Note: Make sure to read the comments to hear from the tutorial's author. It seems the tutorial as listed may not be at fault and as such I apologize for any misconceptions. The spirit of this post still holds true however.
So we've all probably blindly followed the directions of one tutorial or another at some point, whether it was for some programming technique or to get a mail server up and running. Have you ever stopped to think about how damaging the tutorial could be if it contained wrong information?
In the best case, the tutorial just wouldn't work for you. In the worst case it could introduce a vulnerability that lets a remote attacker take over your system or use it to do their bidding. Can't happen, you say? It does happen, and you had better be careful when following tutorials, especially ones that have you installing critical system software.
Let's take a look at an example from a tutorial on installing Qmail on FreeBSD. This is a pretty decent tutorial that will have you up and running with Qmail on FreeBSD in pretty short order. I personally don't like the use of binc-imap, but that's just personal preference. Given that this tutorial is from BSDGuides, people are going to feel pretty confident that the information is correct and trustworthy. I can only imagine that many, many people have installed Qmail via this particular guide.
OK, so what's the problem? Well, with this installation, you end up with a script that invokes qmail-smtpd. Part of that script looks like this:
/usr/local/vpopmail/bin/vchkpw /usr/bin/true
That should cause qmail-smtpd to authenticate users through vchkpw, right? Well, not really. What it actually does is cause any username and password combination to authenticate! That's right, you've just become an open relay even though you are attempting to utilize smtpd-auth.
So, where'd the guide go wrong? There should have been a $LOCALNAME right after qmail-smtpd. With an smtp-auth patch that expects a hostname argument, leaving it out shifts every argument one place to the left: vchkpw is taken as the hostname and /usr/bin/true, which always exits successfully, is run as the checkpassword program, so every login is accepted. A site user named Jurgen actually points that out in a comment, but how many people using this guide are going to read all the comments? Not many, I assure you. So, the lesson is not to trust every tutorial you come across. Use them as a reference, but make sure you know what they are doing. Check the man pages for every program they invoke and make sure the command line arguments look right.
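A small check a practitioner can run against a qmail-smtpd run script before trusting it, written as an added example for this post (it is not code from the post or from BSDGuides). It assumes the argument order the post describes, qmail-smtpd hostname checkpassword-program subprogram; which smtp-auth patch is installed determines whether that order applies. The two sample run scripts it writes are constructed for the demo, and mail.example.test is a placeholder hostname.

```shell
#!/bin/sh
# Added example (not from the post or from BSDGuides): a static check of a
# qmail-smtpd run script for the argument-shift mistake the post describes.
# Assumed argument order (older smtp-auth patch):
#     qmail-smtpd <hostname> <checkpassword-program> <subprogram>
# If <hostname> is missing, the checkpassword program lands in the hostname
# slot and the subprogram (/usr/bin/true, which always exits 0) is run as the
# checkpassword program, so every username/password pair "authenticates".

# Print the three tokens following qmail-smtpd in FILE (backslash-continued
# lines are joined first); prints nothing if qmail-smtpd is never invoked.
smtpd_args() {
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" |
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /qmail-smtpd$/) { print $(i+1), $(i+2), $(i+3); exit }
    }'
}

# Exit status: 0 = argument order looks right, 1 = misconfigured (the
# open-relay case among others), 2 = no qmail-smtpd invocation in FILE.
check_smtpd_run() {
    set -- $(smtpd_args "$1")    # tokens are not re-parsed for quotes or $VARS
    [ $# -eq 0 ] && { echo "no qmail-smtpd invocation found"; return 2; }
    host=$1 chkpw=$2 sub=$3
    case "$host" in
        /*) echo "BAD: '$host' is in the hostname slot, so '$chkpw' would run as the checkpassword program"
            return 1 ;;
    esac
    case "$chkpw" in
        /*) ;;
        *)  echo "BAD: checkpassword slot holds '$chkpw', expected a program path"
            return 1 ;;
    esac
    [ -n "$sub" ] || { echo "BAD: no subprogram after '$chkpw'"; return 1; }
    echo "OK: hostname=$host checkpassword=$chkpw subprogram=$sub"
}

# Write two constructed sample run scripts into DIR: one with the hostname
# argument present and one with it missing, as in the tutorial excerpt.
write_samples() {
    cat > "$1/run.good" <<'EOF'
#!/bin/sh
LOCALNAME=mail.example.test
exec /usr/local/bin/tcpserver -v -R -l "$LOCALNAME" -x /etc/tcp.smtp.cdb 0 smtp \
    /var/qmail/bin/qmail-smtpd "$LOCALNAME" /usr/local/vpopmail/bin/vchkpw /usr/bin/true 2>&1
EOF
    cat > "$1/run.bad" <<'EOF'
#!/bin/sh
exec /usr/local/bin/tcpserver -v -R -x /etc/tcp.smtp.cdb 0 smtp \
    /var/qmail/bin/qmail-smtpd /usr/local/vpopmail/bin/vchkpw /usr/bin/true 2>&1
EOF
}

# Stand-alone demo: check both constructed samples and report each verdict.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in "$d/run.good" "$d/run.bad"; do
        printf '%s: ' "$(basename "$f")"
        check_smtpd_run "$f" || true    # keep going after a BAD verdict
    done
    rm -rf "$d"
}
demo
```

Point check_smtpd_run at the real supervise run script (for example /var/qmail/supervise/qmail-smtpd/run on a typical install) and read the verdict; a path in the hostname slot is the configuration the post warns about.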
Aug 29, 02:41 pm
If people would follow the tutorials to the T, they would not be having this problem. The latest qmail-smtp-auth patches are maintained by http://www.fehcom.de/qmail/smtpauth.html#PATCHES
The one that is included in the ports tree is outdated, something I have pointed out to the port maintainer who has done nothing. $LOCALNAME is not required ANYWHERE in the new patches, and is in the old. I am not liable for stupidity when following my guide.
Apparently you missed that in my entire guide as well, since if you had followed it, it would have worked just perfectly fine. There is a reason there are two steps to compiling it:
cd /usr/ports/mail/qmail
make extract
cd ./work/qmail-1.03
wget http://www.bsdguides.org/downloads/freebsd/qmail-smtpd-auth.patch
patch < qmail-smtpd-auth.patch
See, we download a qmail-smtpd-auth patch. That one does not require $LOCALNAME.
Thanks for playing :D