Re: Mail relay issue

From: *** St.Peters (stpeters_at_NetHeaven.com)
Date: 09/04/03

    Date: Thu, 4 Sep 2003 10:27:13 -0400
    To: cokane@cokane.org
    
    

    This relaying can be prevented by the addition of just two rule lines
    in sendmail.cf[*].

    I've appended patches to add the lines to proto.m4 for sendmail 8.12
    and 8.11 (specifically 8.12.9 and 8.11.6). I've tested and am using
    the 8.12 patch, but the 8.11 patch is completely untested. It is
    basically the same change and should work.

    [*] I think it could be done with just one earlier dequote rule, but
    I'm going with what I tested.

    --
    *** St.Peters, stpeters@NetHeaven.com 
    > I would guess that after it goes into the local mail spool at test.local
    > the @test.local gets split off and then test.local spools it for
    > user@norelay.com and connects to norelay.com's MX and dumps it into the
    > SMTP server. Who then locally delivers it to user after stripping off the
    > @.* from the end.
    > 
    > > Hi,
    > >
    > > This is not really a vulnerability "per se". I came across a weird
    > > open relay situation, hopefully someone here might know why
    > > this happens.
    > >
    > > Consider the following:
    > > A) Microsoft Exchange SMTP server
    > > B) Sendmail that trusts "A"
    > >
    > > Server "A" appends a default domain, if one is not given on the RCPT TO
    > > command, for example:
    > > RCPT TO: fubar
    > > 250 2.1.5 fubar@test.local
    > >
    > > Server "A" is configured to deliver all mail to "test.local" to server
    > > "B".
    > >
    > > If I send an email to server A issuing rcpt to as:
    > > RCPT TO: "user@norelay.com"
    > > The exchange server will append the domain test.local and deliver it to
    > > server B, as in:
    > > RCPT TO: "user@norelay.com"@test.local
    > >
    > > Now, server B (sendmail), apparently understands this syntax
    > > ("user@norelay.com"@test.local) as an SMTP route and delivers the email
    > > into norelay.com's MX.
    > >
    > > So, basically, in a somewhat "strange" way, this system is in fact an
    > > open relay.
    > > What I'm trying to understand, is why does sendmail understand this as a
    > > route rcpt. I took a brief look at the RFC and it says:
    > > <quote>
    > > The forward-path may be a source route of the form
    > > "@ONE,@TWO:JOE@THREE", where ONE, TWO, and THREE are hosts.
    > > (...)
    > >  For example, mail received at relay host A with arguments
    > >  FROM:<USERX@HOSTY.ARPA>
    > >  TO:<@HOSTA.ARPA,@HOSTB.ARPA:USERC@HOSTD.ARPA>
    > >  will be relayed on to host B with arguments
    > >  FROM:<@HOSTA.ARPA:USERX@HOSTY.ARPA>
    > >  TO:<@HOSTB.ARPA:USERC@HOSTD.ARPA>.
    > > </quote>
    > >
    > > This is not quite the same as "one@two"@three.
    > >
    > > Anyone care to comment?
    > >
    > > Thanks in advance,
    > >
    > > Joao Gouveia
    NOTE: The patches below have tabs in them.  sendmail requires the tabs.

    Tested patch for sendmail 8.12.9
    --- proto.m4-dist	Fri Mar 28 12:20:53 2003
    +++ proto.m4	Thu Sep  4 09:26:40 2003
    @@ -983,6 +983,9 @@
     R$* < @ . $* > $*	$#error $@ 5.1.2 $: "_CODE553 Invalid host name"
     R$* < @ $* .. $* > $*	$#error $@ 5.1.2 $: "_CODE553 Invalid host name"
     dnl no a@b@
    +R$- < $* >		$: $(dequote $1 $) < $2 >
    +R$* $=O $* < $* >	$#error $@ 5.1.2 $: "_CODE553 Invalid route address"
    +dnl no "a@b"@c
     R$* < @ $* @ > $*	$#error $@ 5.1.2 $: "_CODE553 Invalid route address"
     dnl no a@b@c
     R$* @ $* < @ $* > $*	$#error $@ 5.1.3 $: "_CODE553 Invalid route address"
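Review bot: the second added rule, 'R$* $=O $* < $* >', is not limited to the dequoted case named in the new 'dnl no "a@b"@c' comment. It rejects any local part containing a class O character, quoted or not, and because it sits above 'R$* @ $* < @ $* > $*' it will answer a@b@c with 5.1.2 before that rule can return 5.1.3 (assuming @ is in class O, which the fix depends on). If the wider rejection is intended, say so in the comment; otherwise run the check only when the dequote rule actually changed the local part. The new lines are also inserted between 'dnl no a@b@' and the rule that comment describes, and the new comment trails its rules instead of leading them, so both comments now label the wrong rule. Placing the comment and the two rules above 'dnl no a@b@' keeps each comment next to its rule.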
    UNTESTED patch for sendmail 8.11.6
    --- proto.m4-dist	Tue Jul 31 18:25:49 2001
    +++ proto.m4	Thu Sep  4 09:44:33 2003
    @@ -880,6 +880,8 @@
     R$* < @ . $* > $*	$#error $@ 5.1.2 $: "CODE553 Invalid host name"
     R$* < @ $* .. $* > $*	$#error $@ 5.1.2 $: "CODE553 Invalid host name"
     dnl comma only allowed before @; this check is not complete
    +R$- < $* >		$: $(dequote $1 $) < $2 >
    +R$* $=O $* < $* >	$#error $@ 5.1.2 $: "CODE553 Invalid route address"
     R$* , $~O $*		$#error $@ 5.1.2 $: "CODE553 Invalid route address"
     
     # now delete the local info -- note $=O to find characters that cause forwarding
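Review bot: the two added rules are inserted between 'dnl comma only allowed before @; this check is not complete' and the 'R$* , $~O $*' rule that comment describes, and unlike the 8.12.9 patch they carry no dnl comment of their own, so the existing comment now reads as documentation for the dequote rule. Move the added lines above that dnl line and give them their own comment (the 8.12.9 patch uses 'dnl no "a@b"@c'). That comment should also mention that 'R$* $=O $* < $* >' matches every local part containing a class O character, not only ones that arrived quoted.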
    NOTE REPEAT: The patches have tabs in them.  sendmail requires the
    tabs
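As an added example (not part of the original post or of sendmail), the check that the two added rules express can be sketched in Python: dequote the local part, then look for forwarding operators. The operator set @ % ! is an assumed stand-in for sendmail's class O, and the function names are hypothetical.

```python
# Added example: not code from the original post or from sendmail.
# Assumption: '@', '%' and '!' stand in for sendmail's class O
# (characters that cause forwarding).
ROUTE_OPERATORS = frozenset("@%!")


def split_address(addr):
    """Split at the last '@' outside double quotes -> (local, domain or None)."""
    in_quotes = escaped = False
    last_at = -1
    for i, ch in enumerate(addr):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "@" and not in_quotes:
            last_at = i
    if in_quotes:
        raise ValueError("unterminated quoted string")
    if last_at < 0:
        return addr, None
    return addr[:last_at], addr[last_at + 1:]


def dequote(local):
    """Drop double quotes and resolve backslash escapes."""
    out = []
    escaped = False
    for ch in local:
        if escaped:
            out.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch != '"':
            out.append(ch)
    return "".join(out)


def hidden_route(addr):
    """Return the route operators exposed once the local part is dequoted."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    local, _domain = split_address(addr)
    return sorted(set(dequote(local)) & ROUTE_OPERATORS)


if __name__ == "__main__":
    # The first two recipients come from the thread; the third is constructed.
    for rcpt in ('"user@norelay.com"@test.local', "fubar@test.local",
                 '"john smith"@test.local'):
        print(rcpt, "->", hidden_route(rcpt) or "ok")
```

A front-end relay that appends a default domain can run the same check on the recipient before forwarding, so the quoted form never reaches the host that trusts it.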
    
