+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Support Area (/forum-30.html)
+--- Forum: System Setup & Installation (/forum-32.html)
+--- Thread: Disable need for "confirmation" (ispcp 1.1.10) (/thread-14244.html)
Pages: 1 2
Disable need for "confirmation" (ispcp 1.1.10) - Monotoko - 06-23-2011 10:18 AM
Hi Guys,
I can understand why you confirm aliases for bigger hosts, but I am running a VPS with a few users and hosts, and if they add an alias can I make it automatically go through and just send an email? I can't see an obvious option for this.../
RE: Disable need for "confirmation" (ispcp 1.1.10) - RatS - 06-24-2011 03:58 AM
it's an security issue: You could add a domain gmail.com and fetch all e-mails send by any account on the server to a @gmail.com account, because the MTA delivers locally first.
RE: Disable need for "confirmation" (ispcp 1.1.10) - Monotoko - 06-24-2011 05:07 AM
Hi RatS,
I'm aware of that, but as I said my clients are my real life friends and I do not think they would do something so malicious. Of course I would still like to be sent notification of people adding alias domains and which ones they add so I can still keep an eye on it, and put a stop to it if it does come up.
How do other control panels do it?
Daniel
RE: Disable need for "confirmation" (ispcp 1.1.10) - RatS - 06-24-2011 05:26 PM
I assume they have order processes, too.
However, feel free, to write yourself a patch for this. It's just an frontend / database issue. You need to change the status to 'toadd' instead of 'ordered' or so.
RE: Disable need for "confirmation" (ispcp 1.1.10) - fluser - 06-24-2011 05:52 PM
(06-24-2011 03:58 AM)RatS Wrote: it's an security issue: You could add a domain gmail.com and fetch all e-mails send by any account on the server to a @gmail.com account, because the MTA delivers locally first.
I don't think that it would work. First, MX-Entry would not match the right ip-address and you have to fill in the right DNS servers where you ordered the domain... And both don't match the fake "gmail.com"
Best Regards
Flusr
RE: Disable need for "confirmation" (ispcp 1.1.10) - RatS - 06-26-2011 07:16 AM
just try it on a test system. Add a domain gmail.com and a catchall email-account redirected to whatever. Send an e-mail to test@gmail.com from a local e-mail-account (one on the same server). You will receive it.
RE: Disable need for "confirmation" (ispcp 1.1.10) - kilburn - 06-26-2011 03:45 PM
(06-24-2011 05:52 PM)fluser Wrote: I don't think that it would work. First, MX-Entry would not match the right ip-address and you have to fill in the right DNS servers where you ordered the domain... And both don't match the fake "gmail.com"
It works because postfix honors its own configuration (saying that gmail.com is local in that case) *before* trying any external resolution. Otherwise it would be impossible to setup mail gateways and the like.
RE: Disable need for "confirmation" (ispcp 1.1.10) - fluser - 06-27-2011 07:01 AM
hmmm, ok, you're right for the local server. But from WWW it wouldn't work.
Best Regards
RE: Disable need for "confirmation" (ispcp 1.1.10) - kilburn - 06-27-2011 03:14 PM
Quote:hmmm, ok, you're right for the local server. But from WWW it wouldn't work.
No, obviously not. However, in this example the attacking user would capture all the e-mails that other users of that server send to gmail.com. Bad enough to justify the confirmation procedure IMHO...
RE: Disable need for "confirmation" (ispcp 1.1.10) - RatS - 06-28-2011 06:38 AM
Bad enough you have to trust each reseller on the system.
