HylaFAX The world's most advanced open source fax server


Re: [hylafax-users] Routing faxes to other fax servers based on phone number



On Fri, Mar 22, 2002 at 08:54:22AM -0800, Lee Howard wrote:
> On 2002.03.22 06:45 Joe Phillips wrote:
> > 
> > I wasn't only talking about the broken-ness of email-to-fax systems but
> > also email as a whole.  SMTP has little to no authentication built in.
> > It's a store and forward system where the relays basically accept email
> > from just about any other relay, headers can be easily forged, an open
> > relay is easy to configure and exploit.
> 
> Curious, do you feel, then, that SMTP AUTH is useless?  I think that open 
> mail relays (although still out there) have been diminishing in number 
> since SMTP servers have been changing their defaults away from that 
> configuration.  Granted, nothing stops an admin from opening it up because 
> "it's easier" to configure that way.

I am not familiar with SMTP AUTH.  All I know is in reality I get hundreds
of spam email a day when I disable the RBLs on my server.  Even with RBL,
I get a bunch of spam every day.  This whack-a-mole approach to catching
resource abuse tells me that there is a problem.  The problem may be in
the protocol or its current implementations.

I agree that as the default config tightens, so the spam diminishes.  But
that only covers poorly configured open relays - open-relay-by-accident.
A spammer can still purposely configure an open relay and we have a
problem.
 
> > In designing a HylaFAX least-cost-routing solution, we should be aware
> > of these problems and try to learn from them.
> 
> Agreed.  Other than the hfaxd communication being in cleartext, do you 
> dislike its authentication method otherwise?

From what I've seen, it's functional.  It works and no obvious problems
stand out to me.

I'm mainly worried about things like the suggestion that we should allow
jobs to be relayed from any other server without passwords.  That's a problem.
We should aim to be secure by default.  If the admin wants to shoot his
own foot off then that's his problem.

-joe
-- 
     Innovation Software Group, LLC - http://www.innovationsw.com
               Custom Internet and Computer Solutions
                   Linux, UNIX, Java Training
