Mail relay issue
tharbad_at_kaotik.org
Date: 08/30/03
Date: Sat, 30 Aug 2003 00:24:48 +0100 To: vuln-dev@securityfocus.com
Hi,
This is not really a vulnerability "per se". I came across a weird
open relay situation, hopefully someone here might know why
this happens.
Consider the following:
A) Microsoft Exchange SMTP server
B) Sendmail that trusts "A"
Server "A" appends a default domain, if one is not given on the RCPT TO
command, for example:
RCPT TO: fubar
250 2.1.5 fubar@test.local
Server "A" is configured to deliver all mail to "test.local" to server
"B".
If I send an email to server A issuing rcpt to as:
RCPT TO: "user@norelay.com"
The exchange server will append the domain test.local and deliver it to
server B, as in:
RCPT TO: "user@norelay.com"@test.local
Now, server B (sendmail), apparently understands this syntax
("user@norelay.com"@test.local) as an SMTP route and delivers the email
into norelay.com's MX.
So, basically, in a somewhat "strange" way, this system is in fact an
open relay.
What I'm trying to understand, is why does sendmail understand this as a
route rcpt. I took a brief look at the RFC and it says:
<quote>
The forward-path may be a source route of the form
"@ONE,@TWO:JOE@THREE", where ONE, TWO, and THREE are hosts.
(...)
For example, mail received at relay host A with arguments
FROM:<USERX@HOSTY.ARPA>
TO:<@HOSTA.ARPA,@HOSTB.ARPA:USERC@HOSTD.ARPA>
will be relayed on to host B with arguments
FROM:<@HOSTA.ARPA:USERX@HOSTY.ARPA>
TO:<@HOSTB.ARPA:USERC@HOSTD.ARPA>.
</quote>
This is not quite the same as "one@two"@three.
Anyone care to comment?
Thanks in advance,
Joao Gouveia
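A defensive check for the relay boundary described in the message above, as an added example that is not part of the original post: it strips the quoting from an RCPT TO argument and refuses recipients whose local-part still contains routing characters, or that carry an explicit source route. The function names, the `ROUTING_CHARS` set and the `test.local` default are assumptions made for illustration; the code does not reproduce the actual parsing done by Exchange or sendmail.

```python
# Added example: flag RCPT TO arguments that hide a second address in the local-part.
ROUTING_CHARS = set("@%!")  # assumption: operators a downstream parser may act on

def split_forward_path(arg):
    """Return (source_route, dequoted_local_part, domain) for an RCPT TO argument."""
    path = arg.strip()
    if path.startswith("<") and path.endswith(">"):
        path = path[1:-1]
    route = None
    if path.startswith("@") and ":" in path:   # RFC 821 form "@ONE,@TWO:JOE@THREE"
        route, path = path.split(":", 1)
    local, domain, in_quotes, i = [], None, False, 0
    while i < len(path):
        c = path[i]
        if c == "\\" and i + 1 < len(path):     # quoted-pair: keep the escaped char
            local.append(path[i + 1])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes           # quotes delimit, they are not data
        elif c == "@" and not in_quotes:
            domain = path[i + 1:]               # first unquoted "@" ends the local-part
            break
        else:
            local.append(c)
        i += 1
    return route, "".join(local), domain

def check_rcpt(arg, default_domain="test.local"):
    """Return (local, domain, reasons); a non-empty reasons list means refuse."""
    route, local, domain = split_forward_path(arg)
    reasons = []
    if route is not None:
        reasons.append("explicit source route")
    if domain is None:
        domain = default_domain                 # models server A appending its domain
    hidden = sorted(ROUTING_CHARS & set(local))
    if hidden:
        reasons.append("local-part contains routing characters: " + "".join(hidden))
    return local, domain, reasons

# Recipient strings taken from the message above.
SAMPLES = ['fubar', '"user@norelay.com"', '"user@norelay.com"@test.local',
           '<@HOSTA.ARPA,@HOSTB.ARPA:USERC@HOSTD.ARPA>']

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_rcpt(s))
```

Applied on server A before the default domain is appended, or on server B before mail from a trusted host is accepted, a check of this kind refuses the quoted recipient while still accepting the plain `fubar` form.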