Mail relay issue

tharbad_at_kaotik.org
Date: 08/30/03

    Date: Sat, 30 Aug 2003 00:24:48 +0100
    To: vuln-dev@securityfocus.com
    
    
    

    Hi,

    This is not really a vulnerability "per se". I came across a weird
    open relay situation; hopefully someone here might know why
    this happens.

    Consider the following:
    A) Microsoft Exchange SMTP server
    B) Sendmail that trusts "A"

    Server "A" appends a default domain, if one is not given on the RCPT TO
    command, for example:
    RCPT TO: fubar
    250 2.1.5 fubar@test.local

    Server "A" is configured to deliver all mail to "test.local" to server
    "B".

    If I send an email to server A issuing rcpt to as:
    RCPT TO: "user@norelay.com"
    The exchange server will append the domain test.local and deliver it to
    server B, as in:
    RCPT TO: "user@norelay.com"@test.local

    Now, server B (sendmail) apparently understands this syntax
    ("user@norelay.com"@test.local) as an SMTP route and delivers the email
    into norelay.com's MX.

    So, basically, in a somewhat "strange" way, this system is in fact an
    open relay.
    What I'm trying to understand is why sendmail understands this as a
    route rcpt. I took a brief look at the RFC and it says:
    <quote>
    The forward-path may be a source route of the form
    "@ONE,@TWO:JOE@THREE", where ONE, TWO, and THREE are hosts.
    (...)
     For example, mail received at relay host A with arguments
     FROM:<USERX@HOSTY.ARPA>
     TO:<@HOSTA.ARPA,@HOSTB.ARPA:USERC@HOSTD.ARPA>
     will be relayed on to host B with arguments
     FROM:<@HOSTA.ARPA:USERX@HOSTY.ARPA>
     TO:<@HOSTB.ARPA:USERC@HOSTD.ARPA>.
    </quote>

    This is not quite the same as "one@two"@three.

    Anyone care to comment?

    Thanks in advance,

    Joao Gouveia
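
A recipient check that server B could apply to the situation described in this message, as an added example that is not part of the original post and is not Exchange's or sendmail's own logic. The function names, the model of server A's domain appending, and the extension to the `%` and `!` routing characters are assumptions made for illustration.

```python
# Added example: models the rewrite described in the post and a reject rule
# for the trusting server. All names here are hypothetical.

# Characters that can turn a local-part into a relay route once quotes are
# removed: '@' is the case in the post; '%' and '!' are an added generalization.
ROUTE_CHARS = set("@%!")

def split_address(addr):
    """Split at the last '@' outside double quotes -> (local_part, domain)."""
    in_quotes, escaped, at = False, False, -1
    for i, ch in enumerate(addr):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "@" and not in_quotes:
            at = i
    if at < 0:
        return addr, ""
    return addr[:at], addr[at + 1:]

def append_default_domain(rcpt_arg, default_domain):
    """Model of server A: add the default domain when none is given."""
    addr = rcpt_arg.strip().strip("<>")
    _, domain = split_address(addr)
    return addr if domain else f"{addr}@{default_domain}"

def embedded_route(addr):
    """Return the routing characters found inside the local-part."""
    local, _ = split_address(addr)
    if len(local) >= 2 and local.startswith('"') and local.endswith('"'):
        local = local[1:-1]
    return sorted(ROUTE_CHARS & set(local))

def accept_rcpt(addr, local_domains):
    """Server B policy: local domain only, and no route in the local-part."""
    _, domain = split_address(addr)
    return domain.lower() in local_domains and not embedded_route(addr)

if __name__ == "__main__":
    # Constructed inputs taken from the addresses quoted in the post.
    for arg in ("fubar", '"user@norelay.com"'):
        rewritten = append_default_domain(arg, "test.local")
        print(rewritten, "->", accept_rcpt(rewritten, {"test.local"}))
```
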

    
    


