> I am working on changing the code of majordomo by hand to solve some
> major security problems with it. The problems that I have are that
> 1) anyone can post to the list by sending e-mail to list-l-outgoing
> and 2) anyone can get a copy of the list by sending majordomo telnet
> client 25, expn listname-outgoing even if I disable the who command
> in majordomo.
>
> Can anyone give suggestions on solving the above problems?

Suggestion for problem #2:

If you are using V8 sendmail as your MTA, it can be configured to disallow
the SMTP expn operation. This is also useful in many contexts other than
mailing lists and Majordomo. Take a look at the p (privacy) option, and
especially the "noexpn" argument.

Granted, this will need to be done systemwide, and if you aren't the sys.
admin. for your site, you'll need to convince someone else of the validity
of this solution. I think, however, the arguments in favor of enabling
this behavior outweigh the arguments against it.

Hope this helps!

Tim
--
Tim Pesce Whole Earth 'Lectronic Link (415) 332-4335 VOICE
System Administrator 1750 Bridgeway Suite A200 (415) 332-4927 FAX
tpesce@well.sf.ca.us Sausalito, CA 94965-1900
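
An added example, not part of the original messages and not sendmail's own code: a Python check that reads sendmail.cf text and reports whether the privacy option mentioned in the reply disables EXPN. The sample configurations are constructed, the function names are hypothetical, and treating several privacy lines as cumulative is an assumption of this example.

```python
import re

# Flags that switch EXPN off. "goaway" is sendmail's shorthand that
# enables noexpn together with novrfy and other restrictive flags.
BLOCKS_EXPN = {"noexpn", "goaway"}

# Short form, e.g. "Opauthwarnings,noexpn". Case matters: "OP" is a
# different option, so this pattern must not ignore case.
SHORT_RE = re.compile(r"^Op(.*)$")
# Long form used by later V8 releases, e.g. "O PrivacyOptions=noexpn".
LONG_RE = re.compile(r"^O\s+(?i:PrivacyOptions)\s*=\s*(.*)$")


def privacy_flags(cf_text):
    """Return {flag: first line number} for every privacy flag set."""
    found = {}
    for lineno, line in enumerate(cf_text.splitlines(), start=1):
        m = SHORT_RE.match(line) or LONG_RE.match(line)
        if not m:
            continue  # comments ("#...") and unrelated lines fall through
        # Assumption: flags from several lines add up rather than replace.
        for flag in re.split(r"[^A-Za-z0-9]+", m.group(1)):
            if flag:
                found.setdefault(flag.lower(), lineno)
    return found


def expn_disabled(cf_text):
    """True when the configuration sets a flag that refuses SMTP EXPN."""
    return bool(BLOCKS_EXPN & privacy_flags(cf_text).keys())


# Constructed sample: a privacy line exists but EXPN is still answered.
WEAK_CF = "# constructed sample\nOpauthwarnings\n"
# Constructed sample: the setting suggested in the reply.
HARDENED_CF = "# constructed sample\nOpauthwarnings,noexpn\n"
# Constructed sample: long option name with the shorthand flag.
LONG_FORM_CF = "O PrivacyOptions=goaway\n"

if __name__ == "__main__":
    for name, cf in [("weak", WEAK_CF), ("hardened", HARDENED_CF),
                     ("long form", LONG_FORM_CF)]:
        state = "disabled" if expn_disabled(cf) else "ALLOWED"
        print(f"{name}: EXPN {state}; flags={privacy_flags(cf)}")
```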