Re: Mail relay issue

cokane_at_cokane.org
Date: 09/02/03

    Date: Tue, 2 Sep 2003 16:21:09 -0400 (EDT)
    To: tharbad@kaotik.org
    
    

    I would guess that after it goes into the local mail spool at test.local
    the @test.local gets split off and then test.local spools it for
    user@norelay.com and connects to norelay.com's MX and dumps it into the
    SMTP server, which then locally delivers it to user after stripping off the
    @.* from the end.

    > Hi,
    >
    > This is not really a vulnerability "per se". I came across a weird
    > open relay situation; hopefully someone here might know why
    > this happens.
    >
    > Consider the following:
    > A) Microsoft Exchange SMTP server
    > B) Sendmail that trusts "A"
    >
    > Server "A" appends a default domain, if one is not given on the RCPT TO
    > command, for example:
    > RCPT TO: fubar
    > 250 2.1.5 fubar@test.local
    >
    > Server "A" is configured to deliver all mail to "test.local" to server
    > "B".
    >
    > If I send an email to server A issuing rcpt to as:
    > RCPT TO: "user@norelay.com"
    > The exchange server will append the domain test.local and deliver it to
    > server B, as in:
    > RCPT TO: "user@norelay.com"@test.local
    >
    > Now, server B (sendmail), apparently understands this syntax
    > ("user@norelay.com"@test.local) as an SMTP route and delivers the email
    > into norelay.com's MX.
    >
    > So, basically, in a somewhat "strange" way, this system is in fact an
    > open relay.
    > What I'm trying to understand is why sendmail understands this as a
    > route rcpt. I took a brief look at the RFC and it says:
    > <quote>
    > The forward-path may be a source route of the form
    > "@ONE,@TWO:JOE@THREE", where ONE, TWO, and THREE are hosts.
    > (...)
    > For example, mail received at relay host A with arguments
    > FROM:<USERX@HOSTY.ARPA>
    > TO:<@HOSTA.ARPA,@HOSTB.ARPA:USERC@HOSTD.ARPA>
    > will be relayed on to host B with arguments
    > FROM:<@HOSTA.ARPA:USERX@HOSTY.ARPA>
    > TO:<@HOSTB.ARPA:USERC@HOSTD.ARPA>.
    > </quote>
    >
    > This is not quite the same as "one@two"@three.
    >
    > Anyone care to comment?
    >
    > Thanks in advance,
    >
    > Joao Gouveia
    >
    >



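A recipient check that a gateway in server A's position could apply before forwarding, written here as an added example (it is not from the thread, Exchange or sendmail). It models the default-domain step described above and rejects local parts that hide routing syntax once the quotes are removed; the `%`, `!` and `:` checks generalize beyond the quoted `@` case in the thread, and `LOCAL_DOMAINS` and all function names are assumptions.

```python
import re

DEFAULT_DOMAIN = "test.local"     # default domain server A appends (from the thread)
LOCAL_DOMAINS = {"test.local"}    # domains the gateway accepts mail for (assumption)
ROUTING_CHARS = "@%!:"            # source route, percent hack, bang path (conservative)

def split_address(addr):
    """Split at the last '@' outside double quotes; domain is None if there is none."""
    in_quote, escaped, at = False, False, -1
    for i, ch in enumerate(addr):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == "@" and not in_quote:
            at = i
    return (addr, None) if at < 0 else (addr[:at], addr[at + 1:])

def qualify(rcpt):
    """Model server A: strip <>, give an unqualified recipient the default domain."""
    addr = rcpt.strip().lstrip("<").rstrip(">")
    local, domain = split_address(addr)
    return local, domain or DEFAULT_DOMAIN

def unquote(local):
    """The local part as a downstream MTA may see it once the quotes are removed."""
    if len(local) >= 2 and local[0] == local[-1] == '"':
        local = local[1:-1]
    return re.sub(r"\\(.)", r"\1", local)

def check_recipient(rcpt):
    """Return (accepted, detail): the forward path if accepted, else the reason."""
    local, domain = qualify(rcpt)
    if domain.lower() not in LOCAL_DOMAINS:
        return False, "relay denied: %s is not a local domain" % domain
    hidden = [c for c in ROUTING_CHARS if c in unquote(local)]
    if hidden:
        return False, "routing characters %r in local part %s" % (hidden, local)
    return True, "%s@%s" % (local, domain)

if __name__ == "__main__":
    # Constructed RCPT TO arguments, modelled on the ones quoted in the thread.
    for rcpt in ['fubar', '"user@norelay.com"', 'user%norelay.com',
                 '<@HOSTA.ARPA,@HOSTB.ARPA:USERC@HOSTD.ARPA>', '"john smith"@test.local']:
        print(rcpt, "->", check_recipient(rcpt))
```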