A
alexhubner
Guest
Ok, this is something I still looking for a good response, so I'll try one more time here.
Plesk 7.5.4 allow anyone to send emails to local domains without authenticate or providing credentials. It doesn't matter what authentication method you choose under "Mail" settings (POP before SMTP or SMTP Auth), you will always be permited to send messages to local domains using a Plesk host and without providing proper authentication/credentials.
No authentication, nothing. You can simple configure your e-mail client (or spam script) to send messages to local domains using the host's SMTP server, bypassing SPF checks and delivering spam and virus as a legitimate domain user. That's very bad.
Discussion (with no real response so far) can be found here: http://forums.ev1servers.net/showthread.php?t=62149
People say this behaviour is necessary otherwise mail sent from to the domain will not be delivered. That's not true since the majority of SMTP servers I've know do not allow you to send messages without proper authentication, even if the destination is a local domain.
I wonder how people can sleep with this. I can't, and I'm seriously considering moving away from Plesk and this "non understandable" security flaw.
Any help will be GREATLY appreciated.
Plesk 7.5.4 allow anyone to send emails to local domains without authenticate or providing credentials. It doesn't matter what authentication method you choose under "Mail" settings (POP before SMTP or SMTP Auth), you will always be permited to send messages to local domains using a Plesk host and without providing proper authentication/credentials.
No authentication, nothing. You can simple configure your e-mail client (or spam script) to send messages to local domains using the host's SMTP server, bypassing SPF checks and delivering spam and virus as a legitimate domain user. That's very bad.
Discussion (with no real response so far) can be found here: http://forums.ev1servers.net/showthread.php?t=62149
People say this behaviour is necessary otherwise mail sent from to the domain will not be delivered. That's not true since the majority of SMTP servers I've know do not allow you to send messages without proper authentication, even if the destination is a local domain.
I wonder how people can sleep with this. I can't, and I'm seriously considering moving away from Plesk and this "non understandable" security flaw.
Any help will be GREATLY appreciated.