
Thread: Re: Auto-creation of user accounts after-effects




Re: Auto-creation of user accounts after-effects
United States
2007-02-19 02:23:40
> My question is how I can leave this "Auto-creation of user accounts"
> enabled and prevent creation of fictitious user accounts? Should I change
> authentication method to POP3?

Depending on the MTA you are using, your best bet is to implement a system
that checks the existence of the downstream account before the MTA accepts
the email. With Postfix, this feature is called Address Verification. See
here for more details:
http://www.postfix.org/ADDRESS_VERIFICATION_README.html

I am not too familiar with other MTAs, but I'm guessing the others may
have a similar feature, or you would need to create a static file of all
the downstream accounts and configure your MTA to only accept mail for
those accounts. The Postfix method is nice since it's dynamic and always
does lookups in real-time.

Ryan

_______________________________________________
Maia-users mailing list
Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users

Re: Auto-creation of user accounts after-effects
United States
2007-02-19 11:06:08
On Feb 19, 2007, at 12:30 AM, Eugene Pefti wrote:


> My question is how I can leave this "Auto-creation of user accounts"
> enabled and prevent creation of fictitious user accounts? Should I change
> authentication method to POP3?

You *MUST* reject unknown users at the upstream MTA level. Otherwise
you can contribute to backscatter problems, and waste resources as
spammers hit you with dictionary attacks. More on backscatter spam:

http://spamlinks.net/prevent-secure-backscatter.htm

As Ryan said, recipient verification is one way to accomplish this,
but even better would be if you can tap into a user database somehow
via sql, ldap, or something. Postfix provides a lot of mechanisms to
do this.


As far as Maia goes, though, I would recommend using anything else
before internal authentication... internal auth means having to
remember another password that is not synchronized with the email
password. Unless you filter email for multiple hosts that have no common
pop/imap/ldap/sql server, I'd certainly stay away from internal auth.


David Morton
Maia Mailguard http://www.maiamailguard.com
mortondadgrmm.net
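
The two approaches discussed in this thread, sketched as a Postfix `main.cf` fragment for the gateway MTA. This is an added example, not part of either message; the domain `example.com` and the file paths are placeholders.

```ini
# /etc/postfix/main.cf on the upstream (gateway) MTA.
# example.com and all file paths below are placeholders.

# Domains this gateway accepts and relays to the downstream mail server.
relay_domains = example.com

# --- Option A: dynamic address verification (Ryan's suggestion) ---
# Postfix probes the downstream server for each new recipient and
# rejects the message during the SMTP dialogue if the probe fails,
# so no bounce (backscatter) is generated later and no account is
# auto-created for a non-existent address.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient

# Answer with a permanent 550 instead of the default 450 once you
# trust the probe results.
unverified_recipient_reject_code = 550

# Keep probe results across restarts so dictionary attacks do not
# trigger a fresh probe for every attempt.
address_verify_map = btree:/var/lib/postfix/verify

# --- Option B: explicit recipient list (static file, LDAP or SQL) ---
# Use this instead of reject_unverified_recipient when a user
# database is available. Each line of the hash source file has the
# form "user@example.com OK"; rebuild it with postmap after edits.
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
#relay_recipient_maps = ldap:/etc/postfix/ldap-recipients.cf
#relay_recipient_maps = mysql:/etc/postfix/mysql-recipients.cf
```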



