Hi there;
rt-3.6.1 and apach2 mysql5 and exim4
I have rebuilt my RT dev box copying stuff from the live system including the RT bits in exim.conf
I forgot to change my
data = “|/opt/rt3/bin/rt-mailgate --queue … --url https://myrt.mycom.com/” so it was still pointing to my live system …
on submitting test messages/tickets these were created in the live system, which then occurred me that there is a potential flaw here, there is no authentication or restriction of any kind …
Generally the REST interface expects authentication from the client (supplied from rt.conf or .rtrc), how does the mailgate (which I guess /REST/1.0/NoAuth/mail-gateway) part of it authenticate ??
Have anyone came across this? any solutions or suggestions ?
Roy
wiki: MailGatewayAccessControlOn 2/2/07, Roy El-Hames rfh@pipex.net wrote:
Hi there;
rt-3.6.1 and apach2 mysql5 and exim4
I have rebuilt my RT dev box copying stuff from the live system including the RT bits in exim.conf
I forgot to change my
data = “|/opt/rt3/bin/rt-mailgate --queue … --url https://myrt.mycom.com/” so it was still pointing to my live system …
on submitting test messages/tickets these were created in the live system, which then occurred me that there is a potential flaw here, there is no authentication or restriction of any kind …
Generally the REST interface expects authentication from the client (supplied from rt.conf or .rtrc), how does the mailgate (which I guess /REST/1.0/NoAuth/mail-gateway) part of it authenticate ??
Have anyone came across this? any solutions or suggestions ?
Roy
The rt-users Archives
Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com
Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
Best regards, Ruslan.