1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Qmail authentication for local domains

Discussion in 'Plesk for Linux - 8.x and Older' started by alexhubner, Jun 9, 2006.

  1. alexhubner

    alexhubner Guest

    Ok, this is something I still looking for a good response, so I'll try one more time here.

    Plesk 7.5.4 allow anyone to send emails to local domains without authenticate or providing credentials. It doesn't matter what authentication method you choose under "Mail" settings (POP before SMTP or SMTP Auth), you will always be permited to send messages to local domains using a Plesk host and without providing proper authentication/credentials.

    No authentication, nothing. You can simple configure your e-mail client (or spam script) to send messages to local domains using the host's SMTP server, bypassing SPF checks and delivering spam and virus as a legitimate domain user. That's very bad.

    Discussion (with no real response so far) can be found here: http://forums.ev1servers.net/showthread.php?t=62149

    People say this behaviour is necessary otherwise mail sent from to the domain will not be delivered. That's not true since the majority of SMTP servers I've know do not allow you to send messages without proper authentication, even if the destination is a local domain.

    I wonder how people can sleep with this. I can't, and I'm seriously considering moving away from Plesk and this "non understandable" security flaw.

    Any help will be GREATLY appreciated.