Mail relay issue
Date: Sat, 30 Aug 2003 00:24:48 +0100 To: firstname.lastname@example.org
This is not really a vulnerability "per se". I came across with a weird
open relay situation, hopefully someone here might now why
Consider the following:
A) Microsoft Exchange SMTP server
B) Sendmail that trusts "A"
Server "A" appends a default domain, if one is not given on the RCPT TO
command, for example:
RCPT TO: fubar
250 2.1.5 email@example.com
Server "A" is configured to deliver all mail to "test.local" to server
If I send an email to server A issuing rcpt to as:
RCPT TO: "firstname.lastname@example.org"
The exchange server will append the domain test.local and deliver it to
server B, as in:
RCPT TO: "email@example.com"@test.local
Now, server B (sendmail), apparently understands this sintax
("firstname.lastname@example.org"@test.local) as an SMTP route and delivers the email
into norelay.com's MX.
So, basicaly, in a somewhat "strange" way, this system is in fact an
What i'm trying to understand, is why does sendmail understand this as a
route rcpt. I took a brief look on the RFC and it says:
The forward-path may be a source route of the form
"@ONE,@TWO:JOE@THREE", where ONE, TWO, and THREE are hosts.
For example, mail received at relay host A with arguments
will be relayed on to host B with arguments
This is not quite the same as "one@two"@three.
Anyone care to comment?
Thanks in advance,
- application/pgp-signature attachment: stored