Current time: 11-15-2024, 04:33 PM Hello There, Guest! (LoginRegister)


Post Reply 
Disable need for "confirmation" (ispcp 1.1.10)
Author Message
Monotoko Offline
Junior Member
*

Posts: 20
Joined: Jan 2011
Reputation: 0
Post: #1
Disable need for "confirmation" (ispcp 1.1.10)
Hi Guys,

I can understand why you confirm aliases for bigger hosts, but I am running a VPS with a few users and hosts, and if they add an alias can I make it automatically go through and just send an email? I can't see an obvious option for this.../
06-23-2011 10:18 AM
Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #2
RE: Disable need for "confirmation" (ispcp 1.1.10)
it's an security issue: You could add a domain gmail.com and fetch all e-mails send by any account on the server to a @gmail.com account, because the MTA delivers locally first.
06-24-2011 03:58 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Monotoko Offline
Junior Member
*

Posts: 20
Joined: Jan 2011
Reputation: 0
Post: #3
RE: Disable need for "confirmation" (ispcp 1.1.10)
Hi RatS,

I'm aware of that, but as I said my clients are my real life friends and I do not think they would do something so malicious. Of course I would still like to be sent notification of people adding alias domains and which ones they add so I can still keep an eye on it, and put a stop to it if it does come up.

How do other control panels do it?

Daniel
06-24-2011 05:07 AM
Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #4
RE: Disable need for "confirmation" (ispcp 1.1.10)
I assume they have order processes, too.

However, feel free, to write yourself a patch for this. It's just an frontend / database issue. You need to change the status to 'toadd' instead of 'ordered' or so.
06-24-2011 05:26 PM
Visit this user's website Find all posts by this user Quote this message in a reply
fluser Offline
Documentation Team
***
Docu Team

Posts: 246
Joined: May 2010
Reputation: 1
Post: #5
RE: Disable need for "confirmation" (ispcp 1.1.10)
(06-24-2011 03:58 AM)RatS Wrote:  it's an security issue: You could add a domain gmail.com and fetch all e-mails send by any account on the server to a @gmail.com account, because the MTA delivers locally first.

I don't think that it would work. First, MX-Entry would not match the right ip-address and you have to fill in the right DNS servers where you ordered the domain... And both don't match the fake "gmail.com"

Best Regards
Flusr
06-24-2011 05:52 PM
Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #6
RE: Disable need for "confirmation" (ispcp 1.1.10)
just try it on a test system. Add a domain gmail.com and a catchall email-account redirected to whatever. Send an e-mail to test@gmail.com from a local e-mail-account (one on the same server). You will receive it.
06-26-2011 07:16 AM
Visit this user's website Find all posts by this user Quote this message in a reply
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #7
RE: Disable need for "confirmation" (ispcp 1.1.10)
(06-24-2011 05:52 PM)fluser Wrote:  I don't think that it would work. First, MX-Entry would not match the right ip-address and you have to fill in the right DNS servers where you ordered the domain... And both don't match the fake "gmail.com"

It works because postfix honors its own configuration (saying that gmail.com is local in that case) *before* trying any external resolution. Otherwise it would be impossible to setup mail gateways and the like.
06-26-2011 03:45 PM
Visit this user's website Find all posts by this user Quote this message in a reply
fluser Offline
Documentation Team
***
Docu Team

Posts: 246
Joined: May 2010
Reputation: 1
Post: #8
RE: Disable need for "confirmation" (ispcp 1.1.10)
hmmm, ok, you're right for the local server. But from WWW it wouldn't work.

Best Regards
06-27-2011 07:01 AM
Find all posts by this user Quote this message in a reply
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #9
RE: Disable need for "confirmation" (ispcp 1.1.10)
Quote:hmmm, ok, you're right for the local server. But from WWW it wouldn't work.

No, obviously not. However, in this example the attacking user would capture all the e-mails that other users of that server send to gmail.com. Bad enough to justify the confirmation procedure IMHO...
06-27-2011 03:14 PM
Visit this user's website Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #10
RE: Disable need for "confirmation" (ispcp 1.1.10)
Bad enough you have to trust each reseller on the system. Wink
06-28-2011 06:38 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)