing a security-related update.
Description
Spamdyke Team reports:
Fixed smtp_filter() to reject the DATA command if no valid recipients have been specified. Otherwise, a specific scenario could result in every spamdyke installation being used as an open relay. If the remote server connects and gives one or more recipients that are rejected (for relaying or blacklisting), then gives the DATA command, spamdyke will ignore all other commands, assuming that message data is being transmitted. However, because all of the recipients were rejected, qmail will reject the DATA command. From that point on, the remote server can give as many recipients as it likes and spamdyke will ignore them all -- they will not be filtered at all. After that, the remote server can give the DATA command and send the actual message data. Because spamdyke is controlling relaying, the RELAYCLIENT environment variable is set and qmail won't check for relaying either.
Thanks to Mirko Buffoni for reporting this one.
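A simplified model of the command/data state tracking described in the report, with and without the DATA check, added here as an illustration (it is not spamdyke's code). The names filter_line, unchecked_rcpts and the local.example recipient policy are assumptions, and the sample session is constructed.

```c
#include <stdbool.h>
#include <string.h>

enum verdict { PASS_CHECKED, REJECTED, PASS_UNCHECKED };

/* hardened: refuse DATA until a recipient was accepted;
 * in_data: the filter believes message data is flowing. */
struct session { bool hardened, in_data; int valid_rcpts; };

/* Constructed policy: only this one domain is accepted. */
static bool rcpt_allowed(const char *line) {
    return strstr(line, "@local.example>") != NULL;
}

/* Verbs are matched in upper case because the constructed input is upper case. */
enum verdict filter_line(struct session *s, const char *line) {
    if (s->in_data)
        return PASS_UNCHECKED;       /* commands are no longer parsed */
    if (strncmp(line, "RCPT TO:", 8) == 0) {
        if (!rcpt_allowed(line))
            return REJECTED;
        s->valid_rcpts++;
    } else if (strncmp(line, "DATA", 4) == 0) {
        if (s->hardened && s->valid_rcpts == 0)
            return REJECTED;         /* stay in command mode */
        s->in_data = true;
    }
    return PASS_CHECKED;
}

/* Count RCPT lines that pass the filter without being checked. */
int unchecked_rcpts(bool hardened, const char *const *lines, int n) {
    struct session s = { hardened, false, 0 };
    int leaked = 0;
    for (int i = 0; i < n; i++)
        if (filter_line(&s, lines[i]) == PASS_UNCHECKED &&
            strncmp(lines[i], "RCPT TO:", 8) == 0)
            leaked++;
    return leaked;
}

/* Constructed session following the sequence in the report above. */
static const char *const SAMPLE[] = {
    "MAIL FROM:<a@remote.example>", "RCPT TO:<x@other.example>", "DATA",
    "RCPT TO:<y@other.example>", "DATA",
};

/* Exit status 0 when the hardened filter leaves no recipient unchecked. */
int main(void) { return unchecked_rcpts(true, SAMPLE, 5); }
```

With the check disabled, the second RCPT in the sample reaches the backend unchecked; with it enabled, the filter stays in command mode and rejects that recipient itself.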
Solution
Update the affected package.