Posted to server-user@james.apache.org by Jacques Lema <ja...@link-u.com> on 2001/08/26 14:33:08 UTC

Security with HELO

Hi, I just scanned my system running James 1.2.1...

Warning is included below. Does this warning apply to James, and if so, how
can I avoid that?

Thanx


Warning found on port smtp (25/tcp)

The remote STMP server seems to allow remote users to
send mail anonymously by providing a too long argument
to the HELO command (more than 1024 chars).

This problem may allow bad guys to send hate
mail, or threatening mail using your server
and keep their anonymity.

Risk factor : Low.

Solution : If you are using sendmail, upgrade to
version 8.9.x. If you do not run sendmail, contact
your vendor.
CVE : CAN-1999-0098



---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org


Re: Security with HELO

Posted by Serge Knystautas <se...@lokitech.com>.
This warning only applies if you were running sendmail, because there is a
vulnerability from sending a long HELO message.  James doesn't have this
bug, so you're getting a false warning.  (There's nothing in the HELO
command that could allow you to send a message.)

Serge Knystautas
Loki Technologies
http://www.lokitech.com/
----- Original Message -----
From: "Jacques Lema" <ja...@link-u.com>
To: <ja...@jakarta.apache.org>
Sent: Sunday, August 26, 2001 8:33 AM
Subject: Security with HELO


> Hi, I just scanned my system running James 1.2.1...
>
> Warning is included below. Does this warning apply to James, and if so, how
> can I avoid that?
>
> Thanx
>
>
> Warning found on port smtp (25/tcp)
>
> The remote STMP server seems to allow remote users to
> send mail anonymously by providing a too long argument
> to the HELO command (more than 1024 chars).
>
> This problem may allow bad guys to send hate
> mail, or threatening mail using your server
> and keep their anonymity.
>
> Risk factor : Low.
>
> Solution : If you are using sendmail, upgrade to
> version 8.9.x. If you do not run sendmail, contact
> your vendor.
> CVE : CAN-1999-0098
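
The scanner check quoted above sends a HELO argument of more than 1024 characters. As an added example (not part of this thread and not James code), this is what bounded HELO handling looks like on the server side; the function names, the simplified argument pattern and the sample input are assumptions, and the limits are the ones given in RFC 5321.

```python
import io
import re

MAX_LINE = 512    # RFC 5321 4.5.3.1.4: command line limit, CRLF included
MAX_DOMAIN = 255  # RFC 5321 4.5.3.1.2: domain name limit
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
# Simplified: a dotted host name or a bracketed address literal.
HELO_ARG = re.compile(rf"{LABEL}(?:\.{LABEL})*|\[[0-9A-Za-z:.]+\]")


def read_command(stream):
    """Return one CRLF-terminated line, or None if it is overlong or malformed.

    At most MAX_LINE + 1 bytes are buffered at a time; the tail of an
    overlong line is drained so it cannot be parsed as further commands.
    """
    line = stream.readline(MAX_LINE + 1)
    if len(line) <= MAX_LINE and line.endswith(b"\r\n"):
        return line
    while line and not line.endswith(b"\n"):
        line = stream.readline(MAX_LINE)
    return None


def handle_helo(stream, peer_ip):
    """Return (reply_code, from_clause); from_clause is None unless accepted."""
    raw = read_command(stream)
    if raw is None:
        return 500, None  # line too long or bad terminator
    try:
        verb, _, arg = raw[:-2].decode("ascii").partition(" ")
    except UnicodeDecodeError:
        return 500, None
    if verb.upper() != "HELO":
        return 500, None
    if len(arg) > MAX_DOMAIN or not HELO_ARG.fullmatch(arg):
        return 501, None  # syntax error in the HELO argument
    # The trace clause records the TCP peer address, which the client cannot
    # choose, next to the HELO name, which it can.
    return 250, f"from {arg} ([{peer_ip}])"


# Constructed input: a 1100-character HELO argument, then a normal HELO.
SAMPLE = io.BytesIO(b"HELO " + b"A" * 1100 + b"\r\nHELO mail.example.org\r\n")
PEER = "192.0.2.10"  # documentation address (RFC 5737)

if __name__ == "__main__":
    print(handle_helo(SAMPLE, PEER))  # overlong line is rejected
    print(handle_helo(SAMPLE, PEER))  # next command still parses cleanly
```
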


